Draft of Data Protection Bill more an uneasy compromise than a clear commitment

The Justice Srikrishna Report on Data Protection compromises on individual rights for 5 clear reasons

Over the past few months, the data protection and privacy debate have reached a fever pitch. An important realisation from them has been the requirement of a law that is passed by parliament to protect users as our lives become not only connected by controlled by digital systems. When yesterday the Justice Srikrishna Committee gave its recommendations and a draft law titled as the Personal Data Protection Bill, 2018 (Data Protection Bill). These are two separate outcome documents submitted to the Ministry of Electronics and IT that will steward a legislative effort and define the legal boundaries of the use of our personal data. It is important to remember that it will require further review and parliamentary debate. These recommendations and Data Protection Bill appear the product of an uneasy compromise rather than a clear commitment to protect individual rights.

Five main areas which immediately deserve public debate arise and indicate a need to improve these recommendations starting out with the scope of the protections. Any attempt to provide protections is an acknowledgement of an imbalance of power that exists between people and those who hold their data. These can be larger platforms such as google and facebook, or even the Government. In recognition of these principles, the Data Protection Bill seeks to provide safeguards and remedies to users in India. Many of these are well-meaning, however, they fail their promise due to the phrasing of exceptions which undermine the objective of this act. For instance, there is a special exemption granted under Section 13 which would exclude any data gathering activity which is carved out by an act of parliament on the grounds of necessity. This is a single instance, and there are many others which exist throughout the draft text.

The second concern arises with respect to Aadhaar, the denial, exclusions and its wide pervasive use that has given rise to several privacy concerns. While the Supreme Court is seized with the constitutionality of the Aadhaar project, the legislative route on the Aadhaar Act, 2016 always remains open. It is disappointing that while the recommendations of the committee separately indicate the need for wide amendments to the Aadhaar Act, 2016 which need to be further improved, the actual text of the Data Protection Bill merely places minimal protections for, “Aadhaar numbers” and not the wider class of data which is gathered under the Aadhaar ecosystem. Further wide carve-outs from the requirement of consent are facilitated under Sections 19 and 20. This is again another recurrent pattern in the Bill text, which provides a protection only to be taken away by a wide exception.

The third concern arises from the treatment which is meted out to the Right to Information Act. While the Right to Information and the Right to Privacy are sometimes seen as opposing interests, they are ultimately complementary. Both of them bring greater accountability to institutions and entities and return power back to users and individuals. The Right to Information Act has pre-existing protections in which the disclosure of information may be refused to safeguard privacy however this has been subjected to the superimposing condition of determining public interest. This is a sound legal principle which recognises that the concept of privacy cannot be abused to undermine the right to information. However, these considerations are negated by the Bill text, which in a separate schedule suggests an amendment which would undermine existing language and the institutional framework of the Right to Information Act.

The fourth there is an urgent need to improve the final text of any legislative proposal on data protection that is introduced in parliament will be the issue of surveillance reform. While the recommendations do contain progressive language, it’s legal expression is lacking within the text of the draft bill. It is in many ways a deferral to an urgent legal reform which is intrinsic to any meaningful data protection standard which would require a well fleshed out process not only for surveillance and interception but the legal consequences when these requirements are not followed.

The fifth and the final area of comment is the requirement for mandatory data storage for personal data and the export embargo for sensitive personal data. Taken together both these provisions are not only at variance with several international data protection laws, but also the global character of the internet. Such a requirement would we a regulatory hammer blow to the use of innovative products and services by the wide majority of Indians and will also lead to increased and ease of intersection (given its absence in the existing draft law) and even censorship.

Such criticisms are illustrative and indicate the need for wide public comment as noted by the Hon’ble Minister for IT and Electronics in a press conference yesterday. It is hoped that a transparent, open process enables wide participation helps parliament secure the personal data of residents and Indians. The existing recommendations and the bill text hint at an uneasy patchwork which produces a messy legal quilt. Quite often it appears to be a product of different stakeholder concerns such as private industry particularly local IT firms and government bodies. However, the ultimate job of any data protection law is not to compromise on the rights of individuals but to protect them.

(An edited version of this article was first published in the Hindustan Times on July 28, 2018)