Individual rights need protection from both state and private digital players. The Srikrishna Committee draft bill recognises one dangerous actor but seems to have forgotten the other.
The Srikrishna Committee submitted its much-anticipated report and draft bill on data protection in India. But the debate appears to have generated more heat than light.
Events over the past year, ranging from the affirmation of the right to privacy by the Supreme Court to the Cambridge Analytica scandal, have led to these recommendations being keenly awaited. That India urgently needs a robust law on data protection is undeniable. But has the Srikrishna Committee given us the law we require?
For the draft’s positives, much is owed to the European Union’s General Data Protection Regulation (GDPR) in showing that legal responses to personal data protection can go beyond boilerplate contractual arrangements. The draft’s worrisome features, however, are those that introduce barriers for citizens to know and understand how the state processes their data. By undermining this knowledge, the present draft fails to meet constitutional standards.
The draft begins with an affirmation of the right to privacy. Responding to well-known problems with the notice-and-consent architecture, including verbose privacy policies and consent fatigue, it rightly calls for more user-friendly mechanisms. It insists upon notice furnished in a clear and concise manner, easily comprehensible to a reasonable person, and in multiple languages where necessary and practicable. Consent must be specific to the clearly stated purposes of processing, and obtained after providing the data principal with elaborate information including on the categories of personal data collected, the purposes for which it will be processed, and grievance redressal mechanisms.
Unfortunately, most of these valuable safeguards are rendered meaningless by the exceptions in the draft. The ‘tech giant’ paranoia – some of it doubtless justified – has led to such giants being seen as the exclusive threat in town. The result has been to focus on the actions of digital powerhouses and pay little attention to the state. According to the draft bill, personal data may be processed where necessary for “any function of Parliament or any State legislature”, “the provision of any service or benefit to the data principal from the State”, or “the issuance of any certification, license or permit for any action or activity of the data principal by the State”. Similarly, it may be processed where “explicitly mandated under any law made by Parliament or any State legislature.”
These exceptions are remarkable, and one cannot help but wonder whether the keyhole has eaten up the door. There are no guidelines to assess whether these processing activities are being carried out in a manner that is least intrusive on privacy, no transparency requirements to let citizens know the specific ways in which their data is being processed in fulfilment of these exceptions, and no rights-based norms to guide the structure of laws that contain these explicit legal mandates.
Most governance requirements can be easily performed with anonymised data, raising the question of why blunt and overreaching exceptions for personal data processing are necessary.
After thoughtfully placing much emphasis on meaningful notice requirements, the bill makes them immaterial when it comes to data processing by the state. Whether processing personal or sensitive data – where the standard for processing is ‘strictly necessary’ rather than mere necessity – the state need not inform data principals in advance as to what the processing is meant to achieve. The absence of such knowledge and information is a serious concern. It would seem to be a basic component of a right to privacy.
It is possible to conceive of situations where a notice requirement might be legitimately dispensed with, say, for law enforcement and investigation purposes. The draft bill, however, goes far beyond such situations. In doing so, it sends the following message: Governance is a specialised task that requires the unhindered processing of personal data, the details of which must be kept outside the purview of citizens. At best, the general transparency requirements in the bill (Section 30) provide only a broad idea of personal data categories up for processing.
It is worth noting that dispensing with prior consent too is not an evident choice, though there could well arise governance scenarios where obtaining such consent is more difficult than ordinarily so. In studying the multiple reasons stated in the expert Committee’s report for differential treatment of consent when it comes to state purposes, Amba Kak has carefully captured how many of these reasons ironically reaffirm the criticality of consent, and, if anything, advance the case for additional safeguards that protect the privacy of citizens.
The bill also proposes amending the right to information law, thereby denying informational access in a stealthier way. The current exemption in the RTI Act (2005) pre-empts disclosure of personal information that has no relationship to any public activity or interest, or causes unwarranted invasion of individual privacy. The newly proposed exemption goes much further, pre-empting disclosures relating to personal data that are likely to cause harm to a data principal. The requirement that such harm must outweigh “public interest in accessing such information having due regard to the common good of promoting transparency and accountability in the functioning of the public authority” is too subjective and discretionary, and will inevitably result in easy denials of RTI requests.
Some commentators have observed that the report accompanying the bill is more sensitive to some of these concerns. This observation may be true but it is, alas, beside the point. The bill has to be evaluated on its own merits, and fails to secure the right to privacy or balance the freedom of information in a meaningful way. The challenge for any liberal constitutional order is to safeguard individual freedom from two forces: the state and society. The social forces in this instance are private digital powerhouses. While private digital actors have rightly invited concern, their power has often been misleadingly used to support state power over data. But individual rights need protection from both the state and private digital players. The draft bill rightly recognises one dangerous actor but seems to have forgotten about the other.
Madhav Khosla, co-editor of the Oxford Handbook of the Indian Constitution, is a junior fellow at the Harvard Society of Fellows. His Twitter handle is @M_Khosla. Ananth Padmanabhan is a Fellow at the Centre for Policy Research. His Twitter handle is @ananth1148.