Given how widespread breaches of data privacy have been globally, the Justice Srikrishna committee report has done well to reiterate that the privacy of citizens must be respected and that all personal data collected must be used fairly and responsibly with the consent of individuals. In fact, the definition of sensitive data has been broadened to include passwords, information on health and finances, and also sexual orientation, etc. The current law, the Committee notes, does little to protect individuals against the collection of data against their wishes, and if the right to privacy is to be a meaningful one, the state must put in place a data protection framework that would protect citizens from dangers to informational privacy emanating from both the state and non-state players. It also suggests changes to the Aadhaar Act which would help strengthen data protection and, at the same time, advocates stringent penalties to deter misuse. It is a fact that most individuals today are unable to even comprehend rules and regulations relating to consent because these are so full of legalese, and the Committee has done well to say these must be crisp and comprehensible. Insisting on data portability, and a data protection agency to ensure data is truly secure, are other good suggestions.
However, while attempting to close in on all the problems that individuals face, the report opens up a window that will allow the state to collect and use personal information without consent. Section 42 of the draft Personal Data Protection Bill, 2018 enables “an exemption to the processing of personal or sensitive personal data if it is necessary in the interest of the security of the state”. While the law needs to be framed keeping in mind the interests of the state, citizens and corporations, the exemption suggests the state may have gained the upper hand. On the one hand, the report calls for ‘welfare functions of the state’ to be recognized as a separate ‘non-consensual’ ground for processing and clearly states that processing on this ground is only available for ‘certain entities and certain functions’. However, the corresponding provision, Section 13 in the draft law, experts say, doesn’t make this abundantly clear since it allows processing of personal data “for any function of Parliament or any state legislature”. It can be no one’s case that using Aadhaar for some welfare scheme needs to have the same consent requirements that a Facebook needs, but this blanket permission doesn’t quite make sense when the Committee itself says “despite the fact that the State is able to exercise substantial coercive power, and despite ambiguous claims to personal data that may not be necessary for its functions, the State remains largely unregulated on this account.”
The committee has argued for autonomy for the UIDAI and for arming it with regulatory powers similar to those given to a traditional regulator. This, it believes, would enable the UIDAI to better enforce regulations, protect consumers and prevent and redress any breaches of privacy. But, when the UIDAI itself is a repository of personal data and oversees its usage, it is difficult to argue that it can also be a regulator at the same time—ideally, a separation of powers would have been preferable. The Bill requires mirroring of all personal data within the country; the draft Bill notes every ‘data fiduciary’ shall store data on a server in India, either in its original form or a copy of it. While there are those who argue the infrastructure—cloud capacity, for one—required may be inadequate, this requirement will go a long way in creating demand for Indian cloud solutions and also making it possible for Indian authorities to access the data in real time, subject to the court’s consent.