The Justice BN Srikrishna-led committee to create a data protection law is finally submitting its bill to the Ministry of Electronics and Information Technology in New Delhi. This follows a year of consultation and deliberations, during which the committee debated and thrashed out several divisive issues until they could find middle ground. A series of Caravan reports indicates that a recent draft of the bill strengthens the Aadhaar body UIDAI’s monopoly on filing complaints under the Aadhaar Act, and amends the Right to Information Act to give public officials greater scope to withhold personal information. Per The Caravan, the law will also require Parliament to enact a law to oversee intelligence agencies and how they collect information.
The committee’s bill will now make its way through the IT Ministry, post which it will go to the Cabinet to be approved for introduction in the Parliament, the Ministry told MediaNama in response to an RTI query.
All quotes are paraphrased. Emphasis from Bill excerpts ours.
Saturday, 2:14pm: Scroll.in’s Sruthisagar Yamunan: Draft data protection law is a blow to the right to privacy. “The draft Bill authorises the State to collect data without the consent of the person. And doesn’t put any checks on Aadhaar.”
Saturday, 2:11pm: We are all Aruna Sundararajan right now:
Saturday, 2:01pm: Mozilla has issued a statement on the Bill, saying that they are “pleased to see India take an important step forward towards enacting real privacy protections.” They did voice some concerns, though:
Saturday, 1:57pm: Chinmayi Arun, Executive Director of the Centre for Communications Governance at NLU Delhi, on the localisation/mirroring requirement:
But the one that's most shocking is
5. By forcing data fiduciaries to store a copy of citizens' personal data in India
— Chinmayi Arun (@chinmayiarun) July 27, 2018
Saturday, 1:24pm: The RTI Act will be amended to tip the balance between public interest and privacy.
So apparently, interfering with the landmark Right to Information Act is mandatory to the Bill proposed by the Srikrishna Committee, but fixing the awful Aadhaar Act is optional. #SaveRTI #SaveOurPrivacy #RethinkAadhaar
— Raman Chima (@tame_wildcard) July 27, 2018
India moves closer to first data privacy law as Srikrishna panel submits report, focus on individual users’ consent. I report https://t.co/UYADcMcvT3
— Nakul Sridhar (@nakulsridhar) July 28, 2018
Saturday, 12:46pm: Lawyer Nandita Saikia on the competing priorities of the Data Protection Bill, and the non-specific language used in it:
The number of times the words reasonably/reasonable/practicable/practicably are used in the draft Personal Data Protection Bill, 2018.
Short message from the committee: You want your right to privacy? Fight for it, litigate!
— Prasanna S (@prasanna_s) July 28, 2018
Saturday, 12:30pm: While the committee is recommending that private authentications be disallowed through an amendment to the Aadhaar Act, this is not in the Bill. It’s up to the government to deal with that specific recommendation:
Srikrishna Committee, in its suggestions–not mandatory for the draft bill–wants to amend Aadhaar Act to disallow private entities from using online authentications, a move that threatens the entire ecosystem backed by some very powerful lobbies. But does the govt have the will? https://t.co/pksfE8Bb9F
— Krishn Kaushik (@Krishn_) July 28, 2018
Saturday, 11:40am: The dissenting voices in the Srikrishna Committee’s Data Protection report: disagreements by NASSCOM’s Data Security Council of India’s CEO and another member on data localisation, criminal provisions, what is considered sensitive personal data, and more.
8:05pm: End of the live blog for Friday. We’ll have more analysis and inputs on the draft bill on MediaNama.
8:00pm: A wrap of all the highlights from the bill can be read here.
7:21pm: There is no right to data erasure for subjects. There is only a right to obtain a summary of information held by the controller.
This is a weak data protection bill and it should NOT be allowed to be passed in Parliament. Justice Srikrishna has disappointed.
Above all, users are not being given ownership of their own data. @trai did better.
Users aren't being given right to erasure, only non-disclosure
— Nikhil Pahwa (@nixxin) July 27, 2018
7:10pm: Nandan Nilekani has spoken. It “will be fine” if Aadhaar isn’t mandatory for everything, he told CNBC.
