Govt of India's draft data protection bill "undermines" RTI, gives unique powers to UIDAI to adjudicate: Report

By Our Representative
The Government of India's new data protection Bill a year after it constituted a committee of experts chaired by former Supreme Court judge BN Srikrishna to prepare a draft on it, may mire into controversy. Reason: It's proposed amendments to the Aadhaar Act, 2016, and the Right to Information Act, 2005, seek to empower the bureaucracy even more than what it is today.
Called Protection of Personal Data Bill, 2018, the view has gone strong that its amendments. could "upend" the "fragile balance" between transparency and privacy in the exemption for personal information, allowing public officials to withhold details, making them less accountable in proving information under the Right to Information (RTI) Act, 2005.
Simultaneously, the proposed amendments to the Aadhaar Act would create a new adjudication process for disputes arising out of the Act that would only strengthen the Unique Identity Authority of India's (UIDAI’s) iron grip over Aadhaar-related legal action. Interestingly, the draft goes so far as to propose an “offline verification” system, which, it is pointed out, raises more questions than it answers.
A recent report, seeking to analyse the draft bill, recalls that the RTI Act is known to restrict the right to privacy under Section 8(1)(j), which notes that any to personal information, which has no relation to any public activity or interest is exempt from disclosure, unless the “larger public interest justifies the disclosure.
This section is known to have been routinely invoked by information officers to deny RTI requests, particularly those pertaining to the functioning of public officials, such as the case of the RTI applications seeking Prime Minister Narendra Modi’s college degree. As a result, RTI activists have demanded clear definitions of key terms such as “public interest” and “public activity.”
While the draft bill seeks to drop Section 8(1)(j) altogether, in its place, the new provision, says the report, published in "Caravan", puts an exponentially higher burden for disclosure of personal information by placing new conditions in order to ensure that any "personal" data is disclosed.
Thus, the proposed amendment defines personal data as those related "a function, action or any other activity of the public authority in which transparency is required to be maintained having regard to larger public interest in the accountability of the working of the public authority."
Even as insisting that any RTI disclosure would need to be seen in the context "larger public interest", the amendment goes so far as to "avoid" any harm that may possibly be caused to data by an RTI disclosure. This way, it craves to outweigh by the interest of the citizen in obtaining such personal data, the report, by scribe Arshu John, a former lawyer, says.
The amendment, it is felt, is likely to have the effect of protecting public officials from having to disclose any remotely personal information. "In its enthusiasm to raise the standards of data protection in India, the Srikrishna committee appears to have failed in its obligation to account for the competing rights of public accountability", says the report.
As for the amendments to the Aadhaar Act, there is a proposal is to establish a new adjudication and appeals process for disputes arising from the Act, increasing or creating civil and criminal penalties for contraventions of the Act, and introducing an offline verification system for Aadhaar authentication.
Introducing a new position of adjudicating officer, not below the rank of joint secretary to the Union government, with the power to inquire into any contravention of the Aadhaar Act, it proposes the addition of a new chapter on civil penalties, under which any such violation could invite a penalty of up to Rs 1 crore.
Says the report, these amendments have been made, apparently, as over the past year, the aadhaar programme has suffered leaks and data breaches, reaching a point where a Tribune reported the largest breach so far: Gaining access to a portal with the data of every aadhaar card holder by paying a middleman a paltry sum of Rs 500.
The amendment also includes penalties for the failure to seek the consent of an individual before obtaining their identity information, the unauthorised use of biometric information and the unauthorised publication of an Aadhaar number or photograph.
The report, however, underlines, "These provisions would have held considerably more weight if not for one fundamental shortcoming -- the draft bill states that only UIDAI would be empowered to make a complaint to the adjudicating authority."
The report says, ironically, this amendment comes at a time when UIDAI is under criticism for the misuse of this provision abounds—for both the UIDAI’s dogged pursuit of legal action against reports identifying grave breaches of aadhaar data, and its failure to identify and prevent these breaches themselves.
"The exclusive power to initiate criminal proceedings for any violation of the Act, as proposed under the draft data-protection bill, would only serve to reinforce the UIDAI’s control over legal action arising from the Aadhaar Act", the report says.
Worse, it is pointed out that to seal this monopoly of the UIDAI, the amendment also seeks to bar the jurisdiction of any civil court over cases arising out of the Act -- "simply put, only the UIDAI can initiate cases, and only the adjudicating authority can pursue them."
Further, the draft bill proposes a series of amendments that would create a new system of offline verification of an Aadhaar number. The analysis points out, this new system should be understood in the context of the ongoing national discourse on privacy and data protection, though adding, it does not suggest how to go about it.
Accrding to the report, it appears likely that the offline-verification system will rely on QR code scanning of e-Aadhaar or Aadhaar letters. Citing a recent UIDAI a tender seeking an Expression of Interest (EoI) for Participating in QR Code Scanner for Aadhaar, it says, the question which is being asked is: Where is the data of the aadhaar card holders stored for the offline verification to work?