The Committee of Experts under the Chairmanship of Justice B.N. Srikrishna has released its report entitled "A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians", along with a draft of The Personal Data Protection Bill, 2018. The Committee carried out the challenging task of balancing the legitimate interests of government, industry and consumers in order to achieve a free and fair digital economy, for which it must be complimented.
In several instances, the Committee itself has recognised the importance of ensuring that the potential benefit of a recommendation outweighs the harm it is likely to cause, and the need for cost-benefit analysis to arrive at a decision. This includes its recommendations on local storage and processing of data; big data processing; the right to be forgotten; and exceptions to the right to information. “It is now imperative that recommendations of the Committee be critically examined and potential direct and indirect costs and benefits be identified and analysed to help policymakers in decision making”, noted Pradeep S Mehta, Secretary General, CUTS International.
For instance, the Committee notes that commenters have suggested that mandating storage and processing of data locally may have significant financial implications; however, the real question was whether the actual costs of local processing will be such that they override the benefits of companies having access to the burgeoning consumer database in India. The Committee highlights that no evidence was presented before it which demonstrates the results of this cost-benefit analysis conclusively.
Consequently, the Committee went on to recommend storage of at least one serving copy of personal data on a server or data center located in India. Further, critical personal data is required to be processed in India only. Non-critical personal data is allowed to be transferred outside India subject to certain conditions, including approval of standard contract clauses and intra-group schemes by the Data Protection Authority.
The recommendations take into account the need for law enforcement agencies to obtain timely access to data. However, it appears that the Committee has not considered the uncertainty regarding the regulatory regime for setting up and operating data centers in India. It has also not taken into account infrastructure- and ecosystem-related hindrances which disincentivise setting up data centers locally.
However, the Committee must be lauded for recommending consent as the basis for processing personal data. For consent to be valid, it should be free, informed, specific, clear and capable of being withdrawn. For sensitive personal data, consent will have to be explicit. The Committee has taken a step forward by recommending a product liability regime making data fiduciaries liable for harms caused to data principals.
Despite the noble intentions, the implementability of the Committee’s recommendations is doubtful. It is likely that enforcement claims will find their way to a court of law on whether consent met the desired standards or whether actual harm was caused to the data principal. This is likely to increase the cost of doing business for data fiduciaries and delay access to justice for data principals. Such scenarios could act as a roadblock on the path to a free and fair digital economy.
Limited transparency provisions with respect to disclosure of personal data breaches to data principals; the potential for data portability requests to be disallowed when not technically feasible; the wide scope of non-consensual processing; and the lack of accountability in the mechanism for establishing the Data Protection Authority and Appellate Tribunal are also troubling, and should be revisited based on analysis of costs and benefits.