Privacy Law: Despite Flaws, Srikrishna Report Is A Huge Advance For India

The Srikrishna panel report on framing a new data privacy law is a breakthrough for three reasons: first, it finally sets the stage for an omnibus privacy law of the kind we have never had in this country; it rightly tries to balance the individual’s privacy needs with the legitimate interests of the state or of businesses in terms of access to personal data; and third, it breaks away from the old tendency of lazily copy-pasting laws from the US or Europe without reference to local conditions. It is an original India-based law, as Nandan Nilekani, creator of the Aadhaar Unique ID project, points out here.

It is tempting to get into the details of the report right away, but before we do that, it is worth framing the key issues in simple terms with this quiz.

#1: How often do we click – without thinking – on the “I agree” button to access a service (whether it is email or e-commerce or e-information) we want? Is this informed consent?

#2: How often do we heed warnings that appear whenever you click on a link inside a website, and you are told that you do so at your own risk, and that the current website will take no responsibility for what you do after you click on the link?

#3: When you try and login to a new website, you are often given the choice of logging in through a new registration page, or with your existing Facebook or Gmail logins or passwords. Do you ponder over what happens when this handshake happens between two separate databases?

#4: When we use smartphones, and the data servers are almost always abroad, do you wonder if the finger-prints used to unlock your phone may also be backed up in another country? How safe are your finger-prints in the custody of your smartphone company?

#5: When you log in to Paytm or Airtel Money or Ola or Uber, you explicitly give permission to these apps to read your SMSes and access your contacts. When you buy online insurance, you are often specifically told that you are giving permission to the insurance seller to over-ride your DND (do not disturb) registration with reference to your inquiry. Thus, the DND you registered for is not impregnable.

The point of this quiz is to emphasise one simple point: no matter how sophisticated a privacy advocate you are, and how informed you may be while giving consent to a company or service provider to capture your data, you are ultimately not immune to data insecurity and hacking and leakage. By giving permissions one after another to various service providers, you create a loop of data outside the control of each one of these service providers. Thus, all of them can deny data breaches even while this loop itself is not leak-proof or hack-proof.

Put another way, informed consent is no longer really possible at the individual level, no matter how tight a law we have on data privacy. We need a solution to this issue, and the Srikrishna report does not quite provide an answer. We will attempt one towards the end of this article.

But, with some ifs and buts, the 213-page Srikrishna report (read the full text here) can legitimately claim that “it sets the foundations for a growing, digital India that is at home in the 21st century. This is distinct from the approaches in the US, EU and China and represents a fourth path. This path is not only relevant to India, but to all countries in the Global South which are looking to establish or alter their data protection laws in light of the rapid developments to the digital economy.”

That it has immediately drawn a chorus of criticism (read the critiques here, here, here, here) is not surprising, for when you have to balance so many factors, you will not get an ideal bill from any one constituency’s point of you. If you give too much of privacy protection, the costs for businesses will rise. If you give too little, the individual’s interests are compromised. If you give the state too much of a free hand to inquire into people’s data on the plea that it needs to protect national interest, it can have a chilling effect on our constitutional freedoms.

So, it’s not surprising that the report can be criticised from one angle or the other.

The key elements in its recommendations include the following:

One, Srikrishna rightly makes the individual the owner of her personal data and uses new terminology to describe her status. She is now the Data Principal and not the Data Subject. Those who collect her data for providing various kinds of services are called Data Fiduciaries, which means they need to take full responsibility for the proper use of the data collected.

Two, “sensitive” personal data can be processed and used only in India, which means this data can’t be shipped abroad. Examples of “sensitive” data include genetic and biometric information, passwords and financial data, health data, sex life and orientation, and information on caste, community, religious and political affiliations, among other things. This recommendation will draw howls of protest from the global platforms (Google, Facebook, etc), which have all this information possibly stored outside India. This data is vulnerable to hacking by rogue elements abroad, including official surveillance agencies in the US, Russia and China. US intelligence agencies had tapped into the German chancery for decades, including Chancellor Angela Merkel, and so there is no reason to presume Indian data will be safe abroad.

Three, to regulate and play policeman, the report recommends the creation of a Data Protection Authority which will have all the powers to discipline and penalise those who transgress the law.

Four, the report proposes a Personal Data Protection Bill 2018 that will involve amendments to more than 50 other existing laws, including the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016, the Information Technology Act, the Income-Tax Act, the Companies Act, etc.

Clearly, the details of the report involve sweeping changes to the way the Indian state and India Inc relates to citizens. When legislated, this data protection law will be one of the biggest reforms in the area of privacy anywhere in the world.

To come back to the point we mentioned at the beginning, about the impossibility of anyone giving informed consent in every case or occasion, there is perhaps one more kind of institution worth creating apart from the Data Protection Authority. And this institution can be an intermediary acting on behalf of the citizen to actually give or withdraw previously “informed consents”. While the onus of protecting privacy has been shifted substantially to Data Fiduciaries, it would help if the Data Principal (ie, the citizen) got advice and warnings from Privacy Protection Agencies that monitor what data is being collected from the individual, and whether the consent given is excessive or just about right.

An example from the field of investment may be appropriate here. We can’t all be informed investors even though an IPO prospectus may mention all the risks of investing in a company and professional stock pickers give us recommendations with their usual caveats. To help us navigate stock market risks, we have intermediary institutions like mutual funds and portfolio management companies to make our investments more informed.

Isn’t is worth considering the creation of privacy intermediaries who act as agents on behalf of citizens to check if the consents they give are warranted? The way it could work is to route all consents through intermediary apps or websites so that they are aware of what consent is being given and for what purpose. They can then advise citizens on whether they are giving out too much for too little benefit. This intermediary service can be free for all in terms of basic advice, but can come for a fee for those using multiple services for work and personal profit. Privacy, after all, matters most to those who have most to lose. These intermediaries could be unlimited liability companies who could bat on behalf of the ordinary citizen, and could even be funded through the penalties collected by the Data Protection Authority.

It is time to make informed consent even more informed by inserting an intermediary to help make this choice.