To ensure data safety, a better vision needed

The writer is adviser, Observer Research Foundation
Published : Aug 4, 2018, 1:45 am IST
Updated : Aug 4, 2018, 1:44 am IST

Outsourcing the government’s job to an independent regulator has become the standard institutional solution for lack of specialist skills, low motivation or poor integration of mandates across silos. The Justice B.N. Srikrishna Committee’s recommendations on data protection are par for the course.

A new Data Protection Authority (DPA) is to be created as an “independent regulator” for monitoring, enforcement, standard setting, adjudication and grievance handling. Will this regulator work when so many others have failed to deliver? Only time will tell. But it cannot worsen the present levels of data protection. It may cost a bit more. But it will also create additional “good” jobs. So, on the whole, we should probably go for it.

The committee also recommends, somewhat surprisingly, that the Unique Identification Authority of India (UIDAI), which has the mandate to issue Aadhaar and manage its database, should also be given regulatory functions, its autonomy enhanced with enforcement powers over the entities which, in turn, are authorised to access the Aadhaar information. Simultaneously, UIDAI will also become a data fiduciary regulated by the proposed DPA, like any other data fiduciary, through amendments in the Aadhaar Act.

This is convoluted, but has the advantage that it preserves the existing Aadhaar Act while also bringing the UIDAI under the mandate of the DPA. Clearly, this device diffuses potential resistance. However, wouldn’t it be sufficient for the UIDAI to be regulated by the DPA? The issue of data privacy in Aadhaar-using fiduciaries could be directly regulated by the DPA. Data privacy leaks happen not within the UIDAI database, but in agencies like banks or food distribution centres which are required by the law or by executive order to access the Aadhaar base.

In the context of private data protection versus the State, the committee’s recommendations are fairly status quoist. The committee has ceded regulatory ground near completely by exempting all authorities controlled by the government, as defined in Article 12 of the Constitution, from the need to obtain the consent of individuals (termed data principal by the committee). The only restraint is the triple test laid down by the Supreme Court (Puttaswamy case 2017) — permitted by law, the principles of “necessary” and “proportionate” use, and finally use only to promote a legitimate interest, such as the “security of the state”.

Civil society is almost certain to be unhappy that better and more explicit safeguards haven’t been suggested over public agencies to curb the practice of gathering “intelligence” or exercising “surveillance” in the manner of a “fishing expedition” — casting the net wide to gather all possible information.

The safeguard today is that approvals for interception, under the Telegraph Act 1885, are given by a three-person committee of top bureaucrats. The number of requests — around 8,000 per month — is huge. The secretary-level committee can only hope that their junior staff has sifted the requests carefully. A similar architecture exists in state governments. Under the Information Technology Act 2000, private information stored in computers can be similarly accessed for reasons of state, including crime prevention and detection.

The committee suggests that a new law is needed to exercise better oversight over intelligence-gathering, including wider parliamentary and judicial participation. That will take time. An earlier bill to regulate the functioning of the intelligence agencies had lapsed in 2011.

Surely, even within the existing laws, there is much scope for improvement. Enhancing the capacity and willingness of government agencies to adopt a minimalist approach to data use is one such. Why not use artificial intelligence to handle the huge workload of identifying unreasonable requests or those drafted without proper application of mind? Why not empower the committee of top government officials to discipline line agencies submitting unreasonable requests? Further, can these high officials themselves not be disciplined if they fail in exercising due care? Why not have a group of ministers exercise regular and specific oversight over them? It is the minister, after all, who is answerable in Parliament.

Consider that the most egregious cases of privacy intrusion relate to the use of state power. A new law to improve state functioning is a narrow and time-intensive approach to the problem. It ignores the fact that “gold standard” laws in a poor, developing country, with massive functional illiteracy, do not really work.

The recommendations with respect to safeguarding privacy versus business interests are broadly aligned with the “gold standard” of the European Union General Data Protection Regulation of May 2018. We have a fatal instinct for legislating for gold, but settling finally for results equivalent to baser metals.

The committee has sought inspiration from the Directive Principles of the Constitution. Article 39(b) and (c) enjoin the State to work towards redistribution of the material resources of the community for the common good and to avoid the concentration of wealth and means of production. These are non-justiciable segments of the Constitution meant to guide lawmakers. It is worrying for business when the judiciary starts second-guessing the lawmakers. Consider that applying these principles bluntly could imply that private data aggregators should be discouraged since they extract enormous value which grows exponentially when aggregated. This could be disastrous. Concentration of wealth versus the common good varies with the context. It is unfortunate that the committee has introduced these heavily ideological considerations into the narrower issue of data protection.

Businesses and bureaucrats will also view with considerable apprehension the recommendation that severe criminal liability should extend to incidents of “intentional or reckless” harm caused to data principals, including making such offences “cognisable” (arrest by the police without a warrant) and “non-bailable”. Experience shows that in the case of criminal penalties, unlike in negotiations, the heavier the stick wielded, the lighter becomes its actual use. The low efficiency of our judicial system also needs to be considered. Such draconian provisions only serve to dissuade honest, lawful businesses, but do little to discipline criminal intent. The direction for change recommended by the committee is positive, the narrative outstanding and information collated impressive. An incremental approach and a near-term vision would have helped a lot.
