After initially refusing to disclose the minutes and agenda papers of meetings of Justice B.N. Srikrishna Committee for a data protection framework for India, Ministry of Electronics & Information Technology (MeitY) has now disclosed under the RTI Act, 2005 the minutes and agenda papers of two of its meetings dated 8 September, 2017 and 3 October, 2017. The minutes were revealed on an RTI application filed by Mr. Paras Nath Singh.
The disclosure comes as a welcome change after a group of 24 legal academicians and advocates had recently written to the Committee, demanding inter alia release of information on its proceedings, meeting notes and draft bill, as well as the comments received by it.
A perusal of the minutes of the first meeting shows that Justice B.N. Srikrishna, Chairman of the Committee, has emphasized on the fact that Aadhaar is only a subset of total data protection law. The Committee, he opined, is looking for a broader picture of data protection- a sort of an umbrella law. The Chairman also suggested that smaller working groups be formed to deal with different facets of data protection laws. The Committee has, therefore, formed the following four working groups:
Minutes of the second meeting held on 3 October, 2017 reveal that a draft Data Protection Bill has been circulated by MeiTY. This draft Bill proposes TDSAT and its Adjudicating officer as prosecution and adjudication mechanisms.
Dr. Gulshan Rai, as the 4th Working Group member on enforcement, opined that the present scope and applicability of the Draft Bill is very limited and does not reflect the strategic importance of information and data to our social, political and economic well-being. He further opined that TDSAT, at present, has limited capacity and its Adjudicating Officers have no criminal jurisdiction. He, therefore, said that this provision needed to be revisited and strengthened in the Bill. According to him, the present draft Bill has left out very critical areas; that consent framework and its applicability as well as the exceptions need to be revised; and that coverage for objects, device, sensors or phenomena should be considered.
Prof. Rajat Moona, from the 1st working group, asserted that the consent must be traceable, provable, non-repudiable and must stand the test of law. He proposed introduction of an independent function of "consent management", opining that such mechanism may empower data sharing. The Committee deliberated on "consent management" concept and discussed whether such management may cause additional burden on the organization without proportional outcomes. The Chairman then highlighted the difference between a consent-driven model and a rights-driven model, and opined that the liability should be on the data controller and processor in the whole chain.
Dr. Arghya Sengupta, from the 3rd Working Group, stated that at present consent form for collecting personal information amounts to a “contract of adhesion” as they provide only a “take it or leave it” option. He proposed the concept of "dashboard based consent repository". The dashboard issue was discussed among members and it was argued whether sharing of consent on such a dashboard would itself require consent. It was further argued whether this may lead to breach of privacy by such aggregator dashboard provider. It was then suggested that digital locker itself can be used as a dashboard.
The Committee, in its second meeting, inter-alia recommended that each working group shall provide specific comments/amendments on clauses of the draft Data Protection Bill circulated by MeitY. They also need to suggest changes that may be required, if any, to other allied legislation such as the Aadhaar Act, 2016 or the Information Technology Act, 2000.