Since 1991, India has seen a meteoric rise in the field of digital technology including modalities of surveillance. Such modalities include technological advancements in the form of genetic, biometric, financial and physical monitoring. Augmented by the advent of social media, an urgent need for the establishment of a data protection mechanism in order to protect the privacy of its users was felt.
To fulfil that need, the government constituted the Justice Srikrishna Committee to develop a data protection mechanism for Indian privacy law. The committee put forward a report[i] consisting of recommendations and a draft bill.[ii] The recommendations were contrary to international guidelines, giving the government surveillance power which was excessive in nature. Having said that, The Personal Data Protection Bill, 2019 is even more regressive in its approach, disempowering the recommendations made by the committee.
The Bill is tabled in Lok Sabha merely two years after the Supreme Court laid down that privacy is a fundamental right.[iii] On the surface of it, the bill seeks to formulate a constitutional framework for the protection of privacy but a closer analysis reveals otherwise.
Causing Mayhem through Subtle Changes
The bill contains provisions that empower the government to have a carte blanche authorization over-collection of data. An example of this is Section 35 of the Bill which provides the government with the power to set aside privacy protections in certain circumstances such as:
- It can be set aside for the protection of sovereignty and integrity of India, its security, public order, and foreign relations.
- It can be set aside for the prevention of commission of a cognizable offence against the sovereignty and integrity of India, its security, public order or foreign relations.
According to the recommendations of the Srikrishna Committee, surveillance should be done firstly, by an authority authorised by law and secondly, in accordance with the procedure established by the law. Such recommendations are in line with the judgement of K.S. Puttaswamy v Union of India [iv], where the apex court emphasised the importance of following the global constitutional standards of proportionality. Instead, the Bill disregards the aforementioned guidelines, entrusting wider scope of power to the government.
Such provisions are in not in accordance with the procedural and content-based mandate of Article 21 of the Indian constitution and have raised grave privacy concerns.
Giving Rise to Retributive Form of Policy Making
In addition to the aforementioned provisions, the Bill also empowers the government to gather anonymized “personal” and “non-personal” data from data companies. There is a legal ambiguity surrounding these terms as there is no legal definition in the Bill. Recent studies[v] have also proven that the collection of anonymized personal data is not protected from re-identification. This raises privacy concerns with regard to the potential misuse of data collected. There is a real possibility that the government might use such data in order to filter out individuals who embrace political sentiments against the government. Such use of data will give rise to a retributive form of policymaking.
Discretionary Powers with the Government
The 2018 Bill had envisaged salaries and allowances of Chairperson and the member of the Data Protection Authority of India could not be varied to their advantage. Such a provision encouraged the independence of such authorities. The new 2019 Bill does not provide any of the aforementioned guarantees, reducing such authorities to be dependent on the government for financial assistance. As a result, the Bill puts the financial security of the Data Protection Authority of India at the discretion of the government. Such provisions ensure that data collecting agencies are forced to place more importance on the demands of the government than the protection of the democratic rights of the citizens.
The selection committee empowered by the Bill to appoint the chairperson and the members of the Data Protection Authority of India is another area of concern. Judicial members have been substituted in the Cabinet Secretary, Law Secretary, and Electronics and Information and Technology Secretary, making the appointments susceptible to judicial influence. This is not in accordance with the US Supreme Court ruling[vi] which stated that judicial authorization is imperative for the operation of domestic surveillance. The Bill fails to check abuse of executive power and does not protect the citizens from excessive executive measures.
It is evident from the arguments presented by this article that The Personal Data Protection Bill, 2019 has failed to protect privacy, a fundamental right, of the citizens and instead has exacerbated it. It has legitimised domestic surveillance by the government without providing checks for abuse of power. Therefore, it is imminent that there is an urgent need for safeguards against the unfettered powers of the executive which will have a detrimental effect on data privacy.
The Bill has legitimised the intrusion of the executive in private digital spaces. It is a direct violation of the fundamental rights bestowed by the Indian constitution onto its citizens. The right to privacy can no longer be considered as a fundamental right if it is a subject of executive convenience.
[iii] K.S. Puttaswamy v Union of India, (2019) 1 SCC 1.
[iv] K.S. Puttaswamy v Union of India, (2017) 10 SCC 1.
The author is currently a third-year student at O.P. Jindal Global Law School.