Last week, the Justice Srikrishna Committee released a White Paper to solicit public comments on the shape that a privacy law should take. The 240-page document reflects the issues that the majority of the committee believes ought to be considered while drafting the proposed privacy law of the country and also contains the provisional views of the committee on each of these issues. At the outset, I have to commend Justice Srikrishna and the committee for adopting this approach. To my recollection, this is the first time that the process of drafting a legislation of such significance has been opened up to this level of extensive public consultation. The breadth of issues raised and the thoroughness with which international legislations have been referenced are truly without precedent in Indian legislative history. I can only hope that this commitment to engage with the broader community of stakeholders is sincere and that it will consider, with an open mind, the many different views that it is bound to receive in response to the White Paper.
While I fully intend to prepare and submit a formal response to the White Paper, there are a few broad issues that are probably worth mentioning at this stage. In the first place, it is evident that the committee has been heavily influenced by European data protection sensibilities while preparing the paper. Some of the issues that have been discussed at length—such as the right to be forgotten and the concept of adequacy in cross-border data flows—are uniquely European in design and the general flavour of the recommendations have rich Continental overtones. The concern I have with this approach is that the European model of data protection, by design, focuses on protecting citizens against having their data processed by private entities and doesn’t concern itself with regulating how governments collect and process data. Europeans, in general, have a high level of trust in their governments. Scandinavian countries, for instance, have the some of the most detailed and in-depth information about household statistics of any country in the world. This is primarily because citizens of those countries are confident that when they share deeply personal information about their families with their governments, it will not be misused. In countries with this level of trust in governmental institutions, it stands to reason that the privacy regulation would focus on corporations that, if unregulated, have a lot to gain from processing personal information.
This is not the case in India. Much of the current concern around personal privacy stems from the manner in which the Indian government has chosen to collect and process the personal data of its citizens. If the committee is looking to present a draft legislation that is truly responsive to the concerns of the people of India, the European model will not work. Instead, it would do well to suggest a framework that the equally focuses on applying fetters to the data processing practices of the state instead of only training its guns on private parties. The White Paper has done an excellent job of reviewing the existing privacy jurisprudence around the world, focusing, for the most part, on the European, Australian, Canadian and South African legal frameworks with occasional references to the laws in the United States. What is a little disconcerting is that even when it seems, from the discussions in the body of a given chapter, that the committee is cognisant of the failings of some of these models, the provisional recommendations of the committee still chose one of these existing alternatives rather than suggest new formulations. For instance, even though the committee recognises in the preamble, the many benefits of big data analytics in the current state of development of these techniques, it seems to be inclined to adopt EU’s more traditional approach of restricting automated decision-making even though the current form of those regulation still contain language formulated at a time before modern, big-data algorithms.
I would have hoped that the committee would use this opportunity to develop new and innovative models of regulation that were both suited for the times as well as the special considerations of the Indian sub-continent. For instance, concerns around notice, consent and the entire choice-based framework that is discussed at length in the paper could easily be resolved by adopting an accountability model unlike any that exists in the world. Since we have none of the regulatory baggage that constrains the rest of the world from doing away with consent, it should be relatively non-disruptive to adopt this sort of an approach. With some effort, it should be possible to develop a bespoke solution that can effectively overcomes the challenges of consent fatigue, lack of effective bargaining power and inability to provide informed consent that plagues the traditional model. That said, it is heartening to note that the committee has used this opportunity to create a data empowerment framework that unequivocally places the citizen at the heart of the privacy construct. By putting its weight behind a data portability regime that grants every individual the right to demand that data controllers should make available, in a universally machine readable format capable of being ported to any other service provider, all personal data about that individual that is in the control of that data controllers, the committee seems to be recommending a model that will allow citizens to leverage data to their advantage. There is lots to like about the White Paper and the provisional recommendations of the committee. Despite concerns expressed about the lack of representation of relevant stakeholders, it appears that we are in the midst of a robust process. Judging solely by this initial output, it seems likely that the final recommendations of the committee will be based on a rigorous consideration of available options.
Author is Partner, Trilegal
Views are personal