Given the vast amounts of personal data being collected by private companies and state agencies, and their flow across national jurisdictions, the absence of a data protection legal framework in India has been a cause for deep concern. This is even more so because in many cases individuals whose data have been used and processed by agencies, both private firms and state entities, are oblivious to the purpose for which the data are being harnessed. The need for legislation was also underlined last year with the landmark judgment in Justice K.S. Puttaswamy v. Union of India that held the right to privacy to be a fundamental right. Against this backdrop, the draft legislation on data protection submitted by a committee of experts chaired by Justice B.N. Srikrishna to the Ministry of Electronics and Information Technology after year-long public consultations provides a sound foundation on which to speedily build India’s legal framework. It seeks to codify the relationship between individuals and firms/state institutions as one between “data principals” (whose information is collected) and “data fiduciaries” (those processing the data) so that privacy is safeguarded by design. This is akin to a contractual relationship that places obligations on the entities entrusted with data, which are obligated to seek the consent of the “principal” for the use of personal information. The draft legislation puts the onus on the “data fiduciary” to seek the clear, informed, specific and free consent of the “principal”, with the possibility of withdrawal of data, to allow for the use and processing of “sensitive personal data”.
In many ways, the draft legislation mirrors the General Data Protection Regulation, the framework on data protection implemented in the European Union this May, in providing for “data principals” the rights to confirmation, correction of data, portability and “to be forgotten”, subject to procedure. It envisages the creation of a regulatory Data Protection Authority of India to protect the interests of “principals” and to monitor the implementation of the provisions of the enabling data protection legislation. Taken together, the draft bill and the report mark a welcome step forward, but there are some grey areas. The exemptions granted to state institutions from acquiring informed consent from principals or processing personal data appear in many cases to be too broad, such as those pertaining to the “security of the state”. These are hold-all phrases, and checks are vital. The report recommends a law to provide for “parliamentary oversight and judicial approval of non-consensual access to personal data”. Without such an enabling law, the exemptions provided in the bill will fall short of securing accountability from the state for activities such as dragnet surveillance. The grey areas must spark public and parliamentary debate before final legislation comes to fruition.