The Supreme Court’s seminal Right to Privacy judgement – a unanimous declaration that the Constitution has always guaranteed its citizens their privacy – came about as an unintended consequence of the Union government’s strategy in court to insulate the Aadhaar programme from challenge as it was being rolled out.
Another happy consequence was that in the course of arguing the unconvincing case against the constitutional right to privacy, Attorney General for India attempted to assuage criticism of Aadhaar and like programmes by stipulating that a data protection and surveillance oversight legislation for the protection of citizens was in the works.
The Committee
On July 31, 2017, the Union government set up a Committee of Experts to deliberate on a data protection framework for India under the chairmanship of Justice BN Srikrishna, a retired judge of the Supreme Court. Among the eight men and two women who made up the Srikrishna committee were government servants, representatives of industry, even the head of the Unique Identification Authority of India, the organisation that authored the Aadhaar Act. Conspicuous by their absence were representatives of the ordinary citizen.
The committee released a long-winded White Paper in November and invited comments from the public and undertook public consultations in Delhi, Hyderabad, Bengaluru and Mumbai. On Friday, it released a report and a draft bill on the subject of data protection. We have no public record of the deliberations of the committee, nor of the responses it received.
The committee’s ironical resistance to citizen input in a law meant to give life to a right of citizens threatens to defeat the very purpose of a data protection law.
The flaws
These flaws in the committee’s work (narrow consultations limited to urban areas, opaque functioning) and in its design (lopsided, unrepresentative composition) are not academic quibbles. The capacity of unrepresentative processes to dissolve or discount whole swathes of citizen voices and interests is clear from what the committee has produced. The report is dry, technical and verbose.
We have little in the way of objective criteria through which to accurately measure how diverse or representative the views aired in the committee were. Nor do have any way to ascertain whether the committee was presented with a sufficient diversity of stakeholder interests in writing or to assess whether all such submissions were considered by it.
At the heart of the difficulty with the committee’s work is a fatal misunderstanding. In effect, its report upends citizens’ understanding of the Indian Constitution and their place in the Republic, even as its draft bill opens with the ultimately unrealised statement that the law would protect informational privacy. Where its White Paper insisted on the need to foster innovation, its final output takes the growth of a free and fair digital economy to be its first object.
The outcome
Among the various facets of the right to privacy, the right to information privacy was recognised by the court as being critically important for contemporary times. Speaking for four judges, Justice Chandrachud recognised that putting information privacy to work is a complicated task, and recorded that the state was under a clear obligation to protect it through data protection legislation. Justice Kaul set out the usual aphorism that information is power. Justice Bobde gave us an easy definition of what privacy ought to be in practice – it is simply the right to choose and specify. Taken together, the Right to Privacy judgement set out that the job of data protection legislation is to ensure that governments and companies – all entities that wield a great amount of power over us – are prevented from exploiting their position of power to further enrich themselves without our knowledge and free consent.
From these flow data protection principles that are codified in laws on the subject in all democracies worthy of the name. These are high level statements of the obligations that any entity (‘data fiduciary’ in the language of the draft law) must: a) ensure free and active consent before collecting our data, b) limit the time and uses that data can be put to and c) remain accountable for the accuracy and safekeeping of that data for the whole period that it is held.
The draft bill does well enough in identifying these rights, but as is the case with matters of law, the devil is in the details. Because of its use of wide and ambiguous language, the bill does not spell out how these rights will be enforced as the Supreme Court’s Right to Privacy demands. These defects in the draft bill can still be remedied, but we – citizens of the republic – must all engage now.
Ujwala Uppaluri is a lawyer and volunteer with the Save our Privacy Campaign