National security at the expense of citizens’ privacy
After two years of deliberation, the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 (JPC) tabled its report this week. The recommendations are accompanied by a revised version of the law, titled “Data Protection Bill, 2021”. The constitutional principle of a data protection law was enunciated in the judgment of Justice KS Puttaswamy of the Supreme Court of India which reaffirmed the fundamental right to privacy. Judge DY Chandrachud said that “the creation of such a regime requires a careful and sensitive balance between individual interests and the legitimate concerns of the state”. There are three clear reasons why the Data Protection Bill 2021 clearly leans in favor of the central government and against the fundamental right to privacy.
The first notable feature of the 2021 data protection bill remains a questionable design choice by which it escapes any supervisory reform provision. The supervisory reform was deliberately omitted by the Justice BN Srikrishna committee which issued the first Personal Data Protection Bill (PDP) in 2018. However, even then he said: “No general law in India currently does not allow non-consensual access to personal data. or the interception of a personal communication ”. Quite simply, what good is a data protection law if it does not regulate mass surveillance projects like the Crime and Crime Network and Tracking Systems (CCTNS), Central Surveillance System (CMS) or the national intelligence grid (NatGrid)? Not only does this not improve Judge BN Srikrishna’s bill, but the Data Protection Bill, 2021 makes it worse. It inserts the phrase “to ensure the interest and security of the State” in its long title. Therefore, a data protection law that one seeks to legislate to protect the privacy of individuals now has state security as one of its primary objectives.
The second point of concern arises from the power of the central government to exempt departments from the application of the 2021 Data Protection Bill, as contained in Article 35. This provision, originally proposed by the Srikrishna committee , has experienced considerable dilution. The exemption clause of the 2018 Data Protection Bill was originally linked to the conditions of legality, necessity and proportionality. This was diluted when the 2019 Data Protection Bill was introduced to Parliament to meet the conditions of ‘necessity’ and ‘expediency’, leading Judge Srikrishna to call this exemption a ‘dangerous trend’, potentially leading to an “Orwellian state”.
Instead of rectifying this provision, the 2021 Data Protection Bill cemented it. First, it adds a non-obstinacy clause, giving this provision primacy over any other law. Second, it stipulates that the procedure to be followed by the government agency must be fair, equitable, reasonable and proportionate. However, this change only applies to the “procedure” and not to the substantive standards for invoking the exemption by the government. In other words, the government does not need to establish that the exemption from the entirety of the proposed data protection law is necessary or proportionate to the achievement of its national security or orderly interest. public.
There is no doubt that data protection rights may not apply in their entirety when it comes to national security concerns. However, such exceptions, being in the nature of an “exception to the rule”, must be limited and precise. For example, under the UK Data Protection Act 2018, the national security exemption does not extend to the entire law; requires a certificate to be signed by the Minister of the Crown; and can be challenged by the person concerned in court.
In contrast, in India, even the reasons for granting the exemption do not have to be tabled in Parliament. In fact, the order invoking the exemption is not an official notification and will likely be exempt from the RTI procedure. Thus, the government can, without any oversight, exempt its own departments or ministries from the application of the data protection law in perpetuity.
The third and final part of the 2021 data protection bill concerns the Data Protection Authority, which is responsible for ensuring compliance with the law. Judge BN Srikrishna’s panel proposed a nomination committee made up of judicial members, chaired by the Indian chief justice, to choose the members of the Data Protection Authority. This was watered down in 2019; the panel now included the cabinet secretary, the legal secretary and the IT secretary. This has been heavily criticized for compromising the independence of the appointment process. Changes have been made to Article 42 (2) of the Data Protection Bill, 2021 by which the Attorney General, an expert, a director of an IIT and a director of an IIM are included in the selection committee. This does not solve the problem that the Center appoints candidates as it sees fit. In addition, the choice extends to the government to choose an administrator from among the multiple IITs and IIMs across India. In contrast, in the UK, under the Data Protection Act, the Information Commissioner is supposed to be appointed on the basis of a ‘fair and open competition’, with candidates having to appear before a committee. member of parliament before their appointment.
Under Article 87, the JPC extended the power of the central government, when it declared that “the authority should be bound by the directives of the central government in all cases and not only on matters of policy”. This is linked to an unguided legislative allocation under Article 92, which makes policies developed by the central government trump any protection or obligation under the Data Protection Bill, 2021. This It is not without reason that Jairam Ramesh, a member of the JPC, noted in his dissent that “government agencies are treated as a distinct privileged class whose operations and activities are always in the public interest and considerations of individual confidentiality. are secondary ”.
The JPC report and the Data Protection Bill, 2021, by protecting the government rather than the personal data of Indian citizens, recall the ironic spirit of Yes Minister: “The Official Secrets Act is not of to protect secrets is to protect officials.
This column first appeared in the printed edition on December 20, 2021 under the title “Un weak rampart”. Gupta is the executive director of the Internet Freedom Foundation; Bhandari is a practicing lawyer in Delhi