• The Data Protection Bill draft reportedly covers topics such as data localisation, protection, and creation of a data protection authority
• It 'proposes' offline verification of Aadhaar and strengthens the UIDAI’s grip on Aadhaar-related legal action
• The draft is also said to propose the removal of Section 8(1)(j) of the RTI Act, thereby weakening the Act
While there is still no confirmation on whether the Justice Srikrishna Committee has submitted its report on the Data Protection Bill, reports have emerged that the proposed draft not only weakens the RTI Act, but also maintains much of the status quo of Aadhaar Act.
It also reportedly strengthens the Unique Identification Authority of India (UIDAI)’s powers when it comes to Aadhaar-related legal action by maintaining that only the UIDAI can approach courts in case of any Aadhaar disputes.
Last year in August, a 10-member committee headed by Justice Srikrishna was constituted to draft a Data Protection Bill for India. This came in the wake of a historic judgment by the Supreme Court (SC) on August 24, 2017, in which a nine-member bench of the SC gave a unanimous verdict that the Right to Privacy is a fundamental right. After several delays, the Committee was supposed to submit its draft last month.
Meanwhile, the TRAI has also released its recommendations on privacy, security, and data ownership in the telecom sector.
Earlier, it was reported that the Committee has recommended that data companies operating in India store Indian data locally. This includes global companies such as Google, Facebook, and Linkedin.
Online magazine Caravan claims to have access to the draft of the proposed law, which has been entitled ‘The Protection of Personal Data Bill, 2018.’
The draft reportedly contains more than 15 chapters on topics such as data localisation, the creation of a data protection authority, data protection measures, and separation of personal and sensitive data.
It is also said to propose some amendments to the Aadhaar Act 2016, and the Right to Information Act, 2015.
Expected Amendments To Aadhaar Act, 2016
According to reports, the changes proposed in the draft Data Protection Bill to the Aadhaar Act will include an offline verification process for Aadhaar, and increasing or instating civil and criminal penalties for contravening the Act.
Further, a new adjudication process to address disputes arising out of Aadhaar is said to be introduced.
The draft reportedly includes a new proposal for the appointment of an adjudicating officer above the rank of a joint secretary in the Union government, who will have the power to make inquiries in case the Aadhaar Act is found to be violated in any manner.
It also proposes that the Telecom Disputes Settlement and Appellate Tribunal act as the appellate body for any appeal against the appointed adjudicating authority. After the tribunal, the appeals will be heard only by the Supreme Court.
According to the reports, the draft maintains that only the UIDAI can approach courts in case of any disputes. This is a major flaw, as despite having a series of Aadhaar-related data breaches, the UIDAI has washed its hands off the matter and never admitted to any data breaches or dispute.
There are also some suggestions on the offline verification of the Aadhaar Act, which seem to be incomplete. Offline verification under the Aadhaar Act cannot be considered a method of identity authentication as any authorised body seeking Aadhaar verification registers a real-time query with the Central Identities Data Repository (CIDR), which is maintained by the UIDAI.
Offline verification through the CIDR raises several pertinent questions: how will the Aadhaar identity be verified; does this mean that the agency doing the offline verification will have access to a local CIDR database; will the data be stored on a new type of Aadhaar card; and what about potential data breaches in such cases?
The draft reportedly doesn’t provide any clarity about offline verification and its execution.
Expected Amendments To RTI Act, 2015
According to the reports, the draft Data Protection Bill also proposes the removal of Section 8(1)(j) — which accounts for the right to privacy — of the RTI Act. The Section 8(1)(j) aims to fine-tune the balance between one’s personal information and the need for transparency in public. This was one of the sections invoked to deny information in the RTI queries seeking access to PM Narendra Modi’s educational degrees.
The Section 8(1)(j) of the RTI Act states: “Information which relates to personal information, the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information: Provided that the information, which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.”
The removal of Section 8(1)(j) and its replacement with another provision will enable officials to withhold details even more easily and make them less accountable under the garb of increased privacy.
The section is said to have been misused by RTI officers to deny information requests, resulting in RTI activists demanding a clear definition of the terms — “public interest” and “public activity” — which restrains people from seeking personal information even if it could be in the public interest.
The committee, in a white paper released previously, sought to discuss the RTI Act, claiming that it might overlap with the Data Protection Bill. The committee had then observed, “Similarly (like PMLA — Prevention of Money Laundering Act, 2002), information which would impede the process of investigation or apprehension or prosecution of offenders is exempted from disclosure under the Right to Information Act, 2005.”
The draft Data Protection Bill reportedly introduces a new provision which requires three conditions to be fulfilled for disclosure of any personal data under the RTI. The conditions are as follows:
a) The personal data relates to a function, action or any other activity of the public authority in which transparency is required to be maintained having regard to larger public interest in the accountability of the working of the public authority
(b) If such disclosure is necessary to achieve the object of transparency referred to in clause (a)
(c) Any harm likely to be caused to data principal by the disclosure is outweighed by the interest of the citizen in obtaining such personal data having regard to the object of transparency referred to in clause
The amendment to the RTI ACT will give information officers enhanced freedom to choose not to disclose personal information as the above conditions don’t contain a clear definition of “public interest”.
Unbalancing The Act: Right To Privacy And The Need For Transparency
The proposed bill, thereby, unbalances the equation between transparency and the need to protect personal information, which wasn’t exactly the intention of the RTI Act, 2005.
This has also been highlighted by former Supreme Court Judge M Jagannadha Rao, who criticised the committee report, saying that it referred to the collection of data but “not to the boundaries of the right to collection of data, which is the essence of the Supreme Court judgment.”
“There is absolutely no discussion on these vital aspects as to where the privacy rights start and where the state’s surveillance must stop,” he wrote.
The final draft of the Data Protection Bill is yet to come out in the public domain, but the proposed amendments to the two major acts have raised a lot of concerns from various quarters.
Inc42 had earlier reported how the Data Protection Bill will not only talk about Aadhaar but also about big data and emerging technologies, the scope and exemptions of the law, the grounds of processing data, the rights and obligations of parties, and enforcement of the law.
[The development was reported by Caravan]