Mridul Pateriya, GNLU
Shikhar Nigam, GNLU
The right to privacy has consistently remained a contentious subject for all walks of life, whether individuals, states or legal entities. It is recognised as an inalienable human right in international jurisprudence: the UNHRC, in its General Comment 16 of 1988, recognised it as a basic human right, deriving that conclusion from Article 17 of the ICCPR. On 29 June 2020, the Government of India (Information and Technology Ministry) barred the use of 59 Chinese applications, citing concerns regarding the sovereignty and integrity of India, and on 27 July 2020 it barred a further 47 Chinese applications. These bans necessitate a review of the existing and proposed Indian data protection statutory framework, to see whether the proposed framework will be able to withstand technological challenges in the long run.
Existing Indian Jurisprudence on data privacy
Though India’s jurisprudence goes back several decades, it was focused only on minimising harms from privacy violations. It was in Justice K.S. Puttaswamy v. Union of India that the apex court held that the Right to Privacy is an inherent part of the Right to Life as enshrined in the Indian Constitution. The judgment laid down a test which holds that the Right to Privacy cannot be impinged without a just, fair and reasonable law; such a law has to fulfil the test of proportionality, i.e. (i) existence of a law; (ii) it must serve a legitimate state aim; and (iii) proportionality.
Afterwards, the government convened a Committee chaired by Justice (retired) B.N. Srikrishna, which published a report and a Draft Personal Data Protection Bill 2018, on which the Personal Data Protection Bill 2019 is largely based. The Draft Bill 2018 provides better checks and balances to prevent any future abuse of the law, which is not the case with the 2019 Bill, which appears biased towards the executive. The Justice Puttaswamy judgment further resulted in amendment of the Information Technology Act to counter challenges in cyber-crime, and two important provisions, Sections 43A and 72A, were introduced.
Pursuant to Section 43A, where a corporate body that possesses or handles any Sensitive Personal Data or Information in a computer resource that it owns or operates is negligent in implementing and maintaining reasonable security, and thereby causes wrongful loss or wrongful gain to any person, that body shall be liable to pay damages as compensation to the person concerned. Section 72A extends the scope of Section 72 to the disclosure of a person’s personal information without consent while providing services under a lawful contract, and not merely to the disclosure of information obtained by virtue of powers granted under the Information and Technology Act.
The Indian Government’s ban on Chinese applications seems more of a damage control measure than a preventive action, as in the present stage of globalisation one cannot truly boycott a country. The Information and Technology Act does have an established framework for data protection, but it lacks an enforcement mechanism, as there is no actual statutory regulator in the form of a Data Protection Authority of India (DPAI) that can properly address data protection issues in their infancy instead of containing them once they are blown out of proportion. It is intriguing to note that India does have regulators such as the Competition Commission of India to enforce competition law and the Insolvency and Bankruptcy Board to enforce the IBC 2016, but has no such regulator when it comes to data protection. Here comes the Personal Data Protection Bill 2019, which intends to fill such lacunas.
WAY FORWARD: Personal Data Protection Bill 2019
General Obligation under the Bill
Free consent is the bulwark of this bill: it provides that data can only be processed on the basis of free, specific and removable consent, and that any data processed without such consent would constitute a violation. To that end, a notice has to be provided to the principal that explicitly sets out a brief background of the purposes and methodology of data collection. This increased compliance burden on enterprises is likely to hinder ease of doing business. A reprieve of sorts is provided: if personal data is processed in a fair and reasonable manner with proper regard to the privacy of the individual, multiple consent notices will not be required. The bill limits the use and collection of data to lawful purposes only, i.e. the purpose for which it was intended and what can reasonably be inferred from it. Furthermore, there is an obligation on the data fiduciary to take steps to preserve data in an accurate and updated form, and to ensure that it is neither misleading nor stored beyond the necessary period.
