## Thursday, February 22, 2018

### Towards a data protection framework for India

by Vrinda Bhandari, Amba Kak, Smriti Parsheera, Faiza Rahman and Renuka Sane.

### Introduction

The Supreme Court's seminal judgment in the Puttaswamy case recognised privacy to be a fundamental right, rooted in individual autonomy and dignity. It also laid down the normative grounding for a data protection law in India. The Justice Srikrishna Committee constituted by the Government is now faced with the formidable task of drafting a blueprint for India's first comprehensive, cross-sectoral data protection law. The Committee released a White Paper in November, 2017, which covered impressive ground in terms of mapping of key issues and the international landscape on data protection. The Committee also presented its provisional views spanning across issues of jurisdiction, to specific rights of individuals vis-a-vis data controllers, and the enforcement mechanism to make these rights justiciable.

In this post, we discuss some of our key recommendations in response to the Committee's White Paper. We focus here on the following three issues.

• A principles-based primary law: The cross-sectoral nature of the proposed data protection law necessarily merits a principles-based approach for identifying the rights and protections that are suitable for the needs of a range of different stakeholders. The focus of the primary law should therefore be on identifying appropriate principles of data protection, the key areas where specific regulations need to be framed and the bounds within which those powers should be exercised.
• Regulatory structure and governance: The usefulness of the data protection law will depend largely on its effective implementation. This requires the creation of an appropriate regulatory structure with well-defined legal processes. In terms of design, we propose the creation of two new agencies -- a cross-sectoral data protection authority to discharge regulatory and supervisory functions and a redress agency to adjudicate individual complaints under the data protection law.
• Data protection obligations of state agencies: The state is uniquely positioned to access personal data from a variety of sources and use it in ways that can radically alter the relationship between the citizen and the state. Any exceptions and exclusions from the data protection law, including on legitimate grounds such as national security, must therefore be crafted carefully and with appropriate procedural safeguards.

### A principles-based primary law

The scope of the data protection law must extend to all sectors and all entities that collect and process user data, whether in the public or private sector. That said, a one-size-fits-all model also seems ill suited, given the variations in the nature and uses of different types of data in the hands of different categories of data controllers and the potential harms that could result from it. To balance these requirements, we recommend that the primary law must be drafted in a principles-based manner while the nuances of specific data protection requirements applicable in each context can be built more gradually. This can be achieved through context-specific and sector-specific subordinate legislations.

This "principles-based" approach needs to be distinguished from a "rules-based" one, which would typically contain prescriptive details about the specific requirements required to be followed by different persons. To take a simple example, a principles-based approach towards disclosures may state that an entity "should make appropriate disclosures that enable a person to make informed decisions". On the other hand, a rules-based approach may set out not only the exact text of the disclosures, but also their periodicity, font and design. We use the example of "consent" requirement to explain this idea in the context of a data protection law.

The principle of collection limitation demands that there must be a legal basis for the collection of information, and we think consent should be a primary ground for data collection. The idea of consent, or the collection and use of an individual's personal data with their approval, flows from the principle of personal autonomy and is a core element of the right to privacy. However, it is also well recognised that the consent model suffers from many challenges, including problems of consent fatigue, information asymmetry and bounded rationality of users. Yet, we argue that instead of using these reasons as grounds for abandoning consent as a basis of data collection, the law should mandate data controllers to find means to overcome these hurdles. Accordingly, the consent principle could state that "the collection of personal data is subject to the consent of the individual and such consent must be obtained in an informed and meaningful manner". It would then be upon the data controllers to develop and adopt appropriate standards that can overcome the hurdles generally associated with the consent model and for the Data Protection Authority to supplement such efforts through its regulations. Thus, if data controllers were to rely on consent to legitimise their data collection activity, they would have to demonstrate fulfilment of this principle.

Such a principle would logically translate into a requirement of clear and simple notice, which could have different meanings in different contexts. It would also mean that certain types of conduct, for instance consent taken through coercion or in a "take it or leave it" manner, is likely to be seen as a violation of the above principle. Most importantly, having such a principle would nudge data controllers towards the use of privacy enhancing technologies, such as consent dashboards and privacy chatbots like PriBot. It would also compel them to evolve practices that take into account the literacy and language contexts of India.

Apart from consent, however, there should also be scope for other grounds to legitimise data collection. As noted by the Committee, grounds such as compliance with legal requirements and legitimate purposes of data controllers, may also be included. Here too, the law should contain appropriate principles to prevent the misuse of the legitimate purpose criteria, for instance by requiring that there should be a direct nexus between the data being collected and purpose sought to be achieved through it.

