A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians
The Ministry of Electronics and Information Technology, government of India, constituted a Committee of Experts under the Chairmanship of Justice B. N. Srikrishna on July 31, 2017. Its purpose was to identify the main data protection issues in India and recommend measures to address these issues.
The committee submitted this report to the ministry on July 27, 2018, along with a draft bill on personal data protection (this is different from the Personal Data Protection Bill, 2019, which Ravi Shankar Prasad, minister for Electronics and Information Technology, introduced in the Lok Sabha on December 11, 2019). The report proposes a framework for a personal data protection law “…that protects individual privacy, ensures autonomy [of personal data], allows data flows for a growing data ecosystem and creates a free and fair digital economy.”
The report begins with an introduction (Chapter 1). The other chapters cover: the scope and applicability of a data protection law (Chapter 2); processing of personal data (Chapter 3); obligations of ‘data fiduciaries’ or entities that process personal data (Chapter 4); the rights of ‘data principals’ or individuals who possess their own personal data (Chapters 5); the flow of data across borders (Chapter 6); the impact of a data protection law on other legislations (Chapter 7); issues of consent for processing personal data (Chapter 8); and the enforcement of a data protection law (Chapter 9).
The committee states that a ‘free and fair’ digital economy requires protecting an individual’s autonomy with regard to personal data: “Such an economy envisages a polity where the individual is autonomously deciding what to do with her personal data, entities are responsibly sharing such data and everyone is using data, which has immense potential for empowerment, in a manner that promotes overall welfare.”
The committee suggests that the data protection law should apply to the processing of personal data which has been used, shared, disclosed, collected or otherwise processed in India; or to processing activities that could harm the privacy of data principals in India.
The relationship between an individual (‘data principal’) and a data processing entity (‘data fiduciary’) is a ‘fiduciary relationship’. Data fiduciaries are obliged to process data in a fair and reasonable way. This includes maintaining quality and adhering to personal data storage limitations. The data principal is responsible for providing accurate data.
Personal data, the committee recommends, should be defined on the basis of ‘identifiability’. Personal data should be distinguished from ‘sensitive personal data’, including passwords, financial data, health data, sexual orientation, and an individual’s religious and political beliefs or affiliations.
Consent should be the lawful basis for processing personal data, the report says. For consent to be valid it should be free, informed, specific, clear and capable of being withdrawn. All data fiduciaries should adopt age verification mechanisms and obtain parental consent if the data principal is below the age of 18.
The committee asserts that it is essential to provide data principals with the means to enforce their rights against the corresponding obligations of data fiduciaries. These rights must be based on the principles of autonomy, self-determination, transparency and accountability, so that individuals have control over their data. The data principal should have the right to confirm, access and correct their personal data. They should also have the right to object to or restrict the processing of their personal data.
Cross border transfers of personal data should be regulated, suggests the committee. Personal data regarded as sensitive or ‘critical to the nation’ should be processed only in India, and other types of personal data must retain at least one copy within India.
Various laws stipulate the processing of personal data for different objectives, notes the committee. It states that “The Aadhaar Act  needs to be amended to bolster data protection.”
Processing personal data without an individual’s consent, the committee observes, is valid when facilitating the State’s welfare functions, in compliance with a law or legal order, for prompt action in emergency situations, employment or for any other ‘reasonable purpose’.
The committee recommends establishing a Data Protection Authority – an independent regulatory body for creating policies and for monitoring and enforcing a data protection law.
Focus and Factoids by Ajay Srinivasmurthy.
Committee of Experts under the Chairmanship of Justice B. N. Srikrishna
Ministry of Electronics and Information Technology, Government of India, New Delhi
27 Aug, 2018