Governments should not undermine cryptographic systems by mandating backdoors and their access to personal data should be under independent oversight, a resolution adopted by the Global Privacy Assembly on October 25 said.
The resolution, titled “Principles for Governmental Access to Personal Data held by the Private Sector for National Security and Public Safety Purposes,” was sponsored by 19 privacy commissioners from across the world, including the European Union, Japan, and the United Kingdom.
As India gears up for a personal data protection law, whether adequate safeguards around government access to data will be included remains a major concern. Such safeguards outlined by the GPA might be key to ensuring the right to privacy and enabling cross-border data flows.
In what conditions should governments access personal data?
The GPA resolution outlines several conditions under which governments can access the personal data of users:
1. Legal basis: Government access to personal data must be duly authorised by approved legislation. Such legislation should be:
- Enacted after public debate and scrutiny
- Publicly available
- Written in clear, easily understandable language
- Precise and specific as to the scope of personal information for which the law is granting governmental access and the conditions for such access.
- Respectful of the rights to data protection and to privacy and of other human rights, and non-discriminatory.
2. General principle of necessity and proportionality: The specific usage of personal information must be linked to a demonstrably necessary function or activity of government, and the intrusiveness must be proportionate to the goal.
3. Transparency: Any agreement for government access should require proactive, baseline public reporting and a publicly available accountability process for the government agencies involved, and permit information to be provided to affected individuals.
4. Data subject rights: Government access to personal data should integrate a dedicated framework for data subjects to exercise their rights, including by addressing directly their requests to public authorities. In particular:
- Individuals should have the right of access and to get personal data corrected or deleted
- Affected individuals should be able to seek effective redress and remedies
5. Independent oversight: Laws authorizing access should consider providing for both independent advance oversight (e.g. prior judicial authorization) as well as retrospective review (e.g. auditing of processing by an independent regulatory body), taking into account the impact on fundamental rights and freedoms of individuals.
6. Statutory limitation on government’s use of data acquired: Law authorising government access to personal data for one specific purpose should regulate and frame any secondary use or onward transfer for other purposes.
Under the GPA agreement, governments can choose not to comply with the transparency and data subject rights requirements only in instances where such non-compliance constitutes “a necessary and proportionate measure in a democratic society.”
What best practices does the resolution outline for governments?
In light of the conditions outlined above, the GPA resolution also listed best practices that governments should follow:
- Ensuring that cryptographic systems are not undermined by government access requirements through deliberate introduction of cybersecurity vulnerabilities (e.g. mandated ‘backdoors’)
- Transparency reporting by commercial firms documenting numbers of government requests
- Providing avenues for private sector redress in response to government requests
- International regulatory cooperation for oversight of government access to personal data
How is India planning to regulate government access to personal data?
- Exemptions for public authorities: Section 35 of the draft PDP bill 2019 proposed giving the government the power to exempt any public agency from the entire Act for reasons such as:
  - national security
  - integrity & sovereignty
  - public order
  - friendly relations with foreign states
  - preventing any cognizable offence relating to the above
- User rights: Certain rights of users under the PDP bill will be suspended if personal data is processed for law enforcement, judicial reasons, journalism, and for personal reasons, the draft bill proposed.
Key stakeholders from across the world have raised concerns that the draft bill accords too much power to public authorities. Dr. Ralf Sauer, the Deputy Head of International Data Flows & Protection at the European Commission, highlighted some of these concerns at PrivacyNama 2021, a global conference on privacy regulations hosted by MediaNama:
“We had some question marks on some of the grounds for processing for public authorities, and whether they were always sufficiently framed. The corollary to this is that there was a clause at some point that allowed for broad exceptions from the data protection rules which put a shadow over the law. There are certain safeguards that would be limited or completely restricted on grounds of public interest or public policy” — Ralf Sauer (emphasis added)