The Wire: New Delhi: Saturday, December 23, 2017.
If the Centre
endorses states having the right to control access to their own records, it
will also be forced to have a relook at the RTI Act, 2005.
As India
debates the requirement of a data protection law, an important issue that is
not getting much attention is whether data protection is a subject on the state
list, central list or the concurrent list. As per the constitution, legislative
powers are distributed between the parliament and the state legislatures as per
the scheme laid down in Schedule VII to the constitution. This schedule
contains three lists – only the parliament can enact laws for subject matters
listed in List I, only state legislatures can enact laws for subject matters
listed in List II and both can legislate on matters listed in List III, subject
to certain restrictions. For all residuary subjects, which are not in any of
the three lists, only parliament can legislate. Schedule VII ensures a federal
India where power is not concentrated with the central government and allows
states the flexibility to chart their own course on most matters.
So, where on
Schedule VII is data protection listed? Understandably, none of the entries in
the schedule specifically mention the subject matter of data protection. This
does not automatically mean that it falls within the residuary subject matter,
thereby giving the parliament the right to legislate on a law for the entire
country. Determining the legislative competence under Schedule VII does not
come down to finding the exact subject matter in one of the three lists.
Rather, courts use the test of “pith and substance” to identify the essence of
a legislation and identify which of the entries in the three lists best covers
the issue. This doctrine was recognised by the Supreme Court in its early days
in the case of The State of Bombay and Another vs F.N. Balsara where the court
had to decide on whether the Bombay Prohibition Act was within the ambit of
List I or List II.
The “pith and
substance” of a data protection law is a slightly complicated issue because
such a law deals with records which are an intrinsic part of every aspect of
governance and administration. There are, however, a few parliamentary
legislations which deal exclusively with data and information held by the
government and those can serve as a starting point for the discussion.
Public
Records Act, 1993 – covers only central government
The first is
the Public Records Act, 1993, which lays down the procedure to maintain public
records in the custody of the central government. The same law also lays down
the procedure to archive records with the National Archives. At the time the
parliament was enacting the legislation, there were calls for extending it to
even those public records that are held by the state governments. At the time
the government told the parliament that it would not be possible for the
parliament to control the manner in which states held their public records. The
then deputy minister of HRD Kumari Selja gave the parliament the following
reason for not enacting a single uniform law for both the central and state
governments:
“Considering
this all-round demand, the Government had appointed an Archival Legislation
Committee in 1959, which in its Report submitted in the next year, suggested
enactment of a Single Uniform Law on Public Records of the Union Government,
Governments of the States and the Union Territory Administration by amending
the Constitution. Since the proposed course of amending the Constitution was
not very easy, and there is no single entry in the Constitution under which
such a law could be framed, consultations with the State Governments were
initiated, permitting the Parliament to frame a law on their behalf.
Unfortunately, none of the State Governments wished to give such an
authorisation.”
In short, the
Union government had then conceded that parliament could not legislate on a law
controlling the manner in which state government maintained their records.
Logically, this position makes sense because a state legislature should have
the power to make laws on how records generated by its legislation can be held
or released by the state government.
Right to
Information Act, 2005 – covers both the state and the central government
This takes us
to the second legislation which controls access to public records. This
legislation is the Right to Information (RTI) Act, 2005, which was enacted by
the parliament and which covers public records held by both the state and
central governments. Before discussing the competence of the parliament to
enact such a legislation, I should point out that several states like Tamil
Nadu, Goa, Maharashtra, Karnataka and Rajasthan had enacted their own RTI
legislation long before the UPA enacted the RTI Act, 2005. Tamil Nadu, for
example, had enacted a state-level RTI Act in 1997, although it is generally
accepted that none of these laws were as powerful as the version proposed by the
National Campaign for the People’s Right to Information and enacted by
parliament in 2005.
The
inevitable question at this point is how exactly did the parliament, in 2005,
enact an RTI Act covering even the state governments when in 1993 the Union government
had conceded that the parliament lacked the power to pass a legislation
covering public records held by the state governments? The answer to that is
available in one of the parliamentary debates in the Rajya Sabha over the
Freedom to Information Bill, 2002, introduced by the NDA government. Pranab
Mukherjee, then in the opposition, had headed the parliamentary committee that
examined the legislation and spoke at length about the deliberations
surrounding the legislation. In his speech, Mukherjee had argued that the
parliament had the legislative competence to enact a law covering all states
because the right to information was not specifically listed in any of the
lists thus bringing it under the residuary power in List I, giving the
parliament the power to enact the law. His submission was as follows:
“the Central
laws would be made available to them. If I understand correctly – if I am
wrong, the Minister may correct me – the legislative competence of the Union
Government is arriving in this case from Entry 97 of the List I in the Seventh
Schedule, because in List I of the Seventh Schedule, on which the Parliament
has the competence to make laws, specifically, the right to information is not
mentioned there. But, as early as in 1997, the Department-related Parliamentary
Standing Committee on Home Affairs, while examining the Demands for Grants for
the Department of Personnel, recommended that if the Government suffered from
lack of legislative competence, it can take the help of Entry-97, which is a
residuary clause, where the power is vested in the Union Government to make
legislations through Parliament, if it is not specifically mentioned from Item
Nos. 1 to 96.”
