Nearly a year ago, the government of India constituted a committee of experts chaired by the former Supreme Court judge BN Srikrishna to draft a data-protection law for India. Almost immediately, the committee became mired in controversy—it was first criticised for the lack of civil-society representatives among its members, and subsequently for the opacity of its proceedings, and its inefficient public consultation on the data-protection framework. In recent months, the media has repeatedly, and inaccurately, predicted the release of the bill. While the Srikrishna committee is yet to officially release it, The Caravan accessed a draft of the proposed law for data protection in India, titled “The Protection of Personal Data Bill, 2018.”
The draft bill is an extensive document comprising 15 chapters, covering data-protection obligations, the separate grounds applicable for processing personal and sensitive data, provisions to govern transfer of data outside India, and the creation of a data-protection authority. The final chapter of the proposed bill includes amending acts to two central legislations—the Aadhaar Act of 2016 and the Right to Information Act of 2005. These amendments are significant—the amendments to the RTI act could upend the fragile balance between transparency and privacy in the exemption for personal information, allowing public officials to withhold details, making them less accountable. Meanwhile, the proposed amendments to the Aadhaar act would create a new adjudication process for disputes arising out of the act that strengthens the UIDAI’s iron grip over Aadhaar-related legal action. The amendments further propose an “offline verification” system that raises more questions than it answers.
Soon after the constitution of the Srikrishna committee, the Supreme Court delivered a landmark judgment declaring that privacy is a fundamental right. In its aftermath, there was a prevailing fear among experts and activists that the verdict would adversely affect the disclosure of information under the RTI act. This has only increased in anticipation of the data-protection bill and the subsequent law.
At present, the RTI act accounts for the right to privacy under Section 8(1)(j), which notes that “information which relates to personal information ... which has no relation to any public activity or interest” is exempt from disclosure unless the “larger public interest justifies the disclosure of such information.” This section has been routinely invoked by information officers to deny RTI requests, particularly those pertaining to the functioning of public officials, such as the case of the RTI applications seeking the prime minister Narendra Modi’s college degree. As a result, RTI activists have demanded clear definitions of key terms such as “public interest” and “public activity.” The draft bill proposed by the Srikrishna committee, however, seeks to take a diametrically opposite position to the current act, by doing away with Section 8(1)(j) altogether.
In its place, the new provision puts an exponentially higher burden for disclosure of personal information under the act. The proposed provision in the bill requires three conditions to be fulfilled before any personal data is disclosed: