The much-awaited Srikrishna Committee Report on Data Protection was made public on Friday along with the draft Personal Data Protection Bill. Low-intensity alarm bells had already started ringing even before this happened: Caravan published a report stating that the proposed law will make worrisome changes in the Right to Information Act and the Aadhaar Act. Now that the report and Bill are both public, it’s time to see if these alarm bells should reach a high-pitched fervour.

But before we get to the report, the Bill and their contents, let’s answer a few fundamental questions like why is this whole gig important to the citizens of India (You, I’m looking at you. Stand still now.)? Why was this entire gig necessary in the first place and why are a few wine-and-cheese liberals so worried about it? And, more importantly, does it have anything to do with Aadhaar (#DestroyTheAadhaar?)?

You are Important

First things first. You, who are reading this, is a citizen of India and has a fundamental Right to Privacy. This reassurance was given, amid the much-deserved celebration, by the Supreme Court last year in August. The Supreme Court had to step in because the government of the day argued that we do not have that right. A nine-judge SC Bench was like, “Um. Actually, they do. Here is a 547-page judgment which explains why.”

This landmark judgment does reassure us, but a lot more needs to be done on this front. A solid law is required to make this right actionable. For instance, whether the Aadhaar programme violates the right to privacy is a question that can have no real answers till we actually get a law on protection of personal data. And that is where the story really begins.

This whole interest in Privacy and its implications was triggered when Aadhaar (The Many Headed Hydra) started to creep up into various facets of our lives. The issue snowballed with revelations about Cambridge Analytica going bonkers with Facebook data to influence voter behaviour and disclosures made by Snowden regarding mass surveillance. It became apparent, across the world, that personal data of individuals being collected needs to be monitored and the people need to be protected. Both from private entities and government.

To put it simply, government and private companies collect a whole load of personal data from all of us, analyses it and processes it to achieve a few things. Governments are doing it for better-targeted implementation of their schemes, making more effective policies and/or mass surveillance. Private companies do it for targeted advertisement, making their products better based on the behaviour of the customer, selling that data and analysis to other companies for some sweet $$$ and, well, surveillance of their own.

In a situation such as this, we, the fodder which produces data (and dandruff) wherever we go, needs some protection from these powerful, overbearing entities. Just so that they don’t use our personal information to screw with us personally. That is why this whole consultation and the draft Bill is critical in these contemporary times.

The Srikrishna Committee, headed by retired judge Justice BN Srikrishna, was tasked with debating, deliberating and discussing this whole issue to come up with ways to implement a data protection regime.

The Committee and The Bill

The Srikrishna Committee faced much criticism when it was constituted because the members contained zero people from civil society. Basically, a committee that is supposed to decide on data processing of individuals who are basically powerless had no powerless citizens on board to have their say. The criticism also arose because the consultations were held behind closed doors and the deliberations were never made public.

But keeping all that aside, because what other option do we have ( ¯\_(ツ)_/¯ ), let’s take a quick peek at a few crucial things the report says, which are also reflected in the proposed Bill.

Thou Shalt Have A Data Protection Regime

The SC judgment reiterated that we have the right to privacy, but it is up to the state to make a law that makes this meaningful. The way to do that is by creating a data protection framework, which protects the citizens’ personal data and, thus, privacy. Interestingly enough, the government has been allowed to collect and process data by the Draft bill. Which means, it would have no real effect on Aadhaar.

Protect Personal Data

Personal Data has been defined as data that makes an individual identifiable. This is tricky territory for a lot of reasons because data, say someone’s mobile number, on its own might be meaningless. But when combined with other points like name, registered address, carrier, the location of activation, this data becomes useful for identifying a particular person. Committee says there needs to be a broad well-thought-out definition about what constituted personal data. The Bill, however, does not explicitly define what constitutes personal data.

Protect Sensitive Personal Data: Apart from identifiable data, there is also data that provides attributes to an individual. Information on political beliefs, sexual orientation, racial and genetic data, health data, etc. fall in this category. If this information falls in the wrong hands, it might be used in nefarious ways. So the committee recommends a separate category for this which would have stricter protections. This also includes financial information, which will become a point of contention for sure. 

