Introduction:

With the advancement of technology, use of the Internet has expanded tremendously. We now use the internet not only for gathering information but also for ordering food, social media and so on. While using the internet we share a great deal of personal information about ourselves; have you ever thought about whether it is secure? We share this information to access the services offered by service providers without thinking twice. The information we feed in is stored outside India’s boundaries, which is exceptionally upsetting.

Thus, this makes the protection of our information necessary.

Data protection is the process of safeguarding crucial information from being exploited. It aims to minimise the intrusion into one’s privacy caused by the collection, storage and dissemination of personal data.

The significance of protecting data increases with the amount of data being shared by the service users.

Background

The history of data protection in India commenced with the famous Aadhaar Case.[1] The Aadhaar programme was challenged in the Apex Court, where some parts of the programme were struck down. During the proceedings of this case, the Government pointed out to the Court that the Indian Constitution doesn’t guarantee a Right to Privacy to any of its citizens. A Bench of 9 judges was constituted to resolve this issue.

There wasn’t any legislation governing the data collected by the government from its citizens or by service providers from their users. There was a need to administer the data and shield the interests of citizens and users. There was a power asymmetry, because users are unable to anticipate the harms that service providers or the government can inflict. There was no clarity on the purpose for which the data would be used or why, and there was no limitation on its usage. The indiscriminate collection and use of data needed to be controlled and administered.

During the hearing of the Aadhaar case in July 2017, the Indian Government formed a committee of experts to protect data in the country. The committee was led by retired Supreme Court Justice BN Sri Krishna. The committee presented a draft of the Personal Data Protection Bill in July 2018 and requested feedback from the Ministers, stakeholders and other industry experts.[2] The draft was presented to the IT Minister Ravi Shankar (Ministry of Electronics and Information Technology). The title of the draft was “A Free and Fair Digital Economy- Protecting Privacy, Empowering Indians”.[3]

Although the relevant provisions of the Information Technology Act, 2000 regulate the use of sensitive personal information, there was still a need for laws to protect an individual’s autonomy over personal data and for an administering authority to look after infringements of such laws.

What were the Recommendations of the Committee?

  1. The committee put forward that processing (collection, storing, disclosure etc.) of personal data should be done only for ‘clear, explicit and legal’ purposes. Unnecessary data for processing shouldn’t be collected by anyone.
  2. A “Right to be forgotten” for data principals was proposed. This simply means that users will have a right to restrict or prevent any display of their personal data once the purpose of disclosing the data has been served, or when the user withdraws consent to the disclosure of their personal data.
    In the European Union, this is used by the public to get the records taken down once the purpose of sharing the data has been served. This additionally gives them the right to confirm what information is being held or revealed about them and to get it rectified in case of error.
  3. Data Localisation: The private data provided by the users will be stored on Indian servers and afterwards transferred outside the country subject to restrictions. But critical personal data will be processed only in India and not in any other place.
  4. Sensitive personal data such as religion, biometric data, sexual orientation, passwords, bank details etc. shouldn’t be processed without the explicit consent of the service user. So, if a data principal reveals his/her religion in a survey whose purpose was to count the number of people belonging to a specific religion, that principal’s name and religion can’t be used by advertising organisations to send targeted advertisements to that user.
  5. The report proposes to alter approximately 50 laws, but the two main laws which will be altered are:
    • Right to Information Act, 2005:
      The committee suggested changing Section 8(1)(j) of the Act that is associated with the disclosure of personal information for the larger public interest. The unamended section points out that revelation of personal data which isn’t concerned with public activity or interest would be an attack on one’s privacy. The proposed amendment focuses on balancing between the public interest in accessing the information and the injury that can be caused to the data principal.
    • Aadhaar Act, 2016:
      The Sri Krishna Committee also suggested that the Unique Identification Authority of India (UIDAI) should be given more authority and made autonomous, and that data protection should be reinforced. There is a need for offline verification of Aadhaar Numbers, and new civil and criminal penalties should be imposed.
  6. The Committee has also emphasised the need for separate and more stringent norms for the protection of the data of the young generation, barring companies from certain types of data processing which aren’t in young people’s best interest.

