Understanding the Bill and the involvement of civil society and the media.
For most of this past week, the media has been awash with analyses and opinions on the proposed data protection legislation that was released on July 27. Following weeks of rumours of its imminent release and accompanying leaks, the deliberations of an expert committee constituted under the chairmanship of Justice Srikrishna were finally released as a draft Personal Data Protection Bill and an accompanying report running into more than 200 pages.
The Bill and report both warrant a deeper look, and have been analysed extensively by the media and privacy activists. However, it is also imperative to contextualise these documents through a look at the active role played by the media and civil society in the constantly evolving discourse on privacy in the country.
The gradual recognition of the right to privacy in fundamental rights jurisprudence over the course of the last few decades was called into question with the controversy around the introduction and implementation of Aadhaar, which sought to assign a unique ID to all residents of the country. In the interim, a number of Privacy Bills had been introduced but failed to be passed in Parliament. When the Srikrishna Committee was formed last year to formulate a privacy framework for the country, over 150 academics, lawyers and activists demanded transparency in its functioning, while pointing out the stark lack of civil society representation on the panel.
These apprehensions resulted in two attempts by civil society organisations to create their own model Bills—the Data Protection Bill, 2018 and the Indian Privacy Code, 2018.
The Bill takes the conversation surrounding privacy and data protection a step in the right direction by providing for privacy by design, collection and purpose limitation, data portability, and the formation of an independent Data Protection Authority. However there is much left to be addressed, and both mainstream and alternative media coverage has overwhelmingly pointed out a number of lacunae in its provisions.
Much coverage centres around the failure to acknowledge state surveillance and a lack of government accountability. The expert committee discusses the implications of foreign surveillance, but is silent on domestic state surveillance. This is exemplified in the Bill, which fails to provide adequate safeguards for processing of personal data by the state. The additional requirement that a copy of all data be stored and processed within the country raises further questions about unchecked government access to private data, as well as fears regarding its implications for businesses and the IT sector.
The proposed framework also has serious implications for the DNA Technology (Use and Application) Regulation Bill, 2018, that was slated to be introduced in Parliament this past week despite significant criticism. The lack of protection against processing of sensitive personal data (in this case, genetic information) by the state precipitates fears of potential profiling and surveillance.
Further concerns have been raised about proposed amendments to the Aadhaar Act, 2016 and the Right to Information Act, 2005. Section 8(1)(j) of the RTI Act states that “information which relates to personal information … which has no relation to any public activity or interest” need not be disclosed unless such disclosure is in the “larger public interest”, and forms the basis for many rejections of RTI requests. Amendments suggested by the report propose that disclosure cannot be compelled if it causes harm to the individual, setting higher standards for disclosure and further diluting an already weak legislation. Amendments to the Aadhaar Act propose a new adjudication process, higher civil and criminal penalties for violations, and offline verification—ostensibly in response to criticisms commonly raised against it, but failing to adequately address them. The simultaneous existence of a Data Protection Act and the Aadhaar Act in its present avatar has itself been called into question.
While the Report and the Bill claim to push for transparency, accountability and independence, this fails to be seen in the constitution and functioning of the proposed Data Protection Authority, an aspect that has not yet been analysed in detail in the current media discourse on the issue. The members of the selection committee (which consist of the Chief Justice of India or a Supreme Court Justice approved by the Chief Justice, a cabinet secretary, and an expert from a government list) can only recommend names to the government, which has a final say in who can constitute the Authority.
Further, there is no clear provision mandating that there shall be representatives of civil society in the Authority, leaving space for the appointment of bureaucrats who may technically meet the definition of experts laid down in the requirements. No stipulations have been added to make the process of appointments or proceedings of the Authority public or transparent.
Finally, the Authority is essentially bound to abide by directions by the Centre on issues of policy (as determined by the Centre) if considered necessary for the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order—all of which provide considerable leeway for misuse.
The draft Bill has been submitted to the Ministry of Electronics and Information Technology, but the strong backlash against it raises serious doubts about whether the Bill will be introduced in its present form in the winter session of Parliament. Hopefully, any further changes moving forward will involve greater cognizance of meaningful inputs by civil society.