A committee of experts chaired by retired Justice BN Srikrishna was set up in July 2017 to recommend a legal framework for the protection of Indian citizens’ personal data. The committee was set up on the last day of court hearings on privacy, at a time when Government of India was arguing that the right to privacy is not a fundamental right. This was seen by many as a last-ditch attempt by the government to convince the Supreme Court that statutory provisions are enough to protect individual privacy. The Supreme Court went ahead and reaffirmed that the right to privacy is indeed a fundamental right, and observed that in the context of personal information, this right needs to be protected by way of a statutory framework.

A year later, the committee has published an ambitious report, along with a draft bill, aiming not only to put in place a data protection law in India but also to set an example for other developing countries. The bill, even if enacted as is, would ensure much better protection of personal data than we have under current laws.

However, our current laws do not provide much by way of high standards to meet, and simply improving upon them is not enough. In the week since the publication of the report and bill, many problems have been picked up on already – some glaring and obvious, some that lie in the details. This has given cause for concern, in the absence of any clarity on whether there will be more public consultation on the bill or not.

Many of the issues in the committee’s report and the bill can be traced back to the terms under which it was set up – keeping in mind “the need to ensure the growth of the digital economy while keeping personal data of citizens secure and protected”.

A white paper published in November 2017, with the committee’s provisional views, clearly gave precedence to the “digital economy” part of it in several ways. The data protection principles that were recommended were internationally accepted but basic. The digital economy issues were seen as unique to India. Although this position was backed by several members of the technology and other industries during the consultations, others criticised the heavy focus on the digital economy and ease of doing business.

In the report published along with the bill, the committee seems to have made an attempt to correct that, by insisting that the concepts of ‘protection of personal data’ and a ‘free and fair digital economy’ are integral to each other – almost interchangeable. As pointed out by many over the last week, the State should aim to protect personal data because it is a fundamental right, inherently available to each of us.

This exercise should be undertaken irrespective of any cause or effect relationship such actions may have with the (digital) economy – fair and free or not. However, amidst all this, something more dangerous has emerged in the report – a deference to the State when it comes to data protection obligations.

The report seems to assume a landscape where the State is a promoter of a ‘free and fair digital economy’, and the function of the law is to regulate (mostly private) use of personal data in furtherance of such an economy. While this is definitely an important aspect, the consequence of this somewhat narrow focus is that the bill excludes from its purview many uses of personal data by the State that do not have a direct focus/impact on the economy.

Most important among these are the State’s surveillance efforts. That is the collection and use of personal data in the interests of the security of the State and law enforcement (collectively referred to here as law enforcement). The bill provides an almost blanket exemption in the case of such activities, as long as they are undertaken under the provisions of constitutionally valid laws. Laws that do not currently exist/function in India.

It is true, as some have suggested, that government functions such as law enforcement and national security could, and maybe should, be governed by other, targeted laws. It is an approach taken by many other countries as well. However, this doesn’t have to be the case. A few issues to think of in this context are discussed below.

First, the government’s law enforcement function, as it relates to personal data (and much of it does), could be regulated to a large extent under the data protection law. The context and circumstances in which these law enforcement functions become imperative are larger issues, described under constitutional and other jurisprudence. However, the actual activity of collection and use of personal data could very well be addressed under a data protection law, with provisions suitably adapted for this purpose. As I have argued before, even with the bill as it stands, many procedural obligations could be made applicable to the government, to safeguard individual privacy. The focus on promoting a ‘free and fair digital economy’ gives the committee a way out from taking this step.

Second, the need for high standards of data protection, especially in relation to surveillance activities, needs to be read in the context of historic and contemporary actions of the State.

At all levels of government, ranging from the local police to the central government, extensive surveillance activities have been undertaken over the years. In several instances, the Supreme Court has taken the government to task and put in place some minimal safeguards. However, with the rapid development of technology, and the implementation of mass surveillance programmes, these safeguards are nearly obsolete.

Edward Snowden’s revelations about US mass surveillance efforts shocked the world and have been discussed extensively in the Indian media. However, multiple research efforts suggest that India’s surveillance programmes are just as bad, if not worse. These research efforts also suggest that there is almost no oversight, transparency or accountability for surveillance activities in India.

A look at contemporary policy and law-making processes shows that there is an equally heavy focus on mandating data localisation, that is, retaining at least a copy, if not all personal data, in India. The Reserve Bank of India has already undertaken this step. The draft national e-commerce policy is said to do the same. National security and the need for law enforcement to access personal data in India easily is often considered justification enough for these exercises.

Even the committee’s report, in its discussion on data localisation, barely references any actual benefits of such an exercise in the context of personal data protection. It relies almost entirely on arguments that further the cause of domestic industry and law enforcement.

The DNA Profiling Bill, which aims to maintain a registry of DNA profiles to be used to identify individuals in criminal investigations, is set to be introduced in parliament and is controversial. The government also intended to create a social media communication hub to monitor all social media communications in India – a move that caused much concern. This plan has only now been withdrawn after a petition was filed before the Supreme Court challenging it.

In the context of all these issues, the data protection bill could have gone a few steps ahead, even if it was to just provide us more information about the way personal data could be used for surveillance.

If the committee does want to set an example for the global South, it could do more under the data protection law, without falling back on the data protection practices of the West, where established legal processes for surveillance activities exist, even if their enforcement is questionable.

(The writer is Programme Manager, Centre for Communication Governance, National Law University, New Delhi) ​

Also read: Thank TRAI chairman, he’s alerted us all

What is to be protected?