In a watershed moment for India’s law on privacy and data protection, in August last year, nine judges of the Supreme Court unanimously held that the right to privacy was a fundamental right. The judgment came less than a month after the union government constituted a committee chaired by the former Supreme Court judge BN Srikrishna, to formulate a data-protection law for India. But the Srikrishna committee has since received criticism for its opaque functioning and its refusal to disclose the contents of the bill. Though the committee has not announced when it will release the draft bill, The Caravan has accessed the draft, titled “The Protection of Personal Data Bill, 2018.” The Caravan also accessed a draft of the Srikrishna committee’s report on the proposed legal framework for the protection of privacy and data in India.
In an earlier piece, I detailed the amendments that the bill proposes to the Right to Information Act of 2005 and the Aadhaar Act of 2016. The proposed amendments, if introduced, are likely to weaken the RTI act, and to strengthen the Unique Identification Authority of India’s monopoly over any legal action arising out of the Aadhaar act. While these are worrying consequences, other aspects of the draft bill may bring welcome change to the status quo. For instance, the terms on which it exempts intelligence agencies from data-protection obligations are significant. In this regard, the bill makes an unprecedented proposition—compliance with the proposed data-protection bill would require the parliament to enact a law that will oversee India’s intelligence agencies and intelligence gathering mechanisms. The draft report states that such a law “should provide for both parliamentary oversight as well as judicial pre-approval of all requests for non-consensual access to personal data and metadata.” It would take considerable political will, but if implemented well, the Srikrishna committee’s recommendations could fundamentally alter the functioning of intelligence agencies in India.
In order to understand the significance of these exemptions, it is necessary to first examine the obligations imposed on those entities that are not exempted and would be processing personal data. In the draft bill, the phrase “personal data” refers to any information that may be used to directly or indirectly identify an individual. It defines “processing” to incorporate a wide range of activities, including the collection, use and storage of personal data. With this broad ambit, the Srikrishna committee proposes several obligations to ensure the protection of personal data, and imposes a high standard for the nature of consent required for its processing.
These requirements, however, are not absolute—the committee proposes to grant a partial exemption for certain scenarios of data processing. But pertinently, the proposed exemptions are not absolute either—the bill mandates that all entities dealing with personal data ensure that it is processed in a fair and reasonable manner that respects the privacy of the concerned individual.
The legislative intent behind the regulations on data processing is to prevent any harm to the individual in question, identified as the “data principal.” According to the draft report, “the cornerstone of such regulation is the consent of the data principal.” In this regard, the bill mandates a framework for consent that is described in the report as “notice-and-choice”: the entity or individual seeking to process any personal data, or the “data fiduciary,” must inform the data principal about how their data would be used, and seek express affirmative consent to do so beforehand.
The draft bill also imposes a wide range of other obligations, including on the purpose for processing—stating that it may only be done for a “clear, specific and lawful” purpose—and on collection of personal data—limiting it only to what may be necessary for the specified purpose. The bill also directs data fiduciaries to ensure that any processed personal data is “complete, accurate, not misleading and updated,” and to store such data only till it is “reasonably necessary” for the specified purpose. Additionally, data fiduciaries are also mandated to employ measures to ensure transparency and accountability, such as keeping a record of all their data-related operations. The draft bill also directs data fiduciaries to inform the data-protection authority—a regulatory body proposed to be established to ensure compliance with the law—of any security breaches. The authority will be empowered to then decide if the data fiduciary needs to inform the data principal of the breach, and if any mitigating action is required.
None of these obligations are applicable to the exempted scenarios of data processing—in other words, the provisions of the bill would only be partially applicable in certain cases. The underlying principle behind the partial exemptions granted under the act is that the processing of personal data may be relevant in certain scenarios even without the consent of the data principal. The committee’s draft report notes, “While consent, as an expression of autonomy is constitutive of a free and fair digital economy, so are other interests.” The draft bill proposes partial exemptions for a range of activities, including the prevention and prosecution of crime, processing for legal proceedings, research or statistical purposes, personal or domestic purposes, the security of the state and journalistic purposes. All these exemptions are constrained only by the few residual obligations contained in the bill.
The Srikrishna committee justifies the imposition of the minimal obligations on the basis of Justice DY Chandrachud’s lead opinion in the right-to-privacy judgment. Chandrachud, writing on behalf of himself and three other judges, states, “While it intervenes to protect legitimate state interests, the state must nevertheless put into place a robust regime that ensures the fulfilment of a three-fold requirement.” This three-fold requirement mandates that first, there must be a law in place to “justify an encroachment on privacy,” second, that there must be a legitimate state need for which such encroachment is reasonable, and third, that the encroachment should be proportionate. The Srikrishna committee has extended the partial application of the provisions to non-state data fiduciaries, and modified the three-fold requirement to state that data must be processed in a “fair and reasonable manner that respects the privacy of the data principal.”
