Among all the ongoing debates around the Personal Data Protection Bill, 2019, the most contentious issue that Parliament will engage on, with the Joint Parliamentary Committee (JPC) submitting its report on the Bill in the Rajya Sabha, will be that of exempting the state’s processing of personal data from various provisions of the Bill.
In the Indian context, the tug of war between privacy, in its various forms, on the one hand, and state, on the other, is one that long precedes the current Bill. However, the current debates in the context of the Bill gain significance for two reasons. First, unlike previous occasions where deference to state actions stemmed from an uncertainty over the status of the right to privacy, the current conversations on state exemptions are taking place in the context of a definitive establishment of the Right to Privacy as a fundamental right. Second, the Bill provides a rare opportunity to move these conversations from the confines of courts to Parliament, thereby adding democratic heft to the nature and design of state exemptions.
State Exemptions and Concerns in the Bill
Across jurisdictions, it is a well-established principle that states are entitled to exemptions from data protection and privacy laws to discharge certain functions, especially those related to law enforcement. However, what remains contentious is the scope of activities that are exempted, the extent of provisions from which the state functions are exempted and the safeguards that should accompany these exemptions.
This is visible in the differences between the draft submitted by the Justice B.N. Srikrishna Committee in 2018 and the Bill tabled in 2019. While the former was appreciated for safeguarding civil liberties, the latter has come under criticism for derogating from the same. The Bill has three provisions, primarily, that are concerned with state exemptions.
First, Section 12 of the Bill allows for non-consensual processing of personal data by the state where such processing is necessary for provisioning of a service or benefit or for issuance of certifications or permits to the person concerned (data principal). To this extent, it bears similarity to the 2018 draft put forward by the Justice Srikrishna Committee. However, the Bill goes on to add that non-consensual processing would also be allowed for state actions authorised “under any law” made by Parliament or a state legislature, without outlining the purposes such legislation should be aimed towards.
Consent is a central tenet of data protection frameworks in so far as it gives autonomy to the data principal over their personal data. It should not be done away with lightly. As per Puttaswamy, the state’s intrusion into privacy, in this case non-consensual processing, should be necessary and proportionate to achieve a legitimate state aim. However, Section 12 allows for non-consensual processing of data just because it is authorised by law, without considering whether such processing is necessary or proportionate to the aim of the legislation or even providing, indicatively, what such aims should be. In disregarding Puttaswamy, it runs the risk of a constitutional challenge.
The second model of exemptions is more expansive than just non-consensual processing. This is reflected in Section 36 of the Bill. Section 36 exempts, in addition to consent, application of most provisions relating to obligations of data fiduciaries, rights of data principals and transparency and accountability measures, except security measures, if personal data is being processed “in the interests of prevention, detection, investigation of any offence or any other contravention of any law”.
Similar to Section 12, this formulation departs from the 2018 draft by not incorporating the “necessity and proportionality” elements provided therein. It treats all offences and contraventions of law at par and does not consider whether the nature of offence or contravention of law is grave enough to warrant such an intrusion in privacy. For example, investigation and prosecution of non-cognisable offences like criminal defamation do not warrant the same nature of personal data as offences against the state.
The third and most expansive model of exemption is provided for in Section 35 of the Bill. It provides that the central government may exempt the application of all or any of the provisions of the Bill, to an agency, if it is “necessary and expedient” in the interests of or for prevention of an offence relating to “sovereignty and integrity of India, the security of the State, friendly relations with foreign states or public order”.
It is a significant departure from the 2018 draft that allowed for only certain exemptions for processing of personal data on the ground of “security of state” alone. Section 35 is being seen as the government’s attempt to legalise mass surveillance and has been strongly criticised by civil society on several counts.
First, it replaces the test of “proportionality” with the more discretionary approach of “expediency”; second, it includes grounds such as “public order”, which is amenable to much wider interpretation than “security of state”; third, it provides en bloc exemption from the Bill, thereby depriving data principals of even basic protections like those of data security safeguards.
What is the Way Forward
The government does itself disservice by giving itself such wide exemptions. First, by clubbing and exempting personal data processing for various purposes in the same bracket, it attracts opposition even towards categories of personal data processing, such as “security of state”, that genuinely require such exemption. As such, overbroad exemptions dilute the government’s own cause.
Second, it also intensifies opposition towards the Bill. Between Justice Srikrishna terming the current draft a law that can “turn India into an Orwellian state”, dissent notes by as many as seven of the 30 members of the Joint Parliamentary Committee (JPC) and the rest of the JPC throwing its full weight behind the abovementioned provisions, it is clear that the Bill is not set for smooth sailing in Parliament.
In this context, the government can possibly reduce opposition to the Bill, in its current form, by demonstrating that even if not through the Bill, it is serious about regulating personal data that it is processing. One of the ways to do this could be to initiate a parallel process of laying down an internal privacy and data protection framework for law enforcement agencies (LEA) that incorporates elements of “necessity and proportionality”. In the case of LEAs, this could be in the form of a LEA-specific privacy and data protection code that the LEAs would have to adopt with the Ministry of Home Affairs being designated as the nodal authority to monitor its compliance.
While relying solely on internal accountability measures is not the most ideal approach, it would lead to some resolution of the current deadlock between the transparency and accountability measures being demanded by civil society, on the one hand, and the Bill that endows carte blanche powers to the government, on the other. Moreover, the existence of internal mechanisms that fetter discretion and provide for review processes in relation to the exercise of such discretion has helped in upholding the constitutionality of certain provisions, for example Section 69A in Shreya Singhal.
Most importantly, the existence of such a framework would help law enforcement agencies (LEAs) in cultivating and institutionalising some amount of data protection measures while discharging their functions. This would not be a small gain in a country that has only recently recognised the Right to Privacy, with LEAs being its most sheltered sector in relation to privacy enforcement.
To some extent, these practices have been instituted under Rule 419A of the Telegraph Rules, 1951 and the Information Technology Rules, 2009. Both rules provide powers to LEAs to call for information that includes personal data, but both sets of rules also incorporate storage limitation measures by requiring that the LEA should destroy records of intercepted information within six months of collection. In light of this, there seems to be no reason why Sections 35 and 36 of the Bill exempt the application of storage limitation provisions. Such provisions should be carried forward.
They should, at least, be made applicable to LEAs through the proposed data protection and privacy code. The proposed code could also gain from the approach of other jurisdictions, for example, the EU’s Law Enforcement Directive, which exempts law enforcement data processing from the General Data Protection Regulation (GDPR) but still requires member states to regulate such processing separately.
Given the struggles that privacy and data protection law in India has gone through to make the progress it has made thus far, the government can ill afford to be seen as stalling the same by giving itself indefensible exemptions. The Bill, in the present form, is unlikely to be passed easily in Parliament and even if it does, it will be embroiled in extensive constitutional challenges, which would delay its implementation. Therefore, to save its own Bill, the government should regulate its own processing of data, if not through the PDP Bill, then through the initiation of a parallel legal framework.
This is the second in a four-part series on key issues around India’s data policy.
Trishee Goyal is a project fellow at the Centre for Applied Law and Technology Research, Vidhi Centre for Legal Policy. The views expressed in this article are personal and do not represent the stand of this publication.