Privacy and consent

Srikrishna Committee and draft data bill show the way ahead, but lose GPS signal on some stretches

The roadmap towards securing citizens’ sovereignty over their data and fundamental right to privacy has been set down by the Srikrishna Committee report and the draft Data Protection Bill. But potholes remain, roadworks will be in progress for a long time yet — many details must be worked out through case law — and the bill is hardly bulletproof, though it seems to draw inspiration from Europe’s cast-iron General Data Protection Regulation (GDPR). The bill defines the essentials of a regulated and uniform data ecosystem, on the lines of the GDPR, laying out the conditions under which data may be collected, stored and processed, consequent fiduciary responsibilities and penalties, and the appointment of data protection overseers. It also interprets personal data in an open-ended manner, to include identifiers like caste, religion, political beliefs and associations, gender, health and financial data, official identifiers — everything that can be cross-indexed to arrive at the identity of an anonymised person. The notion of informed consent is central to the collection and processing of data.

However, there are significant departures from the GDPR. Most egregious is the infiltration of “reasonableness” and “practicability”, which have proved to be the landmines of Indian legislation, particularly the Income Tax Act. Since what is reasonable and practicable is discretionary, the door is opened to corruption and unnecessary case law. India has been online for over two decades and the contexts in which these terms will be read are clearly understood. Spelling them out would have reduced the burden of the courts. Besides, while recognising the right to be forgotten, which was established by Spanish case law years ago, the draft is silent on the right to deletion, which is as important.

But most significantly, while specifying a credible deterrent of 4 per cent of global turnover for corporate fiduciaries who violate data security, it leaves the state fairly free to do as it will. Section 15 of the draft surrenders the right to privacy to matters of national interest which, like the question of reasonableness, are left uncalibrated. The state retains unbridled powers to collect and process data, without the need for consent, for the national interest, which it is allowed to define. Such blanket permissiveness can have pervasive implications. The Supreme Court may be hearing the Aadhaar matter pointlessly, if the law that follows from the Data Protection Bill allows the government to declare that the collection and processing of Aadhaar data is in the public interest and therefore non-consensual. The draft and report are steps in the right direction, but they are not giant strides. Much case law will be required to clarify issues, reducing the value of this much-awaited development.