News clipping on 30-07-2018

Date:30-07-18

निजता की चिंता

संपादकीय

व्यक्तिगत डेटा संरक्षण विधेयक 2018 का मसौदा और श्रीकृष्ण समिति की रिपोर्ट, दोनों मिलकर वह आधार तैयार करते हैं जिन पर सिद्धांत रचकर लोगों के निजता के मूल अधिकार की रक्षा की जा सकती है। मसौदा विधेयक इस लिहाज से प्रगतिशील है कि यह निजता की बात को आगे बढ़ाता है। विधेयक बताता है कि व्यक्तिगत डेटा क्या है और वह इस श्रेणी को आईटी ऐक्ट में उल्लेखित दायरों से परे ले जाता है। अब पासवर्ड, वित्तीय डेटा, स्वास्थ्य संबंधी डेटा, आधिकारिक पहचानकर्ता, यौन जीवन, यौन रुझान, बायोमेट्रिक डेटा, जेनेटिक डेटा, ट्रांसजेंडर दर्जा, अंतर्यौनिक दर्जा, जाति या जनजाति, धार्मिक या राजनीतिक विचार और आस्था आदि सभी व्यक्तिगत डेटा में आते हैं। महत्त्वपूर्ण बात यह है कि लोकेशन को अभी भी संवेदनशील नहीं माना जा रहा है। डेटा प्रसंस्करण निष्पक्ष और तार्किक ढंग से किया जाना चाहिए ताकि निजता को बचाकर रखा जा सके। विधेयक कहता है कि स्पष्ट, विशिष्ट और विधिक उद्देश्य के लिए केवल सीमित व्यक्तिगत डेटा ही जुटाया जाना चाहिए।

इसके अलावा संबंधित व्यक्ति को यह बताया जाना चाहिए कि कौन सा डेटा लिया गया है। व्यापक रियायती मामलों के अलावा डेटा लेने में विशिष्ट तौर पर सहमति हासिल की जानी चाहिए। परंतु इस विधेयक में कई खामियां हैं और ऐसी रियायतें शामिल हैं जिनके आधार पर बिना सहमति के व्यक्तिगत डेटा लिया और इस्तेमाल किया जा सकता है। मसौदे में सुधार, उन्नयन और डेटा पोर्टबिलिटी को शामिल किया गया है लेकिन भुलाने के अधिकार (इंटरनेट से या अन्य जगह से डेटा हटवाने का अधिकार) को भ्रामक अंदाज में तैयार किया गया है। राइट ऑफ डिलीशन या आपत्ति करने के अधिकार को लेकर कुछ नहीं कहा गया है। प्रस्तावित डेटा संरक्षण प्राधिकरण को अधिकार होगा कि वह तय करे कि डेटा जारी होने से लोग प्रभावित हुए हैं या नहीं। इसके अलावा निगरानी कम करने के लिए कोई उपाय नहीं किया गया है। बल्कि डेटा लोकलाइजेशन के प्रावधान तो निगरानी बढ़ाने वाले हो सकते हैं। रिपोर्ट में अनुशंसा की गई है कि आधार अधिनियम में बदलाव किया जाए लेकिन विधेयक इस अहम मसले पर खामोश है।

सहमति के अलावा डेटा सरकारी काम के लिए भी जुटाया जा सकता है। मसलन कानूनी आदेश के अनुपालन के लिए, आपातकालीन परिस्थितियों में, रोजगार से जुड़े मामलों आदि के लिए। सरकार के कामकाज बहुत व्यापक हैं और वह विशिष्ट श्रेणी है। इसके अलावा कानून को उचित वजह की व्याख्या भी करनी पड़ सकती है। उदाहरण के लिए आधार को बिना सहमति के मंजूरी दी जा सकती है क्योंकि वह सरकार से जुड़ा हुआ मामला है। विधेयक हर व्यक्तिगत डेटा को देश में रहने की बात कहते हुए सरकार को यह अधिकार देता है कि वह अहम व्यक्तिगत डेटा को गोपनीय कर सके। वह उसे देश में उसके भंडारण और प्रसंस्करण का अधिकार भी देता है। समिति के दो सदस्यों ने इस प्रावधान से असहमति जताई है। यह कई वजहों से असंतोषजनक है।

