The story so far : The Joint Parliamentary Committee (JPC) constituted to examine India’s proposed data protection law, the Personal Data Protection Bill, 2019 , released its report on Monday. It contains a number of suggestions that could strengthen the final law, among others, a recognition that promotion of the digital economy cannot take precedence over the protection of citizen rights. However, it fails significantly when dealing with a critical issue – that of protecting individuals vis-à-vis the State.
What is the State exempt from?
The State is one of the biggest processors of data, and has a unique ability to impact the lives of individuals, not least due to its monopoly over coercive powers as well as its obligation to provide welfare and services. However, as demonstrated by the Pegasus case or indeed the instances of privacy violations concerning COVID-19-related interventions, the current frameworks for protecting citizens from arbitrary and intrusive State action lack robustness.
For instance, Section 35 of the Bill, permits the Central Government to exempt any agency of the Government from the provisions of the law, if it is satisfied that it is necessary or expedient to do so, subject to procedures, safeguards, and oversight mechanisms to be prescribed by the Government. This is a very wide power that enhances the significant asymmetry in the relationship between the citizen and the State.
In comments to the JPC, co-authored by Vrinda Bhandari, Smriti Parsheera, Faiza Rahman and myself, we point to numerous problems with the provision.
Why is it problematic?
First, the use of this provision on grounds of expediency is an extremely low bar for the Government to meet. Second, there is no requirement for an exemption order to be proportionate to meeting a particular State function. Third, there is no scope for oversight over the executive’s decision to issue such an order or any safeguards prescribed for this process. The provision also lacks any oversight mechanism or periodic review of the need for and scope of such an exemption. Fourth, there does not appear to be sufficient reason for government agencies to be exempted in toto from basic provisions of the Bill such as the need to put in place data retention norms, appoint data protection officers, or ensure security safeguards, etc. This is particularly relevant when one considers that not all processing by law enforcement entities need directly concern their law enforcement functions.
What are the best practices followed in the world?
The JPC recognises that balancing privacy interests with those of public needs (such as that of State security) is difficult. However, it falls short of engaging with international precedents. For instance, the JPC notes that the European GDPR (General Data Protection Regulation), commonly seen as the pinnacle of data protection regulation worldwide, exempts from its ambit certain types of processing carried out in public interest (such as for law enforcement purposes). It, however, ignores the fact that first, EU law typically does not engage with issues concerning national security (implying that armed forces and intelligence agencies are usually not regulated by EU law), and second, that the EU has in place a separate law (Directive 2016/680) that deals with the processing of personal data by law enforcement agencies. Accordingly, countries do put in place regulations concerning processing of personal data by law enforcement agencies. For example, the U.K.’s Data Protection Act dedicates Part 3 to dealing with law enforcement processing and in this context, liberalises certain obligations while at the same time ensuring that data protection rights are also protected.
What are the other exemptions granted to the state?
As noted in our comments to the JPC referred to previously, Section 12 permits non-consensual processing by the “state” in various circumstances. However, the term “state” is of extremely wide import. It has been interpreted by courts to encompass a range of state entities such as state electricity boards, research and educational institutions and statutory corporations such as the LIC. This implies that a host of entities will be permitted to exercise the option of non-consensual processing in a range of circumstances (where providing a “service or benefit” or engaged in a “function of the state”). This not only threatens privacy rights of individuals, but also creates different regimes for private and public sector entities providing similar services (such as related to education and health).
Similarly, Section 36(a) of the Bill provides for an exception in situations where personal data is being processed in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of any law. However, the provision is not restricted in its application only to law enforcement entities. This implies, for example, that any private entity could set up CCTV cameras in a public place under the guise of preventing any criminal activities. The provision could therefore encourage vigilantism or enable privatised surveillance.
As with Section 35, this section too lacks any mention of oversight or proportionality.
What lies ahead in Parliament?
While the JPC did solicit comments from the public, academia and civil society were largely excluded from committee hearings.
However, a number of Opposition MPs have submitted dissent notes to the report highlighting these lacunae (amongst others). The Bill now will be debated in Parliament, where one can only hope that adequate time and attention is given to finding a better balance between competing interests.
Rishab Bailey is a technology policy researcher at the National Institute of Public Finance and Policy, New Delhi.