The bill further classifies data into three categories for the purposes of data localisation, amid the growing number of data theft and mass surveillance cases: personal data, sensitive personal data and critical personal data. Personal data may be freely transferred; sensitive personal data may only be transferred for processing purposes, must be stored in India, and requires explicit consent from the Principal and the Central Government; and critical personal data may only be transferred on limited grounds, such as health services or emergency services, with the prior permission of the Federal Government.
Pursuant to the Bill, the central government has the power to exempt any government agency from the consent requirement if it is necessary for the security of the state or public order, subject to the safeguards prescribed. Moreover, isolated exemptions are given for the prevention or prosecution of an offence, in pursuance of legal proceedings, or if required for research, statistical or journalistic purposes. Small entities (as specified by the DPAI) which engage in manual processing are additionally provided with a partial exemption from conforming to the provisions of the bill. A potential drawback of this bill is the inherent ambiguity of the terms public order, security of the state, and sovereignty and integrity of India, which are left open to interpretation and can justify mass surveillance that the state could not otherwise justify under the current statutory framework.
Data Protection Authority of India
The ban on Chinese applications by the government is an act of last resort; what the government needs to ponder is how, in the near future, such drastic measures can be avoided by solving problems at their beginning. The consent requirement exists even in the existing framework. What makes this bill unique is the presence of a statutory regulator in the form of the DPAI, which can effectively enforce the mandate; this is lacking in the present framework.
The bill intends to constitute an authority which will look after the enforcement of the mandate set out in the bill. The authority shall be composed of a chairperson and six members (appointed for a term of five years, without re-election), on the recommendation of a selection committee composed of the Secretary of the Cabinet and the Secretaries of the legal, electronic, information and technology departments. The independence of the authority may be undermined, as the selection committee is composed solely of Union Executive members, in contrast to a proposed selection committee composed of the Chief Justice of India (CJI), the Cabinet Secretary and one domain expert nominated by the CJI in consultation with the Cabinet Secretary. Moreover, the DPAI can hold enquiries and order searches and seizures, as it possesses all the powers of a civil court. Once an order is delivered by the DPAI, it can be challenged before the Appellate Tribunal.
Penalties, compensation and punishment
According to the bill, whenever a fiduciary contravenes any of the provisions of the Bill, the fiduciary will be penalised, and further failure will result in more punishment. Compensation provided to the victim will not interfere with any other award of indemnification, penalty or appropriate punishment under any other law. A person allegedly caught violating the provisions can be imprisoned for up to 3 years with a punitive fine. Moreover, cognisable offences are non-bailable, but cognisance can only be granted by the DPAI. The tabled Bill oversimplifies the penal provisions, whereas the committee headed by Justice (retired) B.N. Srikrishna recommended various forms of penal provisions, with different quantums of punishment for obtaining, transferring or selling personal data as distinct from sensitive personal data, and separate quantums for re-identification and processing of de-identified personal data.
Though this bill addresses the Justice Puttaswamy judgment’s requirements of the existence of a law and the need for a legitimate state aim, it has the potential to fall short when it comes to proportionality, as some lacunas can be exploited by the state to justify acts which otherwise cannot be justified. For instance, the lack of independent members in the selection committee has the potential to undermine the regulator’s integrity; it can be cured by reverting to the composition suggested by the Srikrishna Committee to make it politically autonomous.
Furthermore, the Central Government’s power to exempt any government agency may result in abuse of power; it can be cured by limiting the exemption power on the basis of the principles of necessity and proportionality. Though the bill provides for an authority with regulation-making power, it fails to provide proper consultation mechanisms with stakeholders (like industrial guilds, associations and other concerned statutory regulators). Oversimplification of penal punishment can take away the deterrence factor; to counter this, different quantums of punishment for the various forms of breach should be provided. These are some of the suggested changes to make this bill as unambiguous as possible, and they will undoubtedly provide better enforcement.
Mridul Pateriya and Shikhar Nigam are students at Gujarat National Law University, Gandhinagar.