Saturday, September 29, 2018

Watching markets work: Structural change in the Nifty implied volatility

by Surbhi Bhatia, Anjali Sharma, Susan Thomas.

When options are actively traded, a new fact about the economy is revealed in option prices: what option traders think that the market volatility is going to be. This derived volatility forecast is called 'implied volatility' (IV). The Nifty IV measures the Nifty volatility that market participants forecast for the coming two to four weeks.

This was not visible without derivatives trading. Nifty options trading began in year 2000. This gives us close to 20 years of data on market volatility forecasts in 2018. We used this history to calculate the daily IV time series. We used the official daily settlement prices of eight at-the-money options, for both the call and put options.

In the early years, the options market was quite illiquid, so the IV every day could be quite noisy. On some days, the computed IV was wrong in overstating the views of market participants, and on other days, the computed IV was wrong in understating the true views of market participants. If we wish to know the IV at a point in time, we have to bring options market liquidity integrally into the calculation. For the present purpose, we find it useful to use monthly averages, which we feel are adequately reliable. Our estimates of IV are protected, first by the averaging that goes into the official settlement price, and second when we average the daily values across the month.

Such a time series allows us to examine the views of traders about future volatility through these years. Were the traders' expectations of market volatility the same today as when the markets started? Did the market volatility rise to reflect the turmoil in the markets during the global financial crisis? How do IV values compare across the two banking crises, of 2001/2002 and 2017/2018?


Our first step is to look for structural breaks. If there are different IV regimes in the series, this test will identify time points at which the regime shifted from one to another. We use the Perron-Bai algorithm as implemented by Achim Zeileis et. al. (the `strucchange' R package). This yields the following result:



This shows four phases of the story of Nifty IV:

June 2000 to April 2006: The first regime is from the outset till April 2006. This period started after the nuclear tests of 1998, when Nifty had gone to its lowest value (887). IV surged when the UPA won the elections and the stock market crashed on 17 May 2004. The average IV in this period was 21.1%.

April 2006 to August 2009: The second period ran for around three years, from April 2006 till August 2009. Roughly speaking, this corresponds to the global crisis. In this period, the average volatility was 35.4%, with a peak value of about 70%. This value of 70% reminds us of the peak value seen with the S&P 500 implied vol, in October 2008, where the VIX touched 87% intra-day.

August 2009 to June 2012: The market returned to an average IV of 21.9%, which is quite close to the value seen in the previous period.

June 2012 to May 2018: The final period is one of calm, starting from Jun 2012 onwards, where IV has averaged a level of 15.2%.


The IV is the market's perception of future volatility. It is interesting to think about what changed in the economy that changed the views of financial market participants across each of these break dates. Why was the IV low in the first period, then high, then low again? Why is this latest period the lowest?

This was the period of demonetisation and Donald Trump. The world is beset with economic and geopolitical risk. In India, the trailing P/E has risen to historically high levels. There is a banking crisis and a large fraction of the equity index is banks. The market seems to have conquered these fears and thinks that the future Nifty volatility will be low. This is not only true for Indian equity: the US VIX also achieved its lowest values ever (about 9%) in November 2017.

It is interesting to look back at previous periods of calm and of stress. For instance, we see that in 2007, implied vols were unusually low. Once again, this was similar to the behaviour of the US VIX before the crisis as well. There are concerns about the extent to which market participants are good at thinking about one security at a time vs. being good at macro forecasting.

Friday, September 14, 2018

Privacy, Aadhaar, Data Protection: Statist Liberalism and the Danger to Liberty

by Anirudh Burman.

Kings will be tyrants from policy when subjects are rebels from principle.

