
Law of Privacy ID No. 214126

DATA PROTECTION IN INDIA: JUSTICE B. N. SRIKRISHNA REPORT


Rashika Narain*

The Industrial Revolution was characterized by rapid growth of industries across sectors. Often the
growth of industry was followed closely by regulations to govern it. As of today, it is safe to
say we are in the midst of what can best be described as an Information Revolution. It is
differentiated from an industrial economy on the basis of the fact that it is rooted in
digitalization, computerization and information. With decreasing barriers to trade and the world
swiftly becoming a global village, there are several challenges on the information front that face
a developing economy. India, with its myriad requirements for privacy and data protection, is faced
with these very challenges. With the UIDAI, the adoption of Aadhaar and its linkage with most
essential services, the dependence of the economy on information is only increasing with time. At
the same time, the incidence of information theft and related cybercrime is also at the highest it
has ever been. To exacerbate this problem, India does not have any legislation that seeks to protect
data or information of its citizens. There exists no legal or regulatory framework to protect the
rights of citizens in this regard. Recently, when the Supreme Court of India recognized the
fundamental right to privacy of every citizen, the need for a framework to address data protection,
privacy and security was reinforced. These growing concerns led the Government to set up a committee
to examine the difficulties facing data protection in India, to provide recommendations and to
suggest core principles on which to base a legislative framework for data privacy and protection.
This Committee of Experts was headed by Justice B. N. Srikrishna. The Committee gave several
recommendations and discussed various global standards for data protection. The scope of this paper
is limited to discussing the Committee’s stance on three themes: Consent, Children’s Personal Data
and the Right to be Forgotten.

I. INTRODUCTION

In light of the nine judge verdict in Justice K.S. Puttaswamy (Retd.) v. Union of India, the ‘Right
to Privacy’ in India has been recognized as a fundamental right.1 This in itself provides a strong
foundation for creating a data protection regime in India. This judgement, delivered in 2018,2 paved
the way for discourse on the intrinsic value of privacy and how it should be protected. The B N

* 5th Year, B.A. LL.B Student at West Bengal National University of Juridical Sciences (ID No. 214126)
1
An Overview of the Changing Data Privacy Landscape in India, available at https://www.pwc.in/assets/pdfs/publications/2018/an-overview-of-the-changing-data-privacy-landscape-in-india.pdf (last seen on March 6, 2019).
2
W.P. (Civil) No. 494 of 2012.

Srikrishna Committee and its report are an initial step, the first of many, that will help lay down
a legal framework to protect citizens in India from problems arising out of the Information
Revolution.3

This Committee of Experts submitted a report that has been historic for several reasons: the context
in which it was submitted – a growing digital economy, the uncharted relationship between citizens
and those who handle their data (the report refers to them as data principals and data fiduciaries
respectively), the role of the state and, of course, the limitation of locally regulating data that
is mobile across jurisdictions.4 The Committee was entrusted with addressing these among several
other concerns pertaining to data security. The report not only includes the committee members’
suggestions and recommendations but also incorporates feedback from stakeholders on a white paper
that was made accessible to the public a few months before the publication of the report.5

This paper shall discuss three key concepts of the framework that was suggested by the ten member
committee in the Justice B N Srikrishna report. In Part II, the author shall discuss the manner of
and the role played by consent in data protection regimes. This part shall try to highlight the
relevant provisions brought forward in the report as well as the white paper provisions and
feedback on the same. Part III shall briefly highlight the Right to be Forgotten as enumerated in
the General Data Protection Regulation (GDPR) and compare it with what the report has to say on the
requirement for such a right. Part IV shall discuss the requirement for special protection to
children and their data and the Committee’s stance on the same.

II. CONSENT

A framework of notice and choice that forms the principal mechanism for obtaining an individual’s
consent is the foundation for data processing services in the digital economy. This framework is
based on the philosophically important act of an individual actively consenting to the use of her
data. This ‘consent’ is a manifestation of the autonomy and control of an individual – the flip side
to which is that it permits other persons to escape liability for acts which have been consented to
in the first instance. This mechanism works through notice, which places a positive burden on data
fiduciaries to communicate the terms of consent. Notice, however, is not limited to consent;
it is a vital obligation even in circumstances where data processing takes place on grounds distinct
from consent. Research leads us to the edifying conclusion that this mechanism of consent and
notice on the internet is, for all practical purposes, broken. Consent forms on the internet are often
mired in legalese and boilerplate. This has the effect of making them less accessible to everyday

3
A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, available at https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf (last seen on March 6, 2019).
4
Id.

