By: Digvijay Chaudhary
Knowledge is power. History tells us how spies were major contributors to the dismantling of nations. Information was sought about the workings of the other nation; army warfare evolved, and information came to be prized. Liberty and fraternity gained ground and the purpose of information changed: from being used against other nations, it was now used for influence in one’s own nation. It was used first to curb anti-nation sentiments, and then it gradually spread its wings within the nation too. When anything is objectified, its purpose and aim are forgotten; only the ways to achieve it are left. This is what happened with power: knowledge gave governments the power to influence the people of their own country and ‘guide’ them to an aim synonymous with the “state party’s” aim. This was essential as it worked as a two-forked strategy. First, it was justified on grounds of national security: during war, spies were not uncommon and had to be caught because national security was at stake, so information within the nation and about its people became important. Second, if a lie is spoken by a thousand men, it will be believed as the truth, and this became the foundation of paid media. All this was entangled with the choice of the people/consumer. Choice, as it was found, is so essential that if it could be known and statistically organised, it could reveal the whole identity of the person; one could offer people what they liked to hear or buy.
In the age of computers, this information was held in software and hence data became important, and with the free will with which people put their data on the net, the risks only increased. This information was now aligned and statistically organised. People became aware and wanted restrictions to be imposed; privacy evolved as a right and has become the ‘liberty and fraternity’ of the 21st century. In India, however, as is usual with us, privacy came late as a right but existed as a concept. If anything, Aadhaar will be remembered for granting us privacy and our data protection. Data protection is now the need of the hour, and at this point we were presented with the Data Protection Bill, 2018 by the Srikrishna Committee.
The bill was greatly anticipated and everyone had their eyes on the Srikrishna Committee because its work and functioning were under wraps and unknown to people. The committee presented us with a report and a bill. The report is the guide to the bill, or so the committee says, but it doesn’t seem so. The bill has been rightly criticised and defended. Let us look into what the first Data Protection Bill of India has to offer.
There are three things that are desired of the government when it protects data, as it has been rightly said that there are three parts to the triangle:
“The citizen’s rights have to be protected, the responsibilities of the states have to be defined but the data protection cannot be at the cost of trade and industry.”
The Srikrishna Committee draws inspiration from the European Union while completely ignoring the recommendations issued in 2012 by the Justice AP Shah chaired expert committee on privacy to the erstwhile Planning Commission, the 2010 approach paper on a privacy law for India published by the Department of Personnel and Training or the draft Privacy Bill developed by them inter-departmentally across 2011-15 for the Union Government and the recommendations issued by TRAI on privacy, security, and ownership of data in the telecom sector. The committee has also been involved in controversy right from its inception.
It is desired that an individual should have control over his/her data, and it is generally believed that data control is synonymous with data ownership. However, the bill makes the state, rather than the citizens, the owner of their data. The state, as it has been explained, is a fiduciary. Here, the author has explained why the committee rejected the individual’s ownership of data in favour of state ownership of data. He reasons that individual ownership of data is philosophically flawed, legally counter-productive and practically unimplementable. Allowing the individual to be the owner of the data would detract from the aim of vesting control of data with the individual. He explains that individual ownership of data would make the data a property right which could be sold, and then an individual would lose all rights over it absolutely. However, if the same control is given to the state, the state would be a fiduciary to the individual, which would bind the state to use any information it receives for a public function and mandate it to follow privacy principles. This fiduciary relationship, he considers, is the messiah of individual rights.
This sounds reasonable, as it vests control of the data in the individual by binding the state not to use data for any purpose other than the one required. This assumes the state to be an all-protective and all-caring entity, even in the aftermath of the Aadhaar project.
