New Delhi: The word “consent” was mentioned so many times that one could have mistaken it for being a gala convention of feminists. Except it was, in fact, the government’s first public consultation on their promised and incoming data protection legislation, which hopes to quell the criticism on Aadhaar and the enforcement of India’s right to privacy.

The event in Delhi on Friday was the first of four such consultations taking place around the country. At least 200 people – from civil society, industry bodies and academia – had gathered to discuss a white paper on data protection which the government put in public last year for comments.

“We support the need to take informed consent as well as the ability of people to revoke their consent,” said Venkatesh Krishnamoorthy of The Software Alliance, during the consultation. “If a consumer does not trust the security protocol of a company, there will be no use to the company. So we are saying the focus should, in fact, be on the consumers, and their consent, and work backwards on the law from there,” he explained further after the event.

“We favour consent. This should be a primary ground for processing data,” said a representative from Tata Consultancy Services. He then went on to describe a “slabbed model” to the audience, wherein parents could perhaps consent for young children on issues of data, a combination of parents and children could be asked for consent in older children, and on attaining maturity, individuals could consent for themselves.

The consultation came just a day after an investigation published by The Tribune newspaper, which reported a massive data breach in the Aadhaar database of the Unique Identification Authority of India (UIDAI). According to The Tribune’s story, their reporter was able to enter the UIDAI database and access details of any person enrolled in it by paying only Rs 500. The investigation was repeatedly referred to by several speakers at the consultation.

What is the white paper on data protection?

The event was organised by the government to get civil society and stakeholder views on the 243-page white paper which the government made public last year for comments. The white paper lists seven principles which it says India’s data protection framework should have. They include being ‘technology agnostic’ and flexible to future change and covering both private and public sector. Informed consent, minimising the amount of data being processed and accountability of those in control of the data, are other guiding principles to the committee and their work.

To the concerns raised about the privacy of data, the government has repeatedly said both in court and in parliament that they planned on drafting and passing a new law on data protection for India. “Very soon we will come up with a data protection law,” said IT minister Ravi Shankar Prasad during this winter session of the parliament.

To this effect, the government set up this ten-member committee in August 2017 headed by former Supreme Court judge B.N. Srikrishna. Its mandate is to “identify key data protection issues” in India and also come up with solutions. They also have to draft a data protection bill.

National security remains an itchy issue for the committee

Srikrishna brought up the issue of national security himself and threw it open to the floor for their thoughts. “We keep hearing this mantra of national security. How to neutralise this?” he asked. He proceeded to explain the concept of ‘eminent domain,’ which is a legal concept pertaining to the idea that the state can exercise a right over land and natural resources, in public interest. Noted lawyer Usha Ramanathan first raised this idea, following which Srikrishna took it up to discuss national security.

In chapter seven of the white paper, the committee discusses “Exemptions for household purposes, journalistic and literary purposes and research.” In this section, the paper also discusses exemptions for “Investigation and Detection of Crime, National Security.” Provisionally, the white paper suggests that the new law could provide exemptions for data sought and collected for investigation of a crime, apprehension of prosecution of offenders and for maintaining national security and public order. It has also asked several questions on what stakeholders feel about this.

For example, the paper asks: “What constitutes a reasonable exemption on the basis of national security? Should other related grounds such as maintenance of public order or security of state be also grounds for exemptions under the law?”

The consultation in Delhi had many people pitching in with views on what kind of protocol could be required for security agencies to claim exemptions to their existing data or to data they intend to collect. The issue of the ‘public defender’ was raised: should the new law prescribe for a public defender in these cases of exemptions and how would that person be selected? “We do not require blanket exemptions for national security. There should be some sort of judicial oversight on these cases,” said Raman Chima, lawyer and policy director at Access Now.