Committee says there needs to be a broad well-thought-out definition about what constitutes personal data. The Bill, however, does not explicitly define what constitutes personal data. That would be decided later, it seems.

Protect Sensitive Personal Data

Apart from identifiable data, there is also data that provides attributes to an individual. Information on political beliefs, sexual orientation, racial and genetic data, health data, etc. fall in this category. If this information falls in the wrong hands, it might be used in nefarious ways. So the committee recommends a separate category for this which would have stricter protections. This also includes financial information, which will become a point of contention for sure is already becoming a point of contention. Financial Information is used by a lot of entities to deliver services. By making it sensitive, how they use it and whether they can use it all will become a big question.

Anonymisation Is Cool

Data which has been scrambled and anonymised to remove the risk of identification should be allowed. The committee recommends that if proper standards are set for de-identification of personal data and entities obey those, then collection and processing of personal data should be allowed. The Bill excludes anonymised data from the purview of this law.

Explicit Consent Is A Must

The committee recommends a proper process in place which would seek the consent of people whose data is being collected and processed. This consent should be taken in a manner in which it is possible to withdraw it in case the person feels uncomfortable with the way his/her data is being used. The Bill says that the consent must be explicit, free, informed and specific, meaning the person whose approval is taken must be made aware clearly why it is being considered. This should be especially explicit in the case of sensitive personal data.

Law Is Applicable EVERYWHERE ON EARTH

The thing with Data is that it is stored on servers (Fun fact, I know!). A law of a country can be applied only if the thing its addressing is within its borders. Because of the fun free-flowing nature of the internet, data goes places before it comes to us and a lot of servers are not inside the country. The committee recommended that this law must apply to any entities which are processing data of Indian citizens and will have to comply with it to operate in India, even if they aren’t based in India. Quite tricky this, because it’s yet to be seen how our Government would be able to make giant companies like Facebook or Amazon compliant with this and how they will deal with them in case they break the law. Block them in toto, perhaps. Or penalise them heavily! Fun times ahead.

Mirror All Data

The draft bill mandates that a copy of all data on Indian citizens must be stored within India (especially if the servers are outside). Again, tricky one here. This would mean that the Indian Government would have jurisdiction and control over data, but it would also involve an incredible amount of expenses on the part of companies. Foreign tech companies who have vast swathes of data in their own servers will have to store a copy in India as well. One thing is for sure, if this actually is put in place, the server farm business in India is going to go bonkers! Having the data in India would also make it easier for the government to obtain it quickly and up their surveillance game, perhaps.

Respect My Data Protection Authoriteh

The Bill creates a separate authority to deal with issues of Data Protection (Hello, UIDAI Part 2!). This authority will fill in all the little details, like the process on anonymization of data, and make sure entities obey the data protection regime.

Heavy Penalties

If an entity does not obey the law or violates its provisions, the draft Bill proposes a penalty ranging from Rs 5 crore or two per cent of total worldwide turnover to Rs 15 crores rupees or four per cent of the total global turnover. These penalties will be inflicted after an Adjudication officer, appointed by the Central Government and a part of the Data Protection Authority, will conduct an inquiry after gathering sufficient evidence and hearing out the parties involved.

What Happens Next?

The Committee has given a report and a draft Bill to the Ministry of Electronics & Information Technology. The Bill will be deliberated upon by the Ministry and presented to the Cabinet. After the Cabinet approves it, it will be introduced in Parliament and follow the usual legislative process. Ideally, the Bill should be sent to a Parliamentary Committee for review but given the track record of this government that is unlikely to happen. Fingers crossed!

Whatever happens next is up to the government of the day. Since the BJP has a majority in Lok Sabha, it is very likely that no amendments to the final Bill will be entertained. So it’s ultimately up to everyone interested to go through the Bill and keep spamming MEITY with suggestions, based on this draft and the final draft once it’s introduced.

CONSTANT VIGILANCE PEOPLE!