5
White Paper of the Committee of Experts on a Data Protection Framework for India, available at https://meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_18122017_final_v2.1.pdf (last seen on March 6, 2019).

users – they do not read them and, even if they do, do not understand them and, even if they
understand them, cannot give meaningful consent, as the means to do so in a ‘granular’ fashion are
usually absent.6 Therefore, any discussion on a consent mechanism must be premised on the
understanding that consent does not function properly on the internet.7

It is, however, pertinent to note that, even with these lacunae existing, individuals regularly
provide consent for data collection and tailor their practices according to the privacy policy or
terms and conditions of the websites, applications and programs they may be using. Such
standard-form contracts are so widespread that even courts have gone ahead and recognised their
validity in many jurisdictions, despite there being a clear case of unequal bargaining power and
lingering doubts about whether the consent obtained was actually ‘informed’. Some have interpreted
this as evidence that a consent framework does not work, and have called for it to be done away with
completely as a ground for data processing. This conclusion is, in my opinion, hasty – the problems
highlighted above have more to do with the efficiency of this mechanism in protecting personal
information and preventing individual harm. All of these are practical concerns that do nothing to
undermine the importance of consent as a guarantor of autonomy in a data protection framework.
It would thus be regressive for us to question the fundamental value of consent in this framework –
rather, it is for us to find ways to make the mechanism better and dispense with these practical
difficulties.8

Impact of Report

The importance of consent in processing personal data has been universally recognised as an
effective means of giving individuals control over their personal data, inasmuch as they can now
permit or deny companies or organisations the right to process their personal data.

In addition to recognising consent as a basis for the collection and use of private data, the report
also puts forth the following recommendations, which are presently being considered, namely, that
consent should be free, informed and specific about the purpose of the data processing, that all
transactions do not require the same standards of consent, and that whether the consent is valid in
the first place requires careful determination.

6
Digital Assets- What’s the Fuss?, available at https://www.lexology.com/library/detail.aspx?g=c1be55a4-3597-44a7-b178-171c87ddd8db (last seen on March 6, 2019).
7
Supra 3.

8
Id.

III. THE RIGHT TO BE FORGOTTEN

The ‘right to be forgotten’ has been acknowledged and protected in some manner in certain
jurisdictions, such as Europe, through the General Data Protection Regulation (GDPR), and Canada,
through the Personal Information Protection and Electronic Documents Act (PIPEDA).9 This paper
also recognizes the importance of such a right. It frames certain key issues for discussion. The
first is the need to frame the right to be forgotten in a manner such that the twin considerations
of the right to freedom of expression and the right to privacy are balanced. The second revolves
around the scope and extent of this right, and finally, the need for distinct guidelines for
entities in different sectors to comply with requests to enforce this right.

There are also some important requirements that any law on the right to be forgotten must account
for, and include. Any law must ensure that organizations are mandated to have clear and efficient
communication channels, both internally and externally, such that they can fulfill requests from
users for the right to access data, rectify it, etc. within a reasonable time.10 Such individual
participation rights must be accounted for.11

Secondly, in order to efficaciously fulfill the right to be forgotten, organisations must possess the
ability to map the collection, usage, and storage of all personally identifiable information, so that
requests to delete such data can be complied with fully. The issue of cross-border transfer of data
is also one that must be accounted for. And organizations must ensure that in cases of such a
transfer, data is transferred only to countries where an adequate level of data protection can be
guaranteed, or that users are offered protection comparable to that which they would have received
had the data never left India.

It was proposed in the White Paper that the right to be forgotten must be made a part of the data
protection law. However, the right must be created in a manner that ensures the delicate balancing
of the two competing rights – that of the right to privacy, against the right to freedom of speech
and expression. The view espoused by the White Paper preliminarily was that the data fiduciary
must carry out this balancing test with caution.12 This view was one that was found to be rather
polarizing amongst the public. Some argued that there was no real benefit to be created by
guaranteeing such a right to individuals, while others even went so far as to argue that the
creation of this right would detrimentally affect the ability of people to access information
through the

9
Right to Erasure, available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/ (last seen on March 4, 2019).
10
GDPR and India, available at https://cis-india.org/internet-governance/files/gdpr-and-india (last seen on March 4,
2019).
11
Supra 5, pp. 122-136.
12
Id., pp. 137-143.

internet. In terms of the scope of this particular right, many believed that it should stop short of
allowing the erasure of information about individuals which is in the public domain. Another
argument was that anything that amounts to a ‘derivative’ of personal data, once that data
has been processed by algorithms of a particular data collector, should also be outside the ambit
of this right. Certain kinds of data, it was also argued, such as credit ratings, criminal records,
court orders, etc., should be excluded from the scope of this right, as it would serve the larger
public interest (by potentially also aiding law enforcement, or for monitoring potentially illegal
activities).

