When the Supreme Court recognised the ‘Right to Privacy’ as a fundamental right in the Puttaswamy judgement, it underscored the need for a balance between data regulation and individual privacy with an emphasis on protecting the autonomy of the individual.

The apex court urged the state to put into place a robust regime for data privacy, while acknowledging that there could be several reasons for data mining by the State, such as the implementation of welfare schemes, prevention and investigation of crime and protection of revenue.

Inherent in this acknowledgement, however, was the recognition that the data which the state collects have to be utilised for legitimate purposes of the state and ought not to be utilised in an unauthorised way for extraneous purposes.

The Supreme Court noted in its order that the union government had constituted a committee chaired by Justice BN Srikrishna (Retd.), to review data protection norms in the country and to make its recommendations. The committee submitted its report on July 27, 2018 along with a draft of the Personal Data Protection Bill, 2018.

The Bill recognises the ‘personal’ nature of data, allows processing of data by fiduciaries if consent is provided and only recognises five exceptions to this rule: (i) where processing is necessary for the state to discharge welfare functions, (ii) in compliance with the law or with court orders in India, (iii) when necessitated by the requirement for prompt action (medical emergencies, breakdown of law and order, etc.), (iv) in employment contracts, in limited situations (such, as where giving the consent requires an unreasonable effort for the employer) and, (v) other reasonable purposes such as prevention and detection of any unlawful activity including fraud, whistle blowing, network and information security, etc. provided safeguards to ensure the protection of the rights of data principals are laid down.

The Bill was submitted to The Ministry of Electronics and Information Technology (MeitY) which opened it for comments, but it is anybody’s guess as to when the data protection law is likely to see the light of day.

Meanwhile, the Draft National e-Commerce policy was released on February 23 with a two-week response deadline ending on March 9. The policy, on Page 14, discusses the ownership of data in rather alarming terms. It states that data about a group of individuals and derivatives from it, is the collective property of the group.

It is described as “a national asset, that the government holds in trust, but rights to which can be permitted”.

The policy fails to distinguish between irreversibly anonymised data which ceases to fall within the definition of personal data and personal data, and treats all of it as one whole. It furnishes no basis for making a case for “collective” ownership of all data in the form of a ‘societal commons’, nor treating it is a ‘national resource’ or ‘collective resource’ that the ‘government holds in trust’.

The dangers of treating data as property owned by the state and commercially licensed to those who seek to mine it cannot be emphasised enough. It contains sweeping statements on how the policy is “about how to exploit this national resource, for maximising growth and for delivering the greatest benefits to all sections of society”.

Interestingly, the policy also contradicts the July 16 recommendations on Privacy, Security and Ownership of the Data in the Telecom Sector issued by TRAI, which accurately notes that “the individual must be the primary right holder qua his/her data.”

TRAI suggestions contradicted

The TRAI recommendations state that “it would appear illogical/inequitable to permit complete transfer of rights over an individual’s personal data” and that, “while data controllers may indeed collect and process personal data, this must be subject to various conditions and obligations — including importantly, securing explicit consent of the individual, using the personal data only for identified purposes, etc.”

The policy disregards the TRAI recommendations by reclassifying data as a collective resource. It is however on the same page as the Aadhaar and Other Laws (Amendment) Ordinance 2019 (the Ordinance) and the Aadhaar Act, 2016.

The latter provides that the Unique Identification Authority of India (Authority), which is responsible for the online enrolment and authentication under the Act, will “ensure the security of identity information and authentication records of individuals”.

What is key in the Aadhaar Act is the use of the phrase “not being authorised by the authority” (Section 38). In other words, if the Authority, in its capacity as repository of data licenses it for royalty or exploits it as a “national resource” as the policy suggests, the owner of the personal data, the individual, has no redressal.

No surprise therefore, that the Ordinance and the policy are being pushed ahead as far greater priority than a robust data protection law.

The writer is Principal, Fidus Law Chambers, an IPR law firm

Related Topics
comment COMMENT NOW