### Regulatory structure and governance

While considering various regulatory and enforcement models, the Committee posits a 'co-regulatory approach' as an ideal middle ground between self-regulation and a 'command and control' regime. This is described as a system where the government and industry share the responsibility of drafting and enforcing regulatory standards -- the industry frames code of conducts, which are then approved by the government. We submit that rather than treating the industry as a separate site for framing of standards, an element of `co-regulation' should be built into the statutory framework itself -- in the form of an open and participative regulation-making process. Collaborative regulation making has particular value in an evolving and technical field like data protection, which is also driven by strong economic interests.

For the alternative of government endorsing industry codes to be meaningful, and not simply self-serving to the regulated entities, the regulator would eventually have a similarly high burden of supervision and monitoring. We therefore suggest that embedding collaboration in the process of rule-making, rather than effectively conceding that process to regulated entities, is a better approach. Within this framework, each data controller would of course have some flexibility in adhering to the principles laid down under the law or regulations, while remaining liable for penalties and redress for inadequate compliance.

In terms of regulatory design, we propose the establishment of two new statutory agencies:

1. A Data Protection Authority (DPA) that will function as a cross-sectoral data protection regulator. It will be responsible for drafting regulations, assessing compliance by regulated entities and initiating enforcement actions against them.
2. A Data Protection Redress Authority (DPRA) that will be responsible for adjudicating individual complaints and affording appropriate remedies to individuals.

This draws from a similar recommendation made by the Financial Sector Legislative Reforms Commission (FSLRC) in terms of separating regulatory and redress functions in the context of the financial sector. A key objective behind this design is to allow the DPA and the redress agency to focus exclusively on their core functions. This becomes particularly important in light of the principles-based nature of the proposed law. Given the large number of data collectors in the system and the individuals interacting with them, it would be unrealistic to expect the DPA to effectively discharge its regulatory and supervisory functions while also taking up the responsibility of addressing individual complaints. Staffing and financial constrains will inevitably cause one of the functions to suffer.

Another ground for the proposed separation stems from the need to avoid potential conflicts of interest. A large number of complaints on a particular issue would imply that data controllers are not acting in compliance with the legal principles, but it may also imply a failure on the part of the DPA to take appropriate regulatory or supervisory actions to curb such malpractices. It is therefore important that the resolution of any complaints should take place independent of the other core functions of the regulator. There should however be a strong feedback loop between the redress agency and the DPA for transmission of information about the kinds of complaints being received, the entities to which they relate and the underlying causes. This will enable the DPA to address such issues through appropriate amendments to its regulations or by initiating enforcement actions.

Our response to the White Paper also contains a number of other recommendations about the design and functioning of the proposed agencies, many of which draw from the recommendations of FSLRC and the draft Indian Financial Code. This includes suggestions relating to the need for a sound selection process for members of the DPA, separation of powers within the DPA; emphasis on a transparent regulation-making processes (taking into account the expected costs and benefits of proposed measures); and the need for an independent appellate mechanism.

Finally, the law must also facilitate ways to maximise synergies between the DPA and existing sectoral regulators. This interaction becomes especially important in the short run given that it may take some time for the DPA to build capacity and an accompanying body of regulations for different categories of stakeholders. Sectoral regulators could therefore take the lead in framing appropriate standards for their regulated entities, in accordance with the principles under data protection law and in consultation with the DPA. To facilitate such interactions, we recommend that the law should mandate the creation of cooperation mechanisms between the agencies. This may include consultation on framing of regulations applicable to entities in a particular sector; making a reference to the other agency while initiating supervisory actions against a regulated entity and requirement to enter into an MoU to mutually agree on the exact procedures for this coordination.

### Data protection obligations of state agencies

While the daily interactions between users and commercial platforms such as Facebook and Google undeniably lead to many important concerns, the interactions between personal data and the state must be viewed with even greater care. This is due to the distinct nature and magnitude of state power. The state is uniquely positioned to access the data collected both by itself and other private sources, and use it ways that can radically alter the relationship between the citizen and the state. Data can then easily become a tool for surveillance, intimidation, coercion, and harassment, and the data protection law should be cognizant of such concerns.

