The Problem with India’s Personal Data Protection Bill, 2018

The Supreme Court, as it has done so often in the recent past, broke new ground by passing its decision that the right to privacy is a fundamental right on 24 August, 2017[1]. By doing so, it became clear that the global agitation against the misuse and abuse of personal data did not leave India untouched. The Puttaswamy judgment was celebrated in the growing circle of privacy enthusiasts, whose fears of unbridled surveillance and paranoia towards a 1984-esque future had lingered on their minds. Unfortunately for them, the judgment was not followed by the kind of urgent, decisive action that legislation must adopt while dealing with technology. As of now, retired SC Justice B.N. Srikrishna’s Personal Data Protection Bill, 2018 remains just that – a bill.

It is not hard to make arguments for the exponential growth of technology. In a span of just over ten years, computing has gone from servers in backrooms to pockets in classrooms. In the same vein, it is not easy to make excuses for lawmakers. In about the same amount of time, our Information Technology Act has seen one amendment (in 2008). This amendment penalised the sending of “offensive messages”, gave authorities the power to intercept / monitor / decrypt any information through any computer resource, and was passed by the Rajya Sabha the day after the Lok Sabha passed it with no debates whatsoever.

One could argue that the 2008 amendment has caused more problems than it has solved, and would likely face a similar amount of debate.

The Personal Data Protection Bill, 2018, however, was received with much fanfare. It was incumbent upon lawmakers to formulate new regulations governing the methods used by companies and authorities that control or process personal data (under the GDPR, data controllers and processors; under the Bill, data fiduciaries). In this regard, it spoke volumes that the Bill was prepared and proposed at all. The world’s need for uniform, enforceable legislation on the collection, use and transfer of data was acknowledged, and India’s need to keep pace with the global community seemed to be satisfied.

However, critics raised concerns with the lacunae in the Bill, including the broad limitations of privacy for matters of national security, the lack of an independent enforcement authority, no transparent mechanisms for safe data transfers to other countries, no apparatus for public consultation mandates, and more. One of the faults that the political, legal and privacy communities were quick to collectively point out was the immunity of Aadhaar to the Puttaswamy judgment, and by extension, the Bill, which makes exemptions in the name of “security of state” and “exercise of state functions”, and doesn’t make any attempts to bring about true surveillance reform.

In the ideal scenario, the Bill would seek to prevent any unwanted and unwarranted surveillance of India’s citizens. It would help people monitor their online profiles, prevent non-consensual data transfers, allow them to edit and delete what they choose, and keep them safe from the kind of abuse that often springs from uncontrolled corporate opportunity. However, the dilution of the rights of the citizen under the Bill becomes prominent when held against the standard set by the European Union’s GDPR. One of the most interesting assessments of the Bill came from accessnow.org, which prepared a report on what the Indian Bill could learn from Europe’s experience with the GDPR[2].

Some other issues are likely to raise problems in implementation and enforcement:

Power to try violators criminally

The Data Protection Authority, or DPA, which is the national-level authority under the Bill, has the power to arrest and detain persons in breach of the Bill without the approval of any Court.

The discretion to report breaches

The obligation of data fiduciaries to report a breach only if, in the fiduciary’s own opinion, the breach is likely to cause harm to a data principal (i.e. an individual) does not inspire confidence in the privacy-wary individual. Though the provision is intended to reduce the burden on the DPA, it represents a conflict of interest: the party in breach is required to assess the significance of its own breach. The interest of data fiduciaries in downplaying the faults in their privacy regimes is quite obvious.

State’s exemption to requirement of consent

Consent is not required where the State seeks to provide benefits or services. Under the Justice Srikrishna Committee’s Report[3], this exemption was proposed to be limited to those government bodies performing functions directly related to the provision of welfare benefits or to regulatory functions. In contrast, the Bill grants this exemption for all services of the State, and for any function of Parliament or a state legislature. The open-ended interpretations that can be arrived at with a minimal amount of imagination, especially if the State were to become so inclined, are worrisome.

In fact, the Bill exempts certain data processing activities, for which the individual will not have the rights otherwise available under the Bill, including processing for national security; the prevention, detection, investigation and prosecution of contraventions of a law; legal proceedings; personal use; and journalistic use. Though these broad exemptions are subject to processing in a fair and reasonable manner and to appropriate security safeguards, they leave open the potential to subvert the intention of the Bill.

Copies of personal data to be stored within India

The Bill requires data fiduciaries to store a copy of personal data within the country, to make it accessible to law enforcement. This ‘serving copy’ of personal data is not well defined. Neither are the benefits of this requirement made clear. Notably, this is not a requirement in either the GDPR or the data privacy regulations of other nations. Certain categories of personal data (“critical personal data”) can only be processed on servers located in India.

The right to (request to) be forgotten

The right to be forgotten is left to the discretion of the DPA, to whom a written request must be made; an Adjudicating Officer then determines whether the rights of any other citizen would be violated should the request be granted. Though decisions on fundamental rights are usually left to the Courts, the Adjudicating Officer may be an expert in a particular field and not necessarily a legal expert.

Variations from international precedents

Other variations made by the Bill include the inclusion of financial data and passwords in the category of sensitive personal data, the requirement to get cross-border data transfers approved by the DPA, the discretion of the DPA in reporting breaches to concerned individuals, and the criminal penalty for breaches.

If the intention of the Bill is to make it easier for data fiduciaries to handle personal data, then one could say that the Bill has met the mark. Though data fiduciaries must now maintain copies of personal data in India, and go through an unclear process for cross-border data transfers, the essential requirement to report data breaches has been diluted, and left to interpretation and convenience. If the intention of the Bill is to protect the privacy of individuals, the Bill has missed the mark, though not by much. With productive parliamentary debates, public consultation, appropriate reactions to constructive criticism, and further course correction to meet global standards, the privacy of India’s citizens can be safeguarded.

[1] Justice K.S. Puttaswamy (Retd.) v. Union of India, 24 August 2017

[2] https://www.accessnow.org/cms/assets/uploads/2018/09/Assessing-India%E2%80%99s-proposed-data-protection-framework-final.pdf

[3] https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf

Authored by Koustubh Athavale, Associate, Legasis Partners