An unequal balance

By Nupur Chowdhury & Rashmita Sunkara
Published 5.09.18

The B.N. Srikrishna Committee report on the protection of personal data was recently unveiled along with the personal data protection bill, 2018. The primary reason for both these initiatives was the public controversy relating to the data breaches within the Aadhaar system and the clear signals of the Supreme Court. The latter took cognizance of the breaches and, in its judgment pertaining to the right to privacy, urged the government to protect personal data. The apex court's signals give the impression that unless the State takes adequate steps to secure privacy, the Aadhaar project will not pass the test of constitutional validity. Both the report and the bill are designed to address the court's expectations of the State. The obvious question to ask, then, is whether they are adequate in terms of upholding the fundamental right to privacy.

First, both the report and the bill espouse that 'consent' should be the fundamental basis for all revelations and sharing of personal data. The rationale for this is that the fundamental right to privacy is an emanation of dignity and autonomy of the individual. This presumes that consent will be an expression of free will and, therefore, will ensure that it does not cause self-harm. In order for consent to be valid under this bill, it needs to be informed, specific, clear and capable of being withdrawn.

However, the pertinent issue of information asymmetry between the data fiduciary and the data principal needs careful consideration. It is the former who will collect, process and make various uses of the data, and therefore will have overall control over the data provided by the data principal. This highly asymmetrical relationship can be regulated both by legislative provisions and by supervision of their implementation by an independent authority. Transparency in the collection and processing of the data and voluntary public disclosure obligations are critical to addressing the power asymmetry between the data principal and the data fiduciary. A public information registry, overseen by an independent authority, and a civil right of action for the concerned data principal in case of unauthorized disclosure leading to harm to the data principal are, therefore, critical. This civil right of action should not be limited to the concerned data principals. It should be provided to any person or any representative body or organization aggrieved by such unauthorized disclosure. This will enlarge the right of action for organizations that may be aware of such unauthorized disclosure, even if the concerned data principal is unaware or unwilling to take action. This civil right of action should include a right to request restraint by the independent regulator where imminent harm is anticipated.

Second, while assessing who potentially comes under the banner of data fiduciary, the State cannot be ignored. The State is an "interested party" in the regulation of data protection in India, because it undertakes many activities that will entail the collection and processing of personal data of its citizens. In that sense, as a data fiduciary, no difference should be made between a private entity and the State in terms of its downstream obligations upon collection of personal data. Under the constitutional mandate, the 'right to privacy' is not an absolute right. It can, therefore, be restricted by the State in pursuance of legitimate and compelling interests. The bill looks at these factors in terms of functions of the State, including processing of data for 'any public interest'. These avenues within the bill provide the State with sweeping powers. The State, as a data fiduciary, should have a continued obligation once in possession of personal data. In other words, although the State might be given power to process personal information, it should not forfeit its responsibility as a data fiduciary, specifically in its obligation to protect the personal data from unauthorized access and potential harm.

Third, in order to ensure the review of State action, it is necessary for the data protection authority of India (DPA) to remain absolutely autonomous and independent of the executive. The rapid expansion of technology requires the DPA to take an active role by intervening in data privacy violations, tracking the consequences of such violations and taking suo motu action when necessary, including restraining action in the face of imminent harm. Further, due to the extra-territorial nature of this issue, it is essential for the DPA to have the competence, legitimacy and authority to collaborate both with other regulators in India, such as the Central Information Commission and the Telecom Regulatory Authority of India, and with its counterparts in other jurisdictions. However, the mechanism provided by the bill for the formation of the body is overwhelmingly dominated by bureaucrats appointed by the executive. This will give the State direct influence over the DPA.