Editor’s Note: This is first of a two-part series on the rebuttals to the supposed misrepresentation of the draft Data Protection Bill, 2018, on social media. In part I, the authors take a look at the fine print pertaining to the Right to Privacy, functions of the State and surveillance reforms.
The Srikrishna Committee’s recommendations on data protection released last week have elicited valuable responses. While some are deserving of closer examination and possible inclusion in the legislative process, others may have missed the point.
Three such concerns are addressed in this article, and each is associated with the broader theme of serving collective interests and processing of personal data by the State.
The right to privacy within a free and fair digital economy
At the outset, concerns have been raised that the report and the proposed bill proceed on misplaced notions regarding the significance of the right to privacy; and consequently places the digital economy on a higher pedestal than individual rights. However, this is not the case.
The opening chapter of the report reveals that the framework derives its normative bedrock from the Puttaswamy judgment, and seeks to insulate citizens from threats to their informational privacy. The Committee’s mandate has stemmed from its terms of reference, which include ‘unlocking the data economy while keeping data of citizens secure and protected.’
It may be premature to view the individual’s right to privacy and the interests of a free and fair digital economy as a reduced binary, necessitating the prioritisation of one over the other. ‘Freedom’ in the digital economy refers to the enhancement of individual autonomy in the flow of personal data. ‘Fairness’ denotes respecting the rights of the data principal in the backdrop of traditional inequality with data fiduciaries. Here, there is no false choice between data protection and economic growth. Protecting the personal data of individuals will promote a free flow of information, leading to economic growth. Framing a binary in this regard would neglect the conception of individual rights as tools for the collective good and the common constitutional objective of autonomy served by both. Thus, the realisation of the Puttaswamy judgment can take place within an equitable free and fair digital economy to empower Indians.
Functions of the State
Privacy advocates have argued that the provision on the processing of personal data for functions of the State sets the bar too low and accords a wide exemption to the State.
However, the proposed law contains exacting safeguards to prevent abuse. First, only bodies meeting the constitutional definition of ‘State’ may rely on this ground. This is intended to create a check on the types of entities authorised to process personal data. A second check is a requirement that such processing activities are necessary to satisfy a legitimate function of the Parliament. Processing is permitted only where it is necessary for the exercise of a function of the State authorised by law. Such functions must also relate to the provision of a service or benefit to the data principal from the State, or the issuance of any certification, license or permit for any action or activity of the data principal by the State. With regard to sensitive personal data, there is heightened protection, by permitting processing only where it is strictly necessary.
Obligations that restrict processing to those purposes necessary to satisfy the functions of the State ensure that privacy harms are minimised. However, it can often be unclear what functions a department of the government has, and which of these functions is being served by a processing activity.
The report thus recommends that an extensive exercise to identify various governmental bodies and to demarcate their specific functions needs to be carried out. Only those bodies performing functions bearing a direct nexus to these activities should proceed under this ground. This has the added advantage of streamlining government functions and rendering them more systematic, by pegging the use of personal data by the State to its predetermined functions.
Finally, the State continues to be subject to various obligations relating to data quality, data storage, security safeguards and notice.
Security of the State and Surveillance Reform
Attention has been drawn to the failure of the proposed law in safeguarding individuals’ personal data from the excessive collection by the State for the purposes of national security.
It is true that the Srikrishna Committee does not create a legal framework for intelligence gathering activities of the State, whether large-scale or targeted. However, the draft law seeks to improve the status quo by requiring the satisfaction of the three-part test set out by the Puttaswamy judgment, i.e. the proposed law permits the processing of personal data for the stated purpose only if it is authorised by a law made by Parliament, and is pursuant to the procedure established by such law. Such processing should be permitted solely if it is found to be necessary and proportionate to achieve the specific intelligence-gathering purpose.
A data protection law will work effectively in tandem with a law regulating surveillance. The security of State provision is intended to be a partial exemption to the data protection law and certain obligations will continue to apply in these situations, such as that processing must take place in a fair and reasonable manner, and that adequate security safeguards like encryption and de-identification must be implemented to protect the integrity of the personal data.
Continuing in this vein, there have been some concerns that the proposed bill is a missed opportunity for suggesting surveillance reform. Hastily creating a conjoined framework may have the effect of legitimising activities currently undertaken by intelligence agencies created by executive orders. In this regard, it may be imprudent to expect a data protection to also moonlight as a surveillance law.
The report has unequivocally recommended that the central government should expeditiously bring in a specific law to address the oversight in intelligence gathering, making provision for both parliamentary oversight and judicial approval. This is in addition to the existing executive review under the Telegraph Act and Rules and the Information Technology Act. The often covert and highly contextual nature of activities around security of the State demand a separate legislation to address systemic problems and blind spots not one mistakenly conflated with data protection.
As in other jurisdictions, surveillance reform in India is entitled to its own due.
The authors are Research Fellows at Vidhi Centre for Legal Policy. They are part of the team which assisted the Justice Srikrishna Committee by providing research and drafting inputs for the Committee Report and the Personal Data Protection Bill, 2018.