On 24 August 2017, a nine-judge bench of the Supreme Court handed down a resounding judgment, unanimously affirming that privacy was a fundamental right, placing individual dignity and autonomy at the heart of the constitutional order. The Cambrige Analytica scandal revealed that privacy was not a luxury concern of the elite, but something that impacted every individual in this age of ubiquitous data. The Aadhaar case was heard in full, for over four months. At the end of July, the government-appointed Justice B.N. Srikrishna committee came out with a report and a draft data protection bill on data protection.
This Independence Day, therefore, we stand at a vital moment in the history of the Republic. The collection, storage, transmission, and use of data now impact every thread of the fabric of our daily lives. Data mediates relationships between the individual, the State, and big corporations. Data can turn elections, reshape the market through personalised advertising, and serve as a weapon in the hands of the State to surveil its citizens. But a legal landscape in which the individual has genuine control over her data—and can choose how and on what terms to engage with data collection regimes—can also be liberating. Data can reinforce the threads of the fabric, instead of pulling them apart. The Supreme Court’s right to privacy judgment provides us with a blueprint of how that must be achieved. The national conversation around the draft privacy bill now gives us an opportunity to work towards its implementation. There are three crucial issues that a future privacy law must address.
Edward Snowden’s revelations revealed the scale and the extent to which governments spy on their citizens. Unregulated surveillance—whether bulk or targeted—has a chilling effect on the freedom of speech and expression, impacts the vulnerable and the marginalised, and has had demonstrably limited success in combating terrorism. In India, the legal framework for surveillance remains The Indian Telegraph Act, 1885 and a rather vague 1997 judgment of the Supreme Court, on the limited issue of phone-tapping. The process is heavily bureaucratised, and oversight is negligible.
While the B.N. Srikrishna committee report on data protection regulates data collection for State purposes, it does not tackle the issue of surveillance directly (leaving it to future legislation). While the committee may have been bound by its terms of reference, now that the Bill has been submitted, the national floor is open (so to say) for debate. It is vital to understand that without addressing surveillance head-on, a data protection law will remain incomplete and ineffective. The State’s collection of data to “prevent crime" must be part and parcel of a comprehensive data protection regime, instead of standing outside it.
Surveillance reform must address two issues. The first is that dragnet or mass surveillance—where the State mops up data indiscriminately, without any reasonable cause to suspect an individual—must be outlawed. India’s Constitution and laws have long abandoned the (colonial) theory that entire groups, communities, or populations were “presumptively criminal". The legal instrument that implemented this idea—the Criminal Tribes Act—was repealed soon after independence and it is too late to regress to a time where invoking “law and order" was blanket justification for any kind of rights violation.
The second is that targeted surveillance—based on credible suspicion—may be allowed, but subject to judicial oversight. In practice, this can be implemented through different models. At the very minimum, however, it requires that every surveillance request be considered by a judicial authority, in an adversarial proceeding where the interests of the target are represented by a publicly-appointed advocate.
Necessity & Proportionality
In its right to privacy judgment, the Supreme Court acknowledged there are occasions where the interests of the State require the collection, storage, and processing of data. We also live in a world where every moment, private parties handle our data. The Supreme Court therefore articulated a set of constitutional principles to regulate data processing, from the point of collection onwards.
These principles can be synthesised into two injunctions: necessity and proportionality. The principle of necessity stipulates that even if the State establishes a legitimate purpose for collecting data, it must demonstrate that data collection is necessary for achieving its goals, and that no more is being collected than is necessary. The principle of proportionality requires that the collection of data and the importance of the State’s purpose must be proportionate to the extent to which an individual’s right to privacy is being infringed.
For example, the State cannot invoke the (legitimate) aim of maintaining law and order to create a nation-wide DNA data bank, in which the DNA of every individual is compulsorily taken and stored permanently. Such an exercise, in its scale, sweep, and scope, violates both necessity and proportionality. The State may, however, in the course of investigating whether an accused has committed a crime, extract a DNA sample in accordance with Section 53 of the Code of Criminal Procedure.
The requirements of necessity and proportionality should be at the foundation of a data protection law, both to curtail the power of the State, and to regulate private parties’ use of data. In cases the State seeks to compulsorily extract data, the very act of collection—and of creating a database —should be subjected to these twin requirements. In cases where an individual has freely and genuinely consented to their data being collected, the principles should apply to the subsequent stages—that of storage and use. Through its clauses on purpose limitation, further use, and necessity for the stipulated purpose, the Srikrishna committee’s Bill takes a step in the right direction. However, we need to go further. A clear and enforceable set of provisions mandating compliance with the principles of necessity and proportionality can improve the Bill before it becomes a law.
Lastly, the best laid plans can founder on the rocky shoals of implementation. The Srikrishna committee’s Bill sets up a Data Protection Authority (DPA), and sets out provisions for the selection of the officials who will run it. However, it also gives the Central government wide-ranging powers to control the functioning of the DPA, and how it will work in practice. A final law must go further in ensuring that the regulatory authority is both independent, and— equally crucially, but often forgotten—accessible. Data protection concerns are equally urgent in the big metropolises and in the rest of the country. It would be a pity if, like so many of our other tribunals, the future data protection tribunal also becomes an urban fortress.
These are some of the vital issues facing the public and our lawmakers, as we move to the next step of debate and consultation over the Srikrishna Bill. And these are issues already in the public domain: in June, a group of lawyers and legal scholars (of which this author was a member) drafted a comprehensive Citizens’ Privacy Code. There is the accumulated wisdom of the years, starting with Justice A.P. Shah’s nine principles of privacy, and the Centre for Internet and Society’s draft privacy bill. Some parliamentarians have also drafted privacy bills. The onus is now on all of us to take this conversation forward, and ensure a data protection law that fulfils B.R. Ambedkar’s dream, when he stated in the Constituent Assembly: “I am glad that the draft Constitution ... has adopted the individual as its unit."
Gautam Bhatia is a Delhi-based lawyer. His second book, The Transformative Constitution, will be published in 2019.