On this, Srikrishna spoke about other Indian laws which have been criticised for their disproportionality and harshness, such as the Terrorist and Disruptive Activities (Prevention) Act. “Many of these laws have been declared unconstitutional by the court. Why? So that at least there would be some post facto scrutiny of the detentions that were carried out under these laws. So maybe here we could have a pre-facto scrutiny when security agencies want to claim exemptions?”

“In my view, this is possible,” said Chima. He went on to discuss the Foreign Intelligence Surveillance Act (FISA) of the US by which the FISA court receives requests from US security agencies, for intercepting communication and collecting other kinds of sensitive data. The court then decides prior to the collection, if the request is warranted or not. Presently in India, under the Telegraph Act and the Information Technology Act, surveillance orders can be granted by Home Secretaries at the centre or state. “Wake up the judge, if the matter is urgent,” said Srikrishna, while introducing this issue. “This does, in fact, happen in the US under FISA,” said Chima.

Several other challenging issues confront the committee

“Why wont people leave me alone? I will be happy to play with my grandchildren at home,” joked Srikrishna to the audience. He said this in context of a discussion on the ‘right to be forgotten,’ which has been a challenging idea for those involved in data and free speech debates around the world and India’s data protection committee is also discussing this.

The issue is contentious as some feel it interferes with the right to information and could also harm the freedom of the press. Chile’s Supreme court, for example, recently decided that the right to information overrides the right to be forgotten. Nikhil Pahwa brought up an incident that happened with his technology news website Medianama: “When the European Union’s ‘right to be forgotten,’ happened, we received a request from someone asking us to modify a three-year-old report we had written about them. We need to ensure that this right isn’t used as a tool for censorship.”

The issue of adjudication of grievances and liabilities was also discussed. Pankaj Sharma from Telenor said, “When you talk about accountability, then liabilities comes up. There should be limitations on the liabilities.” He said if companies had to insure themselves against liabilities, it would increase their cost of business.

To this Srikrishna commented, “Law is there to serve the people. If you are a good company, your cost of insurance will be much lower. So those who respect people’s privacy will survive and those who are errant will go away.”

The representative from Telenor argued, “Just because a breach of data happens, that doesn’t mean some loss has happened.” This line of argument is similar to UIDAI’s recent denial of The Tribune’s investigation on the UIDAI’s data leaks.

“Ultimately the question is not of actual harm. Volkswagen has had to pay large fines, not because someone died. But yet the possibility of an issue itself, has to be deterred proportionately,” reasoned Srikrishna. “The good boy gets the apple. The bad boys get the stick,” he said.

One personal grievance, dismissed by UIDAI’s chief

Although the bulk of those who attended the consultation were lawyers, corporates or those with think tanks, there were few with non-technical backgrounds.

One such person was a young man who narrated the case of his marriage. “I had been forced to get an Aadhaar card when I was trying to register my marriage few years ago. This was even before the Aadhaar Act was passed. My consent on the sharing of the data was not taken at the time of getting the Aadhaar.” He said that later on he found that the Aadhaar database records him as having given his consent to data sharing. “Although the UIDAI website says that consent can be revoked, I have not been able to get it revoked. There is no grievance redressal.”

To this, UIDAI chief Ajay Bhushan Pandey said, “Have peace of mind.” He explained that the Aadhaar Act in 2016 has overridden all the consent and privacy issues that were involved in the Aadhaar project prior to parliamentary sanction. “According to the new act, your data wont be shared unless you do a biometric authentication again.”

“This is a classic case of why we shouldn’t wait for patterns of abuse to settle, before we come up with a law to fix those,” said Ramanathan. “We need to use the Aadhaar experience to ensure that we don’t wait for misuse and damages to grow, and then say that everything under the prior project, has, in fact, been legal. What we have seen so far has destroyed people’s basic rights and the idea of autonomy.”

The government is organising three more consultations this month: Hyderabad (January 12), Bangalore (January 13) and Mumbai (January 23). The committee is also taking written comments on their white paper until January 31, 2018.