India: Does The Personal Data Protection Bill Really Protect Your Personal Data? Part 2

(This is the first part of a two-part article series which analyses and explores the various facets of the proposed Personal Data Protection Bill in the pipeline. The first part explores the backdrop in which the Bill was proposed, and the present article analyses the specific provisions of the Bill to assess whether it is an effective legislation.)

Since its introduction in the Parliament, the Bill has created quite a controversy, with experts split in two factions for and against the Bill. Those who are in favour believe that the PDP Bill of 2019 is a great step forward for India towards regulating and securing its citizens' personal data. They believe that the way to go forward is to put in place a framework which keeps evolving and rising up to the peculiar challenges which protection of personal data entails. To them, over legislation would do more harm than good. While on the other hand, people against the bill claim that it gives unbridled power to the government in terms of access to people's personal data, and the lack of regulatory provisions within the Bill leaves too much in the hands of the DPAI.  Let us take a look at the provisions of the PDP Bill 2019 to assess the validity of these claims.

The Statement & Purpose of the Bill states that it has been introduced to provide protection of privacy of individuals relating to their personal data and to create a relationship of trust between data principles and data fiduciaries. Section 3(14) defines a "data principle" as a natural person to whom personal data relates to and Section 3(13) defines a "data fiduciary" as any person, including State, a company, any juristic entity, or any individual who alone or in conjunction with others collects and processes personal data. Section 11(1) states that no one's personal data is to be processed without such person's consent. Section 3(31) defines "processing" in relation to personal data to inter-alia include collection, recording, organisation, structuring, storing, adapting, usage, transfer, and disclosure of such data.

Chapter V of the Bill confers certain rights upon the data principle. These rights include a confirmation by the data fiduciary of processing of personal data and access to the identities of data fiduciaries with whom their data has been shared;¹ right to correction of inaccurate data, upgradation of data, and the erasure of personal data after the purpose for which it has been collected has been fulfilled;²  right to data portability,³ and the right to be forgotten.⁴ All of these rights are aimed towards empowering the data principles by mandating their consent for the processing of data, creating a framework of transparency, and allowing the data principles to avail erasure of their data at any given instant. Section 16 lays down special provisions with regard to processing of personal data of children. Therefore, there is no doubt that the Bill is a step forward for Indian personal data legislation.

But at the same time, it is also important to take into consideration the fact that the Bill also provides several exemptions, thereby allowing for personal data to be processed without the data principle's consent. The protection of Section 11 of the Bill can be done away with when personal data is required for the performance of any function of the State authorized by the law.⁵ This provision makes sense since it allows for the collection of personal data for the provision of the benefits or services to the data principle, such as to deal with the pandemic situation we are in the middle of right now, to comply with the order of a Court of Tribunal, etc. Things, however, start to look problematic when we peruse Section 35 of the Bill. The section vests in the Central Government the power to exempt any Government agency from the application of the legislation. Section 35 of the 2019 Bill reads as follows,

1. in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order; or
2. for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, it may, at by order, for reasons to be recorded in writing, direct that all or any of the provisions of this Act shall not apply to any agency of the Government in respect of processing of such personal data, as may be specified in the order subject to such procedure, safeguards and oversight mechanism to be followed by the agency, as may be prescribed."

While it is true that sometimes such sweeping powers are necessary for the Government to carry out its sovereign functions, what is noteworthy is that Section 35 of the 2019 Bill is the modified version of Section 42 of the 2018 Bill which read,

1. Processing of personal data in the interests of the security of the State shall not be permitted unless it is authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved."

A bare perusal of the two provisions shows how the modified version is a rolled-back version of the old one. While the 2018 Bill required a procedure to be established by the Parliament for the State to process personal data in the interests of national security, and how the said procedure had to be necessary and proportionate (as laid down by the Puttaswamy judgement). However, the present version of the provision only requires the Central Government to be satisfied that there exists a necessity, and thereafter on the basis of a written order it can exempt any of its agencies from the application of the legislation. This aspect of the Bill has been heavily criticised by several sections of the public. The modifications made to the provision effectively undercuts everything which the legislation aims to achieve by handing to the Government the keys to our personal data based on their subjective satisfaction. As asserted by the critics, it is indeed a severe problem with the legislation.

To make matters worse, the 2019 Bill does not lay down any clear regulations regarding the processing of our personal data without our consent by the Government. The overarching nature of what would be in the interest of the "national sovereignty, integrity and security of the nation" provides the Government with unbridled power to do what they please with our personal data. In the past, the Government has used similarly worded provisions in other legislations in a routine and cavalier fashion to abrogate the rights of individuals.⁶ This is a slippery slope for a legislation meant to protect personal data. This was pointed out by none other than Justice Srikrishna himself when he stated that the new Bill "diluted the protection provided by the Bill" and allows the "State to unilaterally infringe the right to privacy".⁷ The Government processing the personal data of its citizens without any oversight and regulation can result in a surveillance State. The same was hinted by Justice Srikrishna himself as he made references to India turning into an Orwellian State.

Certainly, a legislation meant for the protection of personal data by no means should empower the Government, or any other organization to unilaterally do the exact opposite of that. We will be well-served if our legislators pay serious heed to these criticisms and improve the Bill to resonate with the true spirit of the right to privacy enshrined in Article 21 of our Constitution.

Footnotes 

1. Section 17, PDP Bill 2019.

2. Section 18, PDP Bill 2019.

3. Section 19, PDP Bill 2019.

4. Section 20, PDP Bill 2019.

5. Section 12, PDP Bill 2019.

6. Vinit Kumar v. CBI, W.P. 2367/2019 (Bom HC) (India).

7. https://www.livelaw.in/top-stories/personal-data-protection-bill-allows-the-state-to-unilaterally-infringe-right-to-privacy-158337

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.