Justice B.N. Srikrishna’s data protection committee may have a bill out as soon as Monday, per NDTV. The data protection guidelines will be India’s equivalent of the EU’s General Data Protection Regulation, a privacy law that prescribes conditions for how organizations should receive, handle, and process individuals’ personal data.
What constitutes personal data
The bill will clarify what exactly constitutes personal data, and what counts as sensitive personal data; and how these classes of data will be treated.
SaveOurPrivacy.in’s* model bill defines personal data as “any data which relates to a natural person if that person can, whether directly or indirectly in conjunction with any other data, be identified from it and includes sensitive personal data.” The model bill exempts public information about people from this definition, except in cases of sexual assault, kidnapping and abduction.
(This is more or less in line with how the GDPR defines personal data.)
Consent and notice
The report will likely layout:
— What counts as consent, and will set standards on whether data subjects were sufficiently informed.
— Where explicit consent will be required for data collection and processing, and where lower standards of consent are sufficient.
— Whether accountability trumps consent: some have argued that consent and notice are broken, and that it is much more preferable to have accountability for data controllers. It’ll be interesting to see how the committee’s bill approaches this issue; whether it will balance consent and notice with accountability, or leave open room for both to coexist.
The model bill provides for both consent and notice as well as accountability on the part of the data controller; it envisions oversight through privacy commissions as well as self-regulatory privacy impact assessments by data controllers.
Data ownership and user rights
Data subjects are the individuals about whom data is collected and processed. The committee will decide the extent of ownership an individual has over their data, and the rights that flow from such ownership. Here are some of these rights that usually come up in discussions about data protection:
— Right to withdraw consent: The Srikrishna committee will have to decide if data subjects have the right to withdraw consent they gave for their data to be collected and used. In practice, this is not a right that is readily available across several internet services.
— Right to restrict processing: The bill will determine whether users have the power to stop data controllers from processing the information they provided. Provisionally, the Srikrishna committee is wary of having a sweeping right to object to data processing.
— Right to be forgotten/de-indexed: This is one of the most hotly contested user rights out there. While deletion requirements for information collected by a service provider is not a controversial requirement, questions of de-indexing rights, such as those on search engines, are much more contentious.
— Right of portability: Whether a data controller should be required to hand your data back in a way that you can meaningfully switch to a different service.
Data processing and impact assessment
The Srikrishna committee will have to decide on whether it will limit the purpose of data processing, and what exactly data processing is. The model bill forbids the use of data processing for any purpose other than the provision of the service for which the data subject provided information to the data subject.
— What will a data controller have to proactively do to ensure that it is protecting users’ information?
— What kind of events or policy changes should warrant a privacy impact assessment?
— What will be the role of data controllers themselves, and the role of privacy commissions in overseeing and auditing these processes?
Data protection authority/officers
Most jurisdictions that have recently introduced privacy legislation have a privacy commissioner, or a top data protection watchdog with a reasonable level of independence. But a data protection officer is a self-regulatory official and works within organizations to audit and ensure compliance with data protection rules.
— The GDPR requires data controllers that process a lot of personal data to appoint data protection officers who oversee how that information is collected, stored and secured.
Jurisdiction and data localisation
The Reserve Bank of India already has a slew of requirements for financial data to stay within the country, as is the case in some other countries. However, the Srikrishna committee indicated on its whitepaper that such an approach may not work for all kinds of data. This makes the subject of cross-border data transfers important. How does a government secure personal data of residents if it is stored in a different country? Should it?
— The US’s CLOUD Act allows the federal government to compel American companies to hand over user data regardless of the geography in which that data resides.
— The EU was reported to be seeking a similar legal solution, by dismantling rules governing data transfers between countries.
Anonymisation and pseudonymisation
To anonymise data is to fully eliminate any chance that it can be linked to the identity of whoever that data came from. While the prevalent practice is to simply delete the names of individuals linked to this data, anonymisation may be less effective if ‘environmental’ information is used to figure out who the data subject is. Pseudonymisation is a reversible process, where the data subject can be identified again, while anonymisation is not reversible.
The Srikrishna committee could try and lay down additional conditions for these processes to make sure that anonymisation is actually effective. The EU’s GDPR demands anonymisation of personal data when it is processed.
Penalties and remedies
This could be the most consequential part of the bill: what will actually happen to data controllers if they don’t do due diligence.
— The GDPR extracts a fine of 4% of global annual revenue from data controllers in cases of breach.
— In the US, civil suits are frequently brought against companies that fail to protect user data. For instance, Equifax faces multiple suits due to its leak of millions of American citizens’ information. The Federal Trade Commission also brings cases against companies that fail to protect user data from time to time.
Protections against surveillance
As a group of lawyers argued to the Srikrishna committee, “A comprehensive data protection law is incomplete without surveillance reform”. The Indian state has sweeping surveillance powers, and the right to privacy was only recently affirmed as constitutional. Safeguards against surveillance and oversight on whether it follows due process is a key privacy fight. It’ll be interesting to see if the Srikrishna committee co-opts these causes in its bill.
* SaveOurPrivacy.in is an initiative by the Internet Freedom Foundation. The author of this post has volunteered at the Foundation in the past, and Nikhil Pahwa, editor in chief of MediaNama, serves as chairman and co-founder at the Foundation.