                                         - Edmund Burke, Reflections on the Revolution in France

Edmund Burke wrote these lines in a scathing critique of the demise of ancient traditions of allegiance, fealty and "dignified obedience" in the wake of the French Revolution. These lines today apply in a very different sense to the search for state-centred solutions to protecting privacy and personal data. The discourse over privacy, identification and data protection shows that liberal concerns with state power co-exists with a preference for state coercion in the name of furthering ostensibly liberal objectives. This discourse is marked by the absence of underlying liberal principles based on societal and associational freedom, and instead, repeatedly shows a preference for state coercion for achieving its ends.

This discourse and the policy responses to the same fail to address two fundamental questions: first, what does the right to privacy seek to protect? Privacy is treated as an end in itself, and this has significant ramifications on how we think about constituting liberty in our society. Second, what institutional and associational processes are necessary to protect privacy? Institutional and associational processes that rely overwhelmingly on state coercion are counter-intuitive and may ultimately harm individual privacy and autonomy.

I address three major strands of the privacy discourse that address different aspects of the right to privacy, but share a common problem: the discourse is framed in a manner that treats privacy as an end in itself. The result of the nature of this discourse is that state power to infringe on privacy seems to have strengthened rather than weakened. I begin with analysing the existing discourse on the debate over whether India's increasingly ubiquitous identification system, Aadhaar, violates privacy rights or not. I argue that by focusing on Aadhaar's constitutionality vis-a-vis the right to privacy and not examining the ends for which Aadhaar is being used, the existing debates fail to question the use of state power via Aadhaar and its implications for privacy and liberty.

The next major strand of the privacy debate, the judgement of the Indian Supreme Court in Justice K.S. Puttaswamy v. Union of India ("Privacy judgement") also treats privacy as an end, rather than a means to protect other ends. As I argue, the consequence of the judgement is to provide clarity for the use of state power with respect to privacy rights rather than to elucidate those aspects of social existence that need protection from the state through privacy rights. Data protection, and the Personal Data Protection Bill proposed by the Justice Srikrishna Committee is the third major strand of the privacy debate. The Bill also treats privacy as an end. In seeking to protect data as an end in itself, it confers a wide jurisdiction on the proposed Data Protection Authority. By doing so, the Bill gives the Authority the power to potentially surveil all data in India in order to, ironically, protect data privacy.

I argue that by treating privacy as a broad right and an end in itself, we have defined the role of privacy in society narrowly. Instead, privacy as a right has to be discussed in specific contexts such as marriage, sexuality, crime records and employment history. Each context reflects a different tension between a specific public interest and the privacy interests of specific individuals. Only such specific discussions on how privacy rights can help individuals protect their freedoms, can further the interests of liberty in our society.

Efficiency, Privacy and Aadhaar

In the decades since independence, Indian politicians and intellectuals by and large agreed on the need for a social welfare state. Specifically, a State that would strive to provide health, education, food, and infrastructure to its populace. Despite the mixed record of the State in achieving these objectives, the premise of what the Indian State should do has not been challenged to any substantial degree. While the State has withdrawn from running industries and fostered private markets over the past three decades, the assumption that welfare is a fundamental task of the Indian State has not been questioned. In fact, the welfare state character of the Indian State has been significantly expanded in the past two decades through initiatives such as NREGA and others addressing food security and debt relief.

A central task before a welfare state is identification, or what James C. Scott calls the quest for "legibility". The search for legibility is rooted in policy makers' inability to comprehend complex realities and their consequent search for symbols or markers that make society comprehensible or "legible" to them. For the purposes of the State, individuals must be defined primarily in terms of specific traits (e.g. age, education, residence, income, profession, ethnicity, caste, etc.) While this quest for legibility is not confined only to the state, no state can act on its welfare mandate without making individuals legible. Benefits are distributed to individuals based on how a state identifies them. Thus, if only "the poor" can avail of LPG subsidies, defining who is "poor" becomes of central importance. Aadhaar is the product of this search for better identification, required due to ever-increasing welfare and regulatory functions the Indian State has to perform.

