A year after it was constituted, a committee headed by retired Justice BN Srikrishna delivered a report and a draft bill on Friday that is likely to form the core of India’s data protection regime. In the backdrop of constant Aadhaar leaks, allegations that the government is enabling a surveillance state and amidst fears about the data collected by companies like Facebook, the Srikrishna panel was tasked with giving the government a model law based on which data will be regulated in India.

The committee first came up with a white paper in November, 2017 that outlined the areas that the panel would be looking at. The release of the Bill has been expected for some time now, with many presuming the government would seek to get some version of the draft through Parliament in the Monsoon Session, which ends on August 10.

Telecom Minister Ravi Shankar Prasad has claimed that he would like the bill to have the “widest Parliamentary consultation” before it gets put to a vote.

Here’s what you need to know about the Bill:

What does the Bill cover?

The Bill seeks to govern the “processing” – which includes collecting, recording, adapting, indexing, or even disclosing – of personal data. Personal data in this case refers to any information that is specific to the person, and makes them “identifiable”.

The Bill also carves out a category called “sensitive personal data”, which includes: passwords, financial data, health data, official identifiers, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex statues, caste or tribe and religious or political beliefs and affiliations.

Essentially, the Bill says those seeking to use personal data in any manner, have to do so in a way that protects the individual’s privacy. It then explains exactly how this is to be done, and who is permitted to do it.

On what grounds can personal data be processed?

The draft proposes giving permission to process personal data on a number of grounds:

  • If consent is given: Individuals can give consent to a person or entity to process their personal data, as long as that consent is free, informed, specific, clear and capable of being withdrawn.
  • If the state wants it: Across two different provisions, the law sets out under what conditions government can collect and use information: Parliament and state legislatures are allowed to collect and use data without consent, if it is relevant for their functioning – such as in collecting the information needed for lawmaking itself. The state, when authorised by Parliament or state legislatures, can collected and use data as long as it is explicitly mandated it in a law, with a series of fetters on what the government decides is needed. Moreover, even if it’s not explicitly mandated in a law, the Centre and state governments are permitted to collect and use personal data without an individual’s consent, as long as it is for the provision of any service or benefit from the state, or if it is for the issuance of any certification, license or permit. In these cases, only the functions – such as the provision of a welfare benefit – need to be mandated by law. Read more about the concerns surrounding this here.
  • If courts demand it: Any court or tribunal in the country can demand the collection and use of personal information without consent.
  • If it is an emergency: If the individual’s life is in danger due to a medical emergency, or if there is an outbreak of disease or a natural disaster, data can be collected without consent in response to those scenarios.
  • If employers want it: Companies are allowed to collect and use personal data without consent, as long as it is in connection with recruitment or firing, the provision of a benefit, to verify attendance, or to assess the performance of the employee. There is a condition to this: Companies should only do this without consent if it is too cumbersome to obtain the consent, or if any consent here is essentially meaningless because of the relationship between employer and employee.
  • For a few other special reasons: The Data Protection Authority of India, the body that will oversee these regulations, can add more reasons under which personal data can be processed. The Bill lists out a few of these: prevention of unlawful activity, whistleblowing, credit scoring, or the use of publicly available personal data.

Tell me more about giving consent:

There has been much discussion about consent when it comes to data rights, in part because of how terms and conditions tend to be agreed to online without most people actually reading them or knowing that they mean. The law asks that any entity collecting or using personal data should obtain consent that fulfills five criteria:

  • It is freely given, without coercion, fraud or undue influence.
  • It is based on an informed decision, meaning the consent is obtained only after relevant information is conveyed to the individual.
  • It is specific, so that people cannot be forced to give reams of their data if the entity requesting it only needs one specific element.
  • It is clear, in that people are made to actively give their consent, so silence or a pre-ticked box on a form cannot be counted as such.
  • And it can be withdrawn, as easily as the consent was given.

In the case of those bits of information considered sensitive personal data, consent comes with a much higher standard of being ‘explicit’ that include making sure the individual knows what the consequences of giving up that data entail.

Although the draft law does not cover this, the report that was also submitted suggests that India should introduce consent dashboards, which would mean going to one website that collects all the times you gave consent to any entity, so that it becomes easier to keep track of what you have consented to.