— CNBC-TV18 (@CNBCTV18Live) July 24, 2018
#Exclusive | #Aadhaar Architect @NandanNilekani: Justice Srikrishna Panel has given a balanced opinion on Aadhaar provisions. @UIDAI will now come under the purview of #DataProtection law. Someone who's not happy with UIDAI can now appeal under the new law. @ChandraRSrikant pic.twitter.com/VQImZZoHJi
— ET NOW (@ETNOWlive) July 27, 2018
6:57pm: The committee is recommending that Aadhaar authentication only be used by government entities:
The committee seems to want to limit Aadhaar authentication (as opposed to offline “verification”) to public authorities and those enabled by specific laws to conduct auth. This would signal a huge shift from the “ID as public infrastructure” vision of #Aadhaar. pic.twitter.com/lcrl5h7J9h
— Pranesh Prakash (@pranesh) July 27, 2018
And the committee seems to have rejected the argument that consent and notice needs to be dropped altogether:
The Srikrishna Committee seems to disagree with @matthan on the utility of consent. But acknowledges that there are problems with the way consent currently works when it comes to data protection. pic.twitter.com/HXsDRBIPcA
— Pranesh Prakash (@pranesh) July 27, 2018
6:42pm: Data breach sits on the lower penalty tier, while transfer of personal data outside India is fined on the higher tier: 5 crore or 2% of global turnover (whichever is higher) on the lower tier, and 15 crore or 4% of global turnover (whichever is higher) on the upper tier. That a data breach attracts only the lower tier is notable.
6:27pm: Here are highlights of the Bill by NASSCOM’s Data Security Council of India.
6:25pm: That the data subject is the owner of their personal data is not explicitly asserted in the Bill. The Aadhaar Act is not amended by this Bill, and the UIDAI isn’t named in it, contrary to what The Caravan’s reporting on an earlier draft had indicated.
6:17pm: Aside from defining “fear of surveillance” and a similar term as a possible harm, there is no reform of state surveillance in the Bill, as was demanded in SaveOurPrivacy.in’s Privacy Code.
6:12pm: The establishment of the Data Protection Authority of India will be done through a notification by the central government. This is similar to how TRAI was set up. But the transparency of the DPAI’s functioning will depend on the proactive measures taken by the government in constituting and laying down guidelines for the body. Proceedings may be transparent if the government chooses to stick by its 2014 Pre-legislative Consultation policy.
6:00pm: The DPAI will have to be established within three months of the date notified by the central government after this Bill is passed. Within 12 months, the authority will have to come up with the valid grounds for data processing. Note: The Act will only apply for personal data, not to data that’s in the public domain. However, the scope of the definition of personal data is quite wide.
5:56pm: The DPAI will have powers to discontinue a data controller’s operations or order them to modify their operations to make them compliant with the Bill. It can also suspend cross-border data flow by the controller. This will be appealable to an Appellate Tribunal.
5:50pm: Transfer of data cross-border comes with caveats depending on how sensitive that information is — consent must be given for offshore storage.
41. Conditions for Cross-Border Transfer of Personal Data. —
(1) Personal data other than those categories of sensitive personal data notified under subsection (2) of section 40 may be transferred outside the territory of India where—
(a) the transfer is made subject to standard contractual clauses or intra-group schemes that have been approved by the Authority; or
(b) the Central Government, after consultation with the Authority, has prescribed that transfers to a particular country, or to a sector within a country or to a particular international organisation is permissible; or
(c) the Authority approves a particular transfer or set of transfers as permissible due to a situation of necessity; or
(d) in addition to clause (a) or (b) being satisfied, the data principal has consented to such transfer of personal data; or
(e) in addition to clause (a) or (b) being satisfied, the data principal has explicitly consented to such transfer of sensitive personal data, which does not include the categories of sensitive personal data notified under sub-section (2) of section 40.
5:44pm: Data localization is mandated for personal data — or at least, mirroring is:
40. Restrictions on Cross-Border Transfer of Personal Data. —
(1) Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.
(2) The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India.
(3) Notwithstanding anything contained in sub-section (1), the Central Government may notify certain categories of personal data as exempt from the requirement under subsection (1) on the grounds of necessity or strategic interests of the State.
(4) Nothing contained in sub-section (3) shall apply to sensitive personal data.
