[Ed Note: The following series of posts contains comments on the Srikrishna Committee Report and the Draft Data Protection Bill, 2018 made and compiled by students from NALSAR University of Law: Ankush Rai, Ashwin Murthy, Arvind Pennathur, Namratha Murugesan, Priyamvadha Shivaji, Shweta Rao, Sriram Kashyap, Vishal Rakhecha and Tanvi Apte. The comments have been uploaded on the Ministry of Electronics and Information Technology (MeitY) website.
The present post deals with comments made in relation to four issues that arise in relation to the Report and Draft Bill – a) vagueness, b) government interference, c) the data protection authority and d) surveillance.
Keep watching this space for more!]
a) Vagueness
Aside from the related concerns of excessive power given to the Government allowing for interference and the concerns related to the Data Protection Agency, the Data Protection Bill suffers from vagueness in a few of its clauses, such as:
- Section 4 requires the processing of personal data in a fair and reasonable manner that respects the privacy of the data principal.
- Section 28 specifies that, for the data principal (the owner of the data) to exercise their rights under Chapter VI, the request shall be made in writing, with reasonable information to satisfy the data fiduciary of the identity of the data principal making the request.
Both of these clauses, among others, suffer from vagueness. Without a definition of what a fair and reasonable manner is, or what reasonable information is, it is hard to predict what either standard requires. This leaves an excessive amount of control with the processor of data and the data fiduciary respectively. Laying down guidelines here would assist in preventing situations of arbitrary action. Precision that leaves no room for arbitrary decisions is especially important when dealing with the personal data of an individual – essentially the data that defines or characterizes a person. The scope for abuse increases substantially when the discretion is given to the executive, both on political and personal grounds.
Furthermore, the charging of a fee and the requirement of writing make S.28 inherently inaccessible to the economically challenged, many of whom are illiterate as well. This is a part of the larger issue of the Bill being inaccessible and prejudicial to the economically challenged. Moreover, this requirement of reasonable information to prove one’s own identity is a dangerous path to follow – it could in fact lead to the disclosure of excessive information, ironically when attempting to control one’s own information. Such vague terms create interpretative challenges, which are problematic when a new framework of law (namely data protection and privacy) is being considered without experts in the field present in the judiciary. When non-experts attempt to resolve concerns involving rights or subject matter they do not fully understand, there is greater scope for the resultant interpretation to be inconsistent with the intentions of the law or the protection of the individual and their rights.
b) Government Interference
The Bill gives the Government a disconcerting amount of control, allowing for interference and abundant data control. Some of the concerning clauses are:
- Section 13(a) of the Bill says that “Personal data may be processed if such processing is necessary for any function of Parliament or any State Legislature”
- Section 14(a) states “Personal data may be processed if such processing is explicitly mandated under any law made by Parliament or any State Legislature”
- Section 42(a) reads as “Processing of personal data in the interests of the security of the State shall not be permitted unless it is authorized pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved”
A common trend in all three of these provisions is that they give Parliament and the State Legislatures ample opportunity to collect citizens’ data. They make the mass collection of data justifiable under vague headings such as “any function” and “any law”. The Legislature can enact a law and collect the data of the citizen without having to justify itself or obtain the consent of the citizen. While an argument may be raised that the law would not be passed without safeguards against specifically such action, the law often fails to consider the breadth of its effects and often ignores important stakeholders. It is precisely these individuals whom the law should protect. Additional protections, such as the requirements of proportionality and necessity in clause 42 (while vague and lacking themselves), at least provide some safeguarding of the rights of those concerned from laws that are oppressive or created with ulterior motives by the State. The possibility of such laws being created should be prevented, rather than continuing the current practice of relying on the judiciary to act as the cure.
Given the revelations of Snowden and, to a lesser degree, WikiLeaks, it becomes difficult to see the State as an unbiased protector of citizens’ data. The State must be considered as an entity from whom the citizens’ privacy and data must be protected. The more data the State possesses, the greater its influence. The power dynamic, already tilted towards the State, tilts further. It becomes difficult to resist the laws the State creates, and at its most extreme the result is a State without dissent, due to the chilling effect created by a State that holds the personal data of dissenters.
If the Bill were passed as currently worded, the Legislature could frame a law or make an amendment to virtually any law and collect and store the data of all its citizens. The Bill fails to even make it mandatory for the collected data to be deleted if there is an obligation under a law to do so (Section 10(2)).
The recent Aadhaar judgement also reiterated that the national interest clause was not valid under the Aadhaar Act (Section 33(2)). The Hon’ble Supreme Court held that the citizens’ data could not be collected and processed under the guise of National Security. The Srikrishna Data Protection Report clarified that the two terms are used synonymously and therefore the same amendment must be incorporated into the Data Protection Bill.
The term “Security of State” has too wide an ambit to allow the State to collect data on its basis. With recent arrests aimed at targeting dissent, disputably made as a purely political move, being carried out on the same basis, it becomes more important to define clearly what would allow the State to gather and process information without consent.
One of the limiters on these exemptions is the obligation to process the data in a fair and reasonable manner as mentioned in Section 4. This is a very ambiguous clause that can be interpreted in different ways. Such an obligation should be imposed on the State, but it cannot be the sole restriction, simply because it does not actually specify how it acts as a limiter.
Similarly, the State cannot be allowed to possess and process data about citizens, especially if the collection and possession happen on a massive scale. Even the collection of metadata is problematic as it still gives enough information to disrupt the power dynamic.
c) The Data Protection Agency
An especially notable concern of the Bill is the lack of independence of the regulatory authority, the DPA, from the government. Maintaining a high degree of independence from the government is crucial in ensuring fairness in enforcement. The body in question, however, seems to have very few checks within the framework of the Bill while having large discretionary powers of adjudication. Appointment and tenure of the adjudication officers are left entirely to the central government’s discretion. Moreover, the DPA is bound by the orders and decisions passed by the Central Government – Section 98 of the Bill gives the government wide discretion to issue binding directions to the regulator on all “matters of policy.” Even the decision of what counts as “matters of policy” rests with the government. While this provision is commonplace in Indian laws that establish other regulators, like the Telecom Regulatory Authority of India (TRAI), the Securities and Exchange Board of India (SEBI) and the Competition Commission of India (CCI), the rationale for extending the same to the DPA has not been provided.
Given that it is the adjudication officers alone who will decide penalties (including criminal penalties) and compensation, this could allow for targeted action by the DPA – something that unfortunately has become a more common political move, largely against critics of the Government. News reporters, journalists and activists would be easier to target through such ambiguous clauses. Thus there are serious concerns about the independence of the DPA and its role as a political weapon rather than a tool of protection.
d) Surveillance
The Bill notably fails to include any provision safeguarding against surveillance – an issue that has been sorely missed in India for years as is. As it currently stands, mass surveillance would be considered legal, subject only to the standards laid down in Puttaswamy (and then diluted in the Aadhaar judgment). There thus lies scope for argument against mass surveillance bodies, such as the CMS or NETRA; however, these are crucially arguments and not statements of law.
The Bill should have addressed these concerns through a clear provision against mass surveillance, protecting the right to privacy of the citizens, or at the very least provided regulations on the same. A statement within the Bill denoting the same would have been of use in clarifying the position within India (which is currently nebulous) with the intention of preventing blanket mass surveillance.
This is especially concerning given the amount of private surveillance that occurs in today’s digital world. While Google and Facebook are the most infamous for the same, most private companies do conduct surveillance on some scale. To protect the citizens, who approach these companies from a position of unequal bargaining power, some regulations specifically against private players should have been in place.