Justice B.N. Srikrishna believes that the government’s approach to data as an asset is dangerous. He wants the public and civil society to put pressure on the government to pass a data protection law, believes that MeitY can now easily reveal details of public consultation on the Draft Personal Data Protection (PDP) Bill, and thinks linking Aadhaar to electoral rolls is a bad idea. Justice Srikrishna had headed the committee that had drafted the Personal Data Protection Bill 2018.

Speaking at Privacy Supreme, an event organised by the Mozilla Foundation and Internet Freedom Foundation (IFF) to mark the second anniversary of the Puttuswamy judgement that upheld the right to privacy as a fundamental right on August 24, Justice Srikrishna gave his opinion on a variety of topics:

On how data collation enables profiling: “The difficulty is not collection of data, particularly in regard to Aadhaar; the difficulty is that if you can collate the data, you can profile human beings. For example, it was being argued, and rightly so, that DNA, fingerprints are collected from all the people who have to be in the police station. Now, anytime a fingerprint is lifted from a crime scene, that is tied to this larger database. Now, this is one way of doing it. If the fingerprints of all the citizens are there, then it is easy to figure out who has committed the crime. Now similarly, if the DNA evidence is there, it’s easy to figure it out. Now look at the flip side of that, if my fingerprint is there, and if somebody does some goof-up, if somebody deliberately does a mismatch, I am the one who is going to be thrown in jail.”

On whether electoral rolls should be linked to Aadhaar: “You had a Cambridge Analytica, you will get a Delhi Analytica, a Mumbai Analytica, a Calcutta Analytica. That is the danger. Are we happy with what Cambridge Analytica did? We made so much noise about it. We called them all kinds of bad names. Now you’ll have that here, in your country, in your backyard. I don’t think that’s a good idea. And I don’t trust the Election Commission with its mutton-headed ways.”

On the government’s motives with data, as outlined in Chapter 4 of the Economic Survey, “Data of the people, by the people, for the people”: “That chapter on data privacy … should be [called] ‘Data of the people, by the people, for the government’. … [Nowhere] they have said that data is being collected today as well. Now, data are being collected by different agencies of the government and they are in silos. … Thus, the same data will be collected by the education department, the agriculture department, the traffic department. Now, isn’t it better if they had it all together so that ‘we can give you the benefit of our wisdom’? Now, that’s a very nice way of putting it, very attractive, very seductive way of putting it. But look at it from the point of view of the citizens — it’s bad enough that I have to give you this data, give it in quadruplicate when it is not necessary … Now all of you are going to put it in that data, so what remains of me? Nothing remains with me, so all my data is in your pocket. It is a dangerous situation.”

If community data should be a part of the Personal Data Protection Bill as the MeitY is already considering: “We had recommended that community data should be available to every one of the citizens. Now, for example, community data means what? The data that is put into the net by individuals. For example, take your Google Maps, that’s community data. So it should be available to everyone, and everyone should have a right to access it. Not the government, we have not said that the government has a monopoly on that. Every citizen says what is happening today is this. Now whether I have a barbershop here or not comes up on Google Maps because I put it there, or somebody else put it there. It should be permitted.

On MeitY denying access to minutes of the meeting and to the submissions made to the PDP Draft Bill: “Government takes a long time to get over its inertia. I suppose an RTI application was made, but it was rejected. One thing is there, with regard to a work in progress, it is unfair to ask every time that what is happening. But once it is over, it should be available. Now it should be available, there is no any difficulty.

On data localization and the way the government is handling it: “I am not happy with it, with the way the government is handling a number of things.”

On politicians using CCTV surveillance as a political tool in the absence of a data protection law: “You know, I am scared about it because [people] are arguing that marital rapes should be stopped, so far that purpose, how do you stop? Put a CCTV in my bedroom? Yes, it should be stopped, but by a method that does not impinge upon my privacy.”

On operationalising consent in the Indian context: “Consent can be operationalised by telling the person that I need informed consent, [that is by telling him/her] for what purpose, how am I going to use it, how long for. … But in a country like ours, where we have … 20-30 official languages, and each language is radically different from the other and the person who speaks each language, refuses to recognise another language, what are we going to do? Take consent in each language? This is a big problem. We understand that there can be some kind of a universal language in which we can ask for consent. There is a person who don’t even know what to do except leave their thumb impression on a piece of paper. They are not able to understand. How do you teach them to give informed consent? Therefore, the report talked of visual symbols. How do you do visual symbols? You see this on signals and crossings. You communicate to them that [s/]he is entitled to give me consent, [s/]he is entitled to refuse consent. It is about making the person understand what is consent, and what isn’t. That is going to be a very major challenge in this country. And as far as people who are educated are concerned, people who are capable of understanding the implications are concerned, we had recommended something like consent dashboards. And for children, up to a particular age, parental consent was to be taken, because law doesn’t permit any kind of contract with a minor to be valid. Children otherwise will be deprived of access to internet.”

On why the committee report was titled “A Free and Fair Digital Economy” instead of singularly focussing on the right to privacy: “The focus is on digital economy because thanks to the focus on digitisation in every field, economy is going to be impacted by digitalisation, whether it is this department, or that department, including the law and judiciary, even the courts are going to be digitalised, one way or another. Therefore, the emphasis was on that and rightly so. But the question is that digitisation and right to privacy are seen as antithetical concepts, so even assuming that they are antithetical, where is the line to be drawn and how far should the line go? Should it go nearer to digitisation, or nearer to right to privacy? That was the issue to be considered, and that is what the bill has tried to work on.”

