The Srikrishna Committee White Paper on Data Protection
The purpose of data protection is to protect people. The principles of data protection have to ensure justice, dignity, equality and liberty of the people, whose engaging in common purposes results in the data that is required for the functioning of their systems
In end analysis data is not protected for itself. It is not protected so that data analysts may become entrepreneurs or build a digital economy off the data of the affairs of others. It is protected because it furthers the affairs of the people whose affairs generated it; it is protected to ensure their affairs are just, free of inequality, free of indignity and do not destroy their liberty.
The purpose of Data Protection, then, is to protect people — the participants or parties in a system, not the protection of those who build industry by collecting the data of systems in which they have no role. In a market system comprising of a buyer and a seller, for example, only that data that will help them conduct their relationship and ensure its just, dignified, equal and free nature is meaningful and fair. Similarly in a banking system comprising of borrowers and lenders. Or a democratic system comprising of the representative and the represented. Or a justice system comprising of the aggrieved, the aggressor and the arbitrator.
The most important reason for your participation in any system is the common purpose of the system. There is nothing more important to those in the system than empowering their common purposes. Not the data, not the participation of unrelated third parties, not the growth of digital. Unless any of this protects and furthers the symbiotic relationship they have with their co-participants in the system.
Parties who are not part of the system have little to do with transactions in the system. If any party engages a third party to participate in the system, a fair system would require that their participation not hurt the other parties or the common purpose for which the other parties came together to be part of the system. Every time parties transact in any system they participate in, they generate data. The data that results from transactions usually drives further transactions. Without such data some transactions may be difficult. The inability to undertake transaction, to further the common purpose, without such data decides the need to know.
A data protection regime has to cover the generation, use and updation of data to ensure justice, dignity, equality and liberty of those who engage in common purposes in their system
Each transaction that furthers the participants’ purposes is meaningful to the participants. Each transaction that does not, is usually unjust, un-dignifying, unequal or one that constrains the liberty of at least one participant. Failing to recognize this purpose of data protection would yield a data protection regime that is parasitic, destroys the many systems that make up our world and usher an era of injustice, inequality, coercion and indignity.
The principles of data protection, then, have to be based on the objective to ensure justice, dignity, equality and liberty of those whose engaging in common purposes results in the data that is required for the functioning of their systems.
A framework for data protection will necessarily have to cover the entire data lifecycle within the system it resides.
During a transaction data is created. The transacting party generating the data has to certify the data if it has to be useful at a later date. It has to have a means to allow the data to be authenticated by an arbitrator at a later date, if there is a dispute that needs to be settled or another system requires auditing the data. It has to have a means to restrict and track access of the data by third parties so that the system may not be compromised. It may have a means to update the data and provide historical values. It may have a means to audit that the data was indeed generated, certified, authenticated, restricted and updated as claimed. Thus a data protection regime has to cover the generation, use and updation of data to ensure justice, dignity, equality and liberty of those who engage in common purposes in their system.
Data Protection in India
Participants of systems in India often forget symbiosis and common purposes of the systems they participate in. We recognize our systems as corrupt when they turn parasitic. The high perception of corruption in India is testimony to our failure to respect common purposes and symbiotic relationships. The data generated in these systems finds rampant abuse by either participants of the system itself or third parties.
Data abuse in India starts with the generation of fraudulent data. Fraudulent data may be fake data from a system or data generated by third parties to force entry into systems where they have no role or common purpose.
A fake certificate, a fake invoice, fraudulent lorry receipts, or even a fake notice, are common. Very few systems provide certification of genuine data. While the Passport and Drivers license may be certified data resulting from transactions, the Aadhaar, for example, is uncertified data. Most data has no provisions for authentication. The development plan of a city uploaded on a website cannot usually confirm its authenticity. Nor can the government notifications based on non-existent powers in an Act. The accessibility and use of data by third parties is rarely regulated in India. While the data of budget spend of the government may be inaccessible, the Aadhaar of any person may be used by anyone without ability to restrict, track or end its usage by third parties. Most data in India is not easy to update by legitimate parties and extremely easy to update by illegitimate parties. Land records are a classic example. As is the Aadhaar. Data audits to certify that the processes of data generation, certification, authentication, access, and updating work are rare.
