
The Personal Data Protection Bill, 2019: A Critical Analysis

This Article is written by Arpita Mohapatra & Sanika Kapse, students of Modern Law College, Pune

“Our own information is being weaponized against us with military efficiency. Every day, billions of dollars change hands and countless decisions are made on the basis of our likes and dislikes, our friends and families, our relationships and conversations, our wishes and fears, our hopes and dreams. These scraps of data, each one harmless enough on its own, are carefully assembled, synthesised, traded and sold.” – Tim Cook

Introduction:

Data Protection Bill vis-à-vis EU’s General Data Protection Regulation

Consider the facial recognition technology that Chaayos, the popular teahouse chain, uses at a number of its stores in Delhi and Bangalore. The technology creates profiles of customers, which are used to “remember” them on subsequent visits, enabling repeat orders and efficient payment. In the terms of this Bill, Chaayos is the ‘data fiduciary’ and the customer is the ‘data principal’.

Determining the objectives of any data protection legislation is always surrounded by conflicting interests of the privacy of data principal, state regulations and data commodification. The objectives of EU’s General Data Protection Regulation (hereinafter, the GDPR), are data principal centric, whereas, the Personal Data Protection Bill, 2019 (hereinafter, the Bill), which uses the GDPR as a template, focuses on data as a ‘national asset’. Therefore, to examine the scope of the Bill a comparative analysis with the GDPR is necessary. 

The right to be forgotten (RTBF), given in the Bill, has been made unnecessarily difficult to exercise. This right cannot be exercised by directly or indirectly requesting the data fiduciary. The data principal in this case needs to obtain an order from the Adjudicating Authority, which can exercise its discretion, based on wide considerations. This is in contrast to the Supreme Court’s decision in K.S. Puttaswamy which recognized the right to have control over personal data which also includes the right to control its existence on the internet. Similarly, the Delhi High Court and Orissa High Court have held that the RTBF is an inherent part of right to privacy under Article 21 of the Constitution. Conversely, the GDPR incorporates a more extensive right to be forgotten and imposes a requirement on the data controller to erase any data on request. 

Similarly, in case of a breach of personal data, the GDPR states that the data controller is to follow a two-step process: firstly, to inform the supervisory authority where there is a low risk to the rights and freedoms of natural persons and, secondly, to inform the data subjects in case of high risk to their rights and freedoms. Under the Bill, by contrast, the data fiduciary is to inform the Authority about the data breach, and the discretion is vested in the Authority to determine whether the data breach should be reported to the data principal. This at the outset is contradictory to the “fiduciary” relationship which the Bill seeks to establish.

Further, the word ‘consent’ in the GDPR has been used liberally in favour of the data subject. The European data protection authorities have made it clear “that if a controller chooses to rely on consent for any part of the processing, they must be prepared to respect that choice and stop that part of the processing if an individual withdraws consent.” Contrarily, the Bill contains an entire chapter which authorises the processing of personal data without consent, by the State and the companies. The Executive is allowed to process personal data for the provision of “any” service or benefit to the data principal, for the issuance of any certification, licence or permit for “any” action or activity of the data principal, or for compliance under any law. This directly contravenes the consent provision in the Bill, which mandates informing the data principal of the “purpose” for which their data is to be processed. Evidently, sweeping powers rest with the government to control citizens’ personal data without consent. The Bill also allows processing of personal data necessary for purposes related to employment without the consent of the data principal. The employer with this power can retrieve and process data available on the employees’ computers and mobiles. Another proposed ‘reasonable purpose’ exemption relates to “mergers and acquisitions”. During the transactional stage of any merger or acquisition, dozens of lawyers, financial advisors, and other organizations are given access to the data stored by the companies involved in the transaction. If merger and acquisition proceedings are treated as a blanket exemption to the requirement of consent for processing, this could act against the privacy-by-design structure of the proposed law.

Defective definitions in the Bill 

The Bill makes a deceptive distinction between ‘personal data’ and ‘sensitive personal data’, which is absurd as personal data is also dangerously vulnerable to profiling. For example, online identifiers (like devices, applications, IP addresses, cookie identifiers, etc.) can leave traces which, when combined with unique identifiers or other information received by servers, can be used to create profiles of data subjects.

The requisites of “consent” in the Bill are watered down by the chapter on exemptions in processing of personal data and the chapter on processing of personal data without consent, which gives autonomy to the companies and the government to an extent where it negates the whole purpose of the Bill to protect personal data. 

It is pertinent to note that the distinction between ‘processing’ and ‘profiling’ under the Bill is not watertight, and that the term ‘processing’ covers a broad range of activities which may inevitably lead to profiling. The Bill not only allows ‘manual processing’ of data by the small entities which will leave the data even more prone to profiling, it also attempts to put a blanket ban on accountability of data fiduciaries and puts a rider on the rights of data principals. 