इसके लिए जरूरी बुनियादी ढांचे की कमी है। न तो तेज ब्रॉडबैंड है, न सर्वर क्लाउड क्षमता। डेटा रखने और प्रसंस्कृत करने का भी खर्च है। डेटा का अनिवार्य स्थानीयकरण एजेंसियों की निगरानी बढ़ा सकता है। ये पहले ही ‘सरकार के काम’ के अधीन आता है। दुख की बात है कि मशविरे की प्रक्रिया अस्पष्ट थी और समिति के समक्ष प्रस्तुतियों को गोपनीय रखा गया। अधिकांश मसौदा विधेयकों के उलट इसमें अंशधारकों की प्रतिपुष्टि की व्यवस्था नहीं है। ऐसे में गंभीर चिंता के ये मसले विधेयक के कानून बनने पर भी हल नहीं हो सकेंगे। मसौदा नागरिकों के डेटा संरक्षण की दिशा में एक शुरुआत करता है लेकिन यह यूरोपीय संघ के जनरल डेटा संरक्षण नियमन के आसपास भी नहीं है।


Date:30-07-18

Srikrishna Data Bill Has Serious Flaws

ET Editorial

Critics of the Srikrishna Committee proposals on data privacy would seem to have missed one large point and several subsidiary points. The large point is that with Big Data a reality, a major nation-state can’t simply look at data as a tradeable commodity when it comes to adopting a legal framework. The committee does this and fails to see data as a strategic asset, which defines key characteristics of the Indian collective. This limited perspective can have profoundly serious consequences, as will be clear from the following related shortcomings in the committee’s proposals.

First, the committee limits its definition of data offences to those related to processing of personal data in India and by Indian entities. This dilutes existing provisions that define offences as those related to computers, computer systems and computer network in India. Should the relevant sections of the committee’s Bill supercede extant law, law enforcement will be weakened. Second, the Bill doesn’t address misuse of personal data if such data is used by entities by ‘deidentification’, that is, by retaining the data but removing personal particulars from it. This is a serious weakness that needs rectification because a great many Internet companies, especially giant ones headquartered abroad that depend on data for their revenues, can simply ‘de-identify’ data and put it to as many uses and misuses as they wish. De-identified data can still cause harm. The Bill doesn’t see that.

Third, there are questions about the committee’s approach to consent. The Bill works on the basis that users’ consent, once given, is an effective way to prevent abuse of data. But a system that depends on consumers and service users saying ‘yes’ to terms of service as the principal means to enforcing good conduct on data-using entities will be weakened by what is known as ‘consent fatigue’—ordinary people will mostly agree to terms that may have implications not clear to them. For all these reasons, the data privacy and protection legal framework suggested by the Srikrishna Committee needs to be thoroughly debated before the government moves to enact the Bill.


Date:30-07-18

Beyond Consent

With personal data adding up to big data, ownership must rest with citizens

TOI Editorial

India is finally nearing a statutory framework for privacy and data protection with the committee of experts headed by Justice Srikrishna submitting its report along with a draft personal data protection bill. In line with global concerns about big data analytics and emergence of data as a transactional entity in AI applications, business decisions and personal lives, the committee essentially delineates the rights of data principals – to whom personal data “relates” – and responsibilities of data fiduciaries who decide the purpose and means of processing this data.

Ensuring a data principal’s consent before collection, use, sharing, disclosure and processing of data by fiduciaries, which will be for clear, lawful and specific purposes, and seeking “explicit consent” where personal data is sensitive like financial, health or Aadhaar data, passwords, sexual preferences, etc, is critical to the legislation’s success. The difficulty for the regulator – a proposed Data Protection Authority of India – is to ensure anonymisation and de-identification by data fiduciaries so that the collected personal data do not render users vulnerable to privacy violations.

Srikrishna committee has broadly pursued the approach of European Union’s General Data Protection Regulation (GDPR), including by requiring data fiduciaries to maintain servers or data centres in India. However there has been a serious dilution on the ownership issue, where GDPR deemed telecom and service providers, mobile device-makers and other intermediaries as “mere custodians” of data whose primary rights remain vested with the consumers. Even the recent Trai recommendations recognised consumers’ “ownership” of their personal telecom data. But the expert committee worryingly sees data principals only in a “relationship” with their personal data.

Everyday even as India sees impressive growth in smart internet users and the e-commerce market it is the big data companies like Google, Amazon and Facebook that gain more control over the country’s digital ecosystem. It was hoped that the Srikrishna committee would hammer in the principle that while business and technology are global, data is fundamentally local. But the draft bill has fallen short of expectations. It is now over to government to write a much stronger law, which should keep up with how competing jurisdictions are recognising the strategic importance of data and striving to regulate its usage accordingly. The long rope given to the state in accessing personal data also needs shortening.