Mukherjee’s
submission is not very convincing for the reason that the “pith and substance”
of the RTI Act is essentially the management of public records and the right to
access the same. Land records, public expenditure from the state consolidated
fund and state taxes are essentially subjects on the state list and only the
state legislature can enact laws on those issues. It is only logical that state
legislatures be responsible for regulating access to such public records. It
does not make sense to argue that state legislature enact laws that create
these public records which the parliament can then regulate through laws like
the RTI Act. The logical extension of my argument is that portions of the RTI
Act that create mandates for public records created and stored by state
governments, are most certainly unconstitutional.
Apart from
these two laws, there are laws such as the Census Act, 1948 and the Collection
of Statistics Act, 2008 which deal with collection of huge amounts of data from
citizens. Both of these are parliamentary legislations – the census is clearly
listed on List I, while the latter is on List III, which means that the
parliament can enact laws on these issues.
The ‘pith
and substance’ of a data protection law
But returning
to the subject of discussion, which is a potential data protection law, I think
the essence of the argument remains the same. Just because data protection is
not enumerated as a separate subject in Schedule VII, it does not automatically
fall within the residuary powers that lie with the parliament under Entry 97 of
List I. The pith and substance of a data protection law, in the context of the
state, is basically the right to regulate access to state records. Therefore,
it is the legislature that enacts the laws creating the state record or
information in a particular sector that should have the right to enact a data
protection law regulating access to those records. So, for example, when it
comes to records maintained by the state government in context of state taxes,
financial records, state services governed by state laws, employment records of
state employees, land records, educational records and lower court records, a
data protection law can be enacted only by the state legislature and not the
parliament. The same logic applies for records created by the parliament i.e.
employment records of central government employees, educational records at
centrally-funded universities, income tax records, etc. which are already
subject to parliamentary law.
The next
question to be examined is that of data protection for the private sector. The
question of a central or state law will again depend on which legislature can
regulate that particular sector under Schedule VII. So, for example, Entry 31
of List I covers, “post, telephone, telegraph, wireless, broadcast” etc. This
clearly means that the parliament will also have the right to enact a data
protection law for the telecom and internet sector regulating how that data may
be accessed or used. Same goes for Aadhaar, which is a centrally-funded
project.
However, for
other sectors like hospitals, hotels, casinos which fall under List II, where
only the state legislature enacts legislation creating the public/private
record, it is only the state legislature that can enact a data protection law.
The pith and substance in these cases is regulation of those sectors and
transparency or secrecy of those records goes to the core of regulating any
particular sector. Any other outcome will lead to a rather strange scenario
where states can regulate certain sectors without having the power to define
the transparency of those sectors.
Also read:
India’s Data Protection Regime Must Be Built Through an Inclusive and Truly
Co-Regulatory Approach
If the
central government endorses this position of states having the rights to
control access to their own records as also the records of the private sectors
that they regulate, it will also be forced to have a relook at the RTI Act,
2005, because that legislation has an impact on the boundaries of a data
protection law. It does not make sense allowing states to enact their own data
protection laws if they don’t have the power to regulate access under the RTI
Act, 2005. This is easier said than done, given the immense popularity of the
current RTI Act throughout the country.
The other
question is whether state governments will even want to enact their own data
protection law. Do states have an incentive to have their own laws? Given that
information is power, I presume that state governments will eventually want the
right to control their own records. This may become a prickly issue between the
Centre and the states in light of the State Resident Data Hubs (SRDHs) that
will be a goldmine of data for state governments from a financial perspective
as well as a surveillance perspective. These hubs will contain data of all
beneficiaries of various government schemes and as the system is populated with
more data, it will become a critical tool of governance. I am sure the central
government is eyeing the data contained in these SRDHs. Whether state
governments are willing to share such data with the Centre remains to be seen.
I think public interest is better served by not concentrating all this data in
the hands of the central government. Allowing states to retain control over the
SRDHs will help to prevent this concentration of information.
Federalism
has many goals and decentralisation of power is one of them. If information is
power, I think we can all agree that we are better off with parliament not
having the exclusive power to regulate data. Other countries with a federal
scheme of governance follow a similar template for data regulation. Germany,
for example, has different data regulation laws at the federal and provincial
level. The same is true for the US, where the Privacy Act, 1974 regulates only
the federal government’s records, while different states have their own privacy
laws based on either common law or state constitutions. There is no reason for
India to not follow a similar path of decentralised data protection laws.
(Prashant
Reddy T. is an assistant professor at the National Academy for Legal Studies
and Research (NALSAR), Hyderabad and is co-author of Create, Copy, Disrupt:
India’s Intellectual Property Dilemmas (OUP).)
.JPG)
.JPG)
