Srikrishna Committee report fails to safeguard right to privacy of individuals, experts say

[dropcap]T[/dropcap]he Justice Srikrishna Committee submitted its much awaited report on data protection to IT Minister Ravi Shankar Prasad. The 213-page report titled “A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians” was accompanied by a Data Protection Bill, and will now be reviewed by the IT Ministry before being forwarded to the Prime Minister.

Though the ten-member committee recognised various amendments to the Aadhaar Act in order to bring it line with the fundamental right of privacy as elucidated upon by the Puttaswamy verdict, it did not address concerns beyond those which purely pertain to data protection.

Below are a few comments based upon an initial perusal of the Committee’s submissions from Prasanna Srinivasan, a lawyer who specialises in tech laws.

  1. In light of the Aadhaar Act and the entire Aadhaar programme being challenged at the Supreme Court, and the Court’s subsequent reservation of its judgment, the suggested recommendations to the Act by the Report was an avoidable exercise.
  2. The exemptions granted to the government and its functionaries under the Act’s various provisions are counter intuitive to the principle of the Government acting akin to a fiduciary or as a model data controller.
  3. When compared to the global standard of best practices, the provisions on data breach notifications appear to be incomprehensive.
  4. The necessity to establish the likelihood of harm, as well as the Unique Identification Authority of India (UIDAI) being given the mandate to decide whether the person whose data has been breached or the Data Principal is to be informed to not, is completely at variance with the premise of data protection obligations being directly related to the rights of the Data Principal.
  5. Provisions that permit personal data processing without express consent are clearly overbroad in comparison to comparable frameworks such as General Data Protection Regulation (GDPR) brought forth by the European Union (EU).
  6. The non requirement of necessity and proportionality with respect to personal data processing by the State prima facie seems regressive and violative of the tests laid down by the Puttaswamy verdict.
  7. A number of provisions of the Act possess no strict guarantees, hence rendering the Right to Privacy realisable only upon litigation.
  8. Vague terminology such as “reasonable”, “reasonably”, “practicably”, and “practicable” appear no less than 41 times in the proposed legislature, inviting criticism on the grounds of its framing being overbroad.

Upon a basic textual perusal, the Committee’s submissions should undergo the necessary pre-legislative consultative process as per the 2014 Pre-legislative Consultation Policy. This would be followed by the standard review by the Union Cabinet and both houses of Parliament, where it may be subject to further scrutiny by departmental standing committees or a specially constituted select committee.