Date:30-07-18

A Free & Fair Digital Economy

Draft data protection bill asserts our sovereignty and safeguards citizens’ interests

Arghya Sengupta, (The writer is Research Director; Vidhi Centre for Legal Policy.)

The draft data protection law recommended by the committee of experts to the government of India is a template of how the Global South can safeguard the interest of its citizens and assert its sovereignty in a digital age dominated by giant American tech corporations. It recognises the immense power of data to empower citizens by providing a range of services accessibly and affordably. It is equally cognisant of the debilitating harms that unexpected sharing of data might cause to individuals, tracking their online behaviour, storing their preferences, often on intimate matters, and breaching their privacy.

To understand the importance of the proposed law, one needs to step back from technical details of legal drafting and understand the larger headwinds in the global digital economy. The growth of the internet has been the single most revolutionary innovation of our time. Like most good innovations, it too has changed over time. In the last decade, the internet has seen a distinct shift away from a true commons to a cluster of fenced spaces.

Take a simple example – imagine if one could only send emails from Outlook accounts to Outlook accounts alone or Gmail accounts to Gmail accounts alone. The thought is patently absurd. Yet this is precisely what happens when messages from WhatsApp cannot be delivered to Snapchat. This change of business model – from service delivery to targeted advertising – is owing to the recognition of the immense potential to monetise personal data. Exclusionary control over personal data is critical to this business model.

If the foundation of the digital economy is to be personal data and the quest to gather it the new Gold Rush for corporations, the autonomy and privacy of the Indian citizen must be fully secured. This is the constitutional mandate of the Puttaswamy judgment that has been translated into actionable law by the committee in four primary ways. First, the individual, denoted worldwide as the data ‘subject’ is, in the committee’s formulation – the data ‘principal’. The entity who seeks her data, instead of being termed the data ‘controller’ is the data ‘fiduciary’. This is not a mere symbolic change.

When an individual gives her personal data to a railway ticket booking website, she expects it to be used only to book her railway ticket and not to be controlled by the website, irrespective of what the legalese-filled consent form might contain. This is because the relationship between the individual and the website is one of trust – the individual expects her data to be used in a certain way and trusts that the entity will do so. This is the cornerstone of a fiduciary relationship. The bill, by making all data processing entities, fiduciaries, holds them liable if such trust is betrayed. Second, the consent framework is itself fundamentally modified. Today, each one of us is perhaps culpable of saying “I agree” to long consent forms on our smartphones while downloading apps without really knowing what we agree to. As a result, an app that provides me with a taxi can read my messages, and an app to book tickets can access my photos.

The bill addresses this anomaly by introducing the principles of collection and purpose limitation. Entities will only be allowed to collect information necessary for their service and the purposes to which such information will be used will be clearly communicated. Taxi apps cannot ordinarily, in this formulation, read my messages. Third, if any individual is aggrieved today that their data is being used in a manner that breaches their privacy, there is no easily accessible remedy. The bill sets up a Data Protection Authority (DPA), an independent body with an adjudication wing and offices across the country.

The DPA has the power both to penalise companies up to 4% of their worldwide turnover and compensate individuals for harm suffered. Critically, if the data fiduciary is a government department or a public sector entity, it too will be liable to pay a penalty up to Rs 15 crore. Finally, India has the unfortunate distinction of being a country that is long on prescription and short on enforcement. To prevent this law from going the same way, the committee recommends a strict mandate for local storage of data. Some critics view local storage as a fig leaf for surveillance. This is ill-conceived fear mongering. Local storage of data does not mean a giant honeypot allowing the state to play big brother.

It envisages hundreds of data centres in the country on the strength of which India can build an Artificial Intelligence ecosystem, create jobs and remain at the vanguard of innovation in the world. It equally allows the state to hold private entities accountable if personal data that they hold is needed for security of the state and prevention of crime. As the Supreme Court itself has noted, these are critical functions of the state. This state was created in 1950, when our founding fathers wrote a Constitution that enshrined freedom and fairness as the cornerstone of our new Republic, ending our dominion status. In 2018, the bill and report channel the same spirit and show the way for India to become a digital leader and not remain a mere digital dominion. While debate on the provisions of the bill, will and should continue, we must all work together to give India and the Global South, the free and fair digital economy that we deserve.

