With Justice Srikrishna saying that the proposed law can be challenged in court, the govt should quickly relook it
With even Justice BN Srikrishna, who headed the committee that came up with the model data protection law, saying that portions of the government’s proposed data protection law can be challenged in the courts, the government should rethink the contentious provisions. The proposed law gives the Centre the power to exempt any of its agencies from “any or all” provisions of the law—this means the government has the complete freedom to snoop, and even get ‘data fiduciaries’ or the companies with which the user shares her data, to cough up such data. At the sidelines of a conference in Bengaluru last month, Justice Srikrishna has told the Economic Times that the proposed law can be challenged because it doesn’t adhere to the Supreme Court judgment in the Puttaswamy case that held privacy to be a fundamental right, and talked of the need for all intercepts to meet the tests of “necessity, proportionality and due process”. He also said that the government retaining control of the Data Protection Authority (DPA)—the body is supposed to oversee the data rights architecture—weakens its independence, and the body should be a constitutional authority.
To be sure, data protection in the current system is largely a grey area. There exists, for instance, no system under which information on rejected requests for snooping on a user is made public, or even a system that assesses the objective gains of cyber-snooping on a case-by-case basis. The Justice Srikrishna committee has noted in its report that the current framework doesn’t have adequate legal safeguards to protect individual civil liberties. So, the data protection architecture the Bill proposes is surely a step forward. But, a framework that institutionalises some of the gaps of the system it seeks to replace is a bad idea; no wonder, thus, that the Srikrishna panel had pushed for a non-partisan system examining the processing of data interception, the motive behind ordering one and the gains flowing from it. Instead, the proposed law retains the arbitrariness of the existing system, not just by giving the government the right to keep itself out of its purview, subject to certain safeguards and oversight that are to be specified later, but also by ensuring the data privacy regulator effectively becomes the government’s footman.
The government, in the name of national security, public order, sovereignty and integrity of the country, etc, can shield any of its agency from the provisions of the proposed data protection law. It is true that absolute data rights can be an impediment in these areas, but what is to keep the government, more specifically, a rogue official or lawmaker who can order probes, from abusing this? After all, it won’t prove too difficult to colour a probe as a matter of national security or law & order, while all it could be is a fishing expedition to embarrass or blackmail rivals? The shape the safeguards/oversight ultimately take—the Bill talks about putting this regime in place in the future—will decide how effective the law will be, but with the DPA in the Centre’s hands, it is unlikely that it would do anything to dilute the sweeping sanction for the government to snoop. Indeed, digital giants like Google and WhatsApp have either explicitly or implicitly talked of the government’s propensity to snoop on citizens—Google had talked of 500 Indians being targeted by government-backed attackers using Pegasus software while WhatsApp had also alerted some prominent users about snooping by Pegasus; Pegasus has clarified that its software is only sold to governments. The need is either to follow Justice Srikrishna’s recommendation that the DPA be created as a constitutional body, or to have independent monitoring for possible breach of privacy.