Bellur Narayanaswamy Srikrishna, retired judge of the Supreme Court, who led the inquiry into the Mumbai riots in 1992 and headed the committee for a separate Telangana, is now deep into issues related to data protection.

The committee he chaired has offered several recommendations on data protection which will regulate the way MNC tech giants will operate in India. This is crucial for a country with 850 million phone connections, 300 million smartphones and where much of the data generated go through machines developed or owned by foreign companies or social networks. Since his committee’s recommendations have been opened up for discussions, concerns have emerged that the report misinterprets the Supreme Court’s right to privacy judgment and even gives widespread power to government over citizens’ rights. In an email interview to BusinessLine , Justice Srikrishna explains his approach of taking the “middle path” which will neither be the American free-for-all approach nor the stringent European GDPR way. Excerpts:

India seems to be at a point when businesses are saying that too much oversight would hinder innovation. At the same time, privacy rights need to be enforced strictly. How do you balance this dichotomy?

When two or more fundamental rights collide, there is bound to be some tension. However, as between the rights of trade or business and those of the citizen, the latter must always prevail; it is for the sake of the citizen that an industry or a business exists, and not vice versa. Nonetheless, the report and the draft Bill contain a provision that the government may alter the settings as required eventually.

With any new legislation there are concerns as to how it will affect any section of society, but as people get used to working the legislation, such fears would subside. The bottom line is, no business or industry can ever be totally free of all monitoring. We, in India at least, have not reached that state of maturity.

At a broad level, the internet is undergoing changes and some industry watchers saying that every data fiduciary should store one live, serving copy of personal data in India goes against the basic philosophy of the internet. Your comments.

Yes, like all philosophy, that is the ideal situation. At the ideal level there should not be any barriers at all for trade and business. While we should make efforts to reach that ideal, we have to be alive to the ground realities too.

Data localisation is starting to be common nowadays. Some observers are saying that the personal data protection Bill will place restrictions on transfer of personal data outside of India. Can data be shared with third parties?

Some data can be transferred across the border keeping a live copy in India. Some critical data cannot be and has to be stored in India. The government has the authority to relax the conditions of local storage depending on the criticality of the data and the situation.

The committee has classified passwords and financial data as sensitive personal data. In most countries this is not so. What was the thinking behind this classification?

Recent incidents in the country led us to believe that at this point of time it is preferable to do so.

Why were the observations and recommendations regarding the Aadhaar Act kept outside the scope of the committee’s work?

For the simple reason that the Supreme Court is still sensitive of the matter and it would amount to contempt of court to express any views about the pending matter. Again, all observations would be subject to the Aadhar Act’s constitutional validity being upheld. Why make hypothetical observations without knowing that for sure.

Some reservations have been expressed on granting excessive powers to the Centre, especially under Section 98. Your views.

Such powers are there in practically every modern State. The observations are the result of lack of proper understanding of the draft Bill and the report, and not studying the issue in deeper perspective.

There is a view that civil penalties or fines are insufficient to act as a deterrent against data breaches. Your comments.

True, nothing can really be a deterrent to a person who wants to commit a wrong whatever be the consequences. Therefore, shall we abolish the Indian Penal Code (IPC) itself? Why did not these “sections” give us input on what else could be done?

Education-technology ventures are saying that the Committee should have drafted its own guidelines for the privacy protection of children (minors) using the internet, than reinforcing the Indian Contract Act which was drafted even before the internet came into existence...

The focus should be on guarding the children against targeted advertisements. Hence the recommendation that there be a special category of Data Fiduciaries called Guardian Data Fiduciaries who would monitor to ensure that there is no adverse effect on children, at the same time making sure that their access to internet and the knowledge contained therein is not unduly blocked.

The age of minority in India still 18 years and below which a contact by a minor would be void. Changing the age of minority was not our remit. As and when there is such a change, the legislation can be amended.

Related Topics
comment COMMENT NOW