Justice Srikrishna Report: Muddying the Waters

Above: Justice BN Srikrishna and Law Minister Ravi Shankar Prasad share the dais after submission of the data protection report prepared by the Committee

Justice BN Srikrishna report has not taken a clear stand on privacy and seems at variance with the government’s Aadhaar scheme. It relies heavily on assumptions of laws that may be created or amended

By Sujit Bhar

The much-awaited report on data privacy by the Justice BN Srikrishna-led committee of experts has dealt with a large number of issues, and yet is short of expectations. One of the reference points of the report is the landmark judgment of the Supreme Court in Justice KS Puttaswamy (retd) vs Union of India which elevated privacy to the level of a fundamental right. While that gave teeth to the report’s recommendations, it also had some restricting effects.

The report, titled “A Free and Fair Digital Economy—Protecting Privacy, Empowering Indians”, was presented to Union Law Minister Ravi Shankar Prasad (in his capacity as also the electronics and information technology minister) at a media event and will now be forwarded to Prime Minister Narendra Modi.

While on the one hand it talks about explicit consent in availing of and using personal data for “clear, specific and lawful” purposes, on the other it also says how the government may decide to use such data if considered necessary for any function of Parliament or state legislatures. This lends teeth to the government’s push to universalise the use of Aadhaar, which carries vital biometric data, and which could now be used as the centre deems fit.

Incidentally, the Supreme Court’s judgment on Aadhaar and related privacy issues is yet to be delivered, and a recent bench headed by Chief Justice Dipak Misra (who also headed the constitution bench that heard the Aadhaar case) refused to admit a plea that the Srikrishna Committee report should be included among documents to be considered while delivering the Aadhaar judgment.
This means that the judgment would not be influenced by this report. Technically, the Aadhaar judgment would not be just about privacy and related policy, but would also reflect on all government schemes that intend to gather information from the public for use. If the judgment on Aadhaar and allied linkages is negative, then the Committee’s recommendation on the function of Parliament or state legislature clause for gathering data would bite the dust. Under such circumstances, the Data Protection Bill that has accompanied the report will also need extensive reworking.

The confusion arises in the committee’s other recommendation, which is the data principals’ (original owners of the data) “right to be forgotten”. This is fundamental to the Aadhaar scheme which is a veritable database of all citizens and the government would hardly agree to delete data of its citizens.

The Supreme Court’s judgment on Aadhaar has the potential to change the contents of the Bill that has accompanied the report

There have been incidents in the public domain when a criminal had wanted his database (fingerprints, pictures, etc.) with state CID departments to be removed. Many databases can be traced back decades or even after the death of the person concerned. Also, as one CID director of fingerprints confided to India Legal, authorities are unwilling to throw away “valuable” data just because it is old. Often, old databases have helped in solving recent cases, even if the person concerned has been acquitted or served his sentence.

Hence, even if the original owner of the data withdraws his or her consent, there will be no way for him to find out if that data still exists, in any mirror server elsewhere. Therefore the right of ownership of personal data remains on paper.

The other suggestion of the committee is data localisation.
This emanates from jurisdictional issues that Indian courts have faced in cases dealing with internet giants such as Facebook, Google, Microsoft, WhatsApp, and so on, on objectionable content. Their servers are across the globe and when information is stored abroad, no Indian law can exercise jurisdiction over it.

In the EU, recent legislation called the EU GDPR (in force from May 25) replaced the Data Protection Directive of 1995. The report takes this as a reference point and says: “It is a comprehensive legal framework that deals with all kinds of processing of personal data while delineating rights and obligations of parties in detail. It is both technology and sector-agnostic and lays down the fundamental norms to protect the privacy of Europeans, in all its facets. We are informed that 67 out of 120 countries outside Europe largely adopt this framework or that of its predecessor.”

Such acts are not new; a large number of countries across the globe have laws/policies that force data localisation. Apart from the EU, in Russia, China and Indonesia, this is “forced” localisation and is applicable to a large spectrum of industry where data must stay in servers within respective borders. Australia, Germany, South Korea and Venezuela have enacted industry-specific laws involving financial, health and medical information, online publishing and telecommunications data. Even in the US, it is mandatory that data related to specified government transactions or important national security be stored locally.