Under the Bill, the Central government can obtain anonymized personal data and non-personal data for the delivery of services and policy formulation. Such anonymized personal data can nonetheless be de-anonymised; for example, an anonymised Netflix dataset of film ratings was de-anonymised by comparing the ratings with public scores on the IMDb film website in 2014. Such de-anonymisation of personal data by the government can lead to its arbitrary use.

Arbitrary control of government in every sphere of data regulation regime

Every social media intermediary which is notified as a ‘significant data fiduciary’ is to enable the users to voluntarily verify their accounts in such manner as may be prescribed by the Central government. This power given to the State is evidence of its arbitrary interference in a place where this role should unquestionably be exercised by the significant data fiduciaries. Additionally, provisions like data protection impact assessment, maintenance of reports, auditing of policies and conduct of processing, etc., have limited applicability, only to significant data fiduciaries. The data fiduciaries that do not come under the ambit of significant data fiduciaries can violate the objectives of the Bill if left unchecked.

The Bill provides for exemptions to the Central government to exempt any governmental agency to process personal data in the interest of sovereignty and integrity of India, the security of the State or to preserve public order or for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India. The terms used in these sections are vague and autocratic and warrant the violation of privacy by the government. Further, the establishment of a Data Protection Authority (DPAI), which will be at the helm of affairs for the implementation of the Bill, is marred with prejudice. The selection committee for the constitution of DPAI will be comprised of Cabinet Secretary as the chairperson, Secretary, Department of Legal Affairs, and Secretary, Ministry of Electronics and Information Technology. The committee lacks legal and subject experts when compared to the former draft Bill of 2018. Therefore, the Data Protection Authority will be executive-oriented rather than being an independent regulator.

Impact of Data Localisation 

According to the Bill, all sensitive and critical personal data must be stored in servers located in India. Sensitive data may be processed outside the country but must be brought back to India for storage. Critical data cannot be taken out of the country at all. There are no restrictions for general data. Digital companies currently store and process their data wherever is economically most efficient. This locational divide, proposed by the Bill, would impose additional costs on digital companies, leading to subeconomic storage and processing capacities, and might result in “splinternet” or the fragmentation of global digital supply chains. The impact of data localisation on protection of personal data of users is contingent upon the robust infrastructural and technical capacity to protect such data within the borders. Unless these conditions are fulfilled, storage of personal data within or outside the country would make no difference for the data principal, who in either case will be exposed to risk of data breach.

Conclusion  

The Bill provides a mere skeleton, the intricacies of which will take shape only after the constitution and working of the Data Protection Authority begins. This Bill uses the term ‘data fiduciary’ as against ‘data controller’ to emphasise the ‘duty of care’ on the part of the data fiduciary to lawfully process personal data. This ‘duty of care’ cannot be reasonably exercised by the data fiduciaries towards the data principals if they are constantly under the radar of the government. The data principal is at the losing end in either case, whether control over data lies with the government or with data fiduciaries. Also, there is hue and cry over the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 (IT Rules), which bring social media platforms under the ambit of government supervision. These regulations mandate the social media platforms to give details of the origin of messages on demand by the government. Coupled with the new IT Rules, the Personal Data Protection Bill will further increase surveillance over significant data fiduciaries, which are mostly social media intermediaries, making this framework a tool to build an Orwellian State.

CENTRAL PUBLIC INFORMATION OFFICER, SUPREME COURT OF INDIA V. SUBHASH CHANDRA AGARWAL (Civil Appeal no. 10044/2010)

This Case Summary is written by Sushrita Mishra, a student at University Law College, Utkal University, Bhubaneswar

SYNOPSIS

The Apex Court of India passed a landmark judgment on 13 November, 2019 in a constitutional bench comprising Ranjan Gogoi, CJ, NV Ramana, J, Dr. DY Chandrachud, J, Deepak Gupta, J, and Sanjeev Khanna, J, with respect to the harmonization of the Right to Information Act, 2005 and judicial independence. The Court vide its decision held that the office of Chief Justice of India (hereinafter “CJI”) comes in the public domain. The decision has given a new dimension to the “public interest test” in case of conflict between the right to privacy and right to information, both being fundamental rights of citizens. It has also interpreted various terms and phrases including “fiduciary”, “beneficiary”, “public interest”, “information”, “personal information” etc. in the light of various sound legal precedents. It has also highlighted that judicial independence and accountability are complementary to each other.