Date:30-07-18

ब्रिक्स के हासिल

संपादकीय

दक्षिण अफ्रीका की राजधानी जोहानिसबर्ग में संपन्न हुए ब्रिक्स देशों के दसवें सम्मेलन में भारत ने औद्योगिक और डिजिटल तकनीक के इस्तेमाल से नई और बेहतर दुनिया बनाने की जो बात कही है, वह अफ्रीकी देशों के लिए एक बड़ा संदेश लिए हुए है। भारत के प्रधानमंत्री का यह आह्वान इसलिए भी महत्त्वपूर्ण है, क्योंकि डिजिटल तकनीक ही उभरती हुई अर्थव्यवस्थाओं की नींव है। तीसरी दुनिया के गरीब देश जिस विकास की बाट जोह रहे हैं, उसका सपना डिजिटल और औद्योगिक तकनीक के बिना पूरा नहीं हो सकता। डिजिटल क्रांति ने विकास और निवेश के जो दरवाजे खोले हैं, उसमें तीसरी दुनिया के देशों को भागीदारी बनाना वक्त की जरूरत है। इसीलिए भारत ने ब्रिक्स के मंच से कृत्रिम बौद्धिकता यानी रोबोट की दुनिया, औद्योगिक तकनीक का विकास, कौशल विकास जैसे पक्षों पर जोर दिया। ब्रिक्स देश आज दुनिया की तेजी से उभरती अर्थव्यवस्था हैं। भारत, चीन और रूस परमाणु शक्ति संपन्न राष्ट्र हैं। रूस और चीन जैसे देश दुनिया की महाशक्ति हैं। दो सदस्य रूस और चीन सुरक्षा परिषद के स्थायी सदस्य हैं, जिन्हें वीटो का अधिकार हासिल है। सबसे बड़ी बात यह कि इन पांचों राष्ट्रों के पास विशाल बाजार है। इसलिए ब्रिक्स देशों का यह सम्मेलन आपसी सहयोग के अलावा बड़े बाजार तलाशने की भी कवायद बना रहा।

पिछले कुछ सालों में ब्रिक्स देशों का समूह दुनिया में एक बड़ी ताकत के रूप में उभरा है। इसमें शामिल देश दुनिया की इकतालीस फीसद आबादी का प्रतिनिधित्व करते हैं। अगर आर्थिकी के हिसाब से देखें तो इन पांचों देशों की साझा अर्थव्यवस्था चालीस लाख करोड़ डॉलर से भी ज्यादा बैठती है। इन देशों के पास साढ़े चार लाख करोड़ डॉलर का साझा विदेशी मुद्रा भंडार है। यानी ब्रिक्स ऐसे ताकतवर समूह के रूप मौजूद है जो अमेरिका सहित पश्चिमी देशों के लिए चुनौती पेश कर रहा है। जी-7 जैसे समूह को अपना विस्तार कर जी-20 बनाने की दिशा में सोचना पड़ा। इसलिए ब्रिक्स के मंच से अगर कोई बात दुनिया में पहुंचती है तो उसके अपने नीहितार्थ होते हैं।

भारत के प्रधानमंत्री ने ब्रिक्स सम्मेलन में जाने से पहले अफ्रीका के दो देशों- रवांडा और युगांडा की यात्रा की। किसी भारतीय प्रधानमंत्री का इन देशों का यह पहला दौरा था। भारत ने रवांडा में जल्द ही भारतीय उच्चायोग खोलने की घोषणा भी की। रवांडा और युगांडा जाकर प्रधानमंत्री ने यह संदेश दिया है कि भारत अफ्रीकी मुल्कों के विकास में हर तरह से सहयोग देने को तैयार है। रवांडा को भारत ने बीस करोड़ डॉलर कर्ज भी दिया और एक रक्षा सहयोग समझौता भी किया। पूर्वी अफ्रीकी देशों के साथ भारत के रिश्ते वक्त की जरूरत हैं। चीन ने भी तेजी से अफ्रीकी देशों की ओर रुख किया है। अफ्रीकी देश भारत और चीन के लिए बड़ा बाजार और निवेश का ठिकाना तो हैं ही, साथ ही इनका रणनीतिक महत्त्व भी है। चीन पूर्वी अफ्रीकी देशों के साथ मिलकर वहां सैन्य अड्डे बनाने की जुगत में है और इसके जरिए वह हिंद महासागर में पैठ बनाने की कोशिश कर रहा है। यह भारत के लिए बड़ी चुनौती है। ब्रिक्स में चीन और भारत दोनों के हित हैं। पर दोनों देशों के बीच सीमा विवाद और चीन का पाकिस्तान प्रेम एक बड़ी बाधा है। ऐसे में भारत के लिए यह आसान नहीं है कि वह चीन के साथ ऐसे समूह में रहे भी और उसकी चुनौतियों से भी निपटे।


Date:30-07-18

Sins of Commission

National Commission for Women lives up to its record of being a foot-soldier of frivolousness

Editorial

This is a particularly fraught time in gender relations across the world. Institution after institution is struggling — and largely failing — to respond to the unmasking of sexual predators in its midst. None seems as utterly clueless as India’s National Commission for Women (NCW).

