A copy of the Bill and the discussions at CIS can be accessed over
here.
1. Regulating the government and the private sector under one legislation: My main objection to the CIS draft is that it seeks to cover both the government and private sector under one legislation. In countries like the U.S. , there is one privacy legislation controlling the manner in which the Federal Government collects and uses the data of its citizens. Then there are sector wise legislations governing how the private sector and state governments use and share data in the sectors of health, banking etc.
This approach makes a lot of sense because the fundamental nature of the relationship between the state and the citizen is very different from the private sector and the consumer. For example if I want to drive my car on a public road I have to give the State my information to qualify for a licence or if I want to access subsidized rations, I have to give my information to qualify for a ration card. I don’t have a choice in these circumstances since the State has a monopoly over these issues. However, the same is not true for the private sector. Most data intensive private sector businesses like Google or Gmail, are providing me services in exchange for me sharing my data with them. Our relationship is defined by a contract which can be enforced only in California. If I don’t like Google’s contract, I can skip along to the next best thing on the market. I can’t skip along to a different government for a drivers licence or a ration card.
Given the fundamental difference in the nature of the relationship between citizen-state and market-consumer, it does not make sense to place the same responsibilities on both sectors..
2.
Sidelining an independent judiciary in favour of a centralized Privacy Commission: One of the longstanding complaints against the current surveillance regime is the fact that all authorizations for surveillance are given by the Executive - mostly home secretaries. In fact, one of the main demands made by PUCL in its famous
‘privacy rights’ PIL before the Supreme Court in 1996, was for all phone-tapping requests to be sanctioned by the judiciary rather than the executive. The Supreme Court turned down the prayer but did direct the Government to install more safeguards.
The CIS Bill does seek to address this concern by requiring all requests for “interception of communications” or “surveillance” to be made to a Privacy Commission which is proposed to be constituted under the legislation.
The first problem with this setup is purely logistical: How does a Privacy Commission of just 7 commissioners handle all “interception” and surveillance” requests from across the country? Right now interception requests for communications are handled at the level of both the Central Government and individual state governments. “Surveillance” is defined in the Bill as “means any activity intended to watch, monitor, record or collect, or to enhance the ability to watch, record or collect, any images, signals, data, movement, behaviour or actions, of a person, a group of persons, a place or an object, for the purpose of obtaining information of a person.” In other words it would cover something as simple as a constable tailing a potential goonda. How are seven privacy commissioners sitting in Delhi going to deal with all such requests for a country of billion people? Is a police officer from Mizoram supposed to send a request all the way to Delhi for his constable to tail a local goonda?
The second problem is with the Privacy Commission itself - it is not an independent judicial body. Apart from the Chairperson who is appointed in consultation with the Chief Justice of India, none of the other Commissioners are required to be appointed in consultation with the judiciary. In other words the Government is going to pack these tribunals with its chosen people.
Instead, does it not make sense to vest this task with District Judges? After all if we trust these judges to pass death sentences, why can’t we trust them with granting permission for interception or surveillance? We already have District Judges around the country and these are judges with substantial experience under their belt. Why create a new body for the purpose?
3. Citizen v. Person: The Bill describes the “privacy” right as follows “means any activity intended to watch, monitor, record or collect, or to enhance the ability to watch, record or collect, any images, signals, data, movement, behaviour or actions, of a person, a group of persons, a place or an object, for the purpose of obtaining information of a person.” Under the Bill, all Indian security agencies are restrained from violating this right without the prior permission of the Privacy Commissioner. (Intelligence agencies have some limited exception when it comes to collecting information) The issue over here is that the Bill uses the word “Person” instead of “Citizen”. Should this Bill really be controlling what Indian agencies can do with a communications between two foreign citizens or surveillance of a foreign citizen? Personally, I don’t think Indian agencies need to be caught in such red-tape when it comes to foreigners - we should stick to protecting Indian citizens.
4. The blanket bar against surveillance and the exceptions: Clause 22 of the Bill prohibits the State from conducting any kind of surveillance unless the relevant agency makes an application to the Privacy Commissioner. The definition of surveillance, as reproduced above is quite broad. Going by this definition even a simple task like installing a CCTV on the premises of a public building will require an application to be made to the Privacy Commission. In a country of a billion people, that would be a lot of requests. Does that make sense?
5. Criminalization of vague offences: Chapter VII of the Bill criminalizes a whole series of offences with delightfully vague wording. For example Clause 43 reads as follows
“43. Punishment for offences related to personal data. – (1) Whoever, except in conformity with the provisions of this Act, collects, receives, stores, processes or otherwise handles any personal data shall be punishable with imprisonment for a term which may extend to [___] years and may also be liable to fine which may extend to [___] rupees.
(2) Whoever attempts to commit any offence under sub section (1) shall be punishable with the punishment provided for such offence under that sub-section.”
As you can see the clause does not refer to any provision in the Bill while defining the offence. If you look at Clause 6, there are a whole series of notice conditions imposed on anybody collecting information. Going by the CIS draft, a person violating even one of those notice conditions is looking at a prison term. It may sound ridiculous when I put it forth as a hypothesis but let’s not forget just how stupidly the Government has behaved with the IT Act. Drafters of potential legislations cannot become lazy when it comes to drafting the clauses on offences and penalties.
The above are only some of the potential problems that I see in the Bill - there is a whole bunch more but I’ll leave that for another day.
Until then, TGIF! Phew!