Over 19 countries agree on tougher principles for government access to personal data

The Global Privacy Assembly backed these restrictions even as India’s draft PDP bill lets government agencies off the hook.

Governments should not undermine cryptographic systems by mandating backdoors and their access to personal data should be under independent oversight, a resolution adopted by the Global Privacy Assembly on October 25 said.

The resolution, titled “Principles for Governmental Access to Personal Data held by the Private Sector for National Security and Public Safety Purposes,” was sponsored by 19 privacy commissioners from across the world, including the European Union, Japan, and the United Kingdom.

As India gears up for a personal data protection law, whether adequate safeguards around government access to data will be included remains a major concern. Such safeguards outlined by the GPA might be key to ensuring the right to privacy and enabling cross-border data flows.

In what conditions should governments access personal data?

The GPA resolution outlines several conditions under which governments can access the personal data of users:

1. Legal basis: Government access to personal data must be duly authorised by approved legislation. Such legislation should be:

    1. Enacted after public debate and scrutiny
    2. Publicly available
    3. Written in clear, easily understandable language
    4. Precise and specific as to the scope of personal information for which the law is granting governmental access and the conditions for such access.
    5. Respectful of the rights to data protection and to privacy and of other human rights, and non-discriminatory.

2. General principle of necessity and proportionality: The specific usage of personal information must be linked to a demonstrably necessary function or activity of government, and the intrusiveness must be proportionate to the goal.

3. Transparency: Any agreement for government access should require proactive, baseline public reporting and a publicly available accountability process for the government agencies involved, and permit information to be provided to affected individuals.

4. Data subject rights: Government access to personal data should integrate a dedicated framework for data subjects to exercise their rights, including by addressing directly their requests to public authorities. In particular:

  1. Individuals should have the right of access and to get personal data corrected or deleted
  2. Affected individuals should be able to seek effective redress and remedies

5. Independent oversight: Laws authorizing access should consider providing for both independent advance oversight (e.g. prior judicial authorization) as well as retrospective review (e.g. auditing of processing by independent regulatory body), taking into account the impact on fundamental rights and freedoms of individuals.

6. Statutory limitation on government’s use of data acquired: A law authorising government access to personal data for one specific purpose should regulate and frame any secondary use or onward transfer for other purposes.

Under the GPA agreement, governments can choose not to comply with the transparency and data subject rights requirements only in instances where such non-compliance constitutes “a necessary and proportionate measure in a democratic society.”

What best practices does the resolution outline for governments?

In light of the conditions outlined above, the GPA resolution also listed best practices that governments should follow:

  • Ensuring that cryptographic systems are not undermined by government access requirements through deliberate introduction of cybersecurity vulnerabilities (e.g. mandated ‘backdoors’)
  • Transparency reporting by commercial firms documenting numbers of government requests
  • Providing avenues for private sector redress in response to government requests
  • International regulatory cooperation for oversight of government access to personal data

How is India planning to regulate government access to personal data?

While a new version of India’s Personal Data Protection (PDP) Bill is currently in the works, the previous draft released in 2019 granted significant leeway to public bodies:

  • Exemptions for public authorities: Section 35 of the draft PDP bill 2019 proposed giving the government the power to exempt any public agency from the entire Act for reasons such as:
    • national security
    • integrity & sovereignty
    • public order
    • friendly relations with foreign states
    • preventing any cognizable offence relating to the above
  • User rights: Certain rights of users under the PDP bill will be suspended if personal data is processed for law enforcement, judicial reasons, journalism, and for personal reasons, the draft bill proposed.

Key stakeholders from across the world have raised concerns that the draft bill accords too much power to public authorities. Dr. Ralf Sauer, the Deputy Head of International Data Flows & Protection at the European Commission, highlighted some of these concerns at PrivacyNama 2021, a global conference on privacy regulations hosted by MediaNama:

We had some question marks on some of the grounds for processing for public authorities, and whether they were always sufficiently framed. The corollary to this is that there was a clause at some point that allowed for broad exceptions from the data protection rules which put a shadow over the law. There are certain safeguards that would be limited or completely restricted on grounds of public interest or public policy — Ralf Sauer (emphasis added)


Written By

Reporter at MediaNama. Email: nishant@medianama.com


© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