5:38pm: The Bill includes a Right to be Forgotten — and it doesn’t just apply to search engines.
27. Right to Be Forgotten —
(1) The data principal shall have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary related to the data principal where such disclosure—
(a) has served the purpose for which it was made or is no longer necessary;
(b) was made on the basis of consent under section 12 and such consent has since been
(c) was made contrary to the provisions of this Act or any other law made by Parliament or any State Legislature.
(2) Sub-section (1) shall only apply where the Adjudicating Officer under section 68 determines the applicability of clause (a), (b) or (c) of sub-section (1) and that the rights and interests of the data principal in preventing or restricting the continued disclosure of personal data override the right to freedom of speech and expression and the right to information of any citizen.
(3) In determining whether the condition in sub-section (2) is satisfied, the Adjudicating Officer shall have regard to—
(a) the sensitivity of the personal data;
(b) the scale of disclosure and the degree of accessibility sought to be restricted or prevented;
(c) the role of the data principal in public life;
(d) the relevance of the personal data to the public; and
(e) the nature of the disclosure and of the activities of the data fiduciary, particularly whether the data fiduciary systematically facilitates access to personal data and whether the activities would be significantly impeded if disclosures of the relevant nature were to be restricted or prevented.
(4) The right under sub-section (1) shall be exercised by filing an application in such form and manner as may be prescribed.
(5) Where any person finds that personal data, the disclosure of which has been restricted or prevented by an order of the Adjudicating Officer under sub-section (2) does not satisfy the conditions referred to in that sub-section any longer, they may apply for the review of that order to the Adjudicating Officer in such manner as may be prescribed, and such Adjudicating Officer shall review her order on the basis of the considerations referred to in sub-section (3).
5:35pm: Data controllers will have to transparently disclose how they process personal data, and provide periodic updates on their processes to data subjects.
30. Transparency. —
(1) The data fiduciary shall take reasonable steps to maintain transparency regarding its general practices related to processing personal data and shall make the following information available in an easily accessible form as may be specified—
(a) the categories of personal data generally collected and the manner of such collection;
(b) the purposes for which personal data is generally processed;
(c) any categories of personal data processed in exceptional situations or any exceptional purposes of processing that create a risk of significant harm;
(d) the existence of and procedure for the exercise of data principal rights mentioned in Chapter VI, and any related contact details for the same;
(e) the existence of a right to file complaints to the Authority;
(f) where applicable, any rating in the form of a data trust score that may be accorded to the data fiduciary under section 35;
(g) where applicable, information regarding cross-border transfers of personal data that the data fiduciary generally carries out; and
(h) any other information as may be specified by the Authority.
(2) The data fiduciary shall notify the data principal of important operations in the processing of personal data related to the data principal through periodic notifications in such manner as may be specified.
5:33pm: The Data Protection Authority of India will have discretion to determine whether a breach should be disclosed to data subjects or not.
(5) Upon receipt of notification, the Authority shall determine whether such breach should be reported by the data fiduciary to the data principal, taking into account the severity of the harm that may be caused to such data principal or whether some action is required on the part of the data principal to mitigate such harm.
(6) The Authority may, in addition to requiring the data fiduciary to report the personal data breach to the data principal under sub-section (5), direct the data fiduciary to take appropriate remedial action as soon as possible and to conspicuously post the details of the personal data breach on its website.
5:31pm: Every data fiduciary will need to have independent Data Auditors perform an annual audit, and the DPAI will register Auditors:
Data Audits. —
(1) The data fiduciary shall have its policies and the conduct of its processing of personal data audited annually by an independent data auditor under this Act.
(2) The data auditor will evaluate the compliance of the data fiduciary with the provisions of this Act, including—
(a) clarity and effectiveness of notices under section 8;
(b) effectiveness of measures adopted under section 29;
(c) transparency in relation to processing activities under section 30;
(d) security safeguards adopted pursuant to section 31;
(e) instances of personal data breach and response of the data fiduciary, including the promptness of notification to the Authority under section 32; and
(f) any other matter as may be specified.
(4) The Authority shall register persons with expertise in the area of information technology, computer systems, data science, data protection or privacy, with such qualifications, experience and eligibility having regard to factors such as independence, integrity and ability, as it may specify, as data auditors under this Act.