With Indian servers, information is stored in servers in Scotland and Texas instead. It is time these technical issues are sorted out on a priority basis. However, the legal requirement cannot be overlooked if courts and law enforcement authorities in India are to be provided the ability to implement directives.

The report also talks about borderless data, an urgent issue that needs to be taken into consideration.
It says: “Despite attempts by some countries and private entities making the internet a walled garden for its citizens and consumers, the internet is free to access and use from any jurisdiction. This is central to our conception of a free digital economy. Thus, any website operating out of any foreign jurisdiction which is accessed by a person present in India may collect and process some personal data relating to such person. They should not be disincentivised from doing so.

“If such personal data is collected and further processed but is neither large scale nor capable of causing significant harm in case of misuse, Indian law should not apply to this case. If this were to be done, every entity on the internet would have to comply with a plethora of laws on the basis of the off chance that an individual from that country would access the service... India should desist from making its law applicable to these instances... For example, a globally popular music streaming app is not available in India. However, some Indians may access it, either abroad or through usage of a virtual private network. This will not make the company subject to the Indian data protection law.”

The only problem that would arise in India is the country’s poor record and legal structure on Intellectual Property Rights, but that’s another related issue.

Following international examples, the commission has also recommended that a Data Protection Authority be set up to “protect the interests of data principals” by preventing the misuse of personal data at “data fiduciaries” (or those who process such data). While the commission says that data fiduciaries will have the responsibility of conducting audits and ensuring they have a data protection officer and grievance redressal mechanism, many of those centres (also called authentication centres or agencies) who have struck deals with UIDAI are in the private sphere.
It would be impossible for authorities to keep track of the large amount of data passing through these portals.

The report says: “After having examined the powers and functions of existing statutory regulators such as TRAI, SEBI, CCI, and so on and the deficiencies in the existing framework for Aadhaar, the Committee is of the considered view that the UIDAI must be vested with the functions of ensuring effective enforcement, better compliance, consumer protection and prevention and redress of privacy breaches. Accordingly, powers should be given to the Authority to impose civil penalties on various entities (including requesting entities, registrars, and authentication agencies) that are errant or non-compliant... This will work in tandem with the provisions of the draft data protection bill which will allow all aggrieved individuals to approach the Data Protection Authority in case of violation of the data protection principles, against any entity in the Aadhaar ecosystem, including the UIDAI itself, when it is a data fiduciary. Taken together, this will ensure that aggrieved citizens have appropriate remedies against all entities handling their Aadhaar data and errant entities in the Aadhaar ecosystem are subject to stringent enforcement action.”

It can also be inferred from this that the commission had little respect for the way the UIDAI has been pushing Aadhaar and the Aadhaar Act itself. The inadequacies of the Act have been highlighted in the past.

This is made clear when the report talks about processing of sensitive personal data. It categorises them as passwords, financial data, sexual orientation, biometric data, religion, caste, and so on. The processing of these should require consent from the owner of the data. Hence, even if the data (biometrics, for example) was forcibly taken from citizens by the government, they will not be able to use it without explicit consent.
This means that if the government uses such data to classify citizens into, say, religious sub-groups, it would be tantamount to misuse of data. And where will the citizen get relief? From the UIDAI, as per the commission. Yet, it also says that the government can use this if it was essential for Parliament! Obviously, the right hand does not know what the left hand is doing.

The confusion comes out in no small measure in the commission’s recommendation to rewrite the RTI Act. It wants to dilute Section 8(1)(j) of the RTI Act, which talks about the disclosure of personal information in the larger public interest. While it says there would be no obligation to reveal personal information which was not related to “public activity or interest”, or would be an invasion of privacy, the commission wants this to be diluted to a balance between public interest and the harm caused to the data principal.

It is apparent from the report that the issue of personal privacy is foggy. While this verbose report has some positives and negatives, it relies heavily on assumptions of laws that may be created or amended. Prasad has made it clear that this being a massive legal work, it needs to be widely debated, and hence it will go through many checks, before the accompanying Bill even starts getting vetted.