One step forward and two steps back
Recently, the Justice Srikrishna Committee released its long awaited Draft Personal Data Protection Bill, 2018, an outcome of many months of protracted public consultations and meetings. It outlines the broad guidelines that would govern the way a citizen’s data would be collected, processed and stored. The intention of the Bill is to create a comprehensive data protection framework that would be applicable for all entities operating in India. The reality of the bill is that it flies in the face of the recent Supreme Court judgement on the Right to Privacy. It must be stated here that this is a draft bill which has been suggested by a committee of experts and may differ from the version that would be presented in Parliament for deliberation.
Similar to the European Union’s (EU) General Data Protection Regulation (GDPR) which came into effect in May, the draft Bill provides certain rights to the data principal (the citizen) and has expanded various data definitions (personal data, sensitive data, genetic data) to include additional data points as well as mandates the creation of a National Data Protection Authority and appointment of a Data Protection Officer at organisations. It also outlines the principles of data processing to be fair & reasonable and limited in its scope to the intended purpose.
However, unlike the GDPR, it deeply erodes the rights to citizen’s privacy which was recently read into the chapter on Fundamental Rights of the Constitution of India. The exemptions placed on acquiring consent on the processing of personal data are vague at best and sweeping in their scope. The personal or sensitive personal data of any citizen may be processed without obtaining consent for any function of Parliament and/or any State Legislature that is necessary. It also exempts consent requirements in any situation where personal data needs to be processed in the interests of the security of the country, or for prevention, detection, investigation and prosecution of any violation of law. While the data processing in these situations must be authorised by a separate law passed either by the Parliament or the State Legislature, the problem is that most surveillance activities currently undertaken in India, whether for national security or law enforcement, are not authorised by way of a law.
Section 13 (2)a of the Bill is particularly problematic as it removes the necessity for consent for any “service or benefit” to the data principal. This is the very basis of the Aadhaar project; the constitutionality of which has been the subject of the second-longest hearing in the history of the Supreme Court of India. It seems that such pre-emptive protection for a project which is still sub-judice is a worrying aspect of this Bill and raises questions about the motivations of the members of the Committee.
Finally, there is a rather unusual requirement in the Bill, that all personal data collected be collected and stored on a server or data centre in India. The section in question can easily be seen as a provision aimed primarily at ensuring the government has access to it if necessary.
The Draft Personal Data Protection Bill, 2018 may not see introduction in the current session of Parliament due to the widespread negative reaction to it. However, its potential for critically damaging the privacy of citizens in India cannot be understated. It is the author’s hope that civil society in India is successful in lobbying the government to increase the privacy protections for the citizen from the state. It cannot be that citizens are more transparent to their government than the government to its citizens.
Rajat is a Program Manager for Digital Transformation at the Regional Office of the Friedrich Naumann Foundation for Freedom (FNF). In this commentary, he is sharing his personal thoughts.