An expert committee tasked by the Union government to recommend a data protection law for India is gravitating towards stringent provisions in the draft framework in the aftermath of the Facebook-Cambridge Analytica data scandal but will stop short of copying European Union regulations that are widely seen as the gold standard for user privacy.
It proposes to put in place a data regulatory structure on the lines of the Securities and Exchange Board of India or Insurance Regulatory and Development Authority with an appellate authority and designated courts of appeal.
And, it expects to submit its report to the government by the end of April or early May, the panel chairman B N Srikrishna has said in an interview. “It is for the government to take it from there,” he said.
In the Facebook data breach, analytics firm Cambridge Analytica harvested personal information of some 87 million Facebook users since 2014. In light of the role that fake news and advertisements on Facebook played in the 2016 US presidential elections, data privacy rules have become the focus of lawmakers and users of platforms such as Facebook, Google and others the world over.
The Facebook scandal is the second context-altering event for the Justice Srikrishna-headed data protection committee. Weeks after it was set up by the government end of July last year, a nine-member bench of the Supreme Court ruled that privacy was a fundamental right under the Indian Constitution with reasonable restrictions.
“Today, anybody can take (data) and use it for anything. No one is answerable,” said Justice Srikrishna on phone from Mumbai. “The law has to be agnostic to technology. If it is wedded to one, after two days, the technology will become obsolete and the law will have to be changed. And, you know how difficult that will be with how much the Parliament functions these days.”
After the Facebook-Cambridge Analytica data scandal, there has been a debate on the kind of rules that India’s data privacy law should have and how privacy should be central to the design of platforms. Some experts have pointed to EU’s General Data Protection Regulation (GDPR) as model rules for data protection, while others have called it too stringent. The GDPR law lays down fines of up to the greater of €20 million or 4% of global revenues of companies that violate privacy rules in the EU, among other tough measures.
Justice Srikrishna said the Indian privacy law recommendations, too, would have hefty fines and punishment but stopped short of saying GDPR was a model law for India. “A user will have the right to say that ‘I don’t want to be part of Google, I am deleting my account and make sure that all my data is deleted.’ If subsequently it is found that it was not done, the company will be answerable.”
Most internet companies have sent in their suggestions based on a white paper by the data privacy panel and held public discussions on in New Delhi, Hyderabad, Bengaluru, and Mumbai. “They say GDPR is too strict, we can’t have a law like that,” the retired Supreme Court judge said.
While appreciating the maturity in and thinking behind GDPR, Justice Srikrishna the Indian concept of privacy may not be ready for as strict legal measures. “We need a special law but something like the GDPR in our country to work will be very hard. One size does not fit everybody. We have to make laws for us. Our concept of privacy is very different from the European concept of privacy. We are evolving.”
The key factor in framing the Indian data privacy law will be enforceability. “In India, we are long on law and short on enforcement. We have all kinds of laws but how are they interpreted and enforced. At the same time, without it (a data privacy law), people will say, ‘There is no law. What have I done wrong?’”
The punitive measures in the draft law have not been finalised but they will be stringent and tough, the 76-year-old former judge said. “Every law has to have teeth. How heavy it should be, whether there should be proportionality… all that is up to debate (before the panel),” he said.
“Every law is intended for the benefit of our citizens, benefit of the country. Of course, the benefit of the country also requires improvement of business, ease of business in this country. You can’t take it to one extreme or the other.”
Justice Srikrishna, who chaired the committee on the Financial Sector Legislative Reforms Commission (FSLRC) in 2013, said he expected unanimity in the final recommendations of the 10-member panel. “I don’t see a problem unless somebody votes against me,” he said with a laugh, adding there may be dissenting notes. He pointed out there were a few dissenting notes in the FSLRC committee’s recommendations.
Besides Justice Srikrishna, the committee’s members are: IT and telecom secretary Aruna Sundararajan; Ajay Bhushan Pandey, CEO, UIDAI; Ajay Kumar, additional secretary, IT ministry; Rajat Moona, director, IIT Raipur; National Cybersecurity Coordinator Gulshan Rai; R T Krishnan, director, IIM Indore; Arghya Sengupta, director, research, Vidhi Centre for Legal Policy; Rama Vedashree, CEO, Data Security Council of India; and a joint secretary of the IT ministry who serves as the member-convener.
“I don’t hold the government’s brief. Nor am I an activist. I am a judge. I have to be objective,” Justice Srikrishna said.