In India, regulators are deciding the fate of sensitive data behind closed doors · Global Voices
Rohith Jyothish

A biometric data collection center in India. Photo by Bishwarup Ganguly via Wikimedia Commons (CC BY 3.0)
In August 2017, a nine-judge bench of the Supreme Court of India unanimously upheld the privacy of Indian citizens as a fundamental right.
Since that time, a series of campaigns, petitions and legal battles citing this ruling have ensued, many of them arguing against India’s biometric identification programme, known as Aadhaar. They charge that Aadhaar runs afoul of the court verdict.
These critiques have made it clear that India needs a stronger definition of “data”, personal, sensitive and otherwise. This has been known for some time, and there have been numerous privacy bills and legislative efforts to address personal data privacy in India, from the IT Act of 2000 (which guarded individuals against privacy breaches by the corporate sector), to a 2011 Personal Data Bill (which was proposed but never passed), to a 2012 committee report proposing criteria for a privacy protection law.
Despite all these efforts, the Ministry of Electronics and Information Technology formed a new committee in August 2017 that was also intended to draft a data protection law.
Headed by former Supreme Court judge Justice B.N. Srikrishna (and thus called the Srikrishna Committee), the committee's job is to “ensure the growth of the digital economy while keeping personal data of citizens secure and protected.”
Although it has existed for nearly a year, the Committee has yet to release meeting minutes or a draft of the bill that it is developing.
On June 23, 2018, online media outlet The Print reported on a leaked copy that the outlet had obtained, along with a report from the committee stating that the bill will “not apply to any processing activity that has been completed prior to this law coming into effect.” This triggered consternation among civil society and privacy advocates, as it indicates that the data protection act will have no bearing on the Aadhaar system.
The only official document released by the committee has been a November 2017 white paper on data protection, which left many citizens with more questions than answers. It reflected uncertainty regarding the level of control over how much data can be stored and limited to the country itself, and failed to describe what rights individuals hold over their own data.
Beyond the Srikrishna Committee’s output, leading scholars and lawyers have criticized the committee for demonstrating a lack of transparency, for over-representing the interests of people who are in favor of — or stand to gain from — Aadhaar, and for lacking representation from civil society.
A group of lawyers in India wrote a letter to the Committee, putting forth their concerns regarding the bill and emphasizing the need to review the Aadhaar data processing scheme in its entirety. The letter explicitly states that Aadhaar stands in conflict with data privacy and argues that the data protection law could be citizen-centric.
Noted researcher and expert on law and poverty Dr. Usha Ramanathan spoke about this at a consultation held by the Committee in Bengaluru, as tweeted by civil engineer and internet researcher Srinivas Kodali:
Usha Ramanathan asking for the expansion of data protection committee and how there is no civil society representation plus individuals in committee having conflict of interest by supporting #Aadhaar pic.twitter.com/OHZE3oviNq
— Srinivas Kodali | శ్రీనివాస్ కొడాలి (@digitaldutta) January 5, 2018
Letter to Justice Srikrishna regarding the lack of transparency in functioning of the committee of experts examining the data protection framework. Minutes of meeting illegally denied under RTI stating “This information currently is not in public domain”. pic.twitter.com/ILNMxM1GJJ
— Anjali Bhardwaj (@AnjaliB_) January 3, 2018
Others have charged that consultations have been too short or lacking sufficient structure to accomplish the task at hand.
The composition of the committee has also been at issue. The Vidhi Centre for Legal Policy, a team of lawyers headed by Arghya Sengupta, is currently working on the data protection bill, even though it contributed to the drafting of the Aadhaar Act and later defended it in court as well.
Here is Bangalore-based lawyer Malavika Prasad's thread on the role of Vidhi Centre for Legal Policy:
Some thoughts on @Vidhi_India handling Government's legal/policy work for pay & the response pictured below:
1. The government, no doubt, has freedom to contract. A contract with Vidhi is a government contract for services. However, government never has unfettered discretion. 1/5 pic.twitter.com/aoDmJWBSC9
— Malavika (@MaLawdy) March 27, 2018
Researcher Malavika Raghavan published a thread on Data Protection:
Tweetstorm coming up on the 9 distinguishing points of our thinking on #DataProtection ☔ @dvararesearch @benichugh @julupani @binduananth 1/n https://t.co/Ia7zAPHEiI
— Malavika Raghavan (@teninthemorning) February 7, 2018
The committee is expected to release a draft of the bill in late July 2018, just as the Aadhaar verdict is also awaited.
As the Supreme Court edges closer to a final judgment on the constitutional validity of the country's biometric scheme, all eyes will be on the terms set by the Srikrishna Committee, which will define the contours of data protection and privacy in India for the foreseeable future.