In the decades before Aadhaar was implemented, the manner in which the state identified beneficiaries was critiqued as being deeply flawed. The systems were rife with documented instances of poor implementation and fraud. Additionally, many in need of what the welfare schemes sought to provide lacked the documents to prove their eligibility for the same. While concerted efforts were made to improve public distribution systems through initiatives like computerisation, significant exclusions continued to take place. These improvements were also unevenly distributed across state governments, and subject to sustained political commitment.

Any improvements in targeting/identification however, have remained subject to new political diversions and demands from the State. NREGA for example, was a new social welfare scheme that required the determination of eligibility on metrics that were different from say, traditional PDS schemes. It required the State to collect and maintain information about individuals based on metrics that the Indian State had not collected in a systematic manner prior to its introduction. Every new scheme that requires benefits to be conferred to individuals had and continues to have its own metrics for eligibility (Jan Dhan Yojana requires very different kinds of identification requirements than say, Start-up India).

The demand for better and different forms of identification therefore increase each time a new benefit has to be made available to individuals. If the state has to perform an ever-increasing number of welfare functions, it will require ever-increasing information about intended beneficiaries, as it needs to know whom to include and whom to exclude. Over time, therefore, the extent of information collected about individuals increases due to the numerous functions the state is required to perform.

This is not just confined to welfare measures. Any state action that intends to regulate individual conduct has to determine whom to regulate and on what basis. If, for example, persons with criminal backgrounds are to be excluded from contesting elections, the state needs to collect and analyse information about the criminal backgrounds of those contesting elections. If the state intends to regulate banking, it needs to collect information about banks and financial firms.

The increase in the collection of information for discharging the functions demanded from the state constitute the source of the concerns with privacy. The largest threat to individual privacy therefore comes not from the existence of Aadhaar, but from the ever increasing number of regulatory functions and welfare measures demanded of the Indian State. Problems of identification systems are downstream of these demands. State-centred solutions, and unprincipled welfarism pose a greater threat to individual privacy and liberty than any single identification system used by the Indian State.

This is borne out by a careful analysis of the main points of contention in the Aadhaar and data protection debate.

Aadhaar is a database that maintains bio-metric and other personal identification information about individuals. If a government or private agency wishes to verify the identity of an individual, the Unique Identification Authority of India (UIDAI), as the custodian of the Aadhaar database, enables such authentication through specified mechanisms. Aadhaar does not maintain records of what was authenticated. It retains a record only of when a person's identity was verified and by whom, not for what purpose.

Aadhaar is therefore more or less a value-neutral utility. In itself, it does not have a fixed use other than to identify individuals. It is up to the user (the government or private agencies) to use it as a means of identification for a specific purpose. Such use depends solely on its utility as an accurate system of identification. It does not pre-suppose what the system is going to be used for. Its raison d'etre is to enable the state to identify individuals accurately, if required. Its existence, in fact, promotes discourse on what it ought to be used for, and how it ought to be used.

When Aadhaar was conceptualised and being created, the state promised that the system would be used for identifying beneficiaries of social welfare schemes. This has however, not remained the case. From tax compliance to school admissions and new phone connections, the use of Aadhaar has extended well beyond social welfare purposes. It is, however, important to note that this growth is demand-led for the large part. Government departments and agencies, as well as private firms, are using Aadhaar because it is a largely accurate database compared to other mechanisms for verifying individual identity. State authorities and private agencies are mandating Aadhaar-based authentication because they see value in it, not because the UIDAI says they must. The alleged threat to privacy has therefore come about not because Aadhaar exists, but because the State chooses to use it for discharging the functions demanded of it.

Some detractors have argued that Aadhaar is unconstitutional as some individuals are unable to access social welfare benefits due to authentication failures. In many such cases, the implementation by these departments and agencies has been faulty. Aadhaar authentication requires a connection to the central Aadhaar database, and this becomes problematic in cases of poor internet connectivity. In such cases however, it is the user agencies that are at fault. Making Aadhaar authentication mandatory in remote areas with low internet connectivity is an example of poor planning and implementation. It is the use of Aadhaar that must be debated.

