Give India the Data Security Law it Deserves

The much-awaited Srikrishna Committee report was finally submitted to the government on July 27. The report was aptly titled A Free and Fair Digital Economy Protecting Privacy, Empowering Indians’. The report has proposed penalties for violation, initiation of criminal proceedings in case of the violation of the data privacy, setting up a data privacy agency and provision of withdrawal of consent and the concept of consent fatigue.

The major highlights of the report were that any data processed or collected in India would be accountable to Indian laws, any Indian company incorporated in India would be accountable to data processing laws of India even if they have data about non-Indian firms, individual or entities, penalties may be involved if there is a violation of data protection laws and consent will be the basis of sharing personal data.

The committee’s recommendations on key issues such as consent, setting up a data authority, definition of personal data and sensitive personal data along with data localisation are keenly awaited for their implications on tech majors such as Google, Facebook, Instagram and Twitter and many software majors who are based out of India or have subsidiaries in India.

If we take a look at data protection laws the world over, we come across three data privacy rules that apply, and this has been mentioned in the Srikri-shna Committee report too. The US, the European Union and China. The US follows a laissez-faire appro-ach towards data protection and does not have an all-encompassing framework. The judiciary in US, however, has collectively recognised a right to privacy by piecing together the limited privacy protections reflected in the First, Fourth, Fifth and Fourteenth Amend-ments to the US constitution. Certain legislations — for example, the Privacy Act, 1974, the Electronic Communications Privacy Act, 1986 and the Right to Financial Privacy Act, 1978 — protect citizens against the federal government. For the private sector, there are sector-specific laws that have special rules for specific types of personal data. For instance, the GLB Act2 has well-defined provisions for collection and use of financial data.  The EU has recently enacted the EU GDPR, which has come into force on May, 25, 2018. This replaces the Data Protection Directive of 1995. It is a comprehensive legal framework that deals with all kinds of processing of personal data while delineating rights and obligations of parties in detail. It is both technology and sector-agnostic and lays down the fundamental norms to protect the privacy of Europeans, in all its facets. Sixty-seven out of 120 countries outside Europe largely adopt this framework or that of its predecessor.

In recent years, the world community has criticised China. Though the aforementioned approaches have dominated global thinking on the subject, recently, China has articulated its own views in this regard. It has approached the issue of data protection primarily with reference to mitigate national security risks. Its cybersecurity law, which came into effect last year, is a unique law to handle personal data. A follow-up standard or a regulatory framework, issued earlier this year, adopts a consent-based framework with strict controls on international sharing of personal data. It remains to be seen how such a standard will be implemented.

Each of these regimes is founded on each jurisdiction’s own understanding of the relationship between the citizen and the state in general, and the function of the data protection law, in particular. In the US, the laissez-faire approach to regulating data handling by private entities while imposing stringent obligations on the state is based on its constitutional understanding of liberty as freedom from state control. Data protection is thus an obligation primarily on the state and certain categories of data handlers who process data that are considered worthy of public law protection. In Europe on the other hand, data protection norms are founded on the need to uphold individual dignity. Central to dignity is the privacy of the individual by which the individual herself determines how her personal data is to be collected, shared or used with anyone, public or private. The state is viewed as having a responsibility to protect such individual interest. China, on the other hand, frames its law with the interests of the collective as the focus, based on its own privileging of the collective over the individual.

With major government-led initiatives such as Make In India, MyGov.in, Digital India among others aided by cheap mobile and wireline data, the impact of the data security bill, which has been drafted and needs a parliamentary approval, can be far-reaching for the Indian technology sector. Now it’s up to the Indian government to provide India with its first data security law, which can revolutionise the Indian technology industry.

Justice Srikrishna: one man, many commissions of inquiry
A former Supreme Court judge Bellur Narayanaswamy Srikrishna, the son of a prominent labour lawyer, was born on May 21, 1941. Before becoming a judge Mr Srikrishna started private practice as a lawyer in the Bombay high court and Supreme Court (SC). He specialised in labour and industrial law and was a counsel for a number of large corporations. He holds a postgraduate deg-ree in Sanskrit, diploma in Urdu and a post-graduate diploma in Indian Aesth-etics. He also speaks at least seven languages.

Justice Srikrishna retired in 2006 from the SC and he has headed several high-profile commissions.

His first assignment came early in his career in the 1990s, as a sitting judge, when he headed the commission of inquiry into the communal riots that shook Mumbai in 1993 after the demolition of Babri Masjid. His landmark report, which was submitted in February 1998, sparked much debate. In 2006, he was appointed as the chairman of the Sixth Central Pay Comm-ission. The commission in its report to the government had recommended an average of 28 per cent hike for central government staff and defence personnel.

In 2009, Justice Srikrishna headed one-man commission to inquire about the February 19, 2009 Madras high court incident. The stir by lawyers protesting the arrest of their colleagues in an assault case had turned violent with police and the riots going on for several hours.

Later, in 2010, he was again given the task of heading a five-member panel to explore the options on the formation of a separate Telangana state. After eleven months the panel submitted a 461-page report with six options including a Telan-gana state with Hyderabad as its capital and keeping Andhra Pradesh united with constitutional and statutory measures for empowerment of the Telangana region. Finally, he was part of the committee to study issues related to data protection and privacy.