- State security and interests have been put above individual rights and interests in the bill
- Structure of grievance redressal mechanism under the bill can prevent people from raising complaints
- The bill fails to adhere to the principles laid down in the Puttaswamy judgement and can be struck down in court
- DPA needs to be made more independent and capable, to hold government to account
“It should not be ‘Data Protection Bill’, but we should call it ‘Data Access Protection Bill’ with the intention to protect any means to access data,” Saikat Datta, Founding Partner at DeepStrat, a think tank, said during the session on ‘Government Access to Data’ at MediaNama’s ‘Decoding India’s Data Protection Bill’ event held on January 20, 2022.
Datta was joined by Anushka Jain, Associate Counsel at the Internet Freedom Foundation, a digital rights organisation; Jhalak Kakkar, Executive Director of the Centre for Communication Governance (CCG), National Law University Delhi, a think tank; and Vaneesha Jain, Associate Partner at law firm Saikrishna & Associates, in the session.
The latest version of the Data Protection Bill in the Committee’s report allows government agencies to collect and process personal data without consent, and receive an exemption from all or any provisions of the bill, among other aspects. Amid news reports about the alleged purchase and use of Pegasus spyware by the Indian government, the bill’s provisions, which virtually enable such government surveillance, have been hotly debated.
This discussion was organised with support from Google, Flipkart, Meta, and Star India, and in partnership with ADIF.
Broad exemptions under the bill
Bill enables surveillance: According to Anushka Jain, the bill enables surveillance by providing very broad standards for exempting government agencies from its purview under Section 35. The term ‘expedience’, as laid out in the section, could mean necessity, usefulness, practicality, or even moral impropriety.
“So in a situation where the government thinks that, for example, for national security, it is expedient to carry out mass surveillance through facial recognition technology, it can use the Clause 35 exemption, I’m pretty sure it’s going to use the Clause 35 exemption to exempt authorities such as probably the Delhi Police or the NCRP, which is going to carry out a facial recognition surveillance,” she said.
Talking about the possibility of harm, she gave the example of the Ministry of Aviation’s Digi Yatra programme whereby ‘paperless’ travel can be undertaken by providing Aadhaar details and submitting to facial recognition at airports.
“You gave your facial details, or your you know, you connected your Aadhaar or any other identity card, and you gave your details there and then now, the government is actually using it to track your movement across the country, which can result in problematic situations, and it can also end up violating your right to travel freely throughout the country,” she said.
Recommendation: “It should be mandatory that any data collected has to within a certain timeframe end up in a court of law,” Datta recommended. According to him, this will let people know that they were under investigation, that their data was accessed during surveillance, and what data was accessed. Further, he recommended that if the person is not found guilty in that investigation, there should be a procedure to:
- Destroy all that data
- Take action against the people who asked for that data and did not find anything amiss about it.
“The moment you do a few tweaks like this, you will ensure that there is a third party, which is now being asked to look into the data and also judge it by the merit of whether this actually helped for the allegation or for the investigation that it was purported to be, therefore making it necessary, therefore bringing in proportionality and therefore bringing in legalities,” he added.
Might be struck down in court: Reflecting on the conditions for exemption laid down by Section 35 – necessity, expedience, and proportionality – Kakkar doubted whether it would be able to pass legal muster in court.
“It is very likely that it’s going to be challenged in court and it’s fairly likely that the court is going to hold that this is sort of unconstitutional and doesn’t comply with a very, very basic standard that the court has sort of laid down,” Kakkar said.
Recommendation: Citing the court’s interpretations of the three tests prescribed in the Puttaswamy judgement, which the bill should follow, Kakkar said, “If we go back to the language of Puttaswamy, which actually uses the word proportionate, and we try to sort of peel apart what does proportionate signify, basically it’s something that is appropriate to protect the legitimate aim. So it’s sort of the least intrusive instrument that you can use to receive that desired outcome or result that the government is working on.” According to her, international jurisprudence developed around the test for ‘necessity’ interprets the term as something having a legitimate aim.