(5) A data auditor may assign a rating in the form of a data trust score to the data fiduciary pursuant to a data audit conducted under this section.
5:21pm: The Data Protection Authority of India will be set up, and it can add more categories of personal data under these factors:
The Authority shall specify categories of personal data under sub-section (1) having regard to—
(a) the risk of significant harm that may be caused to the data principal by the processing of such category of personal data;
(b) the expectation of confidentiality attached to such category of personal data;
(c) whether a significantly discernible class of data principals may suffer significant harm from the processing of such category of personal data; and
(d) the adequacy of protection afforded by ordinary provisions applicable to personal data.
5:16pm: Withdrawing consent puts liability on a data subject (“data principal” as put in the Bill): “Where the data principal withdraws consent for the processing of any personal data necessary for the performance of a contract to which the data principal is a party, all legal consequences for the effects of such withdrawal shall be borne by the data principal.”
Meanwhile, the burden of proof that consent was obtained lies with the data controller (“data fiduciary”).
5:13pm: Provision of a service cannot be made conditional on handing over data that isn’t needed for it: “The data fiduciary shall not make the provision of any goods or services or the quality thereof, the performance of any contract, or the enjoyment of any legal right or claim, conditional on consent to processing of any personal data not necessary for that purpose.”
5:09pm: We are now highlighting key parts of the Bill as we review it.
On consent: “For the consent of the data principal to be valid, it must be—
(a) free, having regard to whether it meets the standard under section 14 of the Indian Contract Act, 1872 (9 of 1872);
(b) informed, having regard to whether the data principal has been provided with the information required under section 8;
(c) specific, having regard to whether the data principal can determine the scope of consent in respect of the purposes of processing;
(d) clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context; and
(e) capable of being withdrawn, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given.”
4:30: The event has ended. We will post the link to the report when it becomes available.
4:28: “Being a very monumental law, I’d like to have the widest parliamentary consultation possible.” — Minister RS Prasad, adding that the bill will go through multiple stages before reaching parliament.
4:27: “I’m not talking about Aadhaar because it’s sub-judice. […] Yes, there are criminal provisions. If a person refuses to follow an order what do you do? There is a data authority. Baaki ka parde pe dekho. [Watch the rest when the curtain opens].”
4:25: “Reserve Bank already jumped the gun [on financial sector localization]. Sectoral regulator will apply their mind to deal with all these issues. Let the sectoral regulator do the exercise. Obviously all blanks should be filled by them. Apart from criticality nothing has been said on localization. In Atomic Energy Commission, it’s easy. But high school data is not so critical.” — Justice Srikrishna.
4:24: “We have called it data fiduciary and data principal; we haven’t dealt with data as property. Aadhaar is just one scratch on the surface. This is an overarching law. Aadhaar happened to be the first kid on the block so that’s why Supreme Court had to deal with constitutionality. On localization, some people say it should be freely allowed or restricted; we think there are circumstances where it should be stored here and circumstances where it should be stored over there. Mirroring too. Authority will decide.” — Justice Srikrishna, adding that he doesn’t want his personal data to be stored in Timbuktu.
4:21: “There is data protection officer, appellate tribunal… Then there are questions like how much liberty state has to intrude upon the citizen’s rights. If you’re chasing a terrorist you can’t claim privacy. Concepts like data portability have been highlighted in both the report and the bill.” — Justice Srikrishna
4:19pm: Justice Srikrishna tells a parable about an elephant’s droppings to make a point about digital footprints of people. “We have talked about when consent should be given, whether consent is sufficient, circumstances where consent is not enough, how to protect children’s rights, and rights of citizen to have consent recalled, how to avoid consent fatigue, and how to ensure citizens are empowered by this mechanism.”
4:13pm: “Justice Srikrishna did a great job, and thereafter I took the liberty to ask him to head this committee. I’m very grateful that he agreed to that.” — IT Minister Ravi Shankar Prasad.
4:08pm: The event has started.
4:00pm: The press event at the IT Ministry, where the report will be submitted, is set to begin shortly.
Note: The piece has been updated at 4:33pm to reflect that the Bill itself has been released.