Personal data bill and dissent

As another Parliament session gets underway, we are still some steps away from a data protection law. The Joint Parliamentary Committee led first by Meenakshi Lekhi and subsequently by P P Chaudhary, is reportedly set to seek time until the last week of the session to submit its final report. Given the scant regard for the need for parliamentary debate and deliberations that several bills have seen, it is yet possible that the Bill may be passed in this session. However, as of now, it looks increasingly unlikely.

In a country where the government’s flagship governance project is Digital India, which places its digital identification scheme, Aadhaar, at the centre of its welfare strategy, and which has seen an increased focus on data-driven business models in the last decade, the continued absence of a data protection law while we flirt with crypto-currency legislation, and venture into unchartered regulatory waters in limiting safe harbour, is perhaps emblematic of the curious mix of over and under regulation that plagues Indian digital policymaking.

Also read: Mukesh Ambani backs data privacy, cryptocurrency bills

As we move another step closer to a data protection law, let us quickly recap its history. The process towards the latest version of the data protection law began in 2017. During the Supreme Court hearings in the referral matter before the constitution bench to clear the judicial uncertainty around the existence of the right to privacy in K S Puttaswamy and Anr v Union of India and Ors 2017 (the Puttaswamy judgement), the Government of India announced the setting up of an expert committee to frame India’s data protection law. The Ministry of Electronics and Information Technology (MeitY) formed a 10-member committee led by retired Supreme Court judge B N Srikrishna. This was not the first exercise towards the creation of India’s data protection law.

In fact, over the last decade, there have been other such efforts and bills. In 2012, Justice A P Shah had led another committee of experts and provided detailed recommendations towards the creation of a data protection regulation (Agarwal 2017). Before the MeitY, the Department of Personnel and Training had been the nodal authority working on a privacy legislation, and there were at least two different drafts, one from 2011 and another from 2014 that were produced. The Srikrishna Committee submitted a draft of the Personal Data Protection Bill, 2018 to the MeitY, along with a report titled “A Free and Fair Digital Economy” (Srikrishna Committee). In August, MeitY invited public comments on the bill. Even though there were reportedly over 600 submissions, the MeitY refused to make these public. Once the bill was referred to the Joint Parliamentary Committee in early 2020, we have heard talk of it being tabled in every subsequent session before being postponed to the next one.

The original draft bill prepared by the Srikrishna Committee had several issues. Three years down the line, there has been public discourse which have highlighted these issues and ample opportunity to remedy them. However, it seems that every subsequent version of the Bill has been only more problematic. For instance, under Clause 13, personal data of individuals can be processed “for the exercise of any function of the State”. This can be done without the consent of the individual as long as it is to provide a service or benefit to the individual. This is a matter of concern especially for two reasons. The Indian State now collects a humongous amount of personal data. This provision effectively means that for most interactions between the State and the citizen, there is no requirement for the State to obtain consent of citizens to process their data. Second, this runs directly counter to the articulation of informed consent as central to informational privacy in the Puttaswamy judgement.

Also read: Changes needed to ensure robust privacy law

Similarly, other grounds of processing, such as ‘purpose related to employment’, are poorly worded and provide employers an unhealthy degree of discretion on how they can deal with their employees’ data. These problems have only become more amplified in the light of increased focus on digital governance and welfare delivery after the Covid-19 pandemic started, and the various healthcare governance steps taken.

One of the foremost privacy issues that India has been grappling with, most recently highlighted by the Pegasus scandal, has been the complete lack of surveillance governance either in the form of legislative oversight or judicial review. Without going into detailed questions of surveillance governance, the PDP Bill identified the globally accepted principles of necessity and proportionality as pre-conditions for any exemptions from data protection obligations for the security of the State and domestic law enforcement activities. These provisions, while far from being perfect, provide a potential window for surveillance reform, either through the data protection authority or through legal proceedings that can be initiated in furtherance of these provisions.

Also read: Data Bill offers blanket exemptions to State, its agents, says Derek O'Brien

With the data protection authority being set up to exercise judicial functions as well, this was an ideal opportunity to bring the oversight of surveillance and interception activities under the data protection authority. However, subsequent versions of the bill have done away even with these limited protections giving the government a veritable carte blanche. The “necessary and proportionate” standard - recognised both in constitutional and international law - was done away with and replaced with the term “necessary and expedient,” which is not a legally recognised standard and gives far greater discretion to the government.

The delays in arriving at a robust data protection law can largely be attributed to a lack of political will in successive governments over the last decade. In recent times, there has been significant pressure from the judiciary as well as other actors, including voices from civil society, to create a strong law. At the same time, there has been greater recognition of privacy as a social and economic good among the general public. It is also clear that the two primary interests of any data protection law - protecting the privacy of the citizens and using citizens’ data for economic gain - sit uneasy with each other, and a failure to meaningfully resolve this conflict has only extended this delay. There is a need to see the privacy of the citizens as the primary end goal of data protection legislation.

(The writer is a lawyer and the Executive Director, Centre for Internet and Society, Bengaluru)