A group of 24 legal academicians and advocates have written to the Justice Srikrishna Committee of Experts on Data Protection, advocating for a citizen centric data protection law and making several suggestions to achieve this objective.
The group has also demanded that the consultation process be made more inclusive, claiming that the white paper released by the Committee failed to set out the bigger picture on data protection due to lack of a public consultation on key principles of a data protection legislation.
They have further raised concerns on the electronic participation mechanism designed by MeitY, in which people are expected to respond to 233 questions in individual form fields on MyGov.in. They explain, “Answering two hundred and thirty three questions is manually exhausting and unnecessarily arduous. This approach will limit participation to well resourced organizations with full-time employees focused on such tasks, and disproportionately increase the representation of commercial and private industry players to the detriment of the representation of other stakeholders and the wider spectrum of Indian citizenry.”
Moreover, they contend that the Committee must release information on its proceedings, meeting notes and draft bill, as well as the comments received by it. This is in view of the fact that the National Campaign for People’s Right to Information had been denied this information under the Right to Information Act.
The memorandum has been submitted by Anup Surendranath, Apar Gupta, Chinmay Kanojia, Gautam Bhatia, Jawahar Raja, Karan Lahiri, Kotla Harshvardhan, Kritika Bhardwaj, Mariyam Kamil, Maansi Verma, Mihira Sood, Ninni Susan Thomas, Paras Nath Singh, Prasanna S., Raghav Shankar, Rahul Narayan, Raman Jit Singh Chima, Sai Vinod, Shadan Farasat, Suhrith Parthasarathy, Tanvi NS, Ujwala Uppaluri, Vrinda Bhandari and Saurabh Bhattacharjee. They have also made the following recommendations:
- Individual rights are at the center of privacy and data protection
They assert that individual autonomy, dignity, and self-determination constitute the heart and soul of the Indian Constitution and submit, “…the Data Protection Law must not articulate and tackle the central problem as achieving an acceptable trade-off between “innovation” and “data protection”, but as achieving a legislative and regulatory framework which harnesses innovation in order to facilitate individual autonomy, dignity, and self-determination.
- Adopt a principle based approach
They advocate for adoption of the core principles of privacy and data protection as articulated by report of the Justice A.P. Shah Committee of Experts, and also incorporate the developments brought about by the recent Supreme Court judgment in the case of Justice Puttaswamy v. Union of India.
They further demand, “Exceptions should remain exceptions and should not swallow up the rule. Any exceptions to the privacy principles should be: (a) exceptions brought about through a clearly worded legal instrument, (b) narrowly tailored exceptions that proceed from an analysis of the necessity of the exemption, (c) the necessity and proportionality of these exemptions (in their creation and practical operation) must be closely connected to the aim for which they are created; and (d) exceptions must be accompanied by sufficient procedural safeguards for the preservation of individuals’ rights and of accountability to the regulator.”
- Create an empowered, independent regulator to enforce the privacy principles
They suggest a structure for the office of a privacy commissioner, asserting that such Commission should have powers of investigation, adjudication and enforcement. They explain, “These include the power to impose penalties in the nature of fines and also the power to file criminal complaints for willful non-compliance of the rules and regulations made by the Privacy Commission to build deterrence.”
- Aadhaar conflicts with privacy protections and any version of a citizen centric data protection law
The Committee, they suggest, should examine Aadhaar, asserting, “We support the use of digital technologies for public benefit. However, they should not be privileged over fundamental rights. Any digital identity scheme should be framed around the protection of individual rights through a data protection legislation, rather than a data protection legislation being framed to presumptively accommodate and work around an existing program such as Aadhaar.”
They further recommend that the Privacy Commission should have overriding power and superintendence over the Unique Identification Authority of India (UIDAI). They say that the UIDAI being a data controller and a data protection authority for Aadhaar data at the same time creates a “conflict of interest”.
- An effective, citizen friendly adjudicatory system
In addition to enabling people to make complaints to the Privacy Commission, they request that the remedy of approaching civil courts and filing police complaints directly should be retained. They, however, caution against creation of any new adjudicatory tribunals or conferring exclusive jurisdiction on existing ones, claiming that this is “likely to create barriers to access to justice for the general public”.
- A comprehensive data protection law is incomplete without surveillance reform
They demand that state security and intelligence agencies which intercept and record personal communications and data be given statutory recognition. Further, they assert that mass surveillance should be prohibited and that procedural safeguards for surveillance and interception orders be strengthened as the “existing ones are inoperational and deficient”.
- The right to public information needs to be strengthened and protected
They demand that the Right to Information Act should not be subjected to any change by the committee and that Information Commissioners should be exempted from interference or control by the Privacy Commissioner.
They also address the right to be forgotten and opine that it may “undermine the fundamental right to free expression”. They assert, “[the right] should be developed within the framework of the privacy principles by the Privacy Commissioner rather than being expressly present in the statute. Given the journalistic and public interest in the maintenance of public information, sufficient safeguards need to be adopted.”
- International harmonization that recognizes cross-border data flows to protect the open internet
They opine that any data protection regulation must have extra-territorial effect and should apply to web services and platforms which are accessible in India. They explain, “To ensure compliance, the Privacy Commission should also be empowered to confer adequacy status, in a transparent process, to foreign countries from which such global platforms carry out their operations.
At the same time, care and caution should be taken to preserve the global character of the open internet which is beneficial to Indians as they can access information, knowledge and services from all over the world. Hence, any suggestions, such as blanket data localization proposals, which would threaten and undermine the global open internet need to be resisted.”