Sri Krishna Committee Report On Data Protection


Monica Okane

Aug 3, 2024, 6:08:43 PM
to ticuclice

One of the committee's more problematic suggestions is that your personal data may be processed by the government if this is considered necessary for any function of Parliament or State Legislature. This includes provision of services, issuing of licenses, etc. On the face of it, this looks extremely vague and could lead to misuse.

This means they will be able to restrict or prevent any display of their personal data once the purpose of disclosing the data has ended, or when the data principal withdraws consent from disclosure of their personal data. In the EU, this has been used by people to get unflattering records of them on news websites taken down after the matter is no longer a matter of public interest.

Personal data will need to be stored on servers located within India, and transfers outside the country will need to be subject to safeguards. Critical personal data, however, will only be processed in India.

So, if you have disclosed your sexual orientation in a survey where you were told it would be used to assess the numbers of people with such orientation in a particular place, your name and orientation cannot then be sent to an advertising agency to send you targeted ads, as this is different from the purpose you had agreed on.

On 24 July, The Quint had reported on the manner in which the Ministry of Electronics and Information Technology had repeatedly rejected RTI queries for information on the meetings of the committee. According to details that have emerged from the RTI responses, the committee met seven times between September 2017 and May 2018.

Srikrishna Report: The Srikrishna Report stated that data processing practices in the digital economy are founded on consent (Page 32). Accordingly, the 2018 Bill provided for personal data to be processed on the basis of the free, informed, specific and clear consent of the data principal. Moreover, it stated that consent must be capable of being withdrawn (Clause 12).

PDPB: The PDPB adopts the provisions on consent contained in the 2018 Bill but states that consent must be explicitly obtained after giving the data principal the choice of separately consenting to the use of different categories of sensitive personal data [Clause 11(3)]. However, the PDPB also states that the provision on consent shall not be applicable for the performance of any function of the State authorized by law for the provision of any service or benefit to the data principal from the State or for issuance of any certification, license or permit for any action of the data principal [Clause 12].

Srikrishna Report: The Srikrishna Report stated that the right to confirmation and access enables a data fiduciary to enforce the substantive obligations of data fiduciaries (Page 39). Accordingly, the 2018 Bill provided data principals with the right to confirm whether a data fiduciary is processing or has processed personal data of the data principal as well as seek a brief summary of the personal data (Clause 24).

PDPB: The PDPB adopts the provisions of the 2018 Bill but also confers upon the data principal the right to access in one place the identities of the data fiduciaries with whom their personal data has been shared by a data fiduciary along with the categories of personal data shared with them [Clause 17(3)].

Draft Data Protection Bill, 2021: The Draft Data Protection Bill, 2021 has provided the data principal with the right to nominate a legal heir or a legal representative as their nominee, who can exercise their right to confirmation and access and exercise the right to be forgotten in the event of the death of such data principal [Clause 17(4)].

Srikrishna Report: The 2018 Bill provided that the data principal has the right to obtain from the data fiduciary the correction of inaccurate or misleading personal data, the completion of incomplete personal data and the updating of personal data that is out of date. The data fiduciary could disagree with the need to make such changes but then the data principal could require the data fiduciary to indicate that the personal data in question is disputed by them. (Clause 25)

Srikrishna Report: The Srikrishna Report was of the opinion that the right to data portability is critical in making the digital economy seamless, and empowers the data principals by giving them greater control over their personal data (Page 75). Thus, the 2018 Bill enables data principals to have their personal data transferred if such processing has been carried out through automated means [Clause 26(1)]. The 2018 Bill does not permit data portability if portability is not technically feasible or if it would reveal trade secrets of any data fiduciary or if processing is necessary for functions of the State [Clause 26(2)].

Srikrishna Report: The Srikrishna Report recommended that the Indian data protection regime include a right to be forgotten for data principals. The 2018 Bill, therefore, provided that the data principal shall have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary related to the data principal on the grounds of purpose fulfilment or the disclosure no longer being necessary (Clause 27). However, the right may only be enforced if an application to be forgotten is approved by an adjudicating officer appointed by the Union Government (Clause 68).

PDPB: The PDPB accepted the provision in the 2018 Bill but imposed an obligation on the data principal to demonstrate to the Adjudicating Officer that their right in preventing disclosure of personal data overrides the right to speech/receive information of any other citizen [Clause 20(2) proviso]. The PDPB also enables the data principal to appeal the decision of the Adjudicating Officer [Clause 20(5)].

Draft Data Protection Bill, 2021: The Draft Data Protection Bill, 2021 has recommended expanding the right to be forgotten to cover processing as well; it was previously limited to disclosure only [Clause 20(1)].

The Srikrishna Report: The Committee proposed that the government not be exempted from the rigours of the data protection regime unless it is authorised by a law which is made by the Parliament, and is necessary and proportionate. Moreover, such an exemption should only be granted if it is necessary for the security of the state (Clause 42 of 2018 Bill) and prevention, detection, investigation and prosecution of contravention of law (Clause 43 of 2018 Bill).

Srikrishna Report: The Report emphasized the need to place additional obligations on entities that are capable of causing significantly greater harm to data principals as a consequence of their data processing activities. Accordingly, the 2018 Bill empowered the DPA to categorize certain data fiduciaries as significant data fiduciaries based on factors such as the volume of personal data processed, the sensitivity of personal data processed and the use of new technologies for processing [Clause 38(1)]. The 2018 Bill also conferred discretion upon the DPA to impose additional obligations on significant data fiduciaries.

Srikrishna Committee Report: The Srikrishna Committee Report does not make any references to social media intermediaries apart from stating that these entities process personal data of children (Page 43).

PDPB: The PDPB defines social media intermediary as an intermediary who primarily or solely enables online interaction between two or more users. Furthermore, the PDPB states that social media intermediaries may be notified as significant data fiduciary depending on their number of users and their impact on electoral democracy, security of state, public order or the sovereignty and integrity of India [Clause 26(4)]. Every social media intermediary which is notified as a significant data fiduciary must enable users to voluntarily verify their accounts [Clause 28(3)].

PDPB: Unlike the Srikrishna Report, the PDPB vested the executive with the sole authority to appoint the DPA, despite the fact that the DPA would also regulate government agencies. As per the PDPB, the selection committee of the DPA would be chaired by the Cabinet Secretary and other members would include Secretaries to the Union Government [Clause 42].