Data Protection Authority

The Sri Krishna Committee Report also proposed the setting up of the Data Protection Authority. The Authority will be independent and will be responsible for the enforcement and effective implementation of the law.

Constitution of Authority: The authority will be governed by a board consisting of 6 whole-time members and a Chairperson appointed by the Government of India on the recommendation of the selection committee. The selection committee will comprise the Chief Justice of India or his/her nominee (the nominee should be a judge of the Supreme Court of India), the Cabinet Secretary, Government of India and one expert in the field of information and technology or other related subjects.

The members of the Data Protection Authority should have exceptional knowledge and at least 10 years of professional experience in the field of data protection, information technology, data management, data science, cyber laws and other related subjects.

Term of the members: The members will have a 5-year term, subject to the suitable retirement age.

Functions of the Authority: Setting policies and standard-setting, observing and enforcing the legal affairs, research and awareness, grievance handling and adjudication etc. Further, it will state codes of practice, conduct inquiries, and issue warnings.

Extra-Territorial Jurisdiction

The bill’s jurisdiction extends to both regional and extra-territorial provisions and to all Indian citizens, along the lines of the General Data Protection Regulation. It has a horizontal application, applying to both private and public sectors.

What Are The Errors In The Proposed Draft?

The Committee suggested that personal data can be processed by the government if it is necessary for the function of the Parliament or Legislature, as in the case of the Aadhaar Card, issuance of licenses, services and so on. The draft additionally permits personal data processing without the consent of an individual for the “Functions of State”, for example when the government provides benefits to the individual, for legal proceedings, medical proceedings and so on.

The draft was vague on who really holds the data collected by the entities. It also lacked a definition of ‘critical personal data’.

In case of a breach of personal information, the individual will have to inform the Fiduciary Authority, but there is no obligation for anyone to tell the harmed data principal.

Data localisation has raised concerns of surveillance and could hamper technological advancement and innovation in blockchain and artificial intelligence.

No protection is given to Aadhaar data apart from the Aadhaar Number, as if securing the other information isn’t important. There have been many incidents of Aadhaar information being leaked, so the draft missed this important point.

Instead of completely securing the user’s information, the draft provides escape clauses, thereby giving more power to the Government. There isn’t any sunset clause on how long the government can hold the data. The proposed amendment to the Right to Information Act is silent on the concept of injury or harm. The draft is also silent on social media. How will privacy be handled on social media platforms as their usage increases day by day?

Why were there so Many Problems Even After the Draft Took a Year to be Made?

The Sri Krishna Panel lacked the participation of the general public. The members of the committee were either associated with the government or belonged to the government. The panel also had a weak consultation process. It didn’t reveal the suggestions made by the general public. The committee also lacked transparency and dismissed the request for information under the Right to Information Act.

Current Scenario

The revised draft of the Bill was submitted in the Lower House of the Parliament on December 11, 2019, and has been sent to a Joint Parliamentary Committee (JPC).

The revised 2019 bill was criticized by Justice BN Sri Krishna. He expressed that the ability of the government or its agencies to access private data on the grounds of sovereignty or public order will have dangerous implications and can turn India into an “Orwellian state”,[4] that is, a state where the government exercises draconian control over its people. These provisions will exempt government agencies from legal obligations.

It was anticipated that the bill would be passed in 2020, but it is taking more time because of its complexity.

Conclusion

The first attempt at data protection legislation is good, but it needs to be more stringent and transparent. The focus should be on the protection of the users rather than on creating loopholes that immunise the government’s use of the data. The laws should be more stringent, time-bound and free from vagueness.

References:

  1. Justice Puttaswamy (Retd.) & Anr. V. Union Of India & Ors., 2018
  2. https://cisomag.eccouncil.org/all-you-need-to-know-about-indias-first-data-protection-bill/
  3. https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
  4. https://mumbaimirror.indiatimes.com/news/india/personal-data-protection-bill-can-turn-india-into-orwellian-state-justice-bn-srikrishna/articleshow/72487174.cms
