ADVERTISEMENT

Personal Data Protection Bill Fails To Deliver On The Promise Of Privacy, Experts Say

The data protection bill gives unbridled powers to government, compromises DPA independence and dilutes punishment.

The face of an attendee is reflected in a laptop computer screen and overlaid with code. Photographer: Luke MacGregor/Bloomberg
The face of an attendee is reflected in a laptop computer screen and overlaid with code. Photographer: Luke MacGregor/Bloomberg

(This is the fourth part in the series of BloombergQuint’s coverage on Personal Data Protection Bill, 2019. The first part on obligations proposed for data fiduciaries can be found here, the second on rights of users here, and the third on data localisation provisions, here.)

The right to privacy is a fundamental right and can only be restrained if there exists a law that justifies such encroachment; the restriction serves a legitimate state aim and meets the test of proportionality. In saying so, the Supreme Court had laid down the key principles for a personal data protection regime in its Aadhaar ruling.

After an over two-year-long wait, the Personal Data Protection Bill has finally seen the light of day. Has the government’s version stayed true to the principles laid down by the apex court in its right to privacy judgment and does it adequately protect users’ privacy from state and non-state actors?

Supreme Court Advocate Vrinda Bhandari and Trilegal’s Technology Partner Rahul Matthan shared their views on The Fineprint- BloombergQuint’s weekly show on law and policy.

Opinion
All You Need To Know About The Personal Data Protection Bill

Bill Strays From Privacy Principles?

The Justice Srikrishna committee, tasked to propose specific provisions for a privacy regime, had recognised that the government must get partial exemption from the data protection law for legitimate state interests. But it had suggested certain safeguards so that this power isn’t abused by the government or its agencies.

It had said data processing by the government for the country’s security or for prevention, investigation, prosecution for violating a law must be authorised by a separate law passed either by the Parliament or the State Legislature. The processing itself should be necessary for and proportionate to the purpose for which the data is processed, it had said.

All these safeguards are missing in the 2019 Bill.

This is a complete departure from the Supreme Court’s privacy judgment principles, Bhandari said. Section 35 of the bill allows the government to exclude any of its agencies from the application of the entire law. I think that flies flat in the face of the Puttaswamy judgment, she added.

Bhandari explained that the necessity and proportionality tests are extremely important—what’s the kind of data that the government wants and how much of it? It could be that the government believes that an individual’s call detail records, for instance, are important for security of the state purposes. The proportionality requirement would mean—can the government exempt the application of the Bill and take the call detail records for the last five years or does it have to be for a period in which they think the individual may have committed a crime?

The necessity and proportionality tests are very important in narrowing the exemption to the government. This having gone, the government obviously now wields a much stronger power.
Vrinda Bhandari, Advocate, Supreme Court

The grounds for exemption have expanded as well, and that’s a further cause for worry, Bhandari pointed out.

Justice Srikrishna’s version provided for an exemption to the government only on grounds of security of state. The 2019 Bill extends it to include:

  • Sovereignty and integrity of India.
  • Friendly relations with foreign states.
  • Public order.
  • Preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order.
I think is one of the most problematic elements of the Bill combined with the current surveillance infrastructure—the fact that a lot of our intelligence agencies aren’t regulated by law. A lot of the surveillance projects that have been carried out are not regulated by law.
Vrinda Bhandari, Advocate, Supreme Court

If these provisions continue in the final version, they will be challenged on grounds of being contrary to the apex court’s Puttaswamy (right to privacy) judgment, Bhandari opined.

Matthan agreed, saying if some law enforcement agency chooses to go ahead and undertake disproportionate surveillance, then regardless of the fact that the language of section 35 seems to allow her to do so, the action can be challenged before the courts based on the basis of Puttaswamy judgment. The worry is, he added, by the time a court decides on such a matter, a lot of harm is already done, which is why the safeguards must be built into the law itself.

Opinion
Will The Personal Data Protection Bill Pass The Litmus Test Of Trust?

Offences: Dilution of Criminal Provisions?

The 2019 Bill has considerably narrowed the list of offences compared to the version authored by the Justice Srikrishna committee. Only re-identification and processing of de-identified personal data comes with imprisonment compared to a long list that was proposed by Justice Srikrishna Committee, namely:

  • Obtaining, transferring or selling of personal data.
  • Obtaining, transferring or selling of sensitive personal data.
  • Re-identification and processing of de-identified personal data.

Narrowing the list of offences reduces the effectiveness of the data protection regime, Bhandari said. Further, the 2019 Bill says an offence will be committed only if the violation is done “knowingly” or “intentionally”, whereas the Justice Srikrishna standard added the word “recklessly”, she pointed out.

This is important because it’s very hard to prove knowledge or intent in court. Recklessness is key, especially when you talk about anonymised data. Given the way anonymised data has been treated in this Bill, I think the removal of “recklessness” is very significant and may limit the actual success of the provision during trial.
Vrinda Bhandari, Advocate, Supreme Court

But Matthan viewed the narrowing of offences list as positive.

He said that in a world of big data, and when you’re using artificial intelligence, it’s possible that some algorithms will get something wrong. At the same time, algorithms that could eventually cure cancer might get a lot of things wrong before they cure cancer. So, if you impose criminal penalties on recklessness, you are going to significantly hamper the ability of companies to innovate, he said.

You absolutely must have companies accountable for what they do and I think the law has provisions which make them accountable, but I certainly don’t think that criminalising provisions and criminalising statutes, which deal with data particularly in a world that we are in right now, is helpful in any way.
Rahul Matthan, Partner, Trilegal 

DPA: Independence Compromised?

Every company or authority which is processing personal data must appoint a data protection officer based in India who will be considered as their representative in the country. This entity will be the point person for redressing the grievance of users whose data is being processed. If a complaint isn’t resolved with 30 days, a user can approach the Data Protection Authority to file a complaint.

It’s the provisions relating to appointment, selection, terms of service, among others, of the DPA that’s alarming, experts said.

Justice Srikrishna committee had suggested that a selection committee, comprising of the Chief Justice of India or his nominee, the cabinet secretary and a civil society expert, must recommend members, chairman to be appointed to the DPA. This requirement has been done away with. The selection committee, the 2019 Bill proposes, must include three government officers.

This will affect the independence of the DPA, Bhandari said, adding that 2019 Bill has also removed the provision that the terms and conditions, salary of this authority cannot be varied to their disadvantage during their tenure.

This protection was given in the Justice Srikrishna version. When you see both changes together, combined with the fact that the government is going to be in charge of funding the DPA, you do start to worry about the independence of this authority.
Vrinda Bhandari, Advocate, Supreme Court

This authority wields a lot of power since a criminal complaint can only be filed by it. We’ve seen a similar debate playout in the context of Right To Information Commissioners—the terms and conditions of service are actually hugely important in determining the independence of the authority, she said.

Opinion
How To Sign Up For BloombergQuint Story Notifications