IV. PROTECTION OF CHILDREN’S PERSONAL DATA

It is clear that because children do not understand the full consequences of their actions, it is
imperative that we carve out specific protections for them. Protecting the best interests of
children ought to be the core value for any statutory regulation with respect to data protection.
This is articulated in the CRC, to which India is a signatory. The usage of these guidelines in the
data protection law ought to work in two different ways. To start with, it will be a freestanding
legal obligation on all data fiduciaries, i.e., standards will develop on how all data fiduciaries
must process data relating to children in their best interests.13

With developments of different kinds taking place every day, particularly in the field of
innovation, it has been seen that children are becoming increasingly tech savvy. This makes them
exceedingly vulnerable to attacks, particularly on the web. It is also recognized that denying
children exposure to technology would be extremely detrimental to them. It would greatly limit
children from availing themselves of the genuine advantages of technology, which vary from general
awareness to creative expression. Some of the suggestions to improve the status quo are:
[1] requiring authorities to implement higher standards of data protection; [2] requiring parental
consent14 for accessing children's information; [3] restricting the use of children's information
for potentially harmful purposes, for example, profiling, marketing and tracking; [4] setting up
strong rules for the way in which schools, educational institutions and government bodies handle
children's information.

The impact will be that organisations handling children's private information, either incidentally
or for explicit purposes, will be required to: [1] implement suitable measures to verify the age of
subjects from whom they are collecting personal information, [2] implement appropriate measures to

13
Article 24 of the Charter of Fundamental Rights of the European Union states that “[c]hildren shall have the right
to such protection and care as is necessary for their wellbeing. They may express their views freely. Such views
shall be taken into consideration on matters which concern them in accordance with their age and maturity. In all
actions relating to children, whether taken by public authorities or private institutions, the child’s best interests
must be a primary consideration”, Official Journal of the EU 2007, C 303.
14
For a full discussion of obtaining explicit consent, please see CIPL’s comments to the WP29 Guidelines on Consent.

acquire substantial parental consent before accessing children's private information15 and
[3] implement appropriate organisational and technical measures to: a) secure personal information,
and b) ensure that children's private information is not used for purposes of tracking, marketing
and advertising.16

It will be mandatory for organizations to issue privacy notices informing end users about data
collection, and the notice should be presented in an easy to understand manner. All these
measures will help in protecting the vulnerable youth from the possible exploitations of the data
protection law.17

V. CONCLUSION: HOW CLOSE IS INDIA TO HAVING A DATA PROTECTION REGIME?

This report brings India one step closer to making a data protection and management regime for
its citizens. The report is a hundred and seventy six page document that, along with its assessment
and recommendations, includes a draft bill for legislation on the protection of data. The Bill is
called the “Personal Data Protection Bill, 2018.”

The report addresses several key areas of the privacy regime in India that were much required;
however, it has been criticized for going beyond its scope in certain aspects, so far as to leave
the balanced approach that was observed in the white paper, and does have a hint of bias. For
instance, the report recommends stringent punishment for breach of data privacy if responsibility
vests with the private sector, but looks at state infractions far more kindly.18 Critics have also
had a pessimistic attitude towards the seemingly unassuming role of promoter of digital India taken
up by the committee. This role, which is beyond the terms of reference of the committee, exerts
an influence on all provisions and even the draft recommendations and Bill.19

All these criticisms notwithstanding, it is indeed a landmark report, as it reflects the beginning
of a difficult conversation citizens of India are now having with the Government, one whose need
the government refused to recognize until a few years ago.

15
16 U.S. Code of Federal Regulations § 312.5(b)(1) (“Any method to obtain verifiable parental consent must be
reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's
parent”), https://www.ecfr.gov/cgi-bin/text-idx?rgn=div5&node=16:1.0.1.3.36#se16.1.312_12.
16
See the Office of Fair Trading Principles for Online and App-Based Games, available at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/288360/oft1519.pdf (last seen on March 6, 2019).
17
See US Federal Trade Commission, “Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business”, available at https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protectionrule-six-step-compliance (last seen on March 6, 2019).
18
Opinion: The Srikrishna Committee Exceeds Its Brief, available at https://www.livemint.com/Opinion/AoKiTcZacKTyF3TcoepWuL/Opinion--The-Srikrishna-committee-exceeds-its-brief-on-data.html (last seen on March 6, 2019).
19
Id.

While the report has continued to generate large-scale debate on the nuances of the manner in
which this data privacy regime should be enforced, there is consensus among all stakeholders,
including technology giants, start ups and industrial bodies, that the law must first safeguard
customers (citizens) and from there catapult the emerging digital economy. The implications of the
report’s recommendations are far and wide, especially for technology companies. With over five
hundred million active internet users in our country, it is the second largest online space in the
world. In the last five years, penetration by tech companies and start ups has reached deep
inside India.20 Thus, the requirement for protection also increases with the amount of penetration,
as more vulnerable sections of society are now exposed in new ways. Thus, this report is a welcome
step in what will hopefully be a stringent privacy and data protection regime for the country.

20
India Finally Has A Data Protection Framework: What Does It Mean For Its Billion Dollar Tech Industry, available at https://www.forbes.com/sites/sindhujabalaji/2018/08/03/india-finally-has-a-data-privacy-framework-what-does-it-mean-for-its-billion-dollar-tech-industry/#5db077f570fe (last seen on March 6, 2019).
