The constitutionality of the National Population Register [“NPR”] – authorised by the Citizenship Rules of 2003 – is presently under challenge. Grounds of challenge include questions about excessive delegation, the doctrine of ultra vires, disproportionate burdens upon rights, and so on. At its heart – as the Citizenship Rules show – the NPR is a data collection exercise, involving the collection, storage, and processing of personal data (for the purposes of preparing a National Register of Indian Citizens [“NRIC”]). Consequently, issues around data protection and the right to privacy (as set out in Puttaswamy) come to the fore.
In this context, the Internet Freedom Foundation has prepared an important briefing paper that examines the interface between the NPR and the ongoing legislative discussion around the proposed Personal Data Protection Bill. IFF’s intervention is particularly important because it engages in a reflective analysis of the NPR and the PDP, in a manner that brings out crucial shortcomings in both.
Constitutional principles stipulate that in cases of non-consensual collection of personal data (as in the NPR), at the minimum, (a) data protection best practices, including data minimisation and purpose limitation must be followed, (b) data collection must follow the principles of necessity and proportionality (especially if rights are affected). Within this framework, some issues come to the fore immediately. The first is the disjunction between the statutorily stipulated “purpose” of the NPR, and the public discourse around it. The IFF Brief points out that – as per the Citizenship Rules of 2003 – the only statutorily mandated use to which NPR data can be put is the preparation of an NRIC. In public discourse, however, the government has claimed that the purpose of the NPR is to ensure targeted delivery of welfare schemes. This – naturally – finds no mention in the Citizenship Rules. This is a classic case of “function creep”, and was witnessed for many years in the case of Aadhaar (until under pressure because of litigation, the Aadhaar Act was passed in 2016).
For this reason, the IFF Brief suggests that Section 5 of the PDP make clear that purpose limitation requires the specific and concrete purposes for which the data will be collected to be “anchored” in primary legislation. This is important for three reasons: first, once the purposes are set out, the proportionality of data collection can be examined with respect to each purpose, separately (for example, in the Aadhaar Case, the Supreme Court found that the proportionality standard was not met for bank accounts and mobile phones, but was met for welfare subsidies and income tax); secondly, it ensures that citizen and resident databases are not open-ended enterprises that – once data is collected – can be used for any purpose at any time; and thirdly – and following from the first two reasons – it rules out interlinking of databases and the accompanying profiling and surveillance (which was explicitly deemed unconstitutional by the Supreme Court in the Aadhaar judgment).
Indeed, the IFF Brief points out how a rigorous implementation of purpose limitation – along the lines suggested above – would bring out clear and evident shortcomings in the NPR process itself. If the statutorily stipulated purpose of the NPR is to prepare an NRIC (caveat: contrary to IFF’s suggestions, this is part of the Rules, and has not been set out in primary legislation), then only that much data as is required for the purposes of establishing citizenship may be collected (caveat #2: this is without prejudice to the overall arguments against the NPR). Thus, for instance, the NPR process cannot mandate the collection of Aadhaar details (as Aadhaar is not a proof or even an indication of citizenship), and the NPR database cannot be seeded with Aadhaar (as has already been partially done).
The IFF Brief points out, in addition, that the PDP Bill’s broad exemption clauses enable the possibility that the entire NPR exercise could be taken out of the ambit of data protection principles altogether. This is obviously a serious problem, and it is worthwhile to note that in the original Srikrishna Bill, the Government was not authorised to simply dispense with the requirements of necessity and proportionality when engaged in non-consensual data collection. The potential non-application of the PDP Bill to an exercise as important and sensitive as the NPR, therefore, demonstrates an urgent need to tighten the Bill’s provisions in order to ensure constitutional compliance.
In sum, therefore, the NPR process is precisely the kind of large-scale, nationwide data-gathering and database-creating exercise that requires principles of data protection to be applied rigorously. When, however, we measure the NPR and the PDP against those constitutional principles (as set out in Puttaswamy and elsewhere), we find important shortcomings in both. The IFF Brief provides an important starting point from which to identify these shortcomings, and also indicates what a strong data privacy regime would look like in practice.