Will India's new data protection law serve as a government surveillance tool?
A bill that ostensibly sets out to mirror Europe's GDPR regime has drawn criticism over the powers it grants central government, reports Abhinav Mathur
With the advent of digitisation, it has become increasingly important to safeguard citizens’ privacy, particularly regarding third-party access to data.
India’s Supreme Court in the matter of K. S. Puttaswamy vs. UOI, (2017) 10 SCC 1, held a citizen's right to privacy as a fundamental right under Article 21 of the Constitution of India. The Personal Data Protection Bill 2019, which was introduced in parliament on 11 December 2019, sets out to align India's data protection regime with the EU’s General Data Protection Regulation, by protecting citizens' data as well as the cross border flow of data. It also creates a Data Protection Authority (DPA), which is entrusted with regulating the interests of individuals pertaining to data protection.
The bill has, however, drawn criticism over the intervention powers it gives India’s central government and the exemptions granted to it. There has been a particular focus on clauses 12 and 35 of the bill, with civil rights groups claiming that they give central government overreaching powers to impede the protection of citizens’ data that undermine the fundamental right to privacy under Article 21 of the India's constitution.
The power of the central government to process individuals’ personal data without their consent is outlined in clause 12 of the bill. This allows the government to process personal data for the provision of any service or benefit provided by the state to the data principal (individual to whom the data belongs) under any law currently enforced by parliament or by the state legislature and in compliance with any order by India's courts.
Critics of the bill argue these powers to process personal data without consent are too broad, and prone to subjective manipulation by the government.
Clause 14 of the bill provides ancillary grounds for data fiduciaries to process individuals’ data without their consent for reasonable purposes, notably the public interest. Fiduciaries must also take reasonable steps to obtain consent and consider the effect of the processing activity on the rights of data principals and their reasonable expectations regarding the context of the processing. They must also keep their actions proportionate and reasonable.
Again, this is subject to interpretation, with data fiduciaries able to interpret public interest on a subjective basis; in many instances, what is public interest for a few people may not be public interest for the majority of people.
Clause 35 of the bill renders the central government, or any of its agencies, exempt from the act in circumstances where it is necessary to protect the sovereignty, integrity and security of the Indian state. This effectively removes central government from the full scope of the bill, while the other data fiduciaries are committed to honouring their obligations even if it adversely affects the nation.
This has led the bill's critics to claim it will be used by central government as a surveillance tool with the Social & Political Research Foundation arguing that the proportionality principle requiring authorities to balance the means used with their intended aims has been jeopardised.
The exemptions the bill grants the government have been the source of considerable controversy with commentators arguing that they undermine the adjudicating power of DPA, which has been established in order to formulate a code of practice compliant with the interests of the data principal, transparency and the obligations of the data fiduciary.
It is headed by a chairperson and composed of six members who are appointed by central government following recommendations made by a selection committee. However, the selection committee is comprised primarily of civil servants, who include the cabinet secretary. This combined with the government's powers to appoint and remove members of the committee has led to fears of bias.
Clause 86 of the bill also requires the central government to issue periodic data protection directions which are binding on the DPA in the ‘interest of sovereignty and integrity of India, security of the state and friendly relations with foreign states or public order’. While the DPA is entitled to express its views, the central government ultimately has the final say. This serves to reflect the ultimate power held by India’s central government.
While the sentiment behind the formation of the bill was undoubtedly positive, its critics argue that it falls well short of its its stated ambitions due to the exemptions it grants the government and the discretionary powers it gives it to form policy, impose additional requirements and exercise control over the operation of the DPA.
Much of the criticism would have been headed off it the DPA had been granted greater autonomy in order to ensure a system of checks and balances on the wide-ranging powers of the central government. Involvement of judicial members in the DPA would also have undoubtedly strengthened the trust of stakeholders.
Ultimately, there is a strong case to be made that the overarching power afforded to the government by the bill defies the jurisprudence of proportionality and the rigours of competing interest as outlined by the Apex Court in the K. S. Puttaswamy (supra) case.
There is no doubt India is going to benefit economically from the digital world in the future. This affirms data’s status as a valuable asset which must be protected in all circumstances.
Abhinav Mathur is a senior associate at Chir Amrit Legal