Draft data law falls short

The much-awaited recommendations of the Justice Srikrishna committee, which was appointed to suggest and create a legal framework for protection of personal data and privacy, have fallen short of expectations in some important respects. The committee has presented its report and a draft legislation which deal with matters relating to data protection, seek to address concerns, and put in place solutions. The basic issue is the relationship between those to whom the data belongs — principals in the committee’s phraseology — and the firms, state or state agencies which collect, process or use this data, whom the committee calls fiduciaries. Genuine data protection and privacy would demand that the principal be accepted as the owner of the data and the fiduciaries be considered only as custodians. The committee does not seem to accept this basic premise. It treats the issue as one caused basically by the private companies with which people share their data and by the offshore location of data, and tiptoes around the issue of State surveillance using personal and sensitive data.

The bill has laid down that the principal’s consent is essential for the use of data but assumes that consent given once will not be misused later. This is a wrong assumption. Worse, it provides exemptions to the State in the matter of taking the owners’ consent for the use of data. When state agencies are exempted from taking the consent of data owners for procuring or processing data “in the interest of the security of state’’, it is bound to be misused. The clause that allows processing of personal data “for any function of parliament or any state legislature’’ is so vague as to allow any kind of intrusion into privacy, including in areas related to health and finances. Such powers cannot be vested in the State in a democracy. The bill will also enable state agencies to process personal data without permission from the courts. It proposes the setting up of a Data Protection Authority as a regulator but allows the central government to issue binding directions to the Authority. The report also recommends amendments to some 50 laws, including the Aadhaar and the RTI Acts, and these will strengthen the State’s powers over the rights of individuals. This is dangerous.

There are other issues also like the permission for companies to retain data after removing personal particulars from it. This is likely to be misused by companies. The draft bill provides only a broad platform for data protection, and a weak one at that. It should be debated, overhauled and strengthened before being made into law.