By Gautam Bhatia and Raman Jit Singh Chima
India is an outlier in the global democratic community when it comes to statutorily protecting the privacy rights of its citizens, along with attendant aspects involving data protection, surveillance and communications interception. As the report published last week by the BN Srikrishna-chaired committee of experts on data protection appeared to accept, we are one of the few major democracies in the world without a national privacy and data protection framework.
Privacy and data protection regulators exist in Canada, the UK, European states, several North African and Latin American nations, South Africa, the Philippines, Hong Kong, Singapore, Australia and New Zealand. Even the United States has federal legislation on communications privacy (though often abused, as Edward Snowden revealed) and an institution with some regulatory powers over firms regarding consumer privacy in the form of the Federal Trade Commission, in addition to sectoral and state-level regulation. The absence of anything similar was noted in the Supreme Court’s famous Puttaswamy ruling in August last year, which clarified that we have a fundamental right to privacy, and also, that the state has an obligation to protect this right by enacting appropriate legislation.
Indeed, the process to improve these elements of Indian data protection and communications privacy law has been on for some time. After the late-’90s, most of the serious efforts on this front have been undertaken in the last decade since 2009, with attempts to have a nationally applicable privacy law. These attempts, however, had been stalled. And the Srikrishna Data Protection Committee was born in a situation of pressure. It was created to deal with the judicial concerns triggered by the Union government’s arguments against the fundamental right to privacy in the Supreme Court’s Aadhaar hearings, as well as concerns about the lack of effective regulation of private sector use, transfer and abuse of data that arose in the Supreme Court hearings on the challenge to the transfer of Indian user data from WhatsApp to Facebook, following its acquisition. It is in this context that we must critically examine the report’s recommendations, and its draft Data Protection Bill.
The Srikrishna Report is a small step ahead, and provides several elements of a foundation for an Indian data protection regime. But it is a foundation that we need to build on, and that requires more leadership from the government and our lawmakers. This begins with the framing of the report itself. At its core, data protection must be about protecting the rights of individuals, and about a society that respects privacy, given its importance to liberty, autonomy, and individual dignity. It must not be reduced to a single-minded focus on advancing the digital economy. Even Silicon Valley stalwarts, after the backlash following Cambridge Analytica and other concerns around technology firms aiding surveillance, have admitted that more regulation is needed, in the interests of preserving democracy and individual rights. For example, Microsoft President and Chief Legal Officer Bradford L Smith has gone on record stating that further public regulation of data-focused, privacy-intrusive practices such as facial recognition is required. At a moment when Silicon Valley itself is soul-searching, the Srikrishna Committee’s repeated focus on ensuring that the government prioritise the interests of the “digital economy” — and the wide loopholes that it leaves — is concerning.
For example, the model for data protection that the committee has proposed leaves too many exceptions, especially when the government is the data collector and user. It proposes that the basic requirement of notice-and-consent could be lowered or waived altogether for “state functions” or social welfare purposes, among others. These are broadly worded carve-outs that can be abused (as the committee itself acknowledges), and need to be carefully reviewed. What is also concerning is a delayed onset of some of its provisions, which will leave at least a two-year gap from the day the law is enacted.
Any data protection law, however, needs to ensure its implementation period includes the immediate period in the run-up to the enactment of the law, and a true opt-out. Otherwise, we will just end up promoting the hoovering up of data until a law is enacted and brought into force.
An equally important issue is that of surveillance reform. Any data protection law will be incomplete without considering the vital question of surveillance which, at present, is conducted free of judicial oversight and at the near-arbitrary will of bureaucrats. In this context, it is important to note that the Puttaswamy ruling cited the global legal standards on privacy, including the International “Necessary and Proportionate” Principles pertaining to communication surveillance, which require the application of judicial pre-approval for surveilling our protected information. Consequently, there is an urgent need for clear, effective institutions tasked with surveillance oversight. For example, in the model bill envisaged in the Indian Privacy Code released in June by the SaveOurPrivacy.in effort, this is proposed by a system of privacy commissions at the Union and state level (building on the model of the RTI Act) with a focus on preventing Union government regulatory capture, and mandatory judicial oversight of surveillance and interception requests.
Lastly, overriding the broken Aadhaar Act cannot be made into an optional recommendation. The report unfortunately does that, by outlining amendments to the Aadhaar Act, but not including it in the actual draft bill. Legal provisions to reform or override the ineffective and broken Aadhaar Act must be part and parcel of any effective data protection law.
Ultimately, privacy reform is about leadership and courage. It is about investing in institutions that make our republic operate better, particularly after a period when we have swung between regulatory absence and state-encouraged abuse. The Union government — including the cabinet — must consult all stakeholders, and send a stronger bill to Parliament. It must allow MPs to carefully study, openly deliberate, and finally enact the stronger legal standards on privacy that several of them — and countless Indian citizens, lawyers, and judges — have been demanding.