Data Protection Bill Is Riddled With Arbitrary Provisions That Violate the Right to Privacy

While the Bill takes several commendable steps to ensure that it complies with global standards of data protection, it nevertheless suffers from several infirmities that render its constitutionality questionable.

After a nine-judge bench of the Supreme Court in Justice K.S. Puttaswamy vs Union of India recognised the right to privacy as a fundamental right, several attempts have been made to enact a data protection regime in India. The newest iteration of the Personal Data Protection Bill was released on November 18, 2022, for public consultation.

While the Bill takes several commendable steps to ensure that it complies with international standards of data protection such as the General Data Protection Regulation (GDPR), it nevertheless suffers from several infirmities that render its constitutionality questionable.

This article will seek to test the provisions of the Digital Personal Data Protection Bill on the anvil of Puttaswamy and other similar judicial pronouncements to analyse whether it passes constitutional muster.

Deemed consent

The introduction of the Bill drew mixed reactions from legal experts. While some lauded it for enacting a strong consent-based regime of data privacy, others have expressed concern over the broad powers given to the government.

To analyse such infirmities in detail, let us look at Section 8 of the Bill. While generally, the Bill mandates that personal data must only be processed after the express and unambiguous consent of the data principal, Section 8 provides that such consent may be ‘deemed’ in certain circumstances.

This provision draws from Section 15 of the Personal Data Protection Act of Singapore, which recognises that there may be situations where the processing of data is reasonably necessary without express consent. Non-consent-based grounds for processing data are also mentioned in Article 6 of the GDPR. However, the Personal Data Protection Bill goes even further, by providing for deemed consent on a broadly defined ground of ‘public interest’ in Section 8(8).


Public interest has been defined under Section 2(18) as including the sovereignty of India, security of the State, public order, etc. However, Section 8(8) provides for deemed consent in cases of credit scoring, which is wholly incompatible with even the most liberal definition of public interest.

Credit scoring involves the collection of highly sensitive personal information including financial data and history. Collection of such data without the express consent of the principal constitutes a clear threat to their privacy.

Puttaswamy has clearly prescribed a requirement of ‘narrow tailoring’ of a law infringing the right to privacy, i.e., the law must be framed restrictively to achieve its stated objective. Since the object of the Bill is to enact a data protection regime which balances the importance of consent and larger public interest, needlessly broadening the ambit of public interest to include unrelated grounds is uncalled for.

The apex court in Puttaswamy also emphasised the importance of the non-discrimination principle of data protection, which prescribes that the collection and processing of data must not discriminate on the basis of race, ethnicity, religion, and other similar characteristics. The new Bill, unlike its 2018 iteration, has also done away with the distinction between non-sensitive and sensitive personal data.

For instance, under Section 16 of the old Bill, employment was a basis for processing only non-sensitive personal data. The new Bill is couched in broader terms wherein Section 8(7) gives employers the authority to process sensitive information of the data principal without express consent.

In the old Bill, details such as sexual orientation, sex life, transgender status, caste, religious affiliation, etc. were covered under ‘sensitive personal data’. If employers can obtain broad-based consent to process such sensitive information of their employees, it may lead to unfettered workplace discrimination against gender, sexual, caste, and religious minorities.


Government exemptions

Section 18(2)(a) empowers the Union government to exempt instrumentalities of the State from the application of the provisions of the Bill. It is pertinent to note that this is a blanket exemption without any procedural safeguards.

Maneka Gandhi propounded that a transgression of Article 21 must meet the threshold of a ‘fair, just, and reasonable’ procedure. Puttaswamy further introduced the requirement of ‘proportionality’. The proportionality test, now concretised by judgments such as Anuradha Bhasin vs Union of India, contains four prongs – (a) the law infringing on privacy must have a legitimate goal, (b) it must bear a rational nexus with the said goal, (c) there must not be a less restrictive but equally effective alternative, (d) it must not have a disproportionate impact on the right-holder.

Under Section 18(2)(a) the government can exempt instrumentalities of the State on grounds akin to those enumerated in Article 19(2), which is evidently a much lower threshold than the proportionality review. Furthermore, this provision violates prongs ‘(b)’, ‘(c)’ and ‘(d)’ of the proportionality test.

It is not denied that there may be a necessary and compelling State interest in granting an exemption to the government in the interests of national security. However, a blanket exemption from all provisions of the Bill is excessive.


The State is already permitted to process personal data without the express consent of the data principal in furtherance of public interest under Section 8. This provision should be sufficient to allow the State to counter illegal activities without having a heavy procedural burden, i.e., it is a less restrictive but equally effective measure.

Exempting the State from general obligations under Section 9, which includes taking reasonable safeguards to prevent data breaches, or Section 10, which provides for the protection of children in relation to data processing, bears no rational nexus to the object of preventing public disorder or maintaining national security. It is a disproportionate measure which expands State power at the expense of individual privacy.

As per Section 18(4), instrumentalities of the State are also exempt from the requirement of purpose limitation, i.e., erasing personal data after its need has been fulfilled. This, too, is devoid of any procedural safeguards and allows the government to arbitrarily retain data for an indefinite period of time. This is a plain violation of the data principal’s right to be forgotten.

While the jurisprudential acceptance of the right to be forgotten as a standalone right is murky, judgments such as Vasunathan vs Registrar General (delivered well before Puttaswamy) have recognised the importance of the same. This right is based on the importance of the autonomy of the data principal.

As Justice Kaul in Puttaswamy explained:

“People change and an individual should be able to determine the path of his life and not be stuck only on a path of which he/she treaded initially. An individual should have the capacity to change his/her beliefs and evolve as a person. Individuals should not live in fear that the views they expressed will forever be associated with them and thus refrain from expressing themselves.”

Thus, an individual should be able to control (as far as practicable) the use of their data to protect their dignity and autonomy.

Obviously, there ought to be exceptions to this right in light of the legitimate interests of third parties. This may include interests based on other fundamental rights (such as use of the data for journalistic purposes) or the interests of the government in protecting the security of the State.

Clearly, all sorts of third-party users can have legitimate interests in the use of such data, but this has to be determined on a case-to-case basis. For guidance, the European Court of Justice in Google Spain discussed several factors that the court may consider while balancing the right to be forgotten with the legitimate interests of third parties.

What is not permissible is giving an arbitrary and blanket exemption to the government. The Bill has created a distinction between the government and private entities which lacks an intelligible differentia and a rational nexus with the purported object of the Bill. This is a patent violation of Article 14 as well as the proportionality test.

While it has been repeatedly stressed that data retention mandates must be specifically reasoned, there is no clear justification given as to why the state is exempt from the storage limitation requirement. Clause 20 of the Explanatory Note to the Bill provides that “a clear grounds-based description of exemptions has been incorporated in the Bill”. However, such ‘clear grounds-based descriptions’ are visibly absent from Section 18(4).

It is hard to determine whether there exists a legitimate state aim or a necessary purpose that this provision is seeking to fulfil. In the absence of a legitimate aim, it is impossible to ascertain if the proportionality criteria have been satisfied.

Even in Puttaswamy-II, the court struck down a regulation that allowed the Unique Identification Authority of India (UIDAI) to retain certain transaction data for a period of five years. The bench noted the disproportionate nature of the provision and recognised that it affected citizens’ right to be forgotten.


Conclusion

The Personal Data Protection Bill is an ambitious yet gravely flawed attempt at creating a data protection regime in India. While it purports to enact a consent-based system for processing personal data, the government has practically given itself carte blanche to ignore the safeguards in the Bill.

The immense powers given to the government, coupled with the fact that the distinction between sensitive and non-sensitive data has now been eradicated, may lead to undue targeting of gender, sexual, and religious minorities. The Bill is riddled with arbitrary provisions that are contrary to the right to privacy judgment.

The infirmities highlighted above ought to be rectified if the government is serious about complying with international standards in data protection.

This article was originally published on the blog Indian Constitutional Law and Philosophy.

Govt Panel’s Report on Data Protection Bill Recommends Tougher Norms for Social Media Platforms

The report, however, did not recommend any major dilution of the contentious exemption clause, which gives powers to the government to keep any of its agencies outside the purview of the law.

New Delhi: A parliamentary panel on December 16, Thursday, recommended tougher norms to regulate social media platforms by holding them accountable for the content they host while asserting that it is imperative to store data in India and restrict access to it by categorising it as sensitive and critical personal data.

It recommended widening the scope of proposed data protection legislation to include both personal and non-personal data with “a single administration and regulatory body”, and sought greater accountability for social media platforms by treating them as ‘publishers’.

Raman Jit Singh Chima, Asia-Pacific policy director at Access Now, a global tech policy think tank, told Hindustan Times that the panel’s proposal to treat social media companies as publishers and determine their liability “is a first for any data protection law”.

The report, however, did not recommend any major dilution of the contentious exemption clause, which gives powers to the government to keep any of its agencies outside the purview of the data protection legislation. Clause 35 of the Bill grants sweeping powers to the government to exempt any of its agencies from the provisions of the Bill and Data Protection Act.

Privacy advocates have been opposing the said provision, and some opposition members of parliament (MPs) too had flagged concerns through their dissent notes.

“The committee has added ‘reasonable and necessary’ to Clause 35, but it is no safeguard and can be easily circumvented. The committee should have recommended the deletion of this clause in entirety,” Chima told the newspaper.


The 30-member Joint Committee on Personal Data Protection Bill, 2019, headed by Bharatiya Janata Party MP P.P. Chaudhary, tabled its report in both houses on December 16, after two years of deliberations.

The key takeaways from the report include widening the scope of the draft legislation to also cover non-personal data, tighter regulation for social media platforms along with the establishment of a statutory media regulatory authority on the lines of Press Council of India.

The committee in its report observed that since India has become a big consumer market, there is a large collection, processing and storage of data happening daily.

“…the committee opined that it is imperative to store data in India and to restrict access to it by categorising them as sensitive and critical personal data, thus giving impetus to data localisation,” the report said.

The committee’s report made it clear that “India may no more leave its data to be governed by any other country”.

“The committee, considering the immediate need to regulate social media intermediaries have expressed a strong view that these designated intermediaries may be working as publishers of the content in many situations, owing to the fact that they have the ability to select the receiver of the content and also exercise control over the access to any such content hosted by them,” the report said.

The panel recommended that all social media platforms, which do not act as intermediaries, be treated as “publishers” and be held accountable for the content they host.

“Further, the committee has recommended that a statutory media regulatory authority, on the lines of Press Council of India, may be set up for the regulation of the contents on all such media platforms irrespective of the platform where their content is published, whether online, print or otherwise,” it said.

A mechanism should be devised where social media platforms, which do not act as intermediaries, will be held responsible for the content from unverified accounts on their platforms.

“Once an application for verification is submitted with necessary documents, the social media intermediaries must mandatorily verify the account,” said the report.

The changes it has proposed to the Bill include classifying social media platforms as significant data fiduciaries.

The committee suggested that no social media platform should be allowed to operate in India unless the parent company sets up a local office.

It has sought to bring non-personal data in its ambit too, saying restricting the new legislation only to personal data protection or to name it as Personal Data Protection Bill is “detrimental to privacy”.

In their joint dissent note on the joint parliamentary committee (JPC) report, Rajya Sabha MP Derek O’Brien and Lok Sabha MP Mahua Moitra had criticised the excessive powers given to the government on various aspects and the inclusion of non-personal data in the Bill.

According to India Today, the committee has said that self-regulation and existing media regulators are insufficient and ill-equipped to regulate the journalism industry.

Therefore, the committee has desired that “Clause 36(e) may be amended to empower any statutory media regulator that the government may create in the future and until such time the government may also issue rules in this regard”.

Clause 36 of the Bill makes the “right to be forgotten” inapplicable to the processing of personal data by any court or tribunal in India that is necessary for the exercise of any judicial function.

(With inputs from PTI)

Top EU Court Holds ‘Right to Be Forgotten’ on Google Is Limited to Europe

Tuesday’s ruling means that the EU’s privacy standards don’t have to apply outside its borders.

The European Court of Justice ruled that, while a search engine operator such as Google must carry out “de-referencing” of links as demanded by a regulator or court in an EU state to all European versions of its sites, the “right to be forgotten” need not go any further.

The right to be forgotten was enshrined by the EU’s top court in 2014, when it said Google must delete “inadequate, irrelevant or no longer relevant” data from its results when a member of the public requests it.

The US internet giant, backed by tech heavyweights including Microsoft, had argued that the removal of search results required under EU law should not extend to its google.com domain or its other non-EU sites.

Free speech campaigners also worried the case was an attempt by Europe to police a US tech giant beyond the union’s jurisdiction.


Fighting censorship

Tuesday’s case arose after France’s data protection office (CNIL) fined Google €100,000 for failing to remove links containing damaging or false information about a person across all its domain names – not just those in the EU.

In 2016, Google introduced a geoblocking feature preventing European users from being able to see delisted links, but resisted censoring search results for people in other parts of the world.

The firm argued that such decisions push the internet into dangerous waters and could be abused by authoritarian governments trying to cover up human rights abuses were it to be applied outside of Europe.

“Since 2014, we’ve worked hard to implement the right to be forgotten in Europe, and to strike a sensible balance between people’s rights of access to information and privacy,” the firm said in a statement following the ECJ ruling.

“It’s good to see that the court agreed with our arguments.”

Protecting privacy

However, the court did stress that de-referencing on EU sites must include measures to “seriously discourage” a European internet user being able to get around the “right to be forgotten” by accessing unrestricted results from a search engine on a non-EU domain.

That demands “geo-blocking”, which Google says it already uses effectively in Europe.

Savvy internet users, however, can get around that measure with a VPN that masks the user’s location, or by going to some non-Google search engines.


National tribunals must now weigh if Google goes far enough with geoblocking efforts to prevent viewers from one location seeing such delisted links.

EU meddling

The case touched on the thorny issues of balancing data privacy and protection concerns against the public’s right to know and was watched closely around the world.

If France had won, it could have deepened a rift between Europe and the US, which is home to most of the internet’s behemoths and whose President Donald Trump has railed against what he sees as EU meddling in US business.

This article was originally published on RFI.

In India’s Right to Privacy, a Glimpse of a Right to be Forgotten

While Justice Kaul’s opinion identifies a ‘right to be forgotten’, India’s upcoming data protection framework needs to resolve a number of hurdles before we carve out such a right.


The landmark right to privacy judgment delivered by the Supreme Court in Justice Puttaswamy v. Union of India is significant for a lesser known holding – the right to be forgotten.

The concurring opinion delivered by Justice Sanjay Kishan Kaul affirmed the ratio of the case, namely that the right to privacy is a fundamental right and not merely a common law right. It went a step further and identified the right to be forgotten, in physical and virtual spaces such as the internet, under the umbrella of informational privacy. The right to be forgotten puts individuals in control of the information they put out, and lets them seek erasure of data concerning them. Kaul stated, “The right of an individual to exercise control over his personal data and to be able to control his/her own life would also encompass his right to control his existence on the Internet”. This ties into his reasoning that the public does not have a claim to access all truthful information.

The envisaged right to be forgotten would not be absolute, and would not extend to an unqualified erasure of history. The opinion subjects it to restrictions on the basis of a) other fundamental rights (especially freedom of speech and expression), b) compliance with legal obligations (such as taxes), c) public interest, d) public health, e) archiving, f) scientific, historical or statistical research, and g) defence of legal claims. Individuals would be enabled to control dissemination of their information in physical and virtual spaces. Recognising that people may make mistakes in the past which should not be held against them through the digital footprint left behind, Justice Kaul seeks to bolster the ability of the right to privacy to nurture the ability to evolve.

The court places reliance on the 2016 European Union Regulation (Article 17) that created the right to erasure.

However, any attempt to carve out a right to be forgotten would need to be cognisant of several caveats. In the absence of a data protection law in India, many of these concerns would remain unresolved and dependent on ad-hoc judicial attention of the courts. First, even accounting for the restrictions outlined by Kaul, what would be the ambit of a proposed right to be forgotten? Would it only remove a search result from a search engine, or the very source itself? For instance, in a recent Karnataka high court judgment (Sri Vasunathan v. Registrar), the remedy was extended only to copies of the order yielded on an internet search. It did not erase certified copies of the order on the high court website. This is a limited right to erasure via delinking, and not a broader right to be forgotten. Kaul’s judgment does not appear to account for this distinction.

Second, the conceptual thicket is aggravated by the lack of dedicated statutory provisions in the IT Act, 2000 and the IT Rules, 2011. Rejecting a request for erasure, the Gujarat high court (Dharamraj Dave v. State of Gujarat) pointed out the petitioner’s inability to establish which provisions of law were attracted and how the uploading of the concerned judgment constituted a violation of Article 21. Even though section 69A of the IT Act and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 hold relevance, there is a dearth of clarity about the parameters of an individual’s right to be forgotten and what restrictions can be imposed on the same.

These statutes only relate to virtual information and do not extend to physical spaces as envisaged by Kaul. Furthermore, in what manner would the right to be forgotten apply to public figures such as politicians and actors?

The lack of a legal framework in the form of a data protection law addressing the issue has meant that the right to be forgotten, in the nascent form it exists at present, is primarily enforceable by approaching the court. Alternatively, an individual can resort to requesting the search engine to take down the contentious result. Google has a case to case mechanism for the same. In the former route, the courts are entrusted with ad-hoc resolution of a probable ‘right’ whose content is nebulous. In the latter, adjudication of fundamental rights, incursions on free speech and public access to information are left to the good sense of a private entity.

As India awaits a data protection law, calls for the right to be forgotten must acknowledge the hurdles in its path. The pronouncement of a fundamental right to privacy does not resolve them.

Sohini Chatterjee is Research Fellow, Vidhi Centre for Legal Policy.

Modi Wants the DNA Profiling Bill Passed Right Away. Here’s Why It Shouldn’t Be.

The Human DNA Profiling Bill which the Narendra Modi government wants to pass in the current session of Parliament is one of the most intrusive enactments of its kind anywhere in the world, a measure that will render obsolete the national debate on privacy before it has even begun.

Drafted by the Department of Biotechnology (DBT) in the Ministry of Science & Technology, the Bill’s pithy title belies the ambitious, even disturbing, goals that its text envisions. To be sure, that it was drafted at the outset to expedite civil and criminal disputes where possible, to help identify the unclaimed dead, and to track down missing persons is a benign, even desirable, intention to have. Where it fails is in situating this agenda in an accountable and secure framework of rules.

Once passed, the law will set up a national DNA database, a DNA Profiling Board and a mechanism for the use of DNA profiles to resolve criminal and civil disputes with few safeguards to guard against the abuse of this information.

For example, in the Bill, a version of which The Wire was able to access, the Board gives itself wide-ranging discretionary powers about whose name gets into the database (sometimes without consent), who gets to access the DNA profiles, what the database could be used for (“population” studies), and who watches the watchers (in a word, nobody) – readying a potent cocktail of abuse.


The Bill is set to be tabled in the monsoon session of Parliament, which began on July 21. But that could be too soon given the scope and seriousness of the issues the draft raises. The proposed law’s failures broadly have four facets – reliability, costs, privacy and accountability – and, if passed in its current form, it could gravely jeopardise the integrity of sensitive biological information as well as poison the criminal justice system with a false conviction of judicial infallibility. In the absence of a reason to expedite its passing, the draft Bill could instead be referred to a Parliamentary Standing Committee before it’s tabled.

DNA profiling

After human fingerprints were pressed into the service of criminal investigations in 1892, DNA profiles have been the only other biological marker discovered by scientists to be unique to each individual. Since fingerprints at a crime scene can be easily obfuscated, or not left behind at all, and it is almost impossible for a criminal to not leave behind a clue bearing his or her DNA, DNA profiling has assumed great importance in modern forensic science.

Every cell of the body contains a copy of the DNA molecule, a total of three billion base pairs of smaller molecules called nucleotides neatly arranged into structures called chromosomes. Consider this a giant word with three billion letters. Some 99.9% of those letters are identical for every individual – but that 0.01% difference amounts to three million letters that are arranged in a different configuration. Among them, there are parts that contain a short combination of letters repeated a few times. These are called short tandem repeats (STRs), and the frequency of their repetition differs from person to person so much so that no two (known) people have the same DNA overall – unless they’re identical twins or closely related. Identifying this difference forms the basis of DNA profiling, also known as DNA fingerprinting.

The idea of the Bill was first mooted by the DBT in 2003, during the National Democratic Alliance government of Atal Bihari Vajpayee. In 2007, the DNA Profiling Advisory Committee, which had been put together by the DBT, developed the Human DNA Profiling Bill 2007 that has seen changes between 2007 and 2012. In January 2013, a committee of experts was formed to scrutinise the 2012 draft: J. Gowrishankar, Director, CDFD; R.K. Gupta, adviser (C&I), Planning Commission; Jacob P. Koshy, science writer, Mint; Kamal Kumar, retd. IPS, retd. DGP of Hyderabad; C. Muralikrishna Kumar, senior adviser (ICT), Planning Commission; Usha Ramanathan, researcher and advocate; T.S. Rao, adviser, DBT; N. Madhusudan Reddy, staff scientist, CDFD; Raghbir Singh, fmr. Secy., Ministry of Law; Alka Sharma, Director, DBT.

Till late 2014, the committee continued to deliberate and make changes to the draft Bill. Then, it was circulated within the Ministry of Science & Technology for comments, which were then incorporated in the draft.

By January 2015, the revised document had wound its way to the Legislative Department of the Ministry of Law & Justice. According to DBT Secretary K. VijayRaghavan, the department has now finished drafting the Bill and “processed it further for the necessary approval”.

In the same period, 2003-2015, the Central and various state governments have toyed with the idea of collecting and storing DNA profiles. Notably, the Tamil Nadu government sought to amend the Prisoners Identification Act 1920 intending to set up a database of prisoners’ profiles. In 2012, the Uttar Pradesh government made it mandatory for the DNA profiles of dead persons to be saved along with the postmortem.


Although the draft Bill banks on an amendment to the Criminal Procedure Code made in 2005 – to allow DNA evidence to be admissible in a court – its principal and most problematic feature is the central repository it envisages of DNA profiles belonging to crime suspects, criminal offenders, missing persons, unknown deceased persons, and volunteers.

Its contents and operation will be managed by a DNA Profiling Board and a Databank Manager that the Board will appoint, who altogether have too many discretionary powers that drag the credible parts of the document down. These parts include useful mechanisms such as for post-conviction DNA-testing (where a conviction can be overturned by allowing the defendant to appeal for a DNA test).

Overall, the draft Bill has four major flaws:

  1. Reliability of DNA profiling
  2. Visible and hidden costs
  3. Privacy and anonymisation
  4. Power and sunset clauses

I. Reliability of DNA profiling

What are the chances you’ll be killed in an airline accident? There is a number ascribed to this high-cost enterprise, and it is calculated using statistics because it’s hard to estimate how the failure of one of thousands of the components constituting it will or won’t precipitate the failure of the overall entity. So, the chances that you’ll be killed in an airline accident are 1 in 4.7 million. That means if 4.7 million flights are undertaken, one of them will result in a fatal accident, right? Not exactly, because the chances of an accident could be significantly increased if certain components of an aircraft fail, and engineers are not aware of all such precipitant failures.

Analysing the DNA of an individual to look for clues about her/his identity is subject to similar stochastic caveats. This is because, despite the many unique properties of the DNA molecules in our bodies, our ability to preclude errors in indexing them isn’t perfect. The implication is that DNA profiling throws up fewer errors when validating or invalidating less systematic proof, but there are errors nonetheless that a law – and definitely a court interpreting that law – must be aware of.

Moreover, the proofs are also dependent on how rarely or often the STRs have been observed in the past. Estimates of their rarity are based on studying some preset locations on the DNA: the CODIS database of DNA profiles in the US looks at 13 locations, the NDNAD in the UK looks at 10, whereas Interpol analyses look at 12. The CDFD (Centre for DNA Fingerprinting and Diagnostics) – the nodal agency for DNA analysis in the country – plans to look at 17, according to Dr. J. Gowrishankar, its director. These locations were determined to be important in the early days of DNA forensics, and according to lawyers in the US and UK are overdue for a reexamination.

The Human DNA Profiling Bill, on the other hand, is dismissive of this aspect of the technique it is centred on, with its January 2015 draft saying in its introduction that DNA profiling can distinguish between any two people “without a doubt”. The words give the impression that the experts involved in drafting it have no reason to believe that DNA profiles could ever be fallacious. In fact, conspicuously missing from the document are the statistical procedures (performed on DNA information) that will be admissible as evidence in a court of law.

Speaking to The Wire, Gowrishankar clarified that the three words “without a doubt” had been removed from the draft Bill in a later iteration – but only because the Bill would be tabled without that part in Parliament. However, he also added that he would be able to defend the infallibility of the technique.

In 2009, New Scientist reported the case of Charles Richard Smith. Smith was convicted of a sexual assault on Mary Jackson (not her real name) in Sacramento, California, which took place in January 2006. Jackson was sitting in a parking lot when a stranger jumped into her truck and made her drive to a remote location before forcing her to perform oral sex on him. When police arrested Smith and took a swab of cells from his penis, they found a second person’s DNA mixed with his own.

Mark Henderson’s 2012 book The Geek Manifesto: Why Science Matters elaborates on what happened during Smith’s trial (p. 158):

… a forensic scientist testified that the chances that the sample did not come from Jackson were just 1 in 95,000. Smith was convicted and jailed for 25 years. Genetic evidence, however, can be analysed in multiple ways. The analyst who provided the 1 in 95,000 number was convinced that he saw reliable ‘peaks’, indicating matches, at most of the 13 places in the genome where American forensic scientists compare DNA. His supervisor, whose evidence was also presented, thought fewer of these matches were reliable, and so put the probability that the DNA wasn’t Jackson’s at 1 in 47. A subsequent review of the case used a different technique, based on a computer algorithm, to compare the likelihood of the different interpretations of the evidence advanced by the prosecution and the defence. This suggested that this pattern of evidence was only twice as likely if the DNA was Jackson’s than if it belonged to someone else.

This isn’t to say that a reliable estimate can never be arrived at, but only that the draft Bill does not have the depth required to identify and tackle the sort of statistically motivated mistakes that occur in DNA profiling. In fact, it also abstains from specifying any best practices for the collection, storage and analysis of DNA samples – while in countries like the UK and USA, a more mature approach to DNA profiling has been instituted through laws like the DNA Identification Act 1994 (USA), the Criminal Justice and Public Order Act 1994 (UK) and the DNA Identification Act 1998 (Canada).

According to Gowrishankar, “The Bill has been drafted keeping the future in mind, so we have not included the different ways in which the information can be analysed. We want to keep our options open,” and that it was up to the defence attorneys to refute findings.


The upper hand that DNA profiling claims in being able to identify a person is bifurcated: it simultaneously relies on being similar to one set of data and being dissimilar to another. And how much a profile is closer to one and farther from the other can be interpreted in many ways – all of them reliant on a control group, a reference point based on which the analyst can say how much similarity and dissimilarity a profile exhibits. This control group is defined by a sub-database that contains the DNA profiles of volunteers. Gowrishankar said that the significance of each match (or mismatch) will be determined relative to how unique the ‘letters’ in the profiles are. As a result, the size of the volunteers’ database plays a critical role in determining the outcome of cases.

In 2007, the noted legal experts Michael Saks and James Koehler presented a problem called the individualisation fallacy that arises when examiners confuse infrequency with uniqueness – a flaw that can be eliminated (to a certain extent) only by enlarging the control, i.e. volunteers’, database. For example, if an anomalous pattern in the DNA of a person has a one-in-a-quintillion chance of occurring (based on its frequency of occurrence among the volunteers), the examiner will assert that given the population of all the people on Earth only that person’s DNA has that pattern (absolute uniqueness). However, the examiner assumes wrongly that he/she is aware of all the sources of that anomaly in human genetics (relative uniqueness). A similar mix-up between the two kinds of uniqueness results in the prosecutor’s fallacy exemplified in the infamous Sally Clark case of 1999.
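To make the gap between infrequency and uniqueness concrete, here is an added worked example (not from the article, the draft Bill or the CDFD). It assumes the three figures quoted from the Smith case can be read as likelihood ratios; the 1-in-1,000 prior and the population and database sizes are constructed for illustration.

```python
# Added illustration: why a rare DNA pattern is not a unique one.
from math import expm1, log1p


def posterior_source_probability(likelihood_ratio, prior):
    """Bayes' rule in odds form: posterior odds = likelihood ratio x prior odds."""
    if not 0.0 < prior < 1.0:
        raise ValueError("prior must lie strictly between 0 and 1")
    if likelihood_ratio < 0:
        raise ValueError("likelihood ratio cannot be negative")
    posterior_odds = likelihood_ratio * prior / (1.0 - prior)
    return posterior_odds / (1.0 + posterior_odds)


def expected_coincidental_matches(match_probability, population):
    """Expected number of OTHER people who share the pattern by chance."""
    return match_probability * (population - 1)


def prob_someone_else_matches(match_probability, population):
    """P(at least one other person matches) = 1 - (1 - p)^(N - 1)."""
    if not 0.0 <= match_probability < 1.0:
        raise ValueError("match probability must be in [0, 1)")
    # log1p/expm1 keep precision when p is tiny and N is huge.
    return -expm1((population - 1) * log1p(-match_probability))


def frequency_upper_bound(database_size, confidence=0.95):
    """Pattern never seen among n volunteers: the highest true frequency
    still consistent with zero sightings, from (1 - f)^n = 1 - confidence."""
    if database_size < 1:
        raise ValueError("database must contain at least one profile")
    return 1.0 - (1.0 - confidence) ** (1.0 / database_size)


# Figures quoted in the article for the Smith case. Treating the first two
# as likelihood ratios is an assumption made for this example.
SMITH_CASE_RATIOS = {"analyst": 95_000, "supervisor": 47, "review": 2}


def smith_case_posteriors(prior):
    """Posterior probability of a true match under each reading of the evidence."""
    return {who: posterior_source_probability(lr, prior)
            for who, lr in SMITH_CASE_RATIOS.items()}


if __name__ == "__main__":
    # Constructed prior: 1 of 1,000 plausible sources before the DNA result.
    for who, p in smith_case_posteriors(1 / 1000).items():
        print(f"{who:>10}: posterior = {p:.4f}")

    # Constructed case: a one-in-a-million pattern, population of 1.2 billion.
    print("expected coincidental matches:",
          round(expected_coincidental_matches(1e-6, 1_200_000_001)))

    # A volunteers' index of 1,000 cannot support a rarity claim beyond ~3/1,000.
    for n in (1_000, 100_000, 10_000_000):
        print(f"n = {n:>10,}: frequency could still be {frequency_upper_bound(n):.2e}")
```

With the constructed 1-in-1,000 prior, the same evidence yields a posterior of roughly 99%, 4.5% or 0.2% depending on which of the three readings is used, and a pattern never seen among 1,000 volunteers can still be as common as about 3 in 1,000.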

Another issue that worsens the reliability of results is that the draft Bill doesn’t explicitly require regular checks for contaminated samples, even if it goes to some length to talk about what will happen to those who are found damaging samples in any way. How credible those sanctions are is a different matter. In at least one high-profile human rights case, the murder of five Kashmiri civilians at Pathribal in 2000, DNA samples were tampered with in an attempt to absolve the security forces of the charge of murder. The police officer who orchestrated the tampering was never punished.

II. Visible and hidden costs

Centre for DNA Fingerprinting and Diagnostics, Hyderabad. Credit: Wikimedia Commons


The CDFD charges Rs.5,000 for each blood sample or person and Rs.10,000 for each “forensic exhibit” – such as an item of clothing from a crime scene – and an additional 12.36% as service charge levied by the Government of India. Though the draft Bill proposes including the profiles of only those under the scanner of the criminal justice system, data from the National Crime Records Bureau shows that over 32.7 lakh people were arrested in 2012 alone on criminal charges (proven and unproven). And while Gowrishankar said the official estimates were Rs.5 crore a year for keeping the database updated, acquiring the DNA profiles alone would cost more than Rs.1,800 crore.

The number of 32.7 lakh (even if only for reference) is too bloated for the database’s purposes because it also includes persons accused of minor crimes. Even if the size of the database has to be as big as possible to minimise the effects of the individualisation fallacy, its size becomes meaningless after a point, as the British government discovered in 2008. In that year, the number of profiles on the NDNAD jumped from 1.9 million to 4.1 million but the number of cases solved by the use of DNA profiles fell by 2,632 to 17,614. This was because the 2.2 million profiles were almost entirely of people who hadn’t been charged with any offences, making their DNA profiles irrelevant when it came to comparing those picked up from crime scenes. Similarly, the draft Bill would do well to include only the profiles of those charged with serious criminal offences – comparisons would be more efficient and costs would be lower.

Next, according to GeneWatch UK: “In 2010, putting someone’s DNA profile on the database in England and Wales was estimated to cost £30 to £40 and storing one person’s DNA sample was estimated to cost £1 a year.” The CDFD analysis rates are comparable to these numbers – so it must be noted that the capital cost of setting up the database in the UK was £300 million (Rs.3,000 crore approx.). Third, there is the operational cost – to maintain the communication and security infrastructure, and ensure it is compatible with indices like the CODIS. In fact, in September 2014, the FBI and the CDFD signed an agreement to install an instance of CODIS in CDFD’s Hyderabad office and train the personnel there. However, Gowrishankar said all of this would warrant only Rs.20 crore.

None of these expenses are mentioned in the draft Bill.

III. Privacy and anonymisation

A person’s DNA profile holds information comparable to a person’s password – however, it is more visceral. In the mammoth spatial configuration of the DNA’s atoms are encoded many of our characteristics and personal tendencies – including colour, race, behavioural features and susceptibility to some diseases. However, the few of the three million positions that the CODIS, NDNAD or the CDFD will be looking at are considered “neutral” – they don’t codify any of our features that might give our identities away, so it’s safe to store them without being anxious about what the government is finding out about us. Gowrishankar says so too, adding that only information about the 17 positions that the CDFD will consider will be stored in the database.

However, this information is missing in the draft Bill, giving the impression that non-neutral information from people’s DNA profiles will be stored as well – and sans any safeguards beyond the Bill itself, like the USA has the Genetic Information Nondiscrimination Act 2008. Gowrishankar said that the Bill omitted this detail because some advancement in the future could require analysing more than 17 neutral positions, or fewer, or others altogether, and that if the Bill had been specific to that extent, it would have to be modified over and over again to keep up with the times. Be that as it may, the draft Bill in its current form neither withholds the database from holding distinctly personal information nor does it acknowledge that possibility.

In that context, the information should be accorded the same rights as information on the Internet, or anywhere else, if not more. First, a person should be able to appeal the inclusion of her DNA profile in the database – although Gowrishankar insisted no profile could mistakenly enter the database as it would require either a court order or an expression of consent to get there. Second, the person should be able to access her/his own DNA profile whenever the need arises through appropriate legal channels – which Gowrishankar said wouldn’t be possible at all. Third, the person whose profile is under scrutiny should be able to know how the information contained is being used and why, and to ascertain its deletion when due. These three rights are missing in the draft Bill.

Moreover, in a separate note, the committee says,

The Expert Committee also discussed and emphasised that the Privacy Bill is being piloted separately by the Government. That Bill will override all the other provisions on privacy issues in the DNA Bill.

But even as the draft DNA-profiling bill seeks to deflect the responsibility of securing privacy to the Privacy Bill, a Report of the Group of Experts on Privacy, Chaired by Justice A.P. Shah (former Chief Justice of the Delhi High Court), explicitly set out the missing privacy and security provisions in October 2012, and a majority of them remain unresolved or unaddressed. By neglecting them, the CDFD and the DNA Profiling Board run the risk of turning themselves opaque and, for all practical purposes, unaccountable. For example, the draft Bill does not:

  1. Provide a notice that DNA samples were collected from such-and-such areas of the body
  2. Inform anybody – particularly the individual – if and when her/his DNA is contaminated, misplaced or stolen
  3. Inform a person if a case involving her/his DNA is pending, ongoing or closed
  4. Inform the people when there are changes in how their DNA is going to be accessed, or if the way their DNA is being stored or used is changed
  5. Distinguish between when DNA can be collected with consent and when it can’t
  6. Say how volunteers can contribute their DNA to the database even though the draft Bill has a provision for voluntary submissions
  7. Provide any explicit guarantee that the collected DNA won’t be used for anything other than circumstances specified in the Bill
  8. Specify when doctors or the police can or can’t access DNA profiles

Without these protections, the DNA profiles could be collected for one purpose but end up being used for something else. Consider #7 – the draft Bill doesn’t aspire to be self-contained and leaves itself open to expanding in the future. At one point (Sec. 31(4)), it spells out the various indices according to which profiles in the database will be stored:

Every DNA Data Bank shall maintain following indices for various categories of data, namely:

(a) a crime scene index;
(b) a suspects’ index;
(c) an offenders’ index;
(d) a missing persons’ index;
(e) unknown deceased persons’ index;
(f) a volunteers’ index; and
(g) such other DNA indices as may be specified by Regulations.

Why bother to specify any of the indices at all if the committee has (g)? And without specifying what regulations those could be and who, apart from the DNA Profiling Board, has the authority to spell them out, the draft Bill signals it could just about bring anyone’s DNA profiles into the database.

Additionally, who will watch the watchmen? The DNA Profiling Board is tasked – rather tasks itself – with determining which DNA profiles enter the database, who gets to access them, and how the database will be organised and maintained, in effect establishing a low quality check over itself. Although Gowrishankar clarified that there would be a Parliamentary check on the Board’s activities and that Parliament would be the ultimate arbiter for all “major” issues arising due to the Bill, there is still a lack of supervision – and potential for abuse – in the day-to-day dispensation of duties. If the Human DNA Profiling bill has to be effective and honest, it must account for the privacy shortcomings described by the Group of Experts.


Another concern is anonymisation – the process through which information contained in DNA profiles can’t be used to retrace the individuals from whom they were acquired. There is no description of a form or application of any kind that the draft Bill expects to be submitted along with the materials containing human DNA. If the Bill expects to use the form currently being used by the CDFD, there is an anomaly: the CDFD form asks for the applicant to mention her caste. Even if the draft Bill doesn’t explicitly mention that the database will have a ‘caste’ column, being able to associate an application form with a sample – and therefore ‘its caste’ – is plausible, especially in the volunteers’ database.

More troublingly, Section 31(6)(a) states that a DNA profile in the database will bear the identity of its source if its source is an offender, and that (b) all other DNA profiles will be relatable with the case reference number. The problem is that the case reference is not anonymised with respect to the people involved in the case.

IV. Power and sunset clauses

The DNA Profiling Board overseeing the implementation of the bill (when enacted) has given itself, and the bill, some conflicting rules and powers that together result in ambiguity about the scope of the bill and its accountability. Some examples:

Conflicts of interest – Section 12(k) states that the board is responsible for “making recommendations for maximising the use of DNA techniques and technologies in administration of justice”. Then, throughout the bill, the board’s powers are also detailed as extending to specifying the rules for how DNA information is collected and secured. Put them together and the board’s essentially saying, “We’ll try to use DNA evidence for as many things as possible, we’ll decide how the information is collected for those purposes, and we’ll decide how we’ll use it.”

Ex post facto implication – Section 13 states that any laboratory that wishes to undertake human DNA-profiling must get prior consent from the board. Then, Section 14(2) allows any DNA laboratory that’s in existence at the time the bill is enacted to perform human DNA profiling without prior approval from the board.

Use of profiles – Section 39(g) states that “Information relating to DNA profiles, DNA samples and records relating thereto shall be made available” to a slew of judicial and executive agencies as well as “for any other purposes, as may be prescribed”. However, those prescriptions have not been detailed in the Bill, and appear to be at the discretion of the DNA Profiling Board. In fact, Section 39(e) states that the profiles, and “samples and records relating thereto”, may be used for creating a “population statistics” database. This is to facilitate population-wide studies of genetic characteristics, and in the absence of perfect anonymisation, could potentially become associated with caste data.


Moreover, Section 35(2), which deals with the communication of DNA profiles to foreign states and institutions, doesn’t limit it to offenders and convicts but, by not discussing it in detail, allows for any profile in the database to be shared. Put this together with an individual’s inability to appeal the inclusion of her/his profile, and anyone’s profile – as long as it has wound its way into the database – can be shared with foreign entities. There are also no restrictions on whether the foreign agencies can index the profile in another database.

Legal recourse after three months – Someone who’s been wronged by any of the provisions of the bill can approach a court only if he/she approaches the board first and gives it three months to act on a complaint. In those three months or before that, Section 57(1) of the bill prevents anyone from approaching the courts except the central government or a member of the board itself.

Finally, there’s the absence of a sunset clause – in particular, the draft Bill does not say when its provisions will expire, or whether there is a period after which a DNA profile will be removed from the database. For the latter, the draft Bill specifies that if a person has been acquitted in a case or if the case is set aside, the corresponding profile will be deleted, but nothing is said about the profiles of missing persons who have been identified, volunteers who have died, and other profiles that are likely to be collected at crime scenes. Moreover, no rationale is presented for retaining the profiles of those who are convicted of offences like rape or murder, who end up spending long years or a lifetime in prison. While Gowrishankar asserted that only the DNA profiles of the unidentified dead would be held forever, the draft Bill does not explicitly exclude the rest.

Given the scale of issues with the draft Bill, and its potentially disastrous sidelining of privacy concerns, its scheduled introduction in the monsoon session of the Lok Sabha seems hurried – despite having first been mooted more than a decade ago. Some of the issues may have escaped the drafting committee’s concerns by way of not having received appropriate feedback – such as the issue of hidden costs – but the committee must explain why there is a lack of access to data of the people by the people, why there are no sound anonymisation protocols, and why there are insufficient self-regulation and protection measures.

Download an annotated copy of the Human DNA Profiling Bill draft here (PDF).

Note: This article was edited on July 24, 2015, for clarity, to provide a link to the draft Bill and include references to some of the laws in other countries.