This and other issues have been brought up in a clutch of cases currently pending before the Supreme Court. The cases in the Supreme Court however lay the blame on the existence of Aadhaar rather than its uses. Additionally, of the many grounds of challenge, there are some that are simply not amenable to effective redress through judicial mechanisms. The first is the question of exclusions. Any system of identification is designed to exclude. The purpose of identification is to enable inclusion at the cost of exclusion. The danger is that of unintended exclusions. People should not be excluded from benefits that were intended to be made available to them. The detractors of Aadhaar claim that the implementation of Aadhaar is leading to arbitrary exclusions, with persons who were previously included now being excluded. However, one must distinguish between the role of Aadhaar in unintended exclusions, and the uses of Aadhaar leading to unintended exclusions. For example, if there were no scheme called NREGA being implemented, there would be no Aadhaar-related exclusions from NREGA. In such a case Aadhaar would continue to exist, but not be the cause of any exclusions in NREGA. Exclusions are occurring because there is a welfare function that the state is discharging.

Another point of detraction has been that of data security and data leakage. The claim is yet again, that because of its potential for misuse, the use of Aadhaar for seeding information about citizens creates a potential for misuse. However, any information that the state stores by aggregating data using some other central identification ID (PAN numbers, passport numbers, Voter ID cards, etc) is subject to the same potential issues. Any central identifier that could be used to link multiple databases is likely to suffer from similar issues. If PAN numbers or mobile phone numbers are used to aggregate data about individuals instead of Aadhaar, the same fear of profiling is still likely to exist. The problem is therefore not with Aadhaar, but with the process of profiling individuals. It is therefore necessary to problematise the issue of profiling, rather than the use of Aadhaar for profiling.

The discourse on these issues reflects undue focus on means rather than ends. It is important to distinguish between Aadhaar as an instrumentality of the state, and the purposes for which Aadhaar can be used. It is the latter that leads to privacy concerns, not the existence of the instrumentality itself. The same privacy concerns will remain tomorrow if Aadhaar is replaced by another system of identification. The Indian state will continue to violate individual privacy, liberty and dignity if the ends to which systems of identification are used are not carefully examined, questioned, and thought through.

Some of these issues require political solutions, others judicial ones. The judiciary can provide judicial answers to legal questions. It is not a forum that can provide answers to questions of efficiency. It cannot help society decide on what is the most effective method of identifying individuals while respecting individual privacy. This is a political decision that has to be reached through a political process. The judiciary can also not answer questions as to what are "good" methods of data aggregation and storage. These are technocratic decisions that also have to come from the political process.

This is due to the very nature of the judicial process which seeks blunt answers to blunt questions - "is Aadhaar constitutional or not?". Any path the Supreme Court takes to balance competing interests such as privacy versus efficiency will be, at most, a second-best alternative to what sustained political engagement could have created. The nature of judicial outcomes is to provide perfect legal certainty by ending political contestation with legal certainty. Judicial interpretations of constitutions have the effect of ending political and legal disputes, not to create space for further political negotiations.

Any future negotiation can only take place by treating the court's decision as a given. A good example is the spectrum allocation case, where the Supreme Court held that telecom licenses were arbitrarily allocated, and that future allocations can only happen through auctions (subsequently modified by the Supreme Court in another case). Any further discourse on the subject had to deal with the fact that spectrum had to be mandatorily auctioned, with no possibility of discussions over better methods of spectrum allocation. This is what happens in most cases that come before constitutional courts. In the judcialisation of Aadhaar, we may have lost a significant opportunity to negotiate politically and improve its functioning.