Does the law give me any rights over my data?

Indeed it does. The draft law proposes a number of rights that in theory would give every individual more control over her data. These include:

  • The right to confirmation and access, which allows individuals to find out what is being done with their data.
  • The right to correction, which allows people to update or correct their data. This right also puts the onus on the body holding the data to pass on the fresh or corrected information to all those who it had earlier given the information to.
  • The right to data portability, which permits individuals to ask for their data to be downloaded in a simple format and transferred to someone else. This right has exceptions however, including when the data is collected based on a law or by the State, or if the company that collected it claims that portability is “not technically feasible.”
  • The right to be forgotten, which allows you to withdraw consent and ask that any data provided to an entity not be disclosed any further. For this to apply, though, an individual will have to make the claim to an Adjudicating Officer, who will then decide whether the demand is fair. This is also unlike the European Union’s version of this right, in which the individual can demand that their data is erased.

Who oversees all of this?

The draft law recommends the creation of a Data Protection Authority of India, that would act as the regulator. The DPAI would have one chairperson and six members, all of whom would be picked by a selection committee including the Chief Justice of India or a judge nominated by her, the Cabinet Secretary and one expert nominated by the Chief Justice or the nominated judge. This body will be expected to monitor and enforce all the provisions in the act, including conducting inquiries into cases where a violation of the law is believed to have happened. The Data Protection Authority of India will even have search and seizure powers, allowing it to enter any building and search the safes, boxes or computers of anyone under inquiry.

What happens when someone doesn’t follow the rules?

The draft bill offers a range of penalties, for different violations. A data security breach, for examples, could result in a fine of “up to five crore rupees or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher.” If an entity contravenes more serious sections, such as the manner in which it was supposed to process sensitive personal data, it faces “a penalty which may extend up to fifteen crore rupees or four per cent of its total worldwide turnover of the preceding financial year, whichever is higher.” Individuals who believed they have been wronged by companies that collected their data can ask the Data Protection Authority of India to give them compensation for violations.

Er, what about Aadhaar?

What about it? The draft law itself has very little to say about Aadhaar, other than pointing out that the 12-digit number itself comes under “sensitive personal data.” The report that accompanied the draft bill says it will not get into the question of whether creating a database of residents is antithetical to the idea of a well-functioning data protection regime, since the Supreme Court is yet to give its judgement on the constitutional challenge to Aadhaar.

That said, the report recommends a few amendments to the Aadhaar Act, none of which adequately address the mountain of criticism that has been heaped against the 12-digit biometric identity program. Arshu John, writing in the Caravan, examined some of these proposed amendments here.

And the Right to Information Act?

The draft bill proposes to amend the RTI Act to introduce a slightly new test for deciding where the balance between privacy and transparency lies. Where the Act previously presumed transparency was a given, and privacy an exception, the proposed changes would mean making a decision over whether the disclosure of personal data would cause harm to an individual that outweighs the public interest involved.

Is there anything else?

Yes. Many many other things, as Medianama’s Nikhil Pahwa points out. For example, there is the requirement that all personal data be mirrored and kept on a server or a data centre in India, a provision that critics of the Bill say is aimed primarily at ensuring the government has access to it if necessary. This provision will certainly see many responses from international companies that do work in India.

The law also envisages data auditors, who will audit the compliance of entities with the provisions of an act, essentially creating a Chartered Accountant-like structure, but for data regulation. The law leaves it to the DPAI to decide whether it should inform individuals if there has been a breach of their data. And in the exemptions, the law says the government can collect and use information in the interests of the security of the State as long as it is authorised to do so by a law.

The entire draft law is here, and the report that goes alongside it is here.

What happens next?

Ravi Shankar Prasad has said that he would like the Bill go through wide Parliamentary consultations before it is taken to a vote. The government need not use the exact same language as recommended in the draft and indeed it is likely that many, from civil society to the companies that will be affected, will now seek to lobby the government for changes to the draft. With that in mind, it seems unlikely that this government will be able to introduce the Bill in this sessions of Parliament, which goes until August 10. But considering the government’s penchant for last-minute legislation, and the argument that the Srikrishna panel in meeting many stakeholders has already carried out a wide consultation, it would not be unheard of.