The right to privacy vs right to information

Finding the right regulatory structure is important in order to ensure that the two rights don’t come into conflict

Recently, information commissioner Sridhar Acharyulu, in an attempt to save the right to information (RTI) from dilution, cautioned against amending the RTI Act while implementing the data protection framework suggested by the Srikrishna Committee report.

The public focus so far has been on the conceptualization of personal data, consent fatigue and data localization. But the report raises a crucial question. What would be the mandate of the future data protection authority (DPA) it envisages? And how would the mandate be reconciled with that of the information commissioner? This concern becomes particularly relevant due to a history of bureaucratic conflict in various countries stemming from the tension between the discordant mandates of the two authorities.

Conceptually, RTI and the right to privacy are both complementary and in conflict. While RTI increases access to information, the right to privacy veils it instead. At the same time, they both function as citizen rights safeguarding liberty against state overreach. There are two possible frameworks for managing this tension.

A TWO-BODY MODEL

In most jurisdictions, the information commission and privacy commission are separate and distinct bodies. In a few countries, however, the RTI commission is a single-function body responsible for balancing competing interests. These jurisdictions include Hungary, Mexico and the UK.

Countries which have two commissions are able to champion both these rights distinctively. This is because they are unencumbered by the onerous task of balancing competing interests. However, this clarity of mandate and authority comes with a price tag. Disagreements between the two authorities can heighten transaction and opportunity costs involved in reconciliation, reducing overall efficiency in grievance redressal.

Canada has witnessed public tension between the two commissions due to politics and policy concerns. These concerns include delineating the extent to which a request to access “personal” information may be granted without undermining privacy. A Canadian task force reviewing its two-body model acknowledged the confusion arising out of conflicting recommendations. For instance, the two bodies could have conflicting opinions on whether educational records of public officials or asset records of spouses of public officials constitute “personal data” shielded from RTI requests.

A SINGLE-BODY MODEL

Adopting a single commission (as in the UK) instead would remove the transaction costs associated with conflict between two commissions. This would increase administrative efficiency and, in turn, public welfare. However, the possibility of a conflict between the two competing rights may end up prejudicing the authority in favour of one of them, endangering their intended harmonization. Moreover, additional mandates may over-burden the authority and undermine its efficacy, reducing social welfare instead.

ONE BODY OR TWO FOR INDIA?

The Supreme Court of India, while declaring the right to privacy as a fundamental right in Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India and Ors, missed out on defining its contours with respect to the right to information. The Srikrishna Committee Report, while acknowledging that most commentators are in favour of an independent data protection authority, falls short of explaining the rationale behind it. These missed opportunities are regrettable. That said, the optimal solution for India is indeed two independent bodies.

While the cost-effectiveness of a single body model is attractive, in the Indian context, it may have a number of drawbacks. These include high levels of corruption that could encourage conflict of interest and a tendency to safeguard personal gains.

Moreover, there might be another kind of mismatch in giving an information commissioner the mandate of enforcing a data protection law. The information commissioner’s mandate is concerned with personal data only of public officials and not of citizens at large. The enforcement of a data protection law, on the other hand, would require familiarization with, and expertise in, a far broader mandate. Achieving these may require a structural overhaul of the commission, which could prejudice the existing regime. A body with specialized expertise in this field would be far more suited to serve this purpose.

We admit that there may be some agency costs involved in reconciling conflicts between the information commissioner and the DPA. However, these costs would not override the larger public interest served by ensuring the independence of a DPA. This is because the agency costs would be relatively small compared to the harm arising out of a prejudice to either of these rights.

Furthermore, a single commission may lean towards hierarchizing the enforcement of RTI over the realization of privacy. This fear arises from the false perception that a dichotomy exists between privacy and welfare. This perception is based on public attitudes that question the relevance of privacy within the Indian sociopolitical climate as opposed to RTI, which is looked upon more favourably.

Source: Livemint epaper, 29/08/2018