India’s Data Protection Law Takes Shape

Right to privacy is now a fundamental right in India, thanks in part to the central government’s overzealous drive for ‘aadharification’ of everything under the sun. This project of the centre ultimately led to the Supreme Court asking that a robust regime for data protection be put into place.

The Centre set up a committee of experts led by Justice B N Srikrishna to study various aspects of privacy, analyse best international practices regarding data protection and come up with a draft bill which secures and protects personal data of citizens but doesn’t hamper the growth of digital economy. The committee has taken a comprehensive view of the issue and put out a white paper in public domain soliciting comments from all stakeholders.

The committee studied various international models: The European Union one, which is rights-based and is heavily tilted in favour of the people and against organisations collecting and processing data. It runs the risk of hampering innovation. The United States model encourages innovation by allowing organisations to process data of individuals as long as they are informed of it. Singapore, Canada, Australia, and other models can be termed as hybrid of these two models which try to balance the interests of individuals as well as the organisations. The committee has strived to achieve this balance in its white paper.

First, it has explored scope and exemptions under a future data protection law. Second, it has focused on discussing various grounds of processing of data, what could be the obligations on identities and individual rights. Third and last, it ventures to zero in on how to frame regulations and their enforcement.

Scope And Exemptions

The data protection law would obviously apply to all entities operating out of India but this is not enough. Most of the firms have their data servers outside India and the processing of data of India’s citizens may be taking place outside its borders. That also needs to be regulated that’s why any law must cover all firms that carry on a business, or offer services or goods in India no matter where the data processing takes place. As the white paper mentions about EU regulation, it puts data subject, that is the people, squarely at the centre of the legislation.

The next question is whether the law should cover natural persons only or even juristic entities (companies)? Should the law apply equally to the state and non-state entities or should there be separate provisions for the public and private sector? Should the law be applied retrospectively given that so much data of individuals is already with various organisations? We will know the answers to these once the white paper becomes a draft bill.

Defining data/information of an individual is at the core of any legislation regarding privacy because that alone will decide the scope of data that has to be protected. India’s Supreme Court has said that the objective of data protection regime should be to shield the autonomy of the individual by protecting his/her identity and not just intimate information. And information about an individual that needs protection needn’t be entirely true and could be an opinion (consider creditworthiness of someone - it’s a form of an opinion).

Autonomy of an individual can be ensured only if personal data of the individual is protected and if he can’t be identified by that data. Some countries broaden the scope of protection by using terms such as “reasonably identifiable” or “identifiable individual”. Some countries mandate pseudonymisation, that is disguising identities, to reduce risk to the data of individuals. Another method could be anonymisation of data which is the process of eliminating any link between an individual and the data about him/her. But with new technologies, this will become harder to execute as many identifiers can’t be reliably delinked.

Next, there is need to differentiate between normal data and sensitive data. Some forms of data are more equal than its other forms. Many countries classify health information, genetic information, religious beliefs and affiliations, sexual orientation, racial and ethnic origin as sensitive personal data. Financial information can also be treated as such. In India’s case, treating caste and religion as sensitive data may not be practical given that welfare benefits are invariably linked to these criteria.

Equally important is defining what operations on a data constitute “processing”.

If the law has to assign accountability, terms such as ‘data controller’ or “data processor” will have to be defined. Some countries exempt certain types of data controllers from the ambit of law. These exemptions include processing of data for personal or household purpose (maintaining a diary etc), processing of data for journalistic, artistic or literary purpose, for research, historical or statistical purpose, for investigation, apprehension or prosecution of offenders, and for national security purposes. The law will have to do a great balancing act here in ensuring privacy as well as not inhibiting research, investigation, etc.

Cross border flow of data is today’s reality. One can’t afford to indulge in data nationalism without suffering grave economic consequences especially services driven economies like India which brand themselves as deliverers of services at inexpensive prices. Some countries have come up with adequacy test and classify other countries based on the quality of data protection they provide. They enter into data trade agreement with each other just like the goods or services trade agreement.

