Decoding the draft data protection law
The Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill has tabled its report in Parliament. The good news is that two years after the JPC was appointed to consider the first draft of the bill, this marks a step forward in the journey of filling a crucial legislative vacuum. The bad news is that the text of the law recommended by the JPC is unable to safeguard people’s privacy, leaving a lot to be desired. The bill still needs further amendments before it can be enacted as a rights respecting law.
The JPC makes significant departures from the positive recommendations made by the Justice Srikrishna-chaired committee, which spearheaded the development of a personal data protection framework in 2018, and the Supreme Court (SC)’s Puttaswamy judgment in 2017, which recognised the right to privacy as a fundamental right under the Constitution. Recently, Justice Srikrishna referred to the draft law as “Orwellian”, owing to the expansive and unchecked powers granted to the State. The JPC’s recommendations don’t address this issue, and in some ways, aggravate it.
The report adds a provision, which would trump any law in force, exempting government agencies from complying with any provision in the data protection bill. The central government can pass an order granting this blanket, unqualified exemption on all-encompassing grounds such as “public order”, with no oversight on the substantive merits of such an order. The report only stipulates that the procedure must be “just, fair, reasonable and proportionate”, which falls short of the necessity and proportionality standard espoused by the SC and international human rights law.
There are other ways in which the government’s powers are enhanced. The previous draft permitted data processing without consent for the performance of two specific State functions: Provision of any service or benefit; and issuance of any certification, license or permit to the data principal. However, the JPC’s draft enables such data processing without consent for a much wider range of State functions by inserting the term “including”, suggesting that the two categories mentioned above are merely indicative.
A crucial element of an effective data protection framework is an independent regulatory authority. The independence of the data protection authority from the executive has been a contentious issue since the first draft of the bill, but the JPC does not recommend the necessary corrections. Certain changes have been made to the selection committee that will appoint the chairperson and members of the Data Protection Authority (DPA). It will include an independent expert and directors of Indian Institutes of Technology, Indian Institutes of Management, nominated by the central government, and the attorney general. All the members of the selection committee, however, either serve at the pleasure of the central government or are nominated by the central government. This creates ample room for government influence and severely undermines the independence of the DPA.
Further, the JPC recommends that the DPA should be bound by the directions of the central government in all cases, and must take the government’s interests into account while framing its policies. These obligations, devoid of necessity and proportionality and beyond what existing Indian laws provide for regarding the relationship between a regulator and the executive, fundamentally undermine the independence of the DPA.
The JPC further expands the ambit of the draft law to include regulation of social media and non-personal data. It presses for social media platforms to be treated as publishers of content, potentially losing their safe harbour protection, which shields them from liability for content posted by third-party users. This recommendation could have a chilling effect on free expression, and it ventures into areas far beyond the mandate of the JPC and the personal data protection bill.
Splitting the focus of the bill between personal and non-personal data also results in dilution of privacy protections, and in a legislation which does not accurately capture the difference between the two categories of data that warrant separate considerations and regulatory treatment.
There is no precedent globally for such a catch-all legislation that governs personal data, non-personal data, and social media — each of these areas requires separate and nuanced consideration, consultation and legislation.
Crucially missing in the JPC’s report is any recommendation on surveillance reform. This is a missed opportunity given that India has long faced demands for an overhaul of its surveillance regime, owing to its incompatibility with human rights. A privacy-oriented data protection regime is hollow if it remains toothless against invasive surveillance guided by centralised power, opaque procedures and absence of oversight.
At present, we have a draft data protection law that undermines privacy; holds the government to a much lower standard of accountability as compared to the private sector; and makes unwarranted advances into areas beyond its mandate, while not sufficiently addressing those within.
Members of Parliament will have their work cut out for them ensuring that the bill is enacted only after further consultation with civil society, and with necessary changes that put privacy and people’s rights where they belong — at the core of our incoming dataprotection regime.
THE DRAFT DATA PROTECTION LAW UNDERMINES PRIVACY; HOLDS THE GOVERNMENT TO A MUCH LOWER STANDARD OF ACCOUNTABILITY; AND MAKES UNWARRANTED ADVANCES INTO AREAS BEYOND ITS MANDATE, WHILE NOT SUFFICIENTLY ADDRESSING THOSE WITHIN