The furore and migrations of to other messaging apps have led to WhatsApp postponing the date for the new ‘policy’ coming into effect.
But with the Centre asking WhatsApp questions, questions are arising over laws and regulations over risks to personal data by encroachment from both, private companies as well as the executive.
Former Supreme Court Judges, Justice (retd) BN Srikrishna, who headed the government-appointed committee to study questions of personal data protection and propose a draft of a bill to protect data spoke to journalist Seema Chishti about some of the important issues at stake here in the light of current developments. India does not have a Data Protection Law at present.
Q: As you watch the privacy debate unfold, over WhatsApp, what are your thoughts, for a large, near monopoly-level instant messaging platform (WhatsApp) giving out a new policy like this?
A: The problem today is that while data privacy has been declared to be a Fundamental Right by the Supreme Court, there is no law which effectively prescribes the nuts and bolts at the ground level.
As for the monopolies of data, they can be appropriately dealt with by the Competition Act, if creatively interpreted as it is, or by tweaking it with required amendments. Absence of such a deterrent may encourage data monopolies.
Q: While privacy violations by big technology companies must be stopped, what about the government collecting data on citizens, what are the safeguards in India vis a vis those violations by the executive?
A: While the right of privacy is a Fundamental Right, like any other Fundamental Right that too can be subjected to reasonable restrictions. As the Court pointed out in Justice K.S. Puttaswamy vs. Union of India (2017), that can only be done by a legislation enacted by a competent Legislature which must be mandatorily comply with the triple conditions enumerated by the Supreme Court in that judgment. The triple mandatory conditions that will ensure the constitutional validity of such a legislation are:
- Law passed by a competent Legislature;
- The law must declare the public interest object to achieve which the law is enacted;
- A methodology which is proportionate to the objective to be achieved; just that much, and no more than required.
If these conditions are not met, any restriction on or abridgement of the Fundamental Right is liable to be declared unconstitutional and void pro tanto. Finally, the task of balancing public interest with individual’s Fundamental Right is always that of the Constitutional courts.
Q: After wading through this public health crisis, what lessons do we need to draw to prevent governments from demanding unfettered access to data of citizens, like with the Aarogya Setu app and other apps, what are the lessons learnt on safeguards that need to be put in place for the future?
A: The executive all over the world has the tendency to accumulate more and more power, occasionally by utilising an emergent situation for this purpose. While an attempt to gather data to combat the pandemic can be appreciated, there is no need to do it otherwise than by the legal methodology. That too must be done by a law as envisaged by the Supreme Court in order to be Constitutionally valid. Any attempt to short circuit the process is dangerous and must be opposed inside and outside the courts. There is always the danger that, what was done as a temporary measure to meet an emergency may become a permanent measure. The law must have appropriate safeguards for securing the gathered data and for deleting it once the emergency is over. Else, we shall be sliding down the path of Orwellian State.
Q: The localization of data question has been controversial, the Centre has asked nine questions of Whatsapp, but how is data localization, if a big operator like Ambani was to hold it here, be better?
A: There is a difference between localisation of data by multinationals and local entities. In the former case, if the data is stored on a server across the border, its access would be subject to the law applicable in that country. In the latter, the data stored within the country is always accessible here as the entity would be subject to local laws. Of course, I am assuming that there would be an appropriate law in this country which compiles with the Constitutional parameters indicated by the Supreme Court in Justice K.S. Puttaswamy vs. Union of India (2017). If there is such a Constitutionally valid law, the data can be accessed by the State here lawfully, which is not so if the data is subject to a foreign jurisdiction.
Q: Has enough happened on surveillance reform? In hindsight, did the committee you headed too think enough about it? If you could change some things about how that was handled, what would that be?
A: As for the efficacy of the proposed law in protecting the Fundamental Right of privacy, it can only be judged after we know the shape in which a Bill is put before the Parliament and the shape in which it is passed by Parliament.
Yes, our committee considered various options and decided that a legislation that compiles with the triple Constitutional parameters would be the best solution. That is why in the draft Bill of 2018 you will notice that the three sections authorising access of data by the Govt without consent were made subject to such a law.