The nature of relief claimed from the Supreme Court in the Aadhaar case asks some legitimate questions that the Supreme Court is well placed to answer, particularly with respect to whether the law should have been passed as a money bill, and in which instances Aadhaar can be made mandatory. But it also asks many questions that do not help address the real concerns about privacy - if all identification systems lead to exclusion, in what circumstances is exclusion constitutionally impermissible? If all data aggregation systems are potentially vulnerable to leakage and theft, in what circumstances is data leakage unconstitutional? If all state welfare functions lead to some kind of profiling, what kinds of profiling are constitutionally impermissible? In short, what are the values that the right to privacy seeks to protect?

Privacy judgement: Clarifying the use of state power

If the expectation from the Supreme Court in the case of Justice K.S. Puttaswamy v. Union of India ("Privacy judgement") was that it would explain what underlying values the right to privacy seeks to protect, it was belied. While the Supreme Court bench that decided this case was constituted because the Aadhaar bench made a reference to it, this case itself did not decide on privacy rights vis-a-vis Aadhaar.

In a remarkable feat of judicial activism the Court not only declared that there is a fundamental right to privacy, but that this right is an end in itself. The leading judgement (given by 4 out of 9 judges) states that the purpose of the Court in writing the Privacy judgement is to expound upon the right to privacy by providing a "doctrinal formulation".

The judgement lists a series of Indian cases in which a right to privacy has been claimed. As the Court itself notes after discussing these cases, many past judgements have held that a right to privacy exists under the Indian Constitution. What then, one might ask, was the need for this nine-judge bench? The answer provided by the Court was,

"...The deficiency, however, is in regard to a doctrinal formulation of the basis on which it can be determined as to whether the right to privacy is constitutionally protected..."

The Court therefore intends to assert the existence of a right to privacy as an end in itself, rather than a means to an end. Unlike all previous cases the Privacy judgement itself notes, this judgement was written with no applicability to a specific dispute before the court.

A long line of jurisprudence listed in the Privacy judgement highlights the fact that privacy has always been used to protect a specific interest or value: In Kharak Singh's case, it was privacy in the context of night-time domiciliary visits. In RM Malkani v. State of Maharashtra and PUCL v. Union of India it was privacy in the context of telephone tapping. In Gobind v. State of MP, the discussion on privacy was in the context of history-sheeting under state police regulations. In Malak Singh v. State of Punjab it was a surveillance register of specified categories of convicts. In Rajagopal, the judgement on privacy centred around the question on whether the autobiography of a convicted prisoner, allegedly co-authored by someone else, could be published. In Mr. X v. Hospital Z the issue of unauthorised disclosure of a patient's HIV status was in question. In Sharda v. Dharmpal the question of privacy rights arose in the context of a court order forcing a person to undergo a medical examination as part of divorce proceedings. In District Registrar and Collector, Hyderabad v Canara Bank, the question of privacy was in the context of the confidentiality of documents submitted to a public official. In the US Supreme Court case of Griswold v Connecticut that the Privacy judgement cites as well, - the right to privacy was held to exist in order to address a specific concern, namely the right of a married couple to use contraceptives.

In fact, globally, one would be hard pressed to find a judgement that is totally divorced from a factual dispute, that does not treat the right to privacy as essential to protecting other specific rights. Why does this matter? It matters because in treating privacy as an end, the judgement and the detractors of Aadhaar fail to deal with the underlying issues that infringe upon privacy and liberty. This in turn leads the Court to formulate tests that on closer inspection, clarify the use of state power with respect to privacy rights, without adequately explaining what those privacy interests are.

The Court notes that privacy is essential for the protection of individual autonomy and dignity. But it does not elaborate on what aspects of autonomy are worthy of being protected by privacy. Other than illustrating some examples of how the right to privacy could be applied to specific situations such as sexual orientation and data security, it provides no guidance on how this right to privacy is expected to interact with situations where individual privacy is subjected to larger societal interests. For example, the Court talks about the protection of individual identity in the context of data protection, but provides no explanation of what specific harms the right to privacy seeks to protect in the context of the misuse of personal data.

