Data Protection Bill 2019: A Bill For Data Protection Or A Tool Of Mass Surveillance By Government?

Image Credits: LiveMint

Data Protection Bill 2019: A Bill For Data Protection Or A Tool Of Mass Surveillance By Government?

"If the State itself is entrusted to decide when the reasonable restrictions have to be put in, there is a possibility that certain situations would be made to appear in the interest of the nation to get a go-ahead to violate the right to privacy, thereby, misusing the order."

  • Whatsapp
  • Telegram
  • Linkedin
  • Print
  • koo
  • Whatsapp
  • Telegram
  • Linkedin
  • Print
  • koo
  • Whatsapp
  • Telegram
  • Linkedin
  • Print
  • koo

In August 2017, the Supreme Court of India in its landmark judgment in Justice K.S Puttaswamy (Retd) vs. Union of India declared the right to privacy as a fundamental right protected under the Indian Constitution.

The nine-judge bench signed an order that declared, "The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution."

It is important to note that the judgment stated right to privacy a natural right that subsists as an integral part of the right to life and liberty. It, therefore, protects an individual from the scrutiny of the State in their space, of their movements and over their life choices, food habits and other preferences.

Hence, any action by the State that would result in the violation of the right to privacy is subject to judicial review.

The judgment further clarified that the right to privacy is not absolute and will be subject to reasonable restrictions.

The State is entitled to impose restrictions, however, such restrictions should be in accordance with a law that justifies the privacy encroachment, a legitimate State interest to justify the need, and the means that are adopted are proportional to the objects sought to be fulfilled by the law.

There should be adequate procedural safeguards in the mechanism before the State encroaches an individual's right to privacy.

Speaking to The Logical Indian, Sidharth Deb, Policy and Parliamentary Counsel at the Internet Freedom Foundation clarified on the need of an independent institution to lay down such procedural safeguards.

"If the State itself is entrusted to decide when the reasonable restrictions have to be put in, there is a possibility that certain situations would be made to appear in the interest of the nation to get a go-ahead to violate the right to privacy, thereby, misusing the order."

Sidharth also explained that there are archaic surveillance and interception mechanism in India. The two distinct frameworks, the Indian Telegraph Act, 1885 deal with the interception of calls, and the Information Technology (IT) Act, 2000, which deals with interception of data.

"The provisions of both laws allow the government to intercept/get access to your communication either through the telephone lines or the digital platforms. What is problematic is that there are no adequate safeguards for such surveillance," he said.

He also added that the government agencies entrusted with the task of interception during such a situation do not stem from legislation, i.e. they lack an actual legal basis.

Sidharth asserted that the privacy laws need a distinguished interception and surveillance reform component.

The Personal Data Bill, 2019 that seeks to regulate the use of individual's data by the government agencies and private companies, was introduced in the Parliament in December 2019 and has been referred to a joint parliamentary committee for review.

"The arguments directed towards the law gets interesting once you compare the 2018 draft and the 2019 bill," stated Sidharth.

Both the 2019 bill and the 2018 draft lay emphasis on the same concerns: obtaining consent before accessing an individual's data, penalties for violating the law, setting up a Data Protection Authority (DPA), and storage of most data collected in India within India.

The 2019 bill, however, seeks to empower the government agencies to be exempted from all the provisions of the law citing reasons of national security, which will include access to personal data without consent, investigation, and prosecution of any offense.

Sidharth throws light on Clause 12, Chapter III of the bill, which encapsulates the grounds for the processing of personal data without consent.

"Clause 12 (a) and (b) states that the State can access and process personal data by the citizens for the performance of any function authorized by law. In another scenario, the government just needs to pass a law to be able to access an individual's personal data without consent," he said.

The government has been granted broad exemptions under such provisions for policy-making and for schemes that would override the basic requirement of obtaining consent from an individual.

Hinting at the provisions contained in Clause 14 (2) of the bill, Sidharth clarified that the law authorizes consent-free access to the personal data for the purposes that included credit scoring and the processing of publicly available personal data.

In simpler terms, the government can attempt to monitor, penetrate and control social media by getting the right to access personal and sensitive data without consent.

