The Sri Krishna committee report reflects the global data privacy climate while keeping in mind India-specific complexities. We will see a huge, positive change in the way India governs, contracts, does business, and even in the manner it extends its welfare activities.
2018 has been the year when people realised the internet is not exactly free. Not in a Rs 5/GB kind of way, but in the way that Facebook is free, because you pay with your personal data. While there has been a lot of talk about “leaks” in India, it was the Cambridge Analytica scandal that showed us the dangers of letting anyone collect, store or trade your data. In India, last year, a committee was constituted under retired Justice Sri Krishna, to formulate our country’s outlook on the handling of data.For the past few weeks, the media has been speculating on the imminent release of the report and a draft bill by the Sri Krishna committee. The report, finally released on Friday, is a 213-page document that encompasses great breadth and covers many pertinent issues around data. It opines on what data is sensitive and what isn’t, whether your data must be stored locally, or can be taken to Timbuktu. It also opines on what changes must be made to the existing Aadhaar Act as well as the RTI act, in order for them to be compliant with the proposed privacy bill. There’s enough details in these 213 pages to give experts and prime time TV hosts a lot to debate about over the next few months. Nevertheless, the broad direction taken by the bill is remarkable for its friendliness to individuals, while also being compassionate to the economic realities of running a business in India.
But, for the common man on the street, we have picked a few things in the bill that are worth noting. First, sensitive data has been comprehensively defined. Your “passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual” are considered sensitive.
The draft bill has adopted a “modified consent framework, with a […] product liability regime”. In layman terms, firms handling your data need to ask you before processing your data. But, in a welcome change, even if they did ask, and then messed up, they will still be responsible to you for the harms they caused. The Bill defines data users as data principals, and anyone holding their data as “data fiduciaries”, explicitly defining the relationship between you and a firm handling your data as a fiduciary one.
As consumers, another right to celebrate is the right to data portability. Which means you can transfer your personal data stored with one data fiduciary to another, and they must provide a machine-readable copy in a standard format. This means no more walled gardens. This move encourages competition, as well as the rights of individuals to use their data to demand services. Imagine your neighbourhood vegetable vendor being able to ask for a Rs 500 loan to grow her business. In a developing nation like India, this creates a seamless digital economy and a shift in the balance of power in favour of the average citizen. With increased competition between fiduciaries, we could see consumer welfare centric competition akin to the telecom wars that drove first call, then data prices, down dramatically.
This report has done a lot in justifying the long wait, and in many senses, accurately reflects the global data privacy climate while keeping in mind India specific complexities. Clear efforts have been made to take a 360 degree view of the citizen’s relationship with privacy—whether as a subject or object of their own information and even the manner in which they view privacy contracts. And where necessary, the report does look at societal impact and state interest in balancing the privacy rights of the individual vs transparency.
But the underlying thread is clear. With this report, we will see a huge, positive change in the way India governs, contracts, does business and even in the manner it extends its welfare activities. In the days to come, with reactions from the industry and law makers, the true impact of this report will be tested. The Sri Krishna committee was asked to perform a tricky three-way balancing act between the rights of an individual, the ability of the state to perform its functions and a growing internet industry that needs access to data to grow. The committee has done a fair job of balancing those three, but in the end, it is only a draft bill—the true implications will only be better known when its ideas get implemented in the field.
By Tanuj Bhojwani, Fellow, iSPIRT Foundation