On the government acting on individuals’ data in the absence of a PDP law (with reference to NCRB’s Automatic Facial Recognition System and the sale of vehicular data to private companies): “In the absence of the law, … what happened was that data privacy came from Puttuswamy. Before that nobody debated it. There were just vague references in the Supreme Court. This was happening regularly. Data was being collected by the government regularly. So how did you oppose it at that time? Therefore, build up pressure to say [to the government] that you pass the law, with your overwhelming majority which is just like an ATM machine where a bill goes in and comes out as law. Such a complex subject, my hope is that one day it will pass. My only question is about the form in which it will be passed. There’s a very famous Sanskrit saying [about] how a person started to make a Ganesh, but created a monkey instead. Let’s hope that we’re not made monkeys ultimately.”

On whether he is confident about the PDP Bill in its current form: I am not very confident. In fact, I was [discussing] with a few judges that there should be a pre-judicial determination, but then the answer given to me was that if the secretary of financial matters can’t handle it, the judges will never be able to handle it. So I stepped back and said, just make sure that you don’t have access unless there is a parliamentary act which permits you to [so] in which the case the parliamentary act will have to say who can do it, for what purposes, under what circumstances, and what is the method of doing it. Just take for example, you are infringing the personal right of a human being under Article 21 by preventive detention. See how preventive detention has been put into straitjacket. I was hoping that something like that would come. Then the other alternative was something like the FOIA [Freedom of Information Act] in the United States, but when I studied it, I said that it didn’t make much sense because it is a very secret thing, RTI people have more access to that record.”

On the rise of surveillance and fall of RTI: “The only exception under RTI Act is under Section 8(1)(j) which is that personal data ought not to be accessed unless there is another exception to the exception, that is, if the officer comes to the conclusion that it is overwhelmingly necessary in the public interest to do so, or that this information is already available in the public domain. This is precisely what the drafted bill also said. Now, to turn this into a situation of RTI versus the right to privacy, is an absurd one. And I don’t think that’s the correct way of going about it. And I am not sure. Today, I don’t know what the government’s stand is … I don’t know what the government’s version is.”

On whether the government’s draft bill is following the parameters for data security his report laid out: “When you talk of security, two aspects are there. One is how technically sound the security is. Now that’s a question that technical people will be able to answer. And the other question is, even if it is technically secure, does the government treat it as a tool for playing the Big Brother breathing down your neck all the time. Now that’s possible. … You want it [the data], but then there should be [something] to ensure that you can’t use it for the opposite reason. This is one danger that I envisage. … When I had a discussion in the committee, I was told that somebody at the level of department secretary would take care of this. I asked the secretary of the department. In this wire-tapping business, he said that in a day, ‘500-600 matters come to me’. I said, ‘Do you really have the time, patience or the ability to run through [all of them]?’ Otherwise, what happens in a criminal procedure court, the court requests a judicial application of mind. … [And the judge determines if s/]he is a criminal and therefore I allow the warrant by which he can be put under surveillance, or by which his residence can be raided. That’s the prism I am looking through. Now, reverse it. If it’s in the hand of an executive, which executive in this country at whatever his[/her] level, whether [s/]he is the cabinet secretary or a desk officer, will go against the government wanting to do it? … But let me tell you, do you think that data is not being collected today? Forget the data privacy bill. When you phone somebody, data is just taken away. Therefore, it is necessary to have a barrier. This is an act that empowers the citizens, not because you get benefits under something or the other, make sure that your privacy remains with you.

On the process through which his committee put out the draft PDP Bill and his expectations from the process: “When I started this, I kept saying from Day 1, till Day X, when I finished it, that here, look, are we now creating something that is going to gobble up the person for whose benefit we are making it? What should be done in order to ensure that this does not turn out to be a Frankenstein ultimately. I was able to persuade the committee to put whatever we were thinking before the public. Therefore, first … we had the white paper [where] we looked at all that was happening in different jurisdictions. … We looked at England, GDPR, South Africa, Singapore, Australia and all that. This was exactly the exercise that was carried out when the Constitution of India was drafted. …  Let the public understand what your tentative thought process is, and let them react to it. And therefore, the committee went and had interactions with the public in 5 or 6 metropolises. And, everybody was invited — right from academicians to technicians to law students to economics graduates and everyone like that. And after taking inputs from them, we churned over the inputs. … And then we produced a report. And then I said, let’s tell the public at large what’s the tentative nature of the bill that should be there. … Let there be a draft bill. The intention was that the draft bill would also be in public domain and there will be a debate on that, there will be inputs on that, and of course, there will be a debate in the parliament. And I expect that on a complex subject like this, there should be a reference to a select committee, evidence taken before the select committee and things like that.”       

On whether internet should be declared a public utility, and governed/regulated as one: “You’ll have a regulator sitting on your head all the time. … Are you happy with how [existing regulators] are functioning? Actually, there is going to be a regulator in this field also. Data Protection Authority is a regulator. I think it would be a wrong idea to declare it as a public utility because then you’ll have unnecessary problems. … If it becomes a part of public utility, you have had it. It will lead to greater surveillance; you’ll have greater restraint on your freedom.

On Google and Facebook’s global dominance over internet: “Competition law should be applied to them. Competition is not always in terms of money only, it is also in terms of how the market is being used, how your dominance in the market is going to make difficulties for the consumer.”

On future-proofing with respect to location data and IoT data, which Reliance had said would be a ₹20,000 crore market: “The point is this: is the data mine? Do I have control over the data? Then I don’t care if you have a 2 billion operator, or a 200 billion operator. You shall not do anything to my data without taking my permission. That is the bottom line. Now on that bottom line, what kind of superstructure you want to build, is again up to the manner in which the parliament debates it.”