Guarding our Privacy: Cosmetic solutions?
Professor Alan Westin, American professor of law, recognised as the father of modern data privacy law, laid down the basic principles of privacy law decades ago in his books, ‘Privacy and Freedom’ and ‘Databanks in a Free Society’. Westin defined privacy as the “claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others”.
But the recent report of the Joint Parliamentary Committee (JPC) tends to overlook citizens’ claims while strengthening the case for the government to gain access. The JPC appears to talk less about ‘data protection’ and more about creating a ‘data access’ law, making it easier for the government to access citizen’s data, while laying down stringent restrictions for some private sector companies. The fact that the government can also enable access to citizen’s data to a few chosen private companies, is another aspect that has not been debated at length in the report.
Committee members and MPs Manish Tewari and Jairam Ramesh are some of the members who have pointed out flaws in the Committee’s report. Tewari in a dissenting note asserts that the proposed law creates two parallel universes – one for the government and another for private corporations. This is not only highly unusual but also goes against the very intent of the Constitution.
Fundamental rights were enshrined in the Constitution to limit the powers of the government and protect the citizens. By ensuring that the government has special access through exemptions, the proposed law undermines the citizen’s fundamental right to privacy. Clause 35 of the draft Data Protection Bill, 2021 retains the ‘necessary or expedient’ standard for curtailment of civil liberties. This could lead to curtailment of civil liberties on the ground of ‘expedience’ without establishing that the curtailment is ‘necessary and proportional’ to the harm.
The Supreme Court specifically outlawed ‘expedience’ as a standard and mandated ‘necessity’ in the Rangarajan judgement of 1989. Hence, the broad exemptions given to the government to access data under the proposed Clause 35, under the garb of ‘national security’, are problematic. Similarly, Clauses 12 to 14 dilute the need for consent from citizens before accessing their data.
The proposed exemptions also go against the mandate and standards laid down by the Supreme Court in the Puttaswamy judgment. These have come at a time when a Supreme Court-appointed committee is investigating the government’s alleged misuse of a malware called ‘Pegasus’ to spy on journalists and human rights activists, among others. The fundamental right to privacy is meant to be a major protection against illegal and intrusive surveillance by the government.
The Parliament was paralysed over Pegasus malware and yet JPC has not touched upon surveillance reform. If the executive has powers of access to data in an emergency, should the different layers of executive supervise it without any independent oversight? The JPC, comprising members of all parties, did not even suggest Parliamentary oversight of Intelligence Organizations. Here was a time for a structural reform which the JPC failed to deliberate upon and recommend.
The Bill envisages the creation of a Data Protection Authority (DPA) to operationalise and adjudicate future violations of privacy. The stature and autonomy of the institution would be a critical issue, so the JPC has suggested domain experts in the selection committee. However, the selection of the committee itself would be done by babus and the convener would also be a babu. DPA is too important a body to be left alone and will surely be headed by a retired babu.
The proposed law has thus failed to learn from earlier laws like the Right to Information (RTI) Act of 2004 or Supreme Court judgments that established a well laid down norm for selection of heads to key organisations like the Central Vigilance Commission (CVC) or the Central Bureau of Investigation (CBI). To make DPA, which will play an important Constitutional role, a preserve of retired bureaucrats, hired and fired by the government of the day, would be a serious erosion of DPA’s authority and mandate.
The RTI and the Consumer Protection (CP) Acts also throw up an important aspect ignored by the JPC. The Constitution separates the powers and duties of the central and state governments. Unlike the RTI and CP Acts that recognise this constitutional separation of powers, the proposed Data Protection Bill puts all powers within the purview of the Central government. How will such an authority adjudicate issues over data that lie within the state government’s jurisdiction, such as land records, health or law and order? Committee member and Biju Janata Dal MP, Amar Patnaik, in his dissent note points out that this creates an inevitable “strain on federalism.”
The Dialogue, a think tank, reveals another gap in the Committee’s deliberations. Any privacy framework will lead to conflict with the need for data by regulators or investigators of various hues. According to The Dialogue, while the Committee states that such conflicts can be resolved by coordination between the DPA and other regulators such as SEBI or RBI, it offers little clarity or guidelines. Such clarity is essential to set the terms of engagement between the DPA and other regulators following the principles of “necessity, legality and proportionality” as laid down by the Supreme Court earlier.
Over the years, a number of bills by MPs too, on protection of privacy of an individual have been introduced in the Parliament. The JPC report is also a body of recommendations. The nation still eagerly awaits a law outlining the contours of data protection. The onus is on the government to enact a law which affirms an individual’s control over his data with rare interference by the executive. A vibrant democracy owes this to its people.
(This article was first published in the Millennium Post.)