Aadhaar privacy debate, data protection regulation to intermediary guidelines: Tech policy trends of 2018

Looking at the year gone by for privacy, one can look ahead at 2019 only with concern


2018 has been a very significant year for privacy and data protection in India, triggered in part by the Aadhaar case and the affirmation of the fundamental right to privacy by the Supreme Court in 2017. A growing privacy consciousness can be seen among the people, with a view to safeguarding their data and their freedom, as can be seen with the outrage that followed the recent MHA notification.

The same consciousness can be seen in the government as well, but from the perspective of recognising the potential of data, and of privacy and data protection laws as a means to enable this, as opposed to protecting the people. The focus of laws and proposed laws thus, by and large, seems to be with the aim of maximising control and utilisation of data, as opposed to safeguarding people’s rights. The recently released draft Intermediary Guidelines are reflective of this as well.

A man goes through the process of eye scanning for the Unique Identification (UID) database system, Aadhaar, at a registration centre in New Delhi, India. Image: Reuters

Draft Intermediary Guidelines

MeitY released a draft of the Intermediary Guidelines for public consultation on 24 December this year. These guidelines, in addition to various proposed provisions in relation to content regulation, propose a 72-hour time limit to respond to government requests for information. Given the broad definition of ‘information’ under the IT Act, this could include data of any form, even text, images, messages, databases, etc. This also includes a requirement to trace the originator of such information on its platform. The proposed requirement is reflective of the traceability requirements which were to be imposed on WhatsApp for dealing with the fake news menace.

Such requirements are being proposed without any clarity on corresponding privacy protections for the people. It must be remembered here that while intermediaries like Facebook, WhatsApp, YouTube, etc. are often at the receiving end for their lack of privacy protections in relation to the use they make of the data, they have often turned out to be the only protection people have against governmental access of data (the FBI-iPhone struggle, for instance). These rules put in question the extent of governmental access to data with such intermediaries, and also with the use of encryption as a means of protection for users.

The MHA Notification

The recently issued MHA notification is another such instance, which appointed 10 governmental bodies such as the Intelligence Bureau as agents for the purpose of interception, monitoring and decryption. While the notification was widely misunderstood to be conferring unbridled surveillance powers on these agents, it did have the effect of bringing state surveillance to the forefront of people’s privacy concerns.

For the sake of clarity, the notification did not make any change to the existing situation or confer any new surveillance powers on the agents. These powers are already within the IT Act, and the issue with their constitutionality existed from the moment of their introduction into the IT Act, and not with this notification.

Another reason for the huge outrage that followed this notification was possibly owing to the introduction of the need for judicial oversight as a procedural safeguard for sharing of data under the Aadhaar judgment (the striking down of Section 33(2)). As a result, any step forward in relation to Section 69 was expected to be in relation to testing its constitutionality and those of the procedural safeguards under related rules. What was seen instead was the government taking the next steps for more efficient exercise of the existing surveillance powers.

Section 69 of the IT Act and its procedural safeguards have long since been in question for their constitutionality. This is owing to, firstly, their failure to meet privacy standards for surveillance possibilities today, the lack of judicial oversight as required under the Aadhaar judgment, and failure to meet the proportionality test as required under the Right to Privacy Judgment. The safeguards, moreover, are on the lines of those prescribed under the PUCL judgment, a judgment which was delivered almost 20 years ago (1996) and in relation to telephone tapping only. Review of these for their constitutionality is thus essential.

The Personal Data Protection Bill

The attitude of the state towards data protection is further reflected in the draft Personal Data Protection Bill, released in July 2018. On the one hand, it was a good step forward for India to move from next to no privacy law at all to a comprehensive privacy law. On the other hand, the fiduciary relationship put forth by the Bill leads to a situation where instead of giving the individual the ultimate control and ownership of his data, once he hands his data to a data fiduciary or controller, he can only trust that the data fiduciary will handle his data in compliance with the law. This is reflected primarily in the omission of the right to erasure (the right to have a data fiduciary delete all data that he has on the individual) among the rights granted to the individuals.

