Draft bill more an uneasy compromise than a clear commitment
Over the past few months, the data protection and privacy debate has reached fever pitch. An important realisation from the debate has been the need for a law to protect consumers as their lives become not only increasingly connected but controlled by digital systems. On Friday, a committee headed by former Supreme Court judge BN Srikrishna submitted its recommendations and a draft law titled the Personal Data Protection Bill, 2018. These are two separate outcome documents submitted to the ministry of electronics and information technology that will steward a legislative and define the legal boundaries of the use of personal data. It is important to remember that it will require a further review and parliamentary debate. These recommendations and the Data Protection Bill appear to be the products of an uneasy compromise rather than a clear commitment to protection of individual rights.
Five areas that deserve immediate public debate arise and indicate a need to improve these recommendations, starting with the scope of the data protection. Any attempt to provide protections is an acknowledgement of an imbalance of power that exists between people and those who hold their data. These can be large platforms such as Google and Facebook, or even the government. In recognition of these principles, the Data Protection Bill seeks to provide safeguards and remedies to users. Many of these are well-meaning; however, they fail their promise due to the phrasing of exceptions that undermine the objective of the proposed law. For instance, there is a special exemption granted under Section 13 that would exclude any data gathering activity that is carved out by an Act of Parliament on the grounds of necessity. Many other such instances exist in the draft text.
The second concern arises with respect to Aadhaar, the 12-digit biometric ID whose pervasive use has given rise to several privacy concerns. While the Supreme Court is seized with the constitutionality of the Aadhaar project, the legislative route on the Aadhaar Act, 2016 always remains open. It is disappointing that while the recommendations of the committee separately indicate the need for wide-ranging amendments to the Aadhaar Act, 2016 which need to be further improved, the actual text of the Data Protection Bill merely places minimal protections for, “Aadhaar numbers” and not the wider class of data gathered under the Aadhaar ecosystem. Wide carve-outs from the requirement of consent are facilitated by Sections 19 and 20. This is again another recurrent pattern in the text of the Bill, which provides a protection only for it to be taken away by a wide exception.
The third concern arises from the treatment meted out to the Right To Information (RTI) Act. While the Right to Information and the Right to Privacy are someffort etimes seen as opposing interests, they are ultimately complementary. Both of them bring greater accountability to institutions and entities and return power to individuals. The RTI Act has pre-existing protections in which the disclosure of information may be refused to safeguard privacy; however this has been subjected to the superimposing condition of determining public interest. This is a sound legal principle which recognises that the concept of privacy cannot be abused to undermine the right to information. However, these considerations are negated by the text of the Bill, which in a separate schedule suggests an amendment that would undermine existing language and the institutional framework of the RTI Act.
The fourth will be the issue of surveillance reform. While the recommendations do contain progressive language, legal expression is lacking within the text of the draft bill. It is in many ways a deferral of an urgent legal reform that is intrinsic to any meaningful data protection standard which would require a well fleshed-out process not only for surveillance and interception, but legal consequences when these requirements are not followed.
The fifth and the final area is the requirement for mandatory data storage of personal data and the export embargo on sensitive personal data. Taken together, both these provisions are not only at variance with several international data protection laws, but also the global character of the Internet. Such a requirement would be a regulatory hammer blow to the use of innovative products and services by the wide majority of Indians and could also lead to increased and ease of intersection (given its absence in the existing draft law) and even censorship.
Such criticism is illustrative and indicates the need for wide public comment ,as noted by IT minister Ravi Shankar Prasad in a press conference on Friday. It is hoped that a transparent, open process enables wide participation and helps Parliament secure the personal data of individuals. The existing recommendations and the Bill’s text hint at an uneasy patchwork which produces a messy legal quilt. Quite often, it appears to be a product of different stakeholder concerns such as those of private industry, particularly local IT firms and government bodies. However, the ultimate job of any data protection law is not to compromise on the rights of individuals, but to protect them.
THERE’S NEED FOR A LAW TO PROTECT CONSUMERS AS THEIR LIVES ARE CONNECTED AND CONTROLLED BY DIGITAL SYSTEMS
(Apar Gupta, is a lawyer and a volunteer with a civil society effort called Saveourprivacy.in)