Justice Srikrishna calls new Data Protection Bill a blank cheque to the state (https://in.finance.yahoo.com/)
This picture appeared in an article on Yahoo.com yesterday and quotes Justice B N Srikrishna, who authored the famous report on Data Protection which finally led to the current version of the Bill that is before the JPC for finalization. It also has the DSCI representative who was part of the Srikrishna Committee and submitted a dissenting note on Data Localization. It also has other vocal champions of Privacy who have been clearly opposing the Bill for many reasons. Cumulatively, the group wants the Bill not to be passed in the near future unless major changes as suggested by them are incorporated.
None of these people can say that they do not want the Bill to be passed, since they have themselves once demanded strong legislation on Privacy Protection; their objection is that the law is not to their liking.
Considering the respect that Justice Srikrishna commands, it is necessary to check what his main objections to the latest version of the Bill are and whether they are indeed justifiable.
There are two main objections that Justice Srikrishna has.
The first is that the committee which selects the DPA consists of the Cabinet Secretary, the IT Secretary and the Law Secretary and does not consist of the Chief Justice of India as he recommended.
The second objection is that under Section 35 of the proposed Act, the powers with the Government to exempt itself from the provisions of the Act are unwarranted.
Appointment of DPA
Let us take the first objection. According to Justice Srikrishna, the new provision “does away with the Judicial Oversight completely” in the selection of the DPA. According to him, judicial oversight is required right at the selection of the members of the DPA.
What this means is that Justice Srikrishna wants the DPA to be elevated to the level of a Chief Election Commissioner or CVC or a judicial appointment like a Tribunal. The Government, however, has considered the DPA as more like a TRAI, IRDAI or SEBI. It is a body to regulate a certain industry segment. While other regulators are meant to regulate all aspects of a given industry sector, the DPA regulates one aspect of business, namely “Personal Data”, across multiple industry segments. It does not even regulate “All Data”. The objective of this law is to bring Indian Data Protection regulation on par with the global approach.
It is not necessary that every top appointment in the country is done only with the involvement of the CJI. If this argument holds good for the DPA, then the question arises why the CJI should not be involved in the appointment of the RBI Governor, the IRDAI Chairman or the TRAI Chairman. The question can also be raised why the leader of the opposition in Parliament should not be made part of the selection panel.
While the demand to raise the DPA to the level of a Constitutional position is laudable, one has to point out that this expectation is impractical.
We can note that the Act prescribes some criteria, such as 10 years' experience in a relevant field and an age of less than 65 years, for persons to be appointed to the DPA either as chairman or as members. It is well known that “Privacy” is a concept which we Indians never considered a great virtue in the past. India has always supported “Freedom of Expression” as a key right much more than Privacy. The concept of Privacy, and more importantly the concept of “Data Protection for Privacy Protection”, was popularized by the EU, and it is not easy to find persons with “Experience” in “Privacy Protection through Data Protection”. We may be able to find persons who have been in “Information Security for more than 10 years” or “Advocates who have fought privacy related cases in the Courts”. But finding a person with 10 years' experience who understands the current “Techno Legal concept of data protection for privacy protection” is not easy, since not many are available in the field.
Had the CJI been in the selection committee, his knowledge of people would have been restricted to judges and advocates and would not have extended to who amongst them understands concepts such as Artificial Intelligence, Big Data, Anonymization, Pseudonymization, Privacy by Design, or Data Protection frameworks under ISO 277001 or PDPSI etc. He would have to depend on the IT Secretary for such information. Now, between the IT Secretary and the Law Secretary, a short list of knowledgeable persons can be made, and the Cabinet Secretary can act as the third wise man to facilitate the final choice. A CJI in a similar position would have an overbearing influence, making the DPA look more like a judicial forum than a body that can regulate the Data Protection ecosystem.
At the same time, the appointment of the Chairman or other members can always be challenged in the Supreme Court if a person with no credentials is appointed.
Had the appointment been made unimpeachable even in a court of law, the allegation could have been accepted. Just because the CJI is not involved in the appointment, holding that judicial oversight is completely ignored is unacceptable.
Powers of the Government
The second objection raised by Justice Srikrishna is on section 35 which provides exemption to the Government under such reasonable exceptions that the constitution provides for all fundamental rights.
Justice Srikrishna appears to make PDPA more stringent than the Constitution and restrict the powers of the Government even beyond what the Constitution itself does.
In the earlier version (PDPA 2018), it had been stated:
“Processing of personal data in the interests of the security of the State shall not be permitted unless it is authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved.”
“Processing of personal data in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of law shall not be permitted unless it is authorised by a law made by Parliament and State Legislature and is necessary for, and proportionate to, such interests being achieved.”
The above were in addition to the exemption provided for legal proceedings, research etc.
The essential difference was the legal implication of the way the restriction was expressed. In the new version the provision is stated differently, as:
“Where the Central Government is satisfied that it is necessary or expedient,—
(i) in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order; or
(ii) for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order,
it may, by order, for reasons to be recorded in writing, direct that all or any of the provisions of this Act shall not apply to any agency of the Government in respect of processing of such personal data, as may be specified in the order subject to such procedure, safeguards and oversight mechanism to be followed by the agency, as may be prescribed.”
Both versions provide that exemptions are available for the security of the state and would be subject to necessary safeguards.
The objection is therefore more a clash of drafting technique. We know that the Supreme Court has read meaning into even our Constitution where there was no specific mention of a provision (read the judgement on Aadhaar and Privacy) and has ignored the specific mention of words in the law many a time (the scrapping of Section 66A of ITA 2000 is an example). Hence, whatever way the Act is drafted, the Supreme Court has the power to interpret it in its own way, and there is no harm in the wording either in the way PDPA 2019 has expressed it or in the way PDPA 2018 has expressed it.
There is no doubt that Justice Srikrishna appearing in the group of traditional opponents of the Bill, who mainly opposed the Data Localization part of the Bill which Justice Srikrishna himself had drafted, puts the Government in an embarrassing light. But Justice Srikrishna has failed to explain why he is no longer supportive of the data localization aspect that he himself recommended and from which Ms Rama Vedashree, who was part of the committee, dissented.
The MeitY in its new version has yielded on the earlier objections on data localization, which was also a setback to the persons who supported upholding the “Data Sovereignty” principle and the possibility of economic benefits of data localization. I wish the JPC would have the courage to reverse this amendment and go back to the earlier version of the data localization, where it was mandatory to keep a copy of all personal data transferred out of the country.
A third aspect which Justice Srikrishna brought up in the round table reported by Yahoo is a new objection, and it relates to the “Social Media Intermediary and inclusion of Non personal data”. He is quoted as having expressed that they should have been left out of this law, without substantiating why he feels so.
The provision on social media intermediary, as well as the empowerment to seek anonymized community data, has certain reasons behind it, and hence there is no need to make any changes therein.
(Views expressed here are the views of Naavi as a person and comments are welcome)
Naavi