This is important as there are situations when individual autonomy and privacy may legitimately be circumscribed by societal interests. These include the disclosure of health records for buying health insurance or seeking health benefits, and the disclosure of income related information for claiming subsidies, etc. The judgement offers no consideration of the tension between individual privacy, liberty and public interest; this could only have been done in light of a specific dispute where the Court would have been forced to balance real and conflicting tensions.

Faced with this lack of factual circumstances, the Court in the Privacy judgement instead justifies possible constraints on privacy rights through a vague necessity doctrine. The Court states that the right to privacy can only be constrained by a parliamentary law made for a legitimate state interest, with constraints proportional to the object the law seeks to achieve.

It is, however, explicit in stating that the question of legitimate state interests in violating privacy rights can only be reviewed on the grounds of arbitrariness. In addition to laying down this test in the absence of specific circumstances, the judgement provides broad illustrations of what could be considered legitimate state purposes - national security, promotion of innovation, conferring social welfare benefits, etc. Unlike previous cases where the facts of the dispute ground the doctrinal points made by courts, the doctrinal points here can be construed widely or narrowly depending on the specific predilections of future courts.

The question of legitimate state interests is the question that should have occupied the attention of the Court - what kinds of infringements of privacy are permissible when specific actions of the State are claimed to be in furtherance of legitimate state interests? As per the Court, the only basis on which such a claim can be challenged is that of being arbitrary and disproportional. As long as there is no arbitrariness or disproportionality, infringements of privacy are permissible. However, neither arbitrariness or disproportionality are tests related directly to liberty and privacy in themselves.

For example, it is one thing to question whether the law related to telephone tapping is arbitrary or disproportional to the legitimate objectives of national security. It is another to question whether telephone tapping violates privacy or not. As per the test laid down by the Supreme Court, the law would not be unconstitutional if it were not arbitrary or disproportional. The test limits the discussion on the tension between privacy and national security only to the grounds of arbitrariness and proportionality. In doing so, the Court arguably missed an opportunity to create tests for legitimate state interests in interfering with privacy rights. Instead, the judgement of the Court illustrates a broad range of legitimate state interests where the state can interfere with privacy rights.

The same conclusion can be reached regarding the applicability of this judgement to other issues. If combating marital rape is a legitimate state interest, the Privacy judgement takes us no further in thinking about how to enter the private sanctuary of a bedroom in a way that respects the privacy of the married couple. Any law can be made as long as it is not arbitrary or disproportionate to a widely construed notion of a legitimate state objective. This is arguably an incomplete test, since it does not seek to balance the legitimate privacy interests of the married couple with the objectives of the state. The only balancing factors are that such laws not be arbitrary or disproportional. These tests are however, not related to liberty interests. The US Supreme Court in Griswold v. Connecticut found liberty interests that were violated by state laws that interfered with the use of contraceptives. Had that law been judged on the basis of arbitrariness and disproportionality, the outcome in the case may have been different.

State power has therefore been arguably expanded by limiting the grounds of challenge to arbitrariness and proportionality. It is therefore debatable whether we are better off than earlier, having created clear limits on the right to privacy, without any clear, substantive limits on state power. Only the state seems better off.

Personal Data Protection Bill: Leviathan On Steroids and the End Of Privacy

A logical consequence of treating privacy as an end in itself is the Personal Data Protection Bill proposed by the Justice Srikrishna Committee. Because the Bill treats data protection as an end in itself, it focuses only on the protection of data rather than the protection of interests that would be harmed by the unscrupulous use of data. The Bill casts a wide net, and in the process proposes the creation of arguably the most powerful and draconian state regulator India may ever see.

First, the lack of clarity of underlying values - the purview of the Bill extends to all data (in electronic form or otherwise). "Processing" of data is defined to include "collection" of data as well. So, the kirana store down the street that provides credit to customers for buying groceries on the basis of their previous repayments, a record of which it maintains in physical registers, would be subject to state supervision for its data management practices. The Bill mercifully provides some small exemptions for such "small entities" in Section 48 for manual processing, but they still have to comply with other data protection requirements.

