A future privacy law can learn from RTI
The Right to Information (RTI) Act provides an almost perfect template for any law that guarantees a particular right to citizens that is justiciable. It provides a reliable architecture for effective and accountable governance of any rights claim within the Indian context. With more than 12 years of experience, the foundations on which the RTI is built have been proven to be solid. By all accounts, RTI has been successful in fulfilling its basic purpose.
From the Supreme Court judgement on privacy, it is clear that we would need an actual law to define and protect privacy along with an empowered enforcement body. I suggest that if we want to craft and enforce a new Right to Personal Information and Privacy (RPIP) effectively, we should follow, albeit with appropriate modifications, the RTI template. It may seem counter-intuitive that an act to pry open information from government could offer lessons to protect information from government. However, despite their unique purposes, both RTI and the future RPIP have a common underlying thread—information.
In my view, there are four critical components of the RTI governance architecture that have made it successful. First, RTI clearly and comprehensively defined "information" that will be available or that will be kept secret. Second, it appointed a specific person, the public information officer (PIO), accountable for collecting and providing information within 30 days in each public authority. Third, it specified penalties for failure, not for the public authority in general, but for the specific accountable person, the PIO. And fourth, it defined a grievance-redressal process with the creation of State Information Commissions and the Central Information Commission as statutory bodies with requisite powers of a civil court.
These four components are essential for effective implementation of any rights claim, whether the right is about information, food, water or education. By way of a quick comparison, the Right to Education Act fails on all four counts. It does not define education in any meaningful way except as an age-appropriate class; in case of failure, the accountability is fixed not on any individual person, but on "appropriate government"; there is no penalty specified even for the "appropriate government"; and there is no clear grievance-redressal process with empowered adjudicating authority. No surprise then that RTE is a dismal failure compared to RTI.
There is one big difference between RTI and the new RPIP that has important implications on the design of the governance architecture. Personal information is collected not just by the state but also by private entities and so the concerns about its collection, use and abuse apply to both. The governance structure would have to apply equally to state as well as private entities. This surely adds more complexity and requires a different level or type of design thinking.
In addition to RPIP being applicable to government and private parties, there are several other features that are different from RTI. In RTI, how the information is collected is not of much concern, while the process and entities that collect information would be of primary importance under RPIP. Similarly, defining appropriate and legally permissible use, and the time period for which the information can be legitimately kept and used, would be unique to RPIP. Other important issues for RPIP include a clear delineation of what constitutes abuse, the level of consent necessary from the individual at different stages, the process through which an individual's right to notice, right to object and the right to be forgotten are materialized, and the type of information that should be given to individuals so that they could make informed choices.
Based on the RTI experience, the overall institutional architecture for the implementation of the RPIP should have at least the following: designated personal information and privacy officers in government as well as private entities who are trained in their responsibilities and obligations as well as the powers they have within their organizations, an internal ombudsman or appellate authority, and ultimately a network of local and central commissions with relevant powers of a civil court. In addition, the law should emphasize a requirement that each entity publishes an annual report, giving details on the implementation of the act where some specific details are mandated under the act, like types of data accessed/collected and from whom, the number of complaints received, the time it took to dispose of them, etc.
Some may argue that attending to each individual's concerns and complaints would take up significant time and resources of the government and private agencies. Actually, the same was said when RTI was debated: with tens of millions of requests for information, the government would have no time to do anything else. But as we know, the story of RTI has turned out to be far happier. Moreover, people have been sharing information all these years and by and large are able to make common sense judgements about their comfort levels with the issue of privacy. Most importantly, a right would have no meaning if it were not enforced properly, so we must do what it takes.
The success of the RTI Act has given us an ideal template that we must use to draft and implement a future right to personal information and privacy. Even before such an act is passed, the Unique Identification Authority of India (UIDAI) could take the lead in working towards the suggested governance architecture and in leading the way forward.
Parth J. Shah is the founder president of the Centre for Civil Society.