The Committee headed by Justice B N Srikrishna recently provided its recommendations on the issue of data privacy and protection in a 176-page report, along with a draft Personal Data Protection Bill, 2018. While primary legislation governing data privacy is still to come into force, it is pertinent to note the principles governing the current privacy regime in India.
Privacy as a fundamental right
A nine-judge bench of the Supreme Court of India, in the landmark case of Justice K.S. Puttaswamy (Retd.) v. Union of India, unanimously delivered its judgment on August 24, 2017 and held that the Right to Privacy is a constitutionally protected fundamental right under Article 21 (Right to Life) of the Constitution of India and, more broadly, under Part III of the Constitution.
Fundamentals governing consent under GDPR:
The General Data Protection Regulation (hereinafter referred to as ‘GDPR’) went into effect on May 25, 2018 and sets guidelines for the collection and processing of personal information of citizens of the European Union (hereinafter referred to as ‘EU’). Under the GDPR, even entities based outside the EU which deal with the personal data of EU residents are required to obtain the consent of those residents before processing their data. In case of non-compliance with the GDPR, entities may face a penalty of up to EUR 20,000,000 or 4% of global annual turnover, whichever is higher.
- Nature of consent: Consent obtained from the data subject should be a freely given, specific, informed, explicit and unambiguous indication of the data subject’s agreement to the processing of his/her personal data.
- Evidence of consent: Clear evidence/records must be kept to demonstrate that consent was duly obtained, in a manner clearly distinguishable from other matters, and that the data subject freely consented to his/her data being processed. Such records are necessary so that the consent can be verified.
- Withdrawal of consent: The GDPR gives the data subject the right to withdraw consent at any time, and requires that withdrawing consent be as simple and uncomplicated as giving it.
Draft Data Privacy Code released by a citizen’s initiative:
A citizen’s initiative called “Save our Privacy”, supported by the Internet Freedom Foundation (a non-profit organization engaged in the protection of digital rights), has released a draft Data Privacy Code. The seven principles which summarize the draft Data Privacy Code are as follows:
- Individual rights are at the center of privacy and data protection.
- A data protection law must be based on privacy principles.
- A strong privacy commission must be created to enforce the privacy principles.
- The government should respect user privacy.
- A complete privacy code comes with surveillance reform.
- The right to information needs to be strengthened and protected.
- International protections and harmonization to protect the open internet must be incorporated.
TRAI’s recommendations on Privacy in Telecom Sector:
The Telecom Regulatory Authority of India (TRAI), vide press release no. 78/2018 dated July 16, 2018, released its recommendations on "Privacy, Security and Ownership of Data in the Telecom Sector". TRAI’s recommendations address the entire digital ecosystem, which includes service providers, devices, browsers, operating systems, applications, etc.
TRAI’s first recommendation provides that “each user owns his/ her personal information/ data collected by/ stored with the entities in the digital ecosystem. The entities, controlling and processing such data, are mere custodians and do not have primary rights over this data.”
TRAI further stated in its recommendations that “the existing framework for protection of the personal information/ data of telecom consumers is not sufficient. To protect telecom consumers against the misuse of their personal data by the broad range of data controllers and processors in the digital ecosystem, all entities in the digital ecosystem, which control or process their personal data should be brought under a data protection framework.”
TRAI also recommended that all entities in the digital ecosystem, including Telecom Service Providers, should transparently disclose information about privacy breaches on their websites, along with the actions taken to mitigate them and to prevent such breaches in the future.
Recommendations of Justice B N Srikrishna committee:
- The definition of personal data will be based on identifiability.
- Sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual.
- Consent will be a lawful basis for processing of personal data. However, the law will adopt a modified consent framework which will apply a product liability regime to consent thereby making the data fiduciary liable for harms caused to the data principal.
- For consent to be valid it should be free, informed, specific, clear and capable of being withdrawn. For sensitive personal data, consent will have to be explicit.
- A data principal below the age of eighteen years will be considered a child. Data fiduciaries have a general obligation to ensure that processing is undertaken keeping the best interests of the child in mind.
- The principle of granting protection to community data has been recognized by the Committee.
- Cross border data transfers of personal data, other than critical personal data, will be through model contract clauses containing key obligations with the transferor being liable for harms caused to the principal due to any violations committed by the transferee.
- Personal data relating to health will, however, be permitted to be transferred for reasons of prompt action or emergency.
- The proposed data protection framework replaces Section 43A of the Information Technology Act and the SPD Rules issued under that provision. Consequently, these must be repealed together with consequent minor amendments.
- The data protection law will set up a Data Protection Authority (DPA) which will be an independent regulatory body responsible for the enforcement and effective implementation of the law. Broadly, the DPA shall perform the following primary functions:
  - monitoring and enforcement;
  - legal affairs, policy and standard setting;
  - research and awareness;
  - inquiry, grievance handling and adjudication.
- The RTI Act prescribes a standard for privacy protection in laying out an exemption to transparency requirements under Section 8(1)(j). This needs to be amended to clarify when the exemption will be activated and to harmonise the standard of privacy employed with the general data protection statute.
- The Committee has identified a list of 50 statutes and regulations which have a potential overlap with the data protection framework.
Following the implementation of the GDPR, TRAI and the Justice B N Srikrishna committee have now provided their recommendations on the data privacy and protection framework. Although these recommendations are not binding in nature, they do provide an outlook on the evolving data protection framework in India. It is expected that when primary legislation governing data privacy and protection in India comes into force, the above-mentioned principles will be given their due weightage.