The report emphasises the importance of consent while processing personal data. The bill does lay down the principle of consent while processing sensitive personal data (such as passwords, financial data, sexual orientation, biometric data, religion or caste) under Section 14(2) by stating that “sensitive” personal data should not be processed unless someone gives explicit consent – which factors in the purpose of processing. In contrast to this, Sections 42 and 43 give the state the power to process data for “any function of Parliament or any State legislature”, “the provision of any service or benefit to the data principal from the State”, or “the issuance of any certification, license or permit for any action or activity of the data principal by the State”.
Similarly, it may be processed where “explicitly mandated under any law made by Parliament or any State legislature.” While processing data for such functions, consent is not deemed to be necessary. The use of such loose-ended sentences creates arbitrariness and confers on the state unlimited power to share data for any function of the state. There are no guidelines, no transparency requirements and no rights-based norms to guide the structure of laws that contain these explicit legal mandates. Such provisions are worrying, and the committee’s bill is a letdown in this regard because this was one of the problems raised with the Aadhaar Act and its highly controversial Section 57.
The bill fails to deal with the issue of surveillance, and without tackling the issue of surveillance a data protection law will remain incomplete and ineffective. The Bill uses the term “surveillance” only once, while defining the term “harm” in section 3(21)(x) as “any observation or surveillance that is not reasonably expected by the data principal”, which in itself seems to indicate that certain kinds of surveillance are to be “reasonably expected” from the State and private actors. Add to this the data localisation requirement: all data fiduciaries are required to store at least one copy of personal data on a server or data centre located in India. This might seem good because storing data within a country’s boundaries prevents it from being spied upon by foreign nations. However, the mandate is just for a copy of the data. This leads us to a more logical inference: the government usually has to tackle Silicon Valley giants over providing data on individuals. But now, when a copy of the data is stored within India, this tackling can be done away with. Couple this with the lack of a surveillance provision; we all know where the line is leading us.
The draft bill says that if there has been a breach of someone’s personal data, the data processor or data fiduciary concerned has to inform the Data Protection Authority. Unfortunately, whether or not the person whose data has been breached will be informed is left up to the Authority’s discretion – which means you may never be informed if your data has been leaked or stolen.
The bill requires the creation of an overseeing authority (like TRAI) for data protection, which it terms the Data Protection Authority (hereinafter ‘DPA’). This had been sorely lacking in the Indian ecosystem and is a welcome move. It will have the power to issue directions, call for information, launch inquiries, levy penalties and in extreme cases even “temporarily suspend” or discontinue the business activity of a data fiduciary or data processor.
What is concerning here is that the DPA could function under, or be captured by, the government. The bill calls for a separate appellate tribunal to hear the appeals made against DPA orders, and this appellate tribunal process will be decided completely by the government. Further, Section 98(1) allows the Central Government to issue “such directions” to the DPA, “as it may think necessary in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order”. Such directions on questions of policy then bind the DPA.
Further, there is no right to erasure of data with an individual, no accountability of intelligence agencies, and only a summary of personal data is to be provided when one accesses his/her own data. Even the liability arising when one removes his/her consent is to be borne by the data individual. The amendment the bill proposes to the RTI Act is another debate and a major concern, as through it the government can deny RTI requests.
The next loophole in the bill is its inefficiency in dealing with Aadhaar. The bill tries to cover up the issue of consent in Aadhaar. Section 13, as stated above, states that personal data may be processed for the provision of any service or benefits. Section 19, further, states that sensitive personal data may be processed for certain functions of the state. There is also silence on the treatment of metadata on Aadhaar transactions. The draft bill doesn’t take any specific steps to address all the leaks and theft of Aadhaar data that have already taken place; there is no retrospective application of the bill.
The bill, though refreshing, has failed to address key issues surrounding data protection and would need reforms before it is presented in the lower house. As Mr. Gautam Bhatia rightly points out, the requirements of necessity and proportionality should be at the foundation of a data protection law, both to curtail the power of the State and to regulate private parties’ use of data.
(Digvijay is currently a student at Dr. Ram Manohar Lohiya National Law University, Lucknow.)