By Inderjit Badhwar
In the most recent issue of India Legal, one article that attracted serious attention and comment was a piece by our regular contributor, Chennai-based barrister Shaan Katari Libby: “Amid WhatsApp privacy concerns, the draft Data Protection Bill comes to mind”. It raised a national issue that needs front-page attention: the Justice BN Srikrishna Committee drafted a tough data protection law in 2018. It included the right to confirmation and access and data portability. Why has it been hanging fire since then?
In order to try and ensure that the issue is kept alive, I will hammer home to our readers, once again, the salient points made by Katari after a recent seminar attended by the esteemed judge. For starters, what relevance does this Bill that has been in the pipeline for a couple of years (it is a mystery when it will become an Act) have for ordinary Indians?
Data is not impersonal or non-intrusive, as many people think. The very act of gathering it is an intrusion. It identifies you, your name, telephone number, your address, and indeed, your biometric footprint on this planet. While, technically, nobody can obtain this without your consent, that remains a technicality. In practice, security cameras at malls or hotels do just this with implied consent for the purpose of protection. A thief or worse can be identified with this footage.
But misuse is rampant. Businesses and commercial establishments continuously use data gathered with implied consent, or for “security” purposes on applications and related documents, to propagate their products. Today, data is sold and hence, valuable. But can it be defined as property? The answer is, no! Why? Because then it would fall under The Sale of Goods Act. Only if something can be physically sold, rented out or gifted does it become property.
But even before Justice Srikrishna delivered his report, the courts were not silent on this subject. The Supreme Court had, in fact, taken this matter with utmost gravity and delivered a judgment that was music to the ears of privacy advocates and resonated internationally. The Court’s attention was drawn to this subject during the controversy over the use of India’s universal identifier – the Aadhaar card. What the apex jurisprudential body of the nation said then has tremendous significance today and should be must-reading for all the snoop-addicts and Big Brother promoters in the executive branch of government.
On August 24, 2017, in Puttaswamy vs Union of India, the Supreme Court said:
“Aadhaar is a serious invasion into the right to privacy of persons and it has the tendency to lead to a surveillance state where each individual can be kept under surveillance by creating his/her life profile and movement as well on his/her use of Aadhaar.”
This was a unanimous verdict by a nine-judge bench of the Supreme Court affirming that the Constitution guarantees to each individual a fundamental right to privacy. Although unanimous, the verdict saw six separate concurring decisions. Justice DY Chandrachud authored the decision and along with him were Justices JS Khehar, RK Agarwal and Abdul Nazeer. The remaining five judges each wrote individual concurring judgments. This historic pronouncement was with regard to the individual’s right against the State for violations of their privacy and should have had repercussions across both State and non-State actors.
As Katari writes: “It should be the precursor to the enactment of a comprehensive law on privacy.” In the case, Justice Sanjay Kishan Kaul (former chief justice of the Madras High Court) mentioned the European Union General Data Protection Regulation and observed that restrictions on the right to privacy may be justifiable on the ground of regulation of taxes and financial institutions. In Paragraph 640, Justice Kaul held that it would be useful to turn to the European Union Regulation of 2016. Restrictions of the right to privacy may be justifiable in the following circumstances subject to the principle of proportionality:
“(a) Other fundamental rights: The right to privacy must be considered in relation to its function in society and be balanced against other fundamental rights.
“(b) Legitimate national security interest.
“(c) Public interest including scientific or historical research purposes or statistical purposes.
“(d) Criminal offences: The need of the competent authorities for prevention, investigation, prosecution of criminal offences including safeguards against threat to public security.
“(e) The unidentifiable data: The information does not relate to identified or identifiable natural person but remains anonymous. The European Union Regulation of 2016 refers to ‘pseudonymisation’ which means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“(f) The tax, etc: The regulatory framework of tax and working of financial institutions, markets may require disclosure of private information. But then this would not entitle the disclosure of the information to all and sundry and there should be data protection rules according to the objectives of the processing. There may however, be processing which is compatible for the purposes for which it is initially collected.”
While the Court’s majority opinion proceeded to uphold the Aadhaar Act, it reiterated that the Aadhaar Bill, 2016 was not immune from judicial review. The Justice BN Srikrishna Committee was set up soon after this judgment, in 2017, with the mandate to draft a data protection law. It submitted its report in mid-2018.
“The report was keenly awaited by all for its implications on data handling and processing practices by both Indian as well as foreign companies along with government departments. The draft bill is a comprehensive and tough set of measures and includes the right to confirmation and access, the right to correction of said data and its erasure, the right to data portability and the right to be forgotten. These would apply to both private and public bodies.”
Justice BN Srikrishna explained at the seminar that the committee had analysed data protection laws of England, Europe, South Africa and Estonia, taken the best parts of these and made them applicable to India. This Act would also require an amendment of the Aadhaar Act, 2016 to add stringent data protection.
“Unfortunately, the draft Data Protection Bill has been on ice for two and a half years and counting. Not everything is clear yet. The consent conundrum remains. With the age of majority being 18, all contracts under this age are said to have no value. Yet, when a child clicks ‘I agree’, it technically becomes a contract. Children often lie and say they are 18 and/or claim to have parental consent. Of course, it can have positive outcomes too.”
Katari’s analysis of the recent interaction with Srikrishna contains some of the following caveats that bear repetition:
- There are already some red flags in the way the Bill has been drafted. The Data Protection Authority is meant to be an independent regulator—but no truly independent brave regulators exist today.
- The Bill says it will all be nominees of the government. This means that it is not likely to be independent and it is questionable if the Joint Parliamentary Committee (JPC) will look at this.
- The provisions of the Act are meant to apply to all government agencies and the diluting of this provision is dangerous and needs to be reversed by the JPC. Having a Data Protection Act and involving an outspoken champion of the Constitution to head the committee is excellent. However, passing a diluted law in his name would be unfair to all concerned.
The first is that it wants to enter into the payment systems, health insurance and pension schemes where it will start collecting “sensitive personal information”. The second and more important reason could be that India is likely to come up with its own Personal Data Protection Act sometime in February-March. That could make some changes to the system of collection of personal information and how companies which have already collected personal information need to regularise the legacy data. WhatsApp perhaps sees an advantage in pre-empting the legislation.