The effect is thus that while the law imposes a number of welcome obligations on the data fiduciaries, the people are not sufficiently empowered in relation to their data. The broad scope of exemptions for State related processing and provisions for non-consensual processing only adds to the lack of control that people have been given, particularly vis-à-vis the State.

TRAI Recommendations on Privacy

In particular, the Bill was a disappointment in comparison with TRAI’s Recommendations on Privacy released just prior to the Bill. This was not without its own problems, for instance, that the scope of the Recommendations, which were to apply to the entire digital ecosystem, encompassed a range of entities far beyond TRAI’s jurisdictional boundaries, such as browsers, handsets, tablets, OTT services, applications and the like. However, the recommendations put the individual squarely as the owner of his data. The recommendations thus placed the individual in a much stronger position in relation to his data than under the Bill.

Data Localisation

Yet another consequence of the Data Protection Bill was the suggestion of data localisation of ‘critical personal data’, an undefined term, in a move that was criticised far and wide for its detrimental effects on innovation. This implies, for instance, that companies can no longer rely on global cloud storage, and that there will be a significant increase in compliance costs.

This is also supported by the RBI’s move to mandate data localisation for the data with payment service providers such as card networks and mobile wallets. While the scope of data localisation requirements under the Bill is still unclear, the impact of the RBI’s data localisation requirements is already being felt with the launch of payment services like Apple Pay being put on hold. While the aim of retaining the data within India might serve the aim of retaining governmental control of the data, it is unlikely to actually contribute to better security or privacy of the data itself.

The Aadhaar Judgment and its impact

The most significant development for privacy was, of course, the Aadhaar judgment. The final hearing, which spanned 38 days over almost five months, was the second longest in Indian history, and the people’s involvement, whether for or against Aadhaar, was just as tremendous.

After major arguments against Aadhaar, such as the privacy implications of the large-scale collection and storage of biometric data, and its potential as a surveillance tool, among others, the Supreme Court finally gave a judgment which supported Aadhaar but largely reduced the wide-scale impact it was having. The major cause for this was the limitation of the use of Aadhaar to Section 7 benefits, as well as to governmental use.

Village women stand in a queue to get themselves enrolled for UID database system.

Thus, while the biometric database with all of its privacy and security concerns has been retained, the uses it can be put to have been limited, for the present. The limiting of its sharing with private companies has had wide implications, including bringing an end to its rampant mandatory use, such as for children’s school admissions, the NEET, hospital admissions, etc. This has also brought an end to eKYC, in a move that affected not only several digital payment companies but also drone companies. This was followed by debates on whether voluntary use of eKYC was possible, and by the introduction of new, offline methods of verification such as the use of QR codes.

Mandatory linking to bank accounts and SIM cards, which was coupled with the threat to disable those accounts/numbers that were not so linked, was thankfully also brought to an end. However, since the judgment, rumours have already started to surface of the possibility of bringing in a new law which mandates the same.

The linking of Aadhaar with Voter IDs was another cause for strife that arose this year, with allegations that non-consensual Aadhaar-EPIC seeding was the primary cause for thousands of voters being missed from Telangana electoral lists this year. Among others, these allegations raise questions on whether the Aadhaar database and access to it are really as private as is claimed.

Others

In addition to these primary concerns, a number of other concerns have emerged, which include, among others, the proposed Social Media Communications Hub which has been challenged before the Supreme Court at present, introduction of the draft DNA bill in Parliament for the creation of a national DNA databank for certain categories of persons, and the proposal of a national AI marketplace for data aggregation.

2019 for Privacy?

Looking at the year gone by for privacy, one can look ahead at 2019 only with concern, since many of these developments discussed here are currently in draft form. 2019 may well see these laws taking concrete form by being enacted. The involvement of the people has played a crucial role in reducing the rampant use of Aadhaar, if not bringing it to a complete halt. While there is a huge movement in the field of privacy and data protection, the people will have to continue playing this role to ensure that it takes the right direction.

The author is a lawyer specializing in technology, privacy and cyber laws.

 