Further, any discussion on specific privacy interests should have to deal with multiple conflicting interests - if individual privacy is important for the sake of, say, protecting individuals from online sexual harassment, a data protection law would have to deal with the tension between the right to access and participate on the internet freely and visibly, with the genuine potential for online abuse and harm. The provisions enabling data processing after consent would have to be tailored for this specific issue. Similarly, in its broad application of data protection requirements to the entire economy, the Bill fails to balance the tension between the conflicting interests of economic growth and data protection.

An example of the possible problems that may arise due to the lack of clarity on the ends of the Bill are the requirements regarding discrimination. The Bill states that "any discriminatory treatment" is a harm, and creates penalties and offences for causing such harm. But, devoid of any grounding of what forms of discrimination are permissible, this becomes an impossible standard to adhere to. Legitimate forms of discrimination such as preferring to lend money to people who pay back on time, over those who do not are essential to society. However, if a prospective borrower is refused a loan based on his or her credit history, this could constitute "harm" under the Bill.

Similarly, if an online matrimonial site shows its user only high net-worth suitors from Bihar based on an analysis of the user's past preferences, such discrimination would be beneficial for the user, but would be construed as discriminatory, unless there is clarity on what the provisions regarding discrimination seek to protect us from. But, since there is no real clarity on such ends, the supposedly safe route the Bill takes is to create a regulator with vague powers and ask it to protect data.

Parts of the Bill have been taken from the EU's General Data Protection Regulation (GDPR). The GDPR however sits on a bedrock of privacy jurisprudence (example) in the EU that goes back decades. We have borrowed the legislation without borrowing the privacy jurisprudence and the overall institutional ecosystem within which the GDPR operates. When the Bill is enacted, it will be interpreted and implemented without the underlying benefit of this jurisprudence. There will therefore be substantially less guidance for the proposed Data Protection Authority (DPA), and fewer checks on how it will interpret its powers.

Second, the claim that the DPA proposed by the Bill is a Leviathan on steroids is not a light one. One look at the definitions of "data" and "processing" confirms the wide scope of the law. In Section 60, the first function of the DPA is an ambiguous "monitoring and enforcing application of the provisions of this Act". In Indian state parlance this translates to: Use state coercion to solve every real or imagined problem provided you have the resources to do so. Even if the DPA were to construe such language strictly, it would have to intrude into almost all systems of data collection, storage and processing within the country to perform this function effectively. In the name of protecting data, it would necessarily have to supervise all data.

If for example, the DPA is to monitor compliance with the codes of conduct it is required to write for data processing, it will have to monitor the way in which data processors implement such codes with respect to their consumers. This will have to be done an economy-wide scale. One may argue that this can be done through less intrusive methods, but that is missing the point. The substantive power is there, and the powerful choice of how to regulate remains with the state. We shall remain at the mercy of liberal men, not liberal laws.

This broad jurisdiction is almost unprecedented for India. This is a huge departure from sector-specific jurisdictions carved out for other state agencies. The Reserve Bank of India can only collect data about banking and some other financial firms. SEBI can only do so with respect to the securities market. TRAI can only collect information about those in the telecommunications industry. The DPA is a regulator of data across sectors and jurisdictions. It will have the power to impose significant compliance costs and penalties on all individuals and enterprises that may collect data, even for purely incidental purposes.

Third, failure to abide by data protection requirements could land persons in jail. The offences under the Bill are proposed to be non-bailable. When combined with vaguely drafted provisions, this would have significant negative effects on society if the law is effectively applied. The Srikrishna committee report does not explain why such draconian punishments are required for the protection of data. Even serious crimes like murder are bailable. The report does not show any evidence to prove that misuse of data is a crime worse than murder.

The net consequence of the Bill, if enacted, would be this - the enactment of arguably the most powerful and intrusive regulatory agency in India, the enactment of draconian offences with great potential for misuse, and a punch in the face of private enterprise. Command and control is back, this time the driving force being the ideology of statism.

