At the end of the Srikrishna Committee’s data protection report, there are two notes of dissent from members of the committee: Rama Vedashree, the CEO of NASSCOM’s Data Security Council of India, and Prof. Rishikesha T Krishnan, an IIM Indore professor.
In her dissenting note, Rama Vedashree raised the following issues:
- Data Localisation: The data localisation requirement in the Bill is regressive and against the “fundamental tenets of the liberal economy”. She added that portraying localisation as a tool for developing the domestic market is “fuelled by unfounded apprehensions and assumptions”. She said that localisation could be a trade barrier.
- Sensitive Personal Data: Vedashree disagrees with classifying passwords and financial data as sensitive personal data. “The concept of Sensitive Personal Data is primarily used for providing higher level protection to the data subject from instances of profiling, discrimination and infliction of harm that are identity driven,” she said, adding that most countries don’t classify passwords and financial data as sensitive personal data.
- Criminal Offenses: The inclusion of criminal offenses, she said, was draconian. The steep civil penalties and fines are sufficient as a deterrent, she argued.
She has requested that MeitY hold further consultations with stakeholders before finalizing the bill.
Prof. Rishikesha had two points of dissent:
- The requirement that every data fiduciary should store one live, serving copy of personal data in India is against the basic philosophy of the Internet and imposes additional costs on data fiduciaries without a proportional benefit in advancing the cause of data protection [Chapter 6 of the report].
- The observations and recommendations regarding the Aadhaar Act are outside the scope of the committee’s work. [Chapter 7 of the report].
Rama Vedashree’s note of dissent — full
Data Security Council of India (DSCI) and its Industry members have been advocating for a data privacy and protection law in the country for the last several years. We believe, the digital economy should primarily aim to benefit citizens, and the technology sector is fully supportive as the growth and proliferation of Information and Digital technologies is linked to citizen’s feeling safe, secure and assured in the digital environment. DSCI since its inception has been working towards promoting data protection and is committed to equipping the industry through its capacity building initiatives to raise the threshold of privacy practices in India.
To ensure growth of the digital economy while keeping personal data of citizens secure and protected, it is important that as a country we take a balanced view that can meet the twin imperatives of safety and security of Indian data as well as enable the flow of global data into and from India. The committee of experts under the chairmanship of Justice B.N. Srikrishna, has been working tirelessly for a year to achieve the goals laid down before us. The extensive Public Consultation and soliciting feedback from all stakeholders in India and across the world, and comprehensive review of inputs received has been a highlight of the Committee’s deliberations. The framework proposed by the committee incorporates numerous provisions that lay emphasis on demonstration of accountability and re-establishing trust between entities and end consumers in the digital ecosystem. But, with respect to certain provisions inscribed in the bill, I have a fundamental disagreement. This disagreement exists with respect to three provisions in particular.
First, the draft bill in its present form places restrictions on cross border flow of personal data. Under section 40(1) of the bill, this restriction translates into storing a copy of all personal data within India, while section 40 (2) completely restricts the cross-border flow of personal data for sensitive data categorised as critical personal data by the central government at its discretion, without inscribing guiding principles for this determination in the bill.
This approach is not only regressive but against the fundamental tenets of our liberal economy. Moreover, the inclusion of such restrictions in a bill that should focus primarily on empowering Indians with rights and remedies to uphold their right to privacy, seems out of place.
The committee report in chapter 6, projects localisation as a tool for domestic market development. This narrative seems fuelled by unfounded apprehensions and assumptions, rather than evidence and reasoning.
We as a country and Industry have been advocating the imperative of free flow of data and talent across borders. This is the foundation of the $167 billion IT-BPM industry represents and is India’s largest foreign exchange earner ($110B in 2017-18). IT-BPM Service providers in India process financial, healthcare and other data of citizens and companies in the US, EU, and elsewhere in the world and have created employment for over 4 million people. Mandating localization may potentially become a trade barrier and the key markets for the industry could mandate similar barriers on data flow to India, which could disrupt the IT-BPM industry. We are not only a Global hub for corporations from more than 80 countries, but also the destination for leading Global Corporations for R&D, Product Development and Analytics, Shared Services. We are also one of the largest growing technology start-up hubs in the world, who from India are offering their innovative solutions and services to global geographies often leveraging global cloud platforms, thanks to the fundamental principle of Cross Border Data Flows and Internet economy.
Second, I disagree with the categorisation of financial data and password as sensitive personal data under section 3(35) of the bill. The guiding principles as mentioned in the report under chapter 3, for determining sensitivity are broad and can possibly be used to justify the inclusion of any type of data to this category of personal data. The concept of Sensitive Personal Data is primarily used for providing higher level protection to the data subject from instances of profiling, discrimination and infliction of harm that are identity driven. Neither financial data nor passwords fall into this category. It is also important to note, out of the 68 countries that presently have an overarching data protection regulation none have categorised financial data or passwords as sensitive personal data. These include countries from Asia Pacific, Europe and the Middle East.1
Third, the inclusion of criminal offences under chapter XIII of the draft bill is draconian. The Draft Bill and the Report, with steep fines and compensations advocate penalties which are sufficient to achieve the imperative of having deterrent penalties. The inclusion of criminal offences along with the fines and compensation is excessive and would impact the enforcement mechanism greatly. The enforcement tools should enable swift assessment and action to keep the process lean and approachable for the common man.
In addition to the above-mentioned points, the report under chapter 7 and the associated appendix, suggests sweeping amendments to the Aadhaar Act; these need a thorough review. I suggest a separate public consultation exercise by the government to examine these amendments. I also request Government to publish the Bill, and the Report on MeitY’s website, and conduct a round of Industry and stakeholder consultations before enacting the same.
1 Annexure to this Note — pp. 210–212 of the report.
Prof. Rishikesha T Krishnan’s note of dissent — full
Dear Justice Srikrishna,
It has been a privilege for me to be a member of this Committee that has undertaken the most challenging task of envisioning a robust data protection framework for India. I thank you for providing an environment where free discussion of all issues was possible. I particularly laud your efforts to undertake extensive consultation with all stakeholders.
I am in broad agreement with the conclusions in the report and the accompanying draft bill.
However, I have reservations regarding the following which I would like to place on record. I would be grateful if these reservations could be recorded appropriately so that these are available to anyone who reads the report.
1. The requirement that every data fiduciary should store one live, serving copy of personal data in India is against the basic philosophy of the Internet and imposes additional costs on data fiduciaries without a proportional benefit in advancing the cause of data protection [Chapter 6 of the report].
2. The observations and recommendations regarding the Aadhaar Act are outside the scope of the committee’s work. [Chapter 7 of the report].
Rishikesha T. Krishnan