As priests face allegations of sexual abuse of women and a minor, the church in Kerala is staring at a moment of crisis. Has that prompted the NCW to come up with ways of helping women to speak up against figures of religious authority? No, it has instead boldly blundered into this landscape, swinging its rusty sword at an imaginary foe. Off with the practice of confession, it has recommended. Only by whispering their secrets, believes the NCW, do women place themselves in positions of vulnerability vis-à-vis priests and other religious heads. In this worldview, a design change, a flip of a switch is all that is needed to counter the enormous force of patriarchal religion that binds women and children into obedience. The NCW’s suggestion is reckless and damaging. It is ham-handed needling of a minority’s right to decide its essential practices, particularly at a time of majoritarian excess. It pits matters of faith against the safety and bodily integrity of women — no better way to force women to scurry back into silence and fear.

But, given its past record, this is no surprise. Over the years, in many important debates, the statutory body has often played the role of a foot-soldier of frivolousness. Just recently, the current NCW head accused women of crying rape to settle property disputes and to claim compensation. This particular twist in logic was used to deflect the claim that India is the most unsafe place for women. Earlier heads have, on various occasions, revealed the name of a molestation victim, or questioned women’s failure to protect themselves at a Mangalore pub raided by the right-wing moral police. A lot has to do with the way the NCW has imagined its role: As a maximum noise, minimum value post for the ruling dispensation’s women politicians. Instead of amplifying the voice of women on various issues, or doing the hard labour of building alliances, or shaping the urgent debate around consent and sexuality and autonomy, it chooses to parachute into sensational media “events”. Sound bytes proliferate, silver-bullet solutions are offered but the commission remains toothless. For Indian women, the path to smashing patriarchy might be a long, unpredictable one. But one thing is certain: It doesn’t go via the NCW.


Date:30-07-18

Layers of Protection

Protecting honest public servants is important; so are anti-corruption efforts

EDITORIAL

The amendments to the Prevention of Corruption Act, 1988, adopted recently by both Houses of Parliament, are a mixed bag. Moves to make changes in this law, aimed at combating corruption in government, were initiated during the UPA’s second term in office and largely centred on the misuse of one provision — Section 13 (1)d. Former Prime Minister Manmohan Singh had criticised this section, under which public servants are culpable for securing a pecuniary advantage for another “without any public interest”, for ignoring a foundational principle of criminal law: mens rea. This resulted in many honest officials being prosecuted even when they gained nothing and merely exercised their power or discretion in favour of someone. Insofar as it had a chilling effect on governance and deterred bold decision-making, the amended form may have a liberating effect on honest officials. Besides, it is more concise and restricts criminal misconduct to two offences: misappropriating or converting to one’s own use property entrusted to a public servant or is in his control, and amassing unexplained wealth. There was concern initially with the wording, “intentionally enriches himself illicitly during the period of his office”, as it raised a doubt whether the ‘intention’ to amass wealth would also have to be proved. Now an explanation has been added that a person “shall be presumed to have intentionally enriched himself” if he cannot account for his assets through known sources of income.

By making citizens liable for offering a bribe to a public servant, the anti-corruption law has been brought in line with the UN Convention Against Corruption. The only exception to this rule is when one is forced to give a bribe. This exception kicks in only when the fact that one was forced to pay a bribe is reported to a law enforcement authority within seven days. The penal provision can empower people by allowing them to cite it to refuse to pay a bribe. At the same time, what happens when the police or any other agency refuses to register a complaint? People may be left in the lurch with no redress. Further, it may render them vulnerable to threats from unscrupulous public servants who collect money to speed up public services but do not deliver. The most unacceptable change is the introduction of a prior approval norm to start an investigation. When a prior sanction requirement exists in law for prosecution, it is incomprehensible that the legislature should create another layer of protection in the initial stage of a probe. Public servants need to be protected against unfair prosecution, but a genuine drive against corruption needs a package of legislative measures. These should contain penal provisions, create an ombudsman in the form of a Lokpal or Lokayukta, as well as assure citizens of time-bound services and whistle-blower protection. Laws to fulfil these objectives are either not operational or are yet to materialise.