Data Protection Bill 2019: A Bill For Data Protection Or A Tool Of Mass Surveillance By Government?

Palak Agrawal

March 8, 2020

In August 2017, the Supreme Court of India in its landmark judgment in Justice K.S Puttaswamy (Retd) vs. Union of India declared the right to privacy as a fundamental right protected under the Indian Constitution.

The nine-judge bench signed an order that declared, ‘The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.’

It is important to note that the judgment stated right to privacy a natural right that subsists as an integral part of the right to life and liberty. It, therefore, protects an individual from the scrutiny of the State in their space, of their movements and over their life choices, food habits and other preferences.

Hence, any action by the State that would result in the violation of the right to privacy is subject to judicial review.

The judgment further clarified that the right to privacy is not absolute and will be subject to reasonable restrictions.

The State is entitled to impose restrictions, however, such restrictions should be in accordance with a law that justifies the privacy encroachment, a legitimate State interest to justify the need, and the means that are adopted are proportional to the objects sought to be fulfilled by the law.

There should be adequate procedural safeguards in the mechanism before the State encroaches an individual’s right to privacy.

Speaking to The Logical Indian, Sidharth Deb, Policy and Parliamentary Counsel at the Internet Freedom Foundation clarified on the need of an independent institution to lay down such procedural safeguards.

‘If the State itself is entrusted to decide when the reasonable restrictions have to be put in, there is a possibility that certain situations would be made to appear in the interest of the nation to get a go-ahead to violate the right to privacy, thereby, misusing the order.’

Sidharth also explained that there are archaic surveillance and interception mechanism in India. The two distinct frameworks, the Indian Telegraph Act, 1885 deal with the interception of calls, and the Information Technology (IT) Act, 2000, which deals with interception of data.

‘The provisions of both laws allow the government to intercept/get access to your communication either through the telephone lines or the digital platforms. What is problematic is that there are no adequate safeguards for such surveillance,’ he said.

He also added that the government agencies entrusted with the task of interception during such a situation do not stem from legislation, i.e. they lack an actual legal basis.

Sidharth asserted that the privacy laws need a distinguished interception and surveillance reform component.

The Personal Data Bill, 2019 that seeks to regulate the use of individual’s data by the government agencies and private companies, was introduced in the Parliament in December 2019 and has been referred to a joint parliamentary committee for review.

‘The arguments directed towards the law gets interesting once you compare the 2018 draft and the 2019 bill,’ stated Sidharth.

Both the 2019 bill and the 2018 draft lay emphasis on the same concerns: obtaining consent before accessing an individual’s data, penalties for violating the law, setting up a Data Protection Authority (DPA), and storage of most data collected in India within India.

The 2019 bill, however, seeks to empower the government agencies to be exempted from all the provisions of the law citing reasons of national security, which will include access to personal data without consent, investigation, and prosecution of any offense.

Sidharth throws light on Clause 12, Chapter III of the bill, which encapsulates the grounds for the processing of personal data without consent.

‘Clause 12 (a) and (b) states that the State can access and process personal data by the citizens for the performance of any function authorized by law. In another scenario, the government just needs to pass a law to be able to access an individual’s personal data without consent,’ he said.

The government has been granted broad exemptions under such provisions for policy-making and for schemes that would override the basic requirement of obtaining consent from an individual.

Hinting at the provisions contained in Clause 14 (2) of the bill, Sidharth clarified that the law authorizes consent-free access to the personal data for the purposes that included credit scoring and the processing of publicly available personal data.

In simpler terms, the government can attempt to monitor, penetrate and control social media by getting the right to access personal and sensitive data without consent.

‘Since the government is also a data fiduciary, it can legitimately process publicly available personal data about individuals without any meaningful consent. What that allows is a backdoor through which profiling can take place and the government cannot b…

#PoweredByYou We bring you news and stories that are worth your attention! Stories that are relevant, reliable, contextual and unbiased. If you read us, watch us, and like what we do, then show us some love! Good journalism is expensive to produce and we have come this far only with your support. Keep encouraging independent media organisations and independent journalists. We always want to remain answerable to you and not to anyone else.