The Cambridge Analytica scandal and the Aadhaar database security concerns have provoked a citizen advocacy group to launch a campaign to protect the privacy of individuals in India.
A set of lawyers and policy analysts have put together a model Bill — the Indian Privacy Code, 2018, — with an overriding effect over the Aadhaar Act. The initiative, backed by the Internet Freedom Foundation (IFF), is looking to garner public awareness and nudge the government into adopting a strong law focused on user rights.
The model Bill envisages a law that will prevent some of the fundamental features of the Aadhaar Act from allegedly operating against citizens. This, the advocacy group expects, will shift power from the Unique Identification Authority of India (UIDAI) to the people.
Advocate Apar Gupta, a co-founding member of IFF, said fundamental features of the Aadhaar Act make its use mandatory while being a universal digital ID not tied to a specific purpose.
Sensitive form of data
“It relies on biometrics, which are an incredibly sensitive form of data. It results in mass surveillance as precondition to availing essential services. Due to its architecture, it makes people vulnerable to data breach and identity theft,” Mr. Gupta said.
However, the model Bill seeks to allow people the option of knowing how much of their data are collected, what information is parted with and what are its consequences. More importantly, it will clearly demarcate an option for the people to refuse consent. This undercuts the Aadhaar Act but more importantly the administrative practices which have resulted in making it mandatory, Mr. Gupta said.
IFF members were also part of the ‘Save the Internet’ campaign that was instrumental in pushing back Facebook’s Free Basics in India.
The advocacy body said its latest campaign, ‘Save Our Privacy’, was to make sure that India gets a privacy and data protection law that protects the fundamental right to privacy.
There is no separate law in India on privacy and data protection. While many drafting efforts have been made since 2010, little has come out of it. In 2012, an Expert Group on Privacy, chaired by former Delhi High Court Chief Justice A.P. Shah, had submitted a report to the Planning Commission. The report had recommended passing a law that makes privacy safeguards technology-neutral and applicable to both government and private sectors.
During the Aadhaar hearing before the Supreme Court in mid-2017, the Centre had constituted a committee of experts under the chairmanship of former Supreme Court Justice B.N. Srikrishna. This committee had released a White Paper and is expected to recommend a draft law to the Ministry of Electronics and Information Technology.
A nine-judge Bench of the apex court had last year declared privacy as intrinsic to life and liberty, and an inherent right protected under the Constitution. This means that an ordinary citizen can now directly approach the court in case of violation of his/ her privacy. The verdict armed the common man against unreasonable State intrusions and protected informational privacy in a digital age.
During the hearing, the top court had expressed apprehensions against the State passing on personal data collected from citizens to private players.
The model Bill is built on seven progressive privacy principles, including use and purpose limitation (personal data collected for specified purposes cannot be further processed for other purposes) in collection and processing of data. It said a strong and independent privacy commission was necessary to ensure that data protection rights are enforced. The model Bill provides the privacy commission wide powers of investigation, adjudication, rule-making and enforcement.
The model Bill said the government, its arms, bodies and programmes should be made compliant with the privacy protection principles through a data protection law. “We support the use of digital technologies for public benefit. However, it should not be privileged over fundamental rights,” the advocacy group said.
“The government is responsible for delivery of many essential services to the public. These services must not be withheld from an individual due to such individual not sharing data with the government...Withholding services on the pretext of requirement of collection of data effectively amounts to extortion of consent. Individuals cannot be forced to trade away data and citizenship at the altar of being permitted to use government services and access legal entitlements on welfare,” the advocacy group said.
The group said the data protection law will have to limit mass surveillance as it contravenes the principles of necessity, proportionality and purpose limitation. It said that evidence gathered illegally, such as telephone intercepts without valid tapping orders, is inadmissible as proof in legal proceedings. To ensure further accountability, all such orders need to be communicated to the person who was surveilled.
Collection of data
The model Bill seeks to ensure that no government or private entity collects sensitive personal data without consent from an individual. The individual will have the right to obtain information from the data controller. This information will include purposes of storage and processing; categories of personal data; recipients to whom personal data have been or will be disclosed; the right to lodge a complaint with a supervisory authority; and existence of automated decision-making.
More importantly, the individual will have a right to request erasure and destruction of data at any time, and data controllers and processors will have to comply with such requests within a fixed time frame.
Offences and penalties
The model Bill also seeks to provide punishment for those found illegally collecting, receiving, storing, processing, disclosing or otherwise handling any personal data. Punishment for this offence may include a fine of ₹1 crore and a three-year imprisonment. Even illegal surveillance of another person will be liable to a fine, which may extend to a fine of ₹10 crore and a five-year jail term.
The foundation has sent an e-mail to the Srikrishna Committee, with a copy of the model Bill. It said this was a policy fix for recurring concerns and controversies, including issues such as Aadhaar, Cambridge Analytica, the social media communication Hub and Edward Snowden’s revelations on mass surveillance.