Countries like China, Australia or Russia mandate data localisation - storing data of individuals in their own country - but this has proved to be costly. In India’s case, we may not go for data localisation as an overall strategy. However, we must certainly do so for countries such as China which are hostile. We can also mandate that companies operating in highly sensitive data localise it here. However, imposing blanket localisation may do more harm than good.

Grounds Of Processing, Obligation Of Entities And Individual Rights

Consent of the individual must be at the heart of any privacy law. But this is not as straightforward it seems. Meaningful and informed consent is not always achievable practically. There should be different levels of consent - it must be explicit when it comes to sensitive data. Many times those consenting don’t have meaningful bargaining power. As the paper notes, “the individual has no opportunity to negotiate the terms of the notice, which she is agreeing to. If she does not agree, she has no option but to forego the service offered by the data controller.” Throw in the ‘child’s consent’ debate into it and the issue gets many more times complicated. There are no easy answers. Parental authorisation is one way to go about it but it may not always be feasible.

‘Notice’ is equally complex term as “consent’. In principle, whenever one’s data is processed for whatever reason, the individual must be informed. But notices for that purposes are not always straightforward. Their intention is more to trick rather than be honest. Their designs will have to be standardised. Tests such as ‘data trust score’ or privacy impact assessment can be designed to rate the organisations on basis of their data use policies or design of notices to nudge them towards good and honest practices. Consent or notice is (can) not (be) the only way for organisations to lawfully process data. Internationally, five other criteria are followed: performance of a contract with the data subject; compliance with a legal obligation imposed on the controller (bank reporting suspicious transactions under anti-money laundering laws); protection of vital interests of the data subject; performance of a task carried out in the public interest; and legitimate interests pursued by the controller, subject to an additional balancing test against the data subject‘s rights and interests.

Should the data controllers specify exactly for the purpose an individual’s data is used? In principle, that’s the right way but it may not always be practical given the answers to that question may be much more complex.

Individual enforcement rights is another important aspect of privacy law. What sort of information about me is out there or can I edit or rectify it are legitimate concerns. This type of control an individual must have. The paper recommends that a fee may be charged for accessing such information to discourage frivolous requests.

Should an individual have the right to object to use of their data for specific purposes? Should they be able to port data from one platform to other? And above all, should an individual have the right to be forgotten (erase permanently data about him/her online)? These are also important questions that privacy law must address.

Regulation And Enforcement

Command-and-control is an enforcement model where government is the sole entity that frames the law and enforces it. Under, self-regulation model, it is left to the industry to come up with its own codes of conduct regarding data protection. However, both are not sufficient, and hence a third way is proposed in the white paper which is also the common practice in various countries. This co-regulation model involves participation of both the government and the industry so that interests of both the individuals and organisation can be balanced the legislation is not skewed in favour of one or the other.

To make sure that accountability is taken seriously, it is necessary that those who violate data protection rules are made liable for the harms they cause to individuals. In fact, the individuals should be compensated not only when there is an economic harm which is calculable but also for breach of confidence which may not always be calculated. In this case, regulator can impose fine on data processor/controller and ask it to pay to the individual.

In case of data breaches, the individuals can be notified so that they can also take actions on their own. Even data protection authority can also be notified in such cases.

It is clear that if all these actions have to be carried out, India will have to create a data protection authority with various positions of data protection/processing officers, etc who will keep a close eye on whether or not the data protection legislation is implemented or not. This agency may also carry out periodic data audits of organisations and publish reports on data protection impact assessment. The white paper suggests three broad categories of functions, powers and duties, which may be performed by a data protection authority: 1) monitoring, enforcement and investigation; 2) standard-setting; and 3) awareness generation.

A new judicial ecosystem will need to be created around data protection legislation. Needless to say, this new system must avoid the pitfalls of old processes and there must be a mandate for speedy completion of cases in a fixed, time-bound manner. If the appellate tribunal meant for adjudicating matters related to data protection in a timely manner, the whole purpose of creating this new law will be defeated. Hence, making sure that the adjudication process works like a well oiled machine must be given topmost priority.

If white paper is any indication of the data protection draft law that is in the offing, we are in for a pleasant surprise. Since the paper is in public domain for comments, it is everyone’s responsibility to help the policymakers come up with a good legislation which balances the security and privacy of data with the innovation and growth in digital economy.