An interesting webinar was organized today by a group of legal professionals from Mumbai, in which Justice B N Srikrishna spoke about the Data Protection Act. He is the architect of the Indian law on Data Protection which is presently before the Parliament for passage, and in some recent encounters with the Press he had been critical of some of the changes made by the Government in the latest bill as compared to the version he had submitted along with his report in 2018. The webinar was therefore keenly followed, and over 890 participants attended at its peak.
Justice Srikrishna gave a good overview of the legislation starting from the objectives, to the Data Protection Principles, Data Principal’s Rights and other key provisions on some of which he has been vocal even earlier.
During the webinar, Justice Srikrishna made a few important and illuminating observations which need to be taken note of. Also, due to the paucity of time, some questions from the audience went unanswered. The following report tries to record the essence of the discussions and also provides our viewpoints on the questions that had been raised during the webinar, for the general information of interested professionals.
Justice Srikrishna started by explaining the objectives for which the Personal Data Protection Act (PDPA) was drafted, bringing home the reference to the Aadhaar issue and the consequent debate in the Justice Puttaswamy case. He later went into a discussion of some of the key elements of the current bill and areas where perhaps he had some disagreements.
On the most contentious issue, Section 35, which gives the Government the power to exempt the application of the Act in certain circumstances, he clarified that he does concede that the Government has the power to infringe on privacy under certain circumstances. What he was highlighting was the need for appropriate checks and balances, failing which a Government official could misuse the law to grossly violate the privacy rights of individuals, and an “Orwellian State” reference could become possible.
He did not discuss the other controversial issue about the Constitution of the Committee for appointment of the DPA not having Judicial representation.
He however justified the earlier provision on cross-border transfer restrictions, under which one active copy of all personal data transferred out of India had to be kept in India, and which has been diluted in the current version of the bill. He highlighted the fact that a high-power delegation from the US had met the Government to persuade them to dilute the provisions, and that the Government obliged, ignoring the requirements of the law enforcement agencies.
Another point on which he focused was that the current bill does not set a deadline for the Government to implement the Act, and hence implementation could be endlessly delayed. In the earlier version, there was an 18-month outer time limit within which the entire Act had to come into existence, with various other provisions being implemented at different points of time indicated in the Act itself.
He was also unhappy with the power of the Government, under Section 91 of the Act, to demand transfer of non-personal data/anonymized data to the Government under certain circumstances, and said that he would have preferred a separate legislation for this purpose, as had been suggested by his committee.
There were a few other important points on which he shed some light from his perspective, namely:
a) Ownership of Personal Data
b) Definition of Critical data
c) The “Fiduciary” nature of the relationship of a Data Processor
d) Data Retention period
As regards the ownership of “Personal Data”, he gave a jurisprudential view that not all that we call “Mine” can be equated to a “Proprietary Right”, and that there are “Relationships that need to be recognized” which are not subject to property rights. He therefore reiterated that though the Data Principal calls personal data “My Personal Data”, he may not have the rights of disposal of the personal data in the same manner as he can dispose of a movable or immovable property.
In this context he highlighted why the two parties who are in other countries referred to as “Data Controller” and “Data Subject” are in India called “Data Fiduciary” and “Data Principal”.
Definition of Critical Data
On the definition of “Critical Data”, Justice Srikrishna admitted that there is no definition of the term either in his version or the current version. However, he expressed an opinion that the term can be used in the context of “Whose Personal Data” is being considered and whether that data is of relevance to national security. As an example he referred to the data of the Prime Minister, the President or the Chief Justice.
The view of Mr Srikrishna is at variance with the general expectation that the distinction between Sensitive and Critical data would be based on the severity of the harm that may be caused to a data principal irrespective of who the data principal is.
The distinction based on whether the data principal is a celebrity or a person of national importance will result in mixing up the type of data with the identity of the person. This distinction may not be the best way to define the criticality of the personal data.
Instead, some data such as fingerprint, iris scan, DNA profile, skull X-ray, tooth X-ray, voice print, or even the photograph have the character of being inherently identifiable and not being amenable to being “Anonymized”.
Such data are better qualified to be categorized as critical data since, once lost, they can never be recovered, unlike a password that can be changed.
Fiduciary Nature of Relationship
Justice Srikrishna reiterated the need to define the relationship between the Data Subject and the Data Controller as “Data Principal” and “Data Fiduciary”. The undersigned has discussed this several times earlier and has hailed it as the single most important contribution of Justice Srikrishna to the Data Protection Jurisprudence, which would in due course be accepted worldwide. (See one of the earlier articles in this regard for more clarity.)
This elevation of the relationship of the Controller to that of the Fiduciary will solve many of the problems the world has seen in Data Protection regulation such as “Consent Fatigue” which is more accentuated in India because of the use of different languages by end users, lack of literacy and reduced appreciation of the culture of “Privacy” which is more an elite concept pushed down the population rather than a felt need of the market.
Data Retention Period
While speaking on the data retention period limitation, Justice Srikrishna referred to the provisions of other laws that may require retention of the data for a longer period. He mentioned that though normally data has to be retained as dictated by the purpose, in cases where other laws dictate otherwise, it can be retained for a longer period.
Mr Srikrishna however failed to refer to the existence of legitimate interest and evidentiary requirements, which may necessitate a distinction between the need to erase the data after the purpose is completed and the need to retain it for a longer period. The new law has tried to accommodate this by creating a fine distinction between the right to erasure and the right to forget as two different rights under Sections 18 and 20.
Though we do not agree with the contention of Justice Srikrishna that Section 35 of the new Act leads to the possibility of an Orwellian State and his omission to recognize some of the improvements that have been made in the Act including the concepts of “Consent Manager”, “Sandbox”, “exemption of liability” etc., the discussion was very useful in putting across a perspective of the law.
Towards the end of the session, there was no time left for taking up some of the questions from the large number of participants.
In order to provide some clarity on some of the questions raised, I have picked up the questions and provided my views under the “your Queries” section on the website of the Foundation of Data Protection Professionals in India (www.fdppi.in).
I request visitors to peruse the questions and answers provided.