The UIDAI, GSTN, the NPCI, for example, are similar third parties that play roles in data of systems in which they do not have any common purpose with the participants of the system
Aadhaar is a shining example of data generated by third parties. Niether the UIDAI nor its “ecosystem” have any role in the affairs of the people who have come together in different systems to further their common purposes — from enabling borrowing and lending money, enabling ability to connect and communicate with others, ensuring ability to travel abroad to ensuring food security. It has no understanding of the common purposes nor does it protect or further the common purposes. This overreach destroys the symbiosis between the borrower and lender, the mobile user and service provider, the passport issuer and traveller, the hungry and the food provider.
There is no shortage of examples of third parties destroying our telecom, travel and banking systems by interfering in the data of these systems where they have no role. The GSTN, the NPCI, for example, are similar third parties that play roles in data of systems in which they have no role to play.
The Srikrishna Committee
The Government of India constituted a Committee under the Chairmanship of former Supreme Court Justice Shri B N Srikrishna to study various issues relating to data protection in India and make specific suggestions on principles to be considered for data protection in India and suggest a draft Data Protection Bill.
The Committee released a White Paper on 27th November 2017 to solicit public comments by 31st December 2017. In its forward the Committee states two objectives:
a) Ensure growth of the digital economy while keeping personal data of citizens secure and protected.
b) Instrumentally, a firm legal framework for data protection is the foundation on which data- driven innovation and entrepreneurship can flourish in India.
Perhaps because the Committee has excluded the people of India, who come together for common purposes in various systems, in favor of those who are third parties with interests in digital, it has failed to understand the role of data in civil society and systems we participate in. Sadly it has also forgotten that the Preamble of the Constitution of India is not to establish a digital colonization of India but is rather a promise to justice, equality, liberty and fraternity.
The Committee has failed to recognize the need to protect people and the common purposes of the systems they participate in. They have failed to underline the objective of data protection to ensure justice, dignity, equality and liberty of those whose engaging in common purposes results in the data that is required for the functioning of their systems.
Sadly the Committee has forgotten that the Preamble of the Constitution of India is not to establish a digital colonization of India but is rather a promise to justice, equality, liberty and fraternity
The Committee does not outline various issues relating to data protection in India. It lists 7 principles to be considered for drafting a data protection law but does not explain the basis to arrive at the principles. Its principles include: technology agnosticism, the law must apply to both private sector entities and government, informed consent, data minimization, accountability of a data controller, enforcement of the data protection framework by a high-powered statutory authority, and deterrent penalties.
Clearly these principles have little to do with understanding the role and life cycle of data in enabling and protecting justice, equality, dignity and liberty in the systems where the data needs to be protected.
These principles have little recognition that data protection has nothing to do with the medium of data — digital or non-digital. They have no recognition that data protection is not about privacy. They fail to note that it invoves the generation (creation; certification), use (authentication; access restriction) and updation (modification; audit of generation, use and modification processes) of the data throughout its life cycle.
Data protection is not about privacy. Data protection includes the generation, use and updation of data to ensure it allows those in a system to further their common purposes
The way forward
It will be better to have no data protection law than to have one that drives the interest of third parties building digital economies to profit themselves at the cost of the people and systems whose data they profit from. The current framework proposed by the Committee protects the interests of the digital data brokers and provides them ways to digitally colonise India.
Such a law will be the failure of the government to protect our common purpose to form a government: to protect the common purposes of the systems we participate in from private interests within our systems or of third parties intending to profit from our transactions.
A government serious about data protection will ensure that a data protection regime will cover the creation, use and updating of data to ensure justice, dignity, equality and liberty of those who engage in common purposes in their system and keep third parties away from corrupting or destroying these systems as, for example.
A version of this was originally published at tech.economictimes.indiatimes.com.