Conclusion: Privacy through the state, not from it

The ongoing discourse on privacy, Aadhaar and data protection leaves us with the inescapable role of the state as a mediating entity. In the Aadhaar discourse, the uses of identification will continue to be decided by the state without any clear agreement on what such uses should be. The right to privacy elucidated by the Supreme Court will have to evolve on a case-by-case basis as more state action relevant to privacy emerges. The Personal Data Protection Bill empowers the state to protect our data with broad and vaguely defined powers.

The fight for privacy as a means to protect individual liberty has, in the forms it takes today, led us to a point where state power on the whole, has been arguably strengthened vis-a-vis society. Contradictory to its stated aims, the current outcomes of the privacy debate are predicated on state coercion as a tool for protecting liberty.

It is a grave error to presume that the state will act benignly to uphold liberal values of privacy and autonomy. One reason is that these privacy values have not been sufficiently articulated - the discourse is almost entirely around means and not the specific interests the right to privacy seeks to protect. This can only be done by discussing privacy in specific contexts - if land records are to be made publicly accessible for increased efficiency in land markets, what is a reasonable expectation of privacy in such a context? Or, if the state wishes to build a sex offenders registry, how do privacy interests militate against such a system? As stated earlier, problems of identification systems are downstream of these issues. By not questioning the ends of identification systems like Aadhaar, its detractors are attempting to have their cake and eat it too. Even if Aadhaar is struck down, it is doubtful if privacy interests will be served in the long run.

Second, a liberal state cannot be built in isolation from the larger state apparatus. A state that habitually violates the rule of law and relies on draconian laws cannot be trusted implicitly to uphold liberal values just because the law empowering it is for a seemingly benign purpose. The Right to Education Act, a seemingly benign law, provides everyone the right to free and compulsory education, but does so by seriously constraining the right of private educational providers to actually provide education. This is routine for the Indian state - the pursuit of seemingly liberal objectives through coercive mechanisms. A state that routinely treats dissenters as traitors, evicts helpless landowners, and uses torture as an investigative tool, cannot reasonably be expected to act liberally in the interest of liberal values, especially if it is given draconian powers with vague objectives. It is reasonable to presume that the data protection law will suffer from the same illiberalism that we see in the Indian state.

A lot has been said of the misuse of data by private firms. A reasonably responsive state acts as a bulwark against such misuse. There is no bulwark against the state. If it is determined to take a certain course of action, whether it is the imposition of an emergency or the demonetisation of currency, no system of checks and balances is sufficient. Additionally, in the case of the data protection Bill, there has been no evidence shown by its proponents that the scale of the proposed data protection requirements is in any way commensurate to the dangers posed by private data companies.

Perhaps the greatest threat to individual liberty, autonomy and dignity comes from the fact that state action crowds out non-state action. State regulation operates to the exclusion of self-regulation. If, for example, the State determines the prices of essential commodities, private persons cannot negotiate and agree on the prices of such commodities. Though it has its problems, civic-associational regulation is often capable of much greater nuance and compromise than state regulation. State regulation in contrast, operates largely within binaries - permission versus prohibition, legality versus illegality, all enforced with coercive power behind it.

Those arguing in favour of privacy must avoid resorting to similar binaries. The present discourse rests on absolute moral claims about privacy, where political arguments should be made. Escalating political arguments to moral ones hastens the end of democracy. Since the moral claims of one side are considered odious and abhorrent by the other, no middle ground can be reached because collaboration with the opposition is treasonous in a moral fight. This spells greater danger for the survival of democracy; the only beneficiary is the increasingly-powerful State, and the stakes for capturing power become higher and higher. The impulse to turn to state-centred solutions has to be checked if individual privacy and dignity are to be preserved.

 

The author works with the National Institute of Public Finance and Policy, and is extremely grateful to Suyash Rai and Vasudha Reddy for discussions and inputs.