"Since the government is also a data fiduciary, it can legitimately process publicly available personal data about individuals without any meaningful consent. What that allows is a backdoor through which profiling can take place and the government cannot be held accountable," exclaimed the Counsel.

It is an important exemption since it can allow public profiling through online behaviors and interactions and can even lead to serious outcomes on preferences, activities and political outlook.

"These explicit carve-outs for personal data in public domain should be removed if the law seeks to meaningfully protect an individual's right to privacy," he said.

He further drove attention to Chapter VIII of the bill that contains the exemptions. Clause 35 of the bill covers the Power of the Central government to exempt any agency of government from the application of Act, which fundamentally cites "national security", the reason for overriding the law.

The power to exempt certain government agencies from the provisions of the law stands strikingly in contrast to the Supreme Court judgment on the right to privacy and the essence of what the 2019 bill stands should stand for, which is to ensure that the citizens have the autonomy on their personal data.

Taking cognizance of the drawback of such wide exemptions being made available to the State, Sidharth said, "This is clearly a privacy violation, a particularly concerning the provision in the bill and it requires remedy."

Clause 36 of the bill, further, exempts the State in deriving informed consent for investigation purposes.

On the list of complicated provisions, Clause 38 of the bill covers exemptions that allow processing of personal data is necessary for research, archiving, or statistical purposes, which can possibly be linked to exercises of National Population Register (NRC) and National Register of Citizens (NRC).

Clause 91 of the Bill empowers the government to direct any private entity to provide them with any personal data anonymized or other non-personal data for framing of any policy for the digital economy, which includes security, integrity, and prevention of crime.

"It is significant to understand at this point of time that there are no defined standards for what would constitute anonymized data or non-personal data. Both the 2018 draft and 2019 bill, which are supposed to conform to protecting the citizens' right to informational privacy, are somehow being compromised with issues of national integrity and security, muddling the law," informed Sidharth.

Sidharth reiterated that the right to privacy should be the central objective of a Personal Data Protection Bill. The issues of economic growth and security should be secondary to this Bill.

Another controversial provision, Clause 28 (3) and (4) relates to social media and states that any user shall voluntarily verify his account. This verification, however, is in such a manner as may be prescribed.

"This could create a scenario where social media companies would ask its users to verify their accounts using identification documents may be, with passport records, voter id, or aadhar and that is arguably in contrast to the laws of privacy," he explained.

Reiterating the need for an independent institution to monitor the existing surveillance mechanism of the government, Devdutta Mukhopadhyay, Associate Counsel (Litigation) at Internet Freedom Foundation said, " There is no independent judicial body that determines what kind of surveillance activity is being carried out and if the surveillance is actually necessary."

"Clause 35 of the Personal Data Protection Bill 2019 makes the existing situation worse by allowing the central government to exempt any agency from data protection obligations. Three main problems with this provision are:

• It does not limit its scope to situations where such exemption is "necessary" and "proportionate."

• Even while conducting surveillance, the government must adhere to minimum data protection obligations like adherence to security standards and preservation of the quality and integrity of data.

• Any exemption for government surveillance must be granted on a case-by-case basis after proper scrutiny by an independent body," Devdutta clarified.

Justice Srikrishna, the architect of the 2018 draft bill reportedly said that the bill in its current form can be 'deemed constitutionally invalid', as it does not adhere to the Supreme Court's 2017 judgment on the Right to Privacy.

Therefore, it can be said that the current bill is not faithful to the Supreme Court's Right to Privacy judgment. A data protection bill cannot be guided by parameters of the nation's economic interest or integrity.

A 2019 Report from the Ministry of Electronics and Information Technology, in partnership with McKinsey, stated that India could create over $1 trillion of economic value from the digital economy in 2025, which makes data a valuable asset, and data protection of the citizens without any compromise, the need of the hour.

With the support of Internet Freedom Foundation, The Logical Indian is running a campaign to make people aware of the Data Protection Bill and then fix it. Through #SaveOurPrivacy initiative we are taking our voice to a Joint Committee of Parliament that is, at present, considering and taking inputs. By clicking on the pledge you sign on to the campaign and bring a change.

Also Read: What Happens When Personal Data Protection Bill Becomes A Law?

Contributors Suggest Correction
Editor : Prateek Gautam
By : Palak Agrawal

Must Reads