On 27 July, almost a year after it was constituted, a committee of experts chaired by the former Supreme Court judge BN Srikrishna submitted its report and bill on the framework for India’s foremost law on data protection and privacy. Earlier this week, The Caravan accessed drafts of both the bill and the report. In one piece based on these drafts, I detailed how proposed amendments in the bill would strengthen the Unique Identification Authority of India—the parent agency of Aadhaar—and dilute the provisions of the Right to Information Act. Another piece revealed that the proposed data-protection bill would require the parliament to enact a law overseeing Indian intelligence agencies.
While the bill submitted by the Srikrishna committee is largely identical to the draft bill accessed by The Caravan, the few changes introduced in the final draft are startling—they take a nearly opposite position to that of the earlier draft. Some of these changes are positive. In the earlier draft of the bill, the first, second and third schedules appended to the bill, respectively, sought to amend the Information Technology Act of 2000, the Aadhaar Act of 2016, and the RTI act of 2005. As I wrote earlier, the amendments to the Aadhaar act sought to introduce a new offline verification system for Aadhaar without any prior public consultation, and conferred the UIDAI with a monopoly over legal proceedings arising out of the act. The final bill, however, omits the Aadhaar Act amendment altogether. It contains only two schedules—the amending acts to the IT act and the RTI act. While the amendment to the IT act proposes minor changes and has remained the same, the amendment to the RTI act has been altered significantly—also for the better. The final bill also modifies the provisions for non-consensual processing of data by the state.
But there are worrying changes as well: the final bill has modified the provisions concerning data localisation—essentially, that data-processing entities, termed data fiduciaries, would be required to store data or copies of it within the physical territory of India.
The draft bill proposed to amend Section 8(1)(j) of the RTI act, which accounted for the right to privacy by allowing public information officers to withhold “personal information ... which has no relation to any public activity or interest.” The proposed amendments would have put an exponentially higher burden on the request for such a disclosure of personal information, mandating that it fulfil a three-fold requirement. It proposed that information could be disclosed only if: it related to a function of a public authority and required the maintenance of transparency and accountability; the disclosure was “necessary to achieve the object of transparency”; and any potential harm to the concerned individual from the disclosure would be outweighed by the interest of transparency. The amendment in the final data protection bill, however, has largely remained the same as the provision in the 2005 RTI act, and adds a clause stating that the disclosure of information would be “notwithstanding anything in the Personal Data Protection Act, 2018”—effectively, that a disclosure under the RTI act would not be constrained by the proposed data protection law. The draft bill contained no such provision.
This change has come against the backdrop of an on-going public discussion on the possible dilution of the RTI act itself. Civil-society activists have raised concerns that the government’s suggested amendments to the RTI Act would be detrimental to its ultimate goals of transparency and accountability. The propositions of the earlier draft of the data protection bill would have further weakened the act, and their removal appears to recognise the need to balance privacy with public accountability.