BACKGROUND

India is a democratic country. The Constitution of India is the suprema lex of the land. It has granted its citizens as well as non-citizens a set of fundamental rights among which Freedom of Speech and Expression under Article 19(1)(a) and Right to Life and Personal Liberty under Article 21 are two vital rights. The Right to Information Act, 2005 (hereinafter “Act”) was enacted by the Parliament, making the right under Art.19 (1) (a) more prolific, with an object to empower the people of India in decision-making process by giving them access to information by public authorities. The Right to Privacy was also declared to be an important facet of Article 21. A situation of conflict between both the rights arose when Subhash Chandra Agarwal, an activist, sought for information relating to the asset declaration to the CJI by the Judges, collegium system and independence of judiciary.

FACTS OF THE CASE

The respondent, Subhash Chandra Agarwal, had filed 3 applications before the Central Public Information Officer (hereinafter “CPIO”), Supreme Court of India, wherein he sought information relating to the collegium decision regarding the appointment of some Judges to the Supreme Court superseding the seniority of some other Judges. He had also sought information relating to a report that the decisions of Mr. Justice R. Reghupathi of the High Court of Madras were impacted by a Union Minister. The third application was for declaration of assets by the Judges to the CJI, pursuant to a resolution passed in 1997. The information in all three applications was denied on the ground that it was not dealt with or available with the Registry of the Supreme Court of India. The Central Information Commission (hereinafter ‘CIC’) directed disclosure of information when the first two applications were appealed by the respondent. Thus, the CPIO, Supreme Court of India moved the SC to appeal against it. The denial of information sought in the third application was appealed to the CIC, wherein it passed an order of remit directing the CPIO to follow the procedure under Section 6(3) of the RTI Act and to inform the Respondent about the authority holding such information. The CPIO filed a Writ Petition before the Delhi HC which ruled in favor of the Respondent. The decision was referred to the Full Bench, wherein the decision of the Single Judge Bench was upheld and the appeal was dismissed. The CPIO, SC filed a further appeal in the SC. Then all three appeals were heard together by a 3 Judge Bench, which was of the view that the matter involved a substantial question of law as to interpretation of the Constitution. Ergo, the matter was listed to be heard by a Constitution Bench.

ISSUES

  1. Whether the disclosure of information to the public relating to the office of CJI and collegium system amounts to interference in judicial independence?
  2. Whether Section 8(1)(j) exempts the information sought from public disclosure?
  3. Whether the disclosure of information sought for relating to judges would curtail or prevent the constitutional authorities from expressing their free and frank expression?

CONTENTIONS

On behalf of the Appellant: (Represented by Mr. K.K. Venugopal, Attorney General for India and Mr. Tushar Mehta, Solicitor General of India)

It was contended on behalf of the appellant that the position of the Judges is sui generis and hence cannot be subjugated to litigative public debate, as such disclosure of information shall transgress the independence of judiciary. It was submitted that the Right to Information is not an absolute right and is subservient to the Second Schedule and Sections 8 and 11 of the Act. It contended that the information sought is personal in nature and its disclosure has no relation with public activity or public interest. The revelation shall rather pave the way to unwarranted invasion of privacy. It also stated that the consultation and correspondence between the office of the CJI and other constitutional functionaries is of fiduciary nature with the CJI as the pater familias. Thus, exemption from disclosure is not only justified but also essential. The contentions relied on the precedents of in Re Coe’s Estate Ebert et al v. State et. al, Bhudan Singh and Another v. Nabi Bux and Another, Kailash Rai v. Jai Ram and Dollfus Mieg et Compagnie S.A. v. Bank of England.

On behalf of the Respondents: (Represented by Mr. Prashant Bhushan)

It was contended on behalf of the respondents that openness and transparency are the parameters to highlight the independence of the judiciary, thus, the disclosure should not be immune. Moreover, the citizens have been bestowed with the statutory as well as constitutional right to information. The information sought has a significant concern for larger public interest. They also stated that there exists a fiduciary relationship, not between the CJI and other Judges/other constitutional functionaries, but between the CJI and the public. Therefore, the disclosure is legitimate. The contentions relied on the precedents of State of U.P. v. Raj Narain and Others and S.P. Gupta v. Union of India & Others.

FINDINGS AND REASONING

The Hon’ble SC held that the SC of India and the CJI are not to be considered as two separate public authorities. ‘Public authority’ u/Sec. 2(h) includes the SC of India, which includes the office of CJI and Judges of SC. The CJI is the head of the institution and is a ‘competent authority’ u/Sec. 2(e)(ii) who is empowered, u/Sec. 28 of the Act, to make rules to carry out provisions of RTI. This ratio shall be analogous to the High Courts too.

The terms ‘information’, ‘right to information’, ‘record’ in the Act were interpreted. It was held that ‘information’ u/Sec. 2(f) is a pregnant term and stressed on the part that ‘information should be accessible by Public Authority and held by or under control of any Public Authority’. Sec. 22 is a non-obstante clause which mandates furnishing of information if it is accessible by Public Authority. But if accessibility by public authority is conditional or prohibited, then it cannot be furnished. Hence, there is no conflict between Sec.22, Sec.2 (f) and other enactments. The right to information is not absolute as Sec.3 starts with “subject to provisions of RTI Act”.

