[This is a guest post by Rahul Nair.]
Since 1991, India has seen a rise in digital technology with a concomitant increase in the modalities of surveillance, which include genetic, biometric, financial, and physical monitoring. Amidst this ever-growing surveillance society that is ably complemented by the exercise of deliberate data penetration of social media, the concept of privacy has gained traction once again, with the need for a robust mechanism to protect it.
A committee of experts headed by Retd. Justice Srikrishna was constituted by the government to develop a consolidated framework for Indian data privacy law. The Committee submitted its report of expert recommendations to the government in 2018, including a draft bill. The 2018 Bill was hardly perfect. Commentators have argued that it granted excessive surveillance and mandated disclosure powers to the State, contrary to international guidelines. The Personal Data Protection Bill, 2019, however, dilutes even the most essential components of the Srikrishna Committee’s Recommendations and significantly regresses privacy rights in India.
Merely two years after the Supreme Court ruled that privacy is a fundamental right, the Personal Data Protection Bill, 2019 was tabled in the Lok Sabha. The tabled Bill purportedly seeks to provide for the protection of the privacy of individuals by, inter alia, establishing a Data Protection Authority of India. Though the Bill appears to formulate a legal framework in the spirit of privacy jurisprudence, a closer look reveals something entirely different.
Wreaking havoc through subtle changes
Section 35 of the Bill, for instance, empowers the Government to grant a carte blanche authorization to any of its agencies to gather personal data, thereby overriding privacy protections and categorically undermining the two main components required to limit an aspiring surveillance state: accountability and transparency. Privacy protections, the Bill states, can be overridden
(i) in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order; or
(ii) for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order
The Srikrishna Committee’s Draft Bill, on the other hand, permitted surveillance only if “authorised pursuant to a law” and “in accordance with the procedure established by such law” if “necessary for, and proportionate to, such interests being achieved.” This was in line with the judgment in K.S. Puttaswamy v Union of India, which emphasised that infringements upon privacy must meet the global constitutional standards of proportionality. The 2019 Bill eliminates these procedural restraints and does away with parliamentary or judicial oversight. Moreover, while the draft Bill provided such an exemption to the Government only in the interests of the security of the State, the current Bill further enhances the scope and boundaries of the broad scheme of power the Government enjoys.
The Government’s sweeping power invokes grave privacy concerns, disregards the procedural and content-based mandate of Article 21 of the Constitution, and strikes at the very root of the interpretive advance made in the Privacy judgment.
Grabbing the ‘not so’ Anonymised Data
As if this were not unconstitutional enough, the Bill allows the Central Government to collect anonymized “personal” or “non-personal data” from data fiduciaries. Neither term is distinguished nor defined in the Bill. This provision is especially alarming in the wake of recent studies, which suggest that no anonymized personal data is protected from re-identification, thus raising a grave concern about confidentiality, privacy, and the ethical use of data. It is hardly a stretch to assume that this Bill, for all practical purposes, might seriously jeopardise the privacy of those individuals who espouse political sentiments that the Government may find unfavourable, thereby giving rise to a retributive form of policy making.
Weakening the Watchman
With regard to the Data Protection Authority of India (DPAI), the contrast between the two Bills could not be more pronounced. While the 2018 Bill explicitly stated that the salaries and allowances of the chairperson and members of the DPAI would not be varied to their disadvantage, the current Bill gives no such guarantees, thereby leaving financial security, which facilitates the independence of such institutions, to the discretion of the Central Government. One might recall that a similar change was undertaken in the RTI (Amendment) Act, 2019 as well. Such an act is bound to make the members of the authority subservient to the demands of the government, however bad they may be, instead of protecting the democratic rights of the citizens for which they are employed in the first place.
Another worrying change is the substitution of the judicial members in the selection committee, which is responsible for the appointment of the chairperson and the members of the DPAI, as was envisioned in the draft Bill, with the Cabinet Secretary, Law Secretary, and Electronics and Information and Technology Secretary, thereby making it impervious to judicial and expert influence. While the US Supreme Court maintains that judicial authorization is required before the operation of certain kinds of domestic surveillance, the current Bill mentions no such prerequisite. The Bill further fails to grapple effectively with executive overreach and does not withstand the scrutiny of the proportionality jurisprudence, i.e., the principle which seeks to safeguard citizens from excessive Government measures.
It wouldn’t be an overstatement to say that this Bill in general, and some of its provisions in particular, take us down a dangerous road towards the legal legitimisation of electronic surveillance. The Bill has a very detrimental effect on data privacy: instead of mitigating privacy concerns, it exacerbates them, and it has veered off from the course that was initially conceptualised. Thus, it is necessary to introduce legal safeguards against such unbridled powers of the executive, which are impeding the effective operation of data privacy and corroding democratic values and the rule of law in the process.
While the government has on various occasions indicated that data protection is a priority, the Bill is a manifest and overwhelming rejection of the idea that there are private digital spaces immune from state intrusion. Instead, the Bill is replete with arbitrary measures that empower the State in direct opposition to the citizen, and in violation of the Right to Privacy Judgment. The present Bill does not enshrine data privacy as a legal right. Instead, it relegates it to a footnote, amenable to every conceivable exception. A right no longer deserves the name if it is a matter of executive convenience.