The chapter on exemptions in the White Paper focuses on the types of activities that may be exempted from data protection principles, including a section on national security. However, it does not highlight the manner in which the exemption would translate into practice, and merely relies on the Puttaswamy decision's indication of national security as a legitimate aim.

While the status of national security as a legitimate aim remains fairly uncontested, we propose that the requirements of necessity and proportionality laid down by the Supreme Court in Puttaswamy need to be embedded in the law while creating such exemptions. The provisions on surveillance and national security also need to take into account development of technology that enables low-cost, mass surveillance, reducing the need to rely on physical and human resources (as noted by Sotomayor J. in United States v Jones). The mechanisms to be considered in this context may include judicial review or parliamentary oversight; other forms of systematic review of executive actions; defined time limits; and clear provisions for appeal. We realise that such principles would also have to be included in allied laws such as the Aadhaar Act and the Indian Telegraph Act.

The regular processing of data by state agencies also raises interesting questions about the appropriate liability and enforcement regime for any breach of the law. We submit that the penalties and compensation requirements under the data protection law should apply equally to public and private entities. However, certain distinguishing factors (such as the source and extent of finances) must be taken into account by the implementing authorities. For instance, the law in the United Kingdom gives the Data Commissioner the ability to impose a civil monetary penalty of up to 500,000 GBP on a data controller, whether a private or public body. The exact amount of penalty is, however, determined by a number of factors, including the impact on the entity being penalised and their ability to pay.

### Way forward

The White Paper is the beginning of an important conversation around data protection in the context of state and non-state actors in India. However, in its attempt to cover such a comprehensive topic, the White Paper does not fully explain its provisional views on some of the important and complex issues being addressed by it. One is further limited by the lack of a draft Bill, in which the nuances of these issues will be fully understood.

To facilitate an informed debate, the Justice Srikrishna Committee has already taken an important first step in terms of organising consultations in major cities. It is now imperative that the Committee publish the responses received, so as to take the conversation forward. Even more importantly, the Committee must hold similar, multiple rounds of consultation after it releases a second White Paper with its final views, along with a copy of a draft data protection law for India. It is only when such a draft would be open to the public for comments and consultation, that we will be able to achieve a truly holistic and comprehensive data protection law.

Vrinda Bhandari is a practicing advocate in Delhi. Amba Kak is a Mozilla Technology Policy Fellow. Smriti Parsheera, Renuka Sane and Faiza Rahman are researchers at the National Institute of Public Finance & Policy.

#### 1 comment:

1. Good to see that the national discourse has graduated from the perils of having a centralized UID to that of data protection and how to manage and neutralize the data repositories that a UID system can generate. One can now see the movement towards preempting the possibility of any meaningful data collection and use by state or private players. The idea of consent for example, can be abused by elites and scheming minds to skip over data sharing with the regulator or private players while the less educated and naive tend to give into. This can clearly create moral hazard issues and from the point of data consumption side can lead to incomplete datasets.

In countries like the US and UK, the idea for consent is mostly applied to prevent unsolicited marketing and to opt-out of certain marketing promotions. Also, while the govt and private players collect and create a number of data points about their customers or from third parties, the mandated data use limitations in most cases mean that - for example, the FICO credit scoring models cannot use age, gender, race, education or zip codes to score risk even when they are highly predictive. However, it doesn’t mean these attributes cannot be collected or utilized in marketing models or in fraud models.

In contrast, in India, we are seeing a civil society discourse that exclusively focuses on data collection and prevention of uninformed data use. The idea is to create a mechanism for well-informed citizens to opt-in or out of data collection measures based on individual risk appetite or sensibilities. Most of the time, this thought process stems from the cynical belief that state is incapable of managing data risk once the data is generated and fed into the cloud even if it means precluding legitimate data use. Further, by inserting menacing and uncluttered language on consequences of data protection violations, the laws are expected to discourage non-compliance.

Instead of tailoring its data privacy laws to the sensibilities and needs of Indian liberals and elites, India should take advantage of existing laws and mechanisms from matured democracies like the US and UK that have over the years have evolved to maximize the overarching public benefit by making good use of the data and opening up the possibilities for innovative data intelligence applications both by the state and markets.

Please note: Comments are moderated. Only civilised conversation is permitted on this blog. Criticism is perfectly okay; uncivilised language is not. We delete any comment which is spam, has personal attacks against anyone, or uses foul language. We delete any comment which does not contribute to the intellectual discussion about the blog article in question.

LaTeX mathematics works. This means that if you want to say $10 you have to say \$10.