Sections 8 to 11 of the Act highlight the exemption and rejection. Sec. 8(1) is a non-obstante clause which implies that right to information is available when information is accessible under the RTI Act and is not covered under the exceptions enumerated. Again, the exceptions are bifurcated into two parts: absolute exemption [8(1) (a), (b), (c), (f), (g), (h) and (i)] and qualified exemption [8(1) (d), (e), and (j)]. Section 8(2) speaks about discretionary disclosure if the public authority opines that larger public interest warrants disclosure despite the exemption u/Sec. 8(1) and provisions of the Official Secrets Act. The SC has endeavored to strike a balance between transparency and accountability enumerated in Sections 3, 4 and preservation of sensitive or confidential information enumerated in Sections 8, 9, 10, 11. The present case demanded examining Section 8(1) (e) and (j).

The Court has interpreted the term “fiduciary relationship and duties” in the light of precedents set and interpretation by dignified legal luminaries. It held that the relationship between the CJI and other Judges is not of fiduciary and beneficiary. Thus, the protection u/Sec. 8(1) (e) is not rendered in this case.

The Right to Privacy has been declared to be a fundamental right included in Art. 21 of the Constitution. Sections 8(1)(j) and 11 pose restrictions on disclosure on the grounds of privacy and confidentiality respectively. Information has been classified as public, private and confidential. They can be disclosed only if the larger public interest overrides the protection or any possible harm or injury to the interest of the third party. In the instant case, Sec. 8(1)(j) and 11 of the RTI Act cannot be obliterated on this cause.

Absolute transparency in all facets of government is not only impossible but also essential. However, the “test of public interest” is to be applied to justify a disclosure. It has to be assessed whether the right to know outweighs the possible public interest in protecting privacy or outweighs the harm and injury to third parties when the information relates to such third parties or the information is confidential in nature.

The Court held that “public interest” is incapable of a particular definition and is distinguished from “public welfare”. The public interest test in the context of the RTI Act will have to be tested on the anvil of the object and purpose behind the right to information, the right to privacy and consequences of invasion, and breach of confidentiality and possible harm and injury that would be caused to the third party, with reference to a particular information and the person. Thus, the legislative intent was to bestow the discretionary power in the PIO to weigh the competing interests of right to access information and the ‘possible’ harm and injury to the third party, and no conclusive determination can be made that one triumphs over the other.

The SC held that judicial independence is a basic feature of the constitution and includes both functional independence and decisional independence. When the public interest demands the disclosure of information, judicial independence has to be kept in mind and it is not an anathema to accountability, but complementary to it. It held that there is a requirement of distinction between the final opinion or resolutions passed by the collegium with regard to appointment or elevation and transfer of judges with observations and indicative reasons and the inputs/data or details which the collegium had examined. In the latter, public interest test would have to be applied keeping in mind the fiduciary relationship, invasion of the right to privacy and breach of the duty of confidentiality resulting from the disclosure of such details and particulars. The public interest test is to be applied differently in different circumstances with respect to the facts and circumstances.

DISPOSITION

The SC dismissed the appeal and upheld the order passed by the CIC directing the CPIO, SC to furnish information on the judges of the Supreme Court who had declared their assets. It passed an order of remit to the CPIO, Supreme Court of India to re-examine the matter after following the procedure under Section 11(1) of the RTI Act as the information relates to third parties, so far as the declaration of assets of Judges is concerned. Before a final order is passed, the concerned third parties are required to be issued notice and heard.

Critical Analysis

The SC has done utmost justice in re-investing public trust in its judiciousness and independence. It has reasonably harmonized two conflicting rights of information and privacy making a peaceful coexistent atmosphere. It has been rightly pointed out that absolute transparency is neither feasible nor fruitful. However, ‘how much transparent is transparent’ is a matter of fact and endeavour should be made from the respective public authorities to make themselves more accountable and transparent without much effort on the part of the general public. Again, ‘public interest’ and ‘interest of public’ are to be distinguished and the ‘right to privacy’ should be given priority only in the case of latter as confidentiality of certain information holds the public interest.

CONCLUSION

The right to information is a human, constitutional, legal and fundamental right. Thus, it must be ensured and enforced by every public authority to enrich the essence of democracy and empower the general public. This shall promote public awareness, enhanced participation in the decision-making process and curtailment of corruption. However, it should also be noted that this right should not be used as a dangerous weapon to unnecessarily transgress the privacy of an individual or institution by camouflaging itself as a so-called tool for transparency.