The partial applicability proposed for data processing in relation to the security of the state is important, not because it is exempt—impunity for issues of “national security” is routine in India—but for the imposition of restrictions, however limited. In fact, the committee appears to be opposed to such impunity. The draft report notes, “It is thus critical to ensure that the pillars of the data protection framework are not undone by a vague and nebulous national security exception.”
Notably, the Srikrishna committee has made a conscious decision to avoid the phrase “national security” in the bill. While discussing the phrase, the committee states in its report, “Prima facie, the term itself is alien to Indian constitutional law.” Instead, the provision in the draft bill refers to “security of the state,” which, as the report observes, is the phrase used in the Constitution as well, as an exception to the freedom of speech guaranteed under Article 19. The report notes, “Implicit in this understanding of ‘security of the state’ is the indication of gravity of the act, as it must be of a nature that tends to overthrow the state itself or affect its security fundamentally. No like indication of gravity is implicit in ‘national security.’”
For the processing of personal data in the interest of the security of the state, the draft bill grants an exemption from the obligations applicable to non-exempt entities, except the standard of fairness and reasonability, and of implementing security safeguards during such processing. Interestingly, the bill also adopts Chandrachud’s three-fold limitation specifically for this provision, stating that any such processing must be “authorised by law made by Parliament” and that it must be “necessary for, and proportionate to, such interests being achieved.”
These obligations on the state are significant because, as the draft report notes, Indian intelligence agencies, including the Research and Analysis Wing, the Intelligence Bureau, and the Defence Intelligence Agency “have been set up by executive authorisation and continue to operate without a legal framework.” It adds that this is also true of other intelligence-gathering initiatives such as the Central Monitoring System and the National Intelligence Grid. The report further notes that the central government issues around 7,500–9,000 orders for interception every month, and that the review committee supervising these orders meets once in two months with “an unrealistic task of reviewing 15000–18000 interception orders every meeting.” Referring to Chandrachud’s three-fold requirements, the draft report accordingly states, “Current intelligence gathering by India’s intelligence agencies falls at the first threshold, since it is not done under law.”
As a result, to comply with the proposed bill, the parliament would have to enact a law that will oversee the intelligence agencies and the mechanisms they use to gather intelligence data. The draft report notes that after the right-to-privacy judgment, the absence of such a law is “potentially unconstitutional.” It adds, “The key rationale underlying such checks and balances is the need for ex ante access control as well as ex post accountability”—control before any action and accountability after. For the former, it proposes that a district judge could be appointed to decide on such requests in a manner that would be “time-bound and require renewal on the judge being satisfied that the purpose for processing remains relevant.” The draft report concludes, “This recommendation, albeit not a part of the data protection law, is important for the data protection principles to be implemented effectively, and must be given due consideration.”
Moreover, any such law would also have to comply with Chandrachud’s second and third requirements as well as the fair-and-reasonable standard under the draft bill. This change would be monumental—if the parliament enacts the data-protection bill without simultaneously introducing such a law, the intelligence gathering methods of all of India’s intelligence agencies would be rendered illegal.
However, the bill does not appear to prescribe clear consequences for the failure to comply with the minimum obligations imposed on intelligence agencies. It allows complaints of violations to be made before the data ombudsman—the adjudicating authority under the proposed bill—and contains a catch-all provision allowing the ombudsman to impose a penalty of up to Rs 50 lakh for any contravention of the act for which a prior penalty has not been specified. It leaves open the question of how an intelligence agency ought to deal with intelligence gathered relying on personal data that was improperly processed.
This is precisely where the provisions for exemption could find their undoing. Presumably, these questions will be answered in the laws and regulations that will follow the enactment of the proposed data-protection bill. The bill mandates that any processing of personal data must be on the basis of the law made by Parliament, which must ensure that such processing is reasonably necessary for a legitimate state purpose, and that it is a proportional measure. This leaves significant room that must be filled by corresponding political will. In order to have the effect indicated in the committee’s report, the accompanying law would have to comply with the draft bill in both letter and spirit. In this regard, the Srikrishna committee has merely set the ball rolling—it leaves it up to the ruling regime to transform India’s security establishment into one that respects the privacy of the citizens it seeks to protect.
This is the second in a series of pieces by The Caravan on the Srikrishna committee’s data-protection bill. The first piece can be read here.