Draft Indian Privacy Code Reminiscent of the Aadhaar Hearings

A group of lawyers associated with the Aadhaar hearings under the aegis of #SaveOurPrivacy has drafted a model Indian Privacy Code, 2018. The draft Code has been published online and the group has invited comments and suggestions from the public. Almost all of the concerns associated with the Aadhaar project, as well as those regarding how private entities use data have been addressed in this draft Code. Section 85 of the draft Code, for example, lists all the legislations and provisions that the Code should override, and includes several provisions of the Aadhaar Act.

Apart from the general principles of privacy, the draft Code also envisages creating a statutory body appointed by the president at the union level and by the governor at the state level. The statutory body named the Privacy Commission has under it: the Office for Data Protection and the Office of Surveillance and Interception Reform. Interestingly, all the offices created have a five-year cooling period at the end of the tenure. The draft Code has also listed offences and penalties which are all cognisable and non-bailable. This means that committing an offence would invite arrest where bail is not a matter of right. The provisions allow even corporations through their directors to be proceeded against.

However, one aspect on which the draft Code is silent on, is the nature of contracts in the form of privacy policies. For example, though the draft states that the privacy policies must be drafted in plain and simple language, there is no provision for the individual to choose what aspects of the privacy policy they agree with and which they do not. The modern contract – whether an End User Licence Agreement (EULA) in a software or a privacy statement – follows a set format. If a service is required, a person has a few options, but to agree to the terms that would under other circumstances be unacceptable. Therefore, a user being able to limit the extent to which their data is utilised in the course of using the service, is an aspect the draft Code could have emphasised. One example would be a form system where a user would have ‘yes’ and ‘no’ options for each clause in a privacy policy as well as a ‘yes to all’ option.

Several draft provisions have directly challenged the government's position in the Aadhaar hearings. For example section 13 of the draft Code places a bar on denial of essential services for want of the prescribed ID. This is a direct challenge to the Aadhaar Act that allowed the government to prescribe Aadhaar as the sole mode of identification for 'essential services'. The essential services are all in the realm of welfare schemes, such as the PDS and MGNREGA. The draft provision entitles an aggrieved person who has been denied services to damages. This means if a person has been denied rice under the PDS for not having the prescribed ID, then the person is entitled not only to the food grains, but also to the monetary compensation.

Section 37 of the draft Code goes so far as to place a bar on mass surveillance as it is “neither necessary [n]or proportionate to any stated purpose”.  The bar extends to all the defences mentioned by the government in the Aadhaar hearings such as the identification of welfare beneficiaries, the security of state and interests of public order. Under this draft provision, the bar extends even to surveillance for preventing, investigating or prosecuting a cognisable offence.

The substantive aspects of data privacy dealt with by the draft Code deal with the generating the data and its use. The draft Code also contains exceptions for exigencies that may arise. The first part concerns consent. Consent here is a requirement which translates as 'informed consent', which is mandatory for any information sought. This means that the person parting with their personal information must be sure of why it is being sought as well as what it will be used for. The next part deals with retention. Retention, in this context, is only for the period for an objective is to be met. Once the objective is met, the purpose fulfilled, or the time period expires, the data is required to be destroyed or rendered anonymous. The part that deals with the destruction of data refers to all the data whose purpose has ended. Exceptions have been made here concerning research and archival data; however, these two exceptions require data to be anonymised. It is only when the data concerns something of social importance or something in the public domain that the provisions do not apply.

Finally, issues concerning surveillance have been dealt with. This part tries to balance the interests of security and investigation with citizens' privacy. The draft Code proposes a rigorous procedure for commencing surveillance, the final approval in this regard lies with the Office of Surveillance and Interception Reform. Further, the period of surveillance cannot exceed 60 days. Once the period ends, a fresh application would need to be submitted if the agencies wish to continue surveillance.