In 2018, the right to privacy was recognised by the Supreme Court, to be within the ambit of Article 21 of the Constitution of India, after which the Justice Srikrishna Committee was constituted to provide recommendations towards codifying a privacy law, which led to formulation of the Data Protection Bill. To regulate the right to privacy, the legislature has revised the Data Protection Bill, that is now on its fifth iteration with the Digital Personal Data Protection Bill ("Bill") which has now been approved by the Union Cabinet and is likely to be placed before the impending monsoon session of the Parliament. Each iteration has taken inspiration from the European Union's General Data Protection Regulation ("EU GDPR") in respect of the regulatory compliances and harsh penalties on the Data Fiduciary (i.e., person(s) determining the purpose and means of processing personal data) in the event of a failure to adhere to the same. The Bill applies to processing of digital personal data in and outside of India, if such processing is in relation to profiling of citizens, or the activity of offering goods or services to Data Principals (i.e., person(s) who the personal data relates to) within India. In this article, we discuss the method by which the Central Government can exercise the power to exempt themselves from the application of the provisions of the Bill.
The Bill defines 'personal data' as, "any data about an individual who is identifiable by or in relation to such data". The obligations on a Data Fiduciary are to make reasonable efforts to ensure the personal data being processed is accurate and complete; make reasonable security safeguards to prevent a data breach and other obligations listed thereunder. Section 18(2) of the Bill provides that the Central Government through a notification, may exempt the processing of personal data by any instrumentality of the State from the provisions of the Bill in the 'interest of the sovereignty and integrity' of India, 'security of the State', 'maintenance of public order', 'friendly relations with foreign States', 'preventing incitement of cognizable offences', or for 'research, archiving or statistical purposes'. The scope of the exemptions; through public order, sovereignty and integrity of India, security of the State, and maintenance of public order are in line with the reasonable restrictions imposed on the Fundamental Rights under the Constitution of India.
Interestingly, the exemption is also granted for maintaining diplomatic relations, research, archiving and statistical purposes. Since these terms have not been defined under the Bill, the same may lead to interpretational issues.
Foreign jurisdictions have a different approach to reasonable restrictions and certain jurisdictions apply thresholds on the consent required from a data principal. The European Union has provided most nations with a model privacy legislation with the EU GDPR, wherein its Member States are required to balance fundamental rights and any restriction which it may provide. It does not allow the processing of data unless consent has been provided or it is expressly permitted by law. The United States of America does not have a centralised law on privacy, but its States may have their own legislation on privacy. For example, one of the States allow data processors to process data without the consent of the data principal, however they are given the right to demand a halt on such processing. While China requires consent for processing data, however under certain circumstances consent is not required.
Under the Bill, the citizens are permitted to provide, review as well as erase some or all of their collected data. Contrary to this, the Government, under this Bill has the authority to forego such compliances and process personal data by means of only issuing a notification, as emphasised above. A 'notification' being a form of delegated or subordinate legislation, may in the aforesaid circumstances eliminate the democratic process. However, procedural restrictions which scrutinise the exercise of such authority could be legislated in the Bill.
Further, substantial financial penalties may be imposed on a person who is guilty of significant non-compliance of certain provisions of the Bill. Although the intent appears to be to provide additional safeguards against misuse of the Bill, but such measures may turn out to be illusory, especially against the Government. Also, it is yet to be examined whether such penalties will provide a sufficient deterrent against misuse of the Bill by the Government, or will result in the misapplication of the taxpayer's money.
Considering the shift to providing a world class digital ecosystem, the Government may consider facilitating acceptability of such changes in the foreground and instil confidence, by creating awareness about the measures of transparency and accountability. As the language of the fifth iteration of the Bill has not been made public yet, it is not clear what changes have been made to the Bill published in November 2022.
Authored by Ameya Deosthale, Partner & Mehak Gupta, Associate Partner. The contents of this article do not necessarily reflect the views/position of Stratage Law Partners but remain solely those of the author(s). This article is meant for general information and shall not be deemed to be a legal advice or opinion. This article is neither intended to be an advertisement or solicitation.