Livemint: Opinion: Wednesday,
August 29, 2018.
Recently, information
commissioner Sridhar Acharyulu, in an attempt to save the right to information
(RTI) from dilution, cautioned against amending the RTI Act while implementing
the data protection framework suggested by the Srikrishna Committee report.
The public focus so far
has been on the conceptualization of personal data, consent fatigue and data
localization. But the report raises a crucial question. What would be the
mandate of the future data protection authority (DPA) it envisages? And how
would the mandate be reconciled with that of the information commissioner? This
concern becomes particularly relevant due to a history of bureaucratic conflict
in various countries stemming from the tension between the discordant mandates
of the two authorities.
Conceptually, RTI and
the right to privacy are both complementary and in conflict. While RTI
increases access to information, the right to privacy veils it instead. At the
same time, they both function as citizen rights safeguarding liberty against
state overreach. There are two possible frameworks for managing this tension.
A two-body model
In most jurisdictions,
the information commission and privacy commission are separate and distinct
bodies. In a few countries, however, the RTI commission is a single-function
body responsible for balancing competing interests. These jurisdictions include
Hungary, Mexico and the UK.
Countries which have
two commissions are able to champion both these rights distinctively. This is
because they are unencumbered by the onerous task of balancing competing
interests. However, this clarity of mandate and authority comes with a price
tag. Disagreements between the two authorities can heighten transaction and
opportunity costs involved in reconciliation, reducing overall efficiency in
grievance redressal.
Canada has witnessed
public tension between the two commissions due to politics and policy concerns.
These concerns include delineating the extent to which a request to access
“personal” information may be granted without undermining privacy. A Canadian
task force reviewing its two-body model acknowledged the confusion arising out
of conflicting recommendations. For instance, the two bodies could have
conflicting opinions on whether educational records of public officials or asset
records of spouses of public officials constitute “personal data” shielded from
RTI requests.
A single-body model
Adopting a single
commission (as in the UK) instead would remove the transaction costs associated
with conflict between two commissions. This would increase administrative
efficiency and, in turn, public welfare. However, the possibility of a conflict
between the two competing rights may end up prejudicing the authority in favour
of one of them, endangering their intended harmonization. Moreover, additional
mandates may over-burden the authority and undermine its efficacy, reducing
social welfare instead.
One body or two for
India?
The Supreme Court of
India, while declaring the right to privacy as a fundamental right in Justice
K. S. Puttaswamy (Retd.) and Anr. vs Union Of India and Ors, missed out on
defining its contours with respect to the right to information. The Srikrishna
Committee Report, while acknowledging that most commentators are in favour of
an independent data protection authority, falls short of explaining the
rationale behind it. These missed opportunities are regrettable. That said, the
optimal solution for India is indeed two independent bodies.
While the
cost-effectiveness of a single body model is attractive, in the Indian context,
it may have a number of drawbacks. These include high levels of corruption that
could encourage conflict of interest and a tendency to safeguard personal
gains.
Moreover, there might
be another kind of mismatch in giving an information commissioner the mandate
of enforcing a data protection law. The information commissioner’s mandate is
concerned with personal data only of public officials and not of citizens at
large. The enforcement of a data protection law, on the other hand, would require
familiarization with, and expertise in, a far broader mandate. Achieving these
may require a structural overhaul of the commission, which could prejudice the
existing regime. A body with specialized expertise in this field would be far
more suited to serve this purpose.
We admit that there may
be some agency costs involved in reconciling conflicts between the information
commissioner and the DPA. However, these costs would not override the larger
public interest served by ensuring the independence of a DPA. This is because
the agency costs would be relatively small compared to the harm arising out of
a prejudice to either of these rights.
Furthermore, a single
commission may lean towards hierarchizing the enforcement of RTI over the
realization of privacy. This fear arises from the false perception that a
dichotomy exists between privacy and welfare. This perception is based on
public attitudes that question the relevance of privacy within the Indian
sociopolitical climate as opposed to RTI, which is looked upon more favourably.
(Siddharth Sonkar and
Sayan Bhattacharya are students, respectively, at the National University of
Juridical Sciences, Kolkata, and Nalsar University, Hyderabad.)