As India looks forward to a legislation to protect data—in these times of Aadhaar or the Unique Identification (UID) project creating a massive database of socially, economically and biometrically sensitive information about citizens—the Srikrishna Committee on data protection issued a white paper on 27 November 2017.
The nine-member expert committee, headed by former Supreme Court judge Justice BN Srikrishna, was set up on July 31 by the Union government—while the apex court was hearing challenges to the UID project—to formulate a data protection law for India.
The government has made Aadhaar – the 12-digit biometrics-linked UID number – mandatory for all of its services, beginning with the welfare schemes, which has caused massive exclusions among the poorest, in contravention of the Supreme Court orders.
The white paper covers a wide range of issues and asks pertinent questions related to the protection and ownership of citizens’ data and its use by interested parties.
The paper includes questions to which stakeholders can respond by 31 December 2017, after which the panel will go ahead with drafting the data protection law.
It talks about the definitions of personal data and sensitive data, informed consent, data breaches, setting up of a data protection authority, possible exemptions (like the “legitimate” aims of the state), protecting children’s personal data, data audit, data protection impact assessments as well as enforcement and accountability tools. It also discusses defining the offences, penalties and compensation. It even includes the individual’s right to be forgotten.
The white paper lays out seven key principles for a data protection framework:
1. Technology agnosticism- The law must be technology agnostic. It must be flexible to take into account changing technologies and standards of compliance.
2. Holistic application- The law must apply to both private sector entities and government. Differential obligations may be carved out in the law for certain legitimate state aims.
3. Informed consent- Consent is an expression of human autonomy. For such expression to be genuine, it must be informed and meaningful. The law must ensure that consent meets the aforementioned criteria.
4. Data minimisation- Data that is processed ought to be minimal and necessary for the purposes for which such data is sought and other compatible purposes beneficial for the
5. Controller accountability- The data controller shall be held accountable for any processing of data, whether by itself or entities with whom it may have shared the data for processing.
6. Structured enforcement- Enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity. This must coexist with appropriately decentralised enforcement mechanisms.
7. Deterrent penalties- Penalties on wrongful processing must be adequate to ensure deterrence.
The report looks at the international practices and data regulatory frameworks, while considering the models followed in the European Union and in the United States as two ends of the “spectrum”.
“The EU model is a rights-based one, where protection of personal data is equated with protecting the fundamental right to privacy. The EU model has been criticised however, for being excessively stringent, and imposing many obligations on the organisations processing data. At the other end of the spectrum is the US approach, which focuses on protecting the individual from excessive State regulation. The US model recognises the value of data vis-a-vis encouraging innovation, and therefore allows collection of personal information as long as the individual is informed of such collection and use,” the report says.
The committee appears inclined to adopt a middle path between the two models for India.
The report, however, also talks about India’s future as a “digital economy”. It talks about “the need to encourage innovation” and “empowerment based on data-driven access to services and benefits for the common man.”
Speaking to Newsclick, Smitha Krishna Prasad, a lawyer who works with Centre for Communication Governance at National Law University, Delhi, said the white paper covered a broad range of issues that data protection laws across the world address.
While traditional principles of data protection—such as the need to be technology agnostic, to provide notice to data subjects and obtain their consent—have been discussed along with problems of implementation and enforcement, said Prasad, the white paper also “addresses industry concerns in relation to the cost of compliance with the regulations that many of these principles call for.”
“Based on our preliminary reading, we’ve noticed that these views match those of internationally accepted standards in the case of some of the basic and long-standing data protection principles. However, the committee has also expressed concerns in relation to adopting some of the standards that are otherwise accepted internationally,” she said.
“It is important that we carefully think about the nature of regulatory and enforcement mechanisms that are put in place to implement the data protection principles. Any law that regulates data collection and processing should also empower vulnerable data subjects and allow them to exercise their rights to privacy, and the protection of their data.”
Meanwhile, Rethink Aadhaar, a non-partisan campaign of wide-ranging activists opposing the UID project in India, issued a statement saying it “cautiously welcomes” the Srikrishna Committee white paper as “an important first step in a more transparent and accountable pre-legislative process.”
“The deliberations of the Srikrishna Committee are vital for our collective future and the shape of the Data Protection law.”
It said “the White Paper expresses deep caution when dealing with data – its collection, use and storage.”
And the campaign asserted that the Aadhaar project violated the key principles.
“We do not think that the Aadhaar project will survive this increased scrutiny and caution. It is in fact clear that the Aadhaar project, since its inception, has already violated many principles expressed in the white paper,” said the campaign.
However, the campaign reiterated its concern over the “composition of the committee” — because “all its members, except Justice Srikrishna, have pronounced professional and personal views in support of the Aadhaar program and its extension into areas that it was not designed for.”
The campaign had written to the Srikrishna Committee on 5 November 2017 over the composition of the committee, but to no avail.
It alleged that “experts who have expressed independent and critical views on Aadhaar” were excluded from the committee.
The members include Ajay Bhushan, CEO of the Unique Identification Authority of India; Ajay Kumar, additional secretary, Ministry of Electronics and Information Technology; Aruna Sundararajan, secretary of Department of Telecom; Gulshan Rai, National Cyber Security Coordinator; Arghya Sengupta, research director, Vidhi Centre for Legal Policy; Rama Vedashree, CEO of Data Security Council of India; Rishikesha T. Krishnan, director of IIM Indore; and Rajat Moona, director of IIT Raipur.
These considerations gain importance, given the way Aadhaar has been forced onto people – causing exclusions in the social welfare schemes, threatening the privacy of people with frequent data breaches, creating a goldmine for corporates, and greatly expanding the scope for surveillance.
As Rethink Aadhaar said, “A mandatory and coercive Aadhaar project has led to millions of Indian citizens being enrolled into the world’s largest biometric identification project.”