By Shaan Katari Libby
The Data Protection Bill has been in the pipeline for a couple of years and it is a mystery when it will become an Act. Justice BN Srikrishna had led the committee that drafted the Personal Data Protection Bill. An insight into the Bill and an analysis of it based on an interaction with the esteemed judge throws more light on the Bill.
What is data and why is it so important to Indians now?
Data identifies you—your name, telephone number, address and so on.
Can anyone take it without consent?
No. Yet, as Justice BN Srikrishna said, security cameras at malls or hotels do just this with implied consent for the purpose of protection. A thief or worse can be identified with this footage. However, what retail stores do is use data to propagate their products. Today, data is sold and hence, valuable.
Is data property?
No, because then it would fall under The Sale of Goods Act. Only if something can be physically sold, rented out or gifted, then it becomes a property.
Data is an intimate connection between the human being and the thing in question. It has tremendous value, hence, there are always people waiting to take it. This was a concern in Puttaswamy vs Union of India where the Supreme Court said: “Aadhaar is a serious invasion into the right to privacy of persons and it has the tendency to lead to a surveillance state where each individual can be kept under surveillance by creating his/her life profile and movement as well on his/her use of Aadhaar.”
Supreme Court Judgment
On August 24, 2017, a nine-judge bench of the Supreme Court delivered a unanimous verdict in Justice KS Puttaswamy vs Union of India and other connected matters, affirming that the Constitution guarantees to each individual a fundamental right to privacy. Although unanimous, the verdict saw six separate concurring decisions. Justice DY Chandrachud authored the decision and along with him were Justices JS Khehar, RK Agarwal and Abdul Nazeer. The remaining five judges each wrote individual concurring judgments. This historic pronouncement was with regard to the individual’s right against the State for violations of their privacy and will have repercussions across both State and non-State actors. It should be the precursor to the enactment of a comprehensive law on privacy.
In the case, Justice Sanjay Kishan Kaul (former chief justice of the Madras High Court) mentioned the European Union General Data Protection Regulation and observed that restrictions on the right to privacy may be justifiable on the ground of regulation of taxes and financial institutions. In Paragraph 640, Justice Kaul held: “640. It would be useful to turn to the European Union Regulation of 2016. Restrictions of the right to privacy may be justifiable in the following circumstances subject to the principle of proportionality:
“(a) Other fundamental rights: The right to privacy must be considered in relation to its function in society and be balanced against other fundamental rights.
“(b) Legitimate national security interest.
“(c) Public interest including scientific or historical research purposes or statistical purposes.
“(d) Criminal offences: The need of the competent authorities for prevention investigation, prosecution of criminal offences including safeguards against threat to public security;
“(e) The unidentifiable data: The information does not relate to identified or identifiable natural person but remains anonymous. The European Union Regulation of 2016 refers to ‘pseudonymisation’ which means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
“(f) The tax, etc.: The regulatory framework of tax and working of financial institutions, markets may require disclosure of private information. But then this would not entitle the disclosure of the information to all and sundry and there should be data protection rules according to the objectives of the processing. There may however, be processing which is compatible for the purposes for which it is initially collected.”
It was then explained by the Court that the linking of PAN with Aadhaar was to ensure that duplicate and fake PAN cards used for tax evasion would be eliminated and how Aadhaar’s unique de-duplication based on biometric identification has been hailed as the most sophisticated system by the World Bank. Inclusion of Aadhaar with PAN eliminates the inequality between honest taxpayers and non-compliant, dishonest ones who get away without paying taxes. It also promotes rather than negates equality and is consistent with Article 14. As a result, Section 139AA was found to be fully compliant with the threefold test as laid down in Puttaswamy’s case. The Court’s majority opinion proceeded to uphold the Aadhaar Act and reiterated that the Aadhaar Bill, 2016 was not immune from judicial review.
The Justice BN Srikrishna Committee was set up soon after this judgment, in 2017, with the mandate to draft a data protection law. It submitted its report in mid-2018. The report was keenly awaited by all for its implications on data handling and processing practices by both Indian as well as foreign companies along with government departments.
The draft bill is a comprehensive and tough set of measures and includes the right to confirmation and access, the right to correction of said data and its erasure, the right to data portability and the right to be forgotten. These would apply to both private and public bodies.
Justice BN Srikrishna explained at a recent seminar that the committee had analysed data protection laws of England, Europe, South Africa and Estonia and taken the best parts of these and made it applicable to India. This Act would also require an amendment of the Aadhaar Act 2016 to add stringent data protection. Unfortunately, the draft Data Protection Bill has been on ice for two and a half years and counting.
Not everything is clear yet. The consent conundrum remains. With the age of majority being 18, all contracts under this age are said to have no value. Yet, when a child clicks “I agree”, it technically becomes a contract. Children often lie and say they are 18 and/or claim to have parental consent. Of course, it can have positive outcomes too. The Justice gave an anecdote of his grandson being aware of advanced mathematical concepts thanks to one Khan Academy. Consent should be given in a manner which is understood.
However, with regard to the Aarogya Setu app, Justice Srikrishna criticised it publicly. This led the government to backtrack, making it voluntary, not mandatory.
There are already some red flags in the way the Bill has been drafted. The Data Protection Authority is meant to be an independent regulator but no truly independent brave regulators exist today. The Bill says it will all be nominees of the government. This means that it is not likely to be independent and it is questionable if the Joint Parliamentary Committee (JPC) will look at this.
Also the provisions of the Act are meant to apply to all government agencies and the diluting of this provision is dangerous and needs to be reversed by the JPC. Having a Data Protection Act and involving an outspoken champion of the Constitution to head the committee is excellent. However, passing a diluted law in his name would be unfair to all concerned.
—The author is a barrister-at-law, Honourable Society of Lincoln’s Inn, UK, and a leading advocate in Chennai