Bill puts the State’s interests before citizens: “So this is a Personal Data Protection Bill that is flowing out of the right to privacy judgment, but in the long title, it says interest in security of the state. So the data protection law is seeking to, you know, protect state security over individual privacy and state security is one of its primary objectives,” Anushka Jain said, responding to a question on whether the bill enables the use of National Intelligence Grid (NATGRID) or Pegasus spyware.
According to Anushka Jain, NATGRID could continue because it is being built by the government and the Data Protection Bill recognises ensuring interests and security of the State in its long title. However, Pegasus is illegal as it amounts to hacking, which is illegal as per the Information Technology Act.
Recommendation: The bill should define for what national security reasons individual privacy will be hampered, Anushka Jain recommended. This also has to flow from what has been laid down in the Puttaswamy judgment, she said.
Complete lack of oversight in surveillance: “The whole idea is that the Constitution and its limitations will ensure that the government and its power stay in check,” Datta said, adding that the intelligence agencies must have oversight that emerges from a law.
Recommendation: Datta referred to the Srikrishna committee’s report on the Personal Data Protection bill 2019 which recommended equal or higher oversight on agencies empowered to access citizens’ data.
Clarity needed by private sector on Section 35
Section 35 could translate into companies having to comply with law enforcement agencies’ requests for information, Vaneesha Jain and Anushka Jain (who are not related) said. The section allows the central government to exempt any agency of the government from all or any provisions of the Act.
Exemption gives wide leeway to agencies: According to Anushka Jain, exempted agencies don’t even have to disclose the reasons for such data collection to companies as per the bill. Further, processing under Clause 35 also means sharing, and thus an exempt agency can share data with all exempted agencies. However, she believed that for sharing with non-exempted agencies, the purpose limitation requirement outlined in the bill may still apply.
Conditions of exemption may be defined by the central government: However, according to Vaneesha Jain, the conditions for processing under Section 35 will depend on the order passed by the government which would outline which agency is exempted, under what conditions, whether they can share the data with another exempted agency, whether they need consent to share it, and so on.
Recommendation: More clarity on the language of provisions like Section 35 should be provided by the government, Vaneesha Jain said. According to her, it may also help private organisations push back against such requests.
Capacity for oversight and grievance redressal
Existing capacity to review interception orders is poor: Datta flagged that an RTI response he received over 7 years ago showed that the government annually intercepts 1,00,000 phone numbers which translates to 300 requests authorised by the Union Home Secretary or Secretary at the State level per month. These requests have to go to a monitoring committee to see if the interception was justified, led by the Cabinet, Telecom, and Law secretaries, as per the Telegraph Act.
“What this decides is, again, they have to go through some 1000s of numbers and emails within a space of few hours, which, where you also have to leave some time for tea and snacks, etc,” Datta says.
According to him, broad access was being provided to the government through the DPB, while existing procedures for surveillance barely have any thought process, procedure, or justification and oversight.
Structure will prevent citizens from protecting their data: Datta compares the bill’s provisions with the structure set up under the Right to Information Act.
“So a law which was supposed to help citizens access data of the government, which is actually their own data there you have created such a huge problem that you don’t for months hear from the first appellate authority as a result, you can’t go to the central information commission and even if you go to the central information commission, it will be probably years before you get heard and then by the time we land up in the High Court or Supreme Court, you’ve completely run out of steam,” he says.
According to him, a similar mechanism has been constituted through the DPA in the data protection bill which will prevent citizens from protecting their data.
Regulator of data protection principles needs expertise: “You know, you don’t necessarily think that the judiciary will be the right place to debate the nuances of the application of certain data protection principles, and you want sort of expertise and depth in that particular domain to navigate the complexity of those issues,” Kakkar said. According to her, in India, the default for getting justice is that it will only be given once a case reaches the High or Supreme Courts even though the idea of having regulators is to navigate complex areas.
Recommendation: Competence, capability (through technical expertise), and financial capability for the DPA to operate were recommended by Kakkar. She added that the DPA also has to have the capacity to be able to dig through, investigate, think through, put in place Codes of Practice, rules and regulations to hold the government accountable. This would also prevent issues from always escalating to the higher courts.
Comparison with international practices
Not enough checks and balances: “I think there are various checks and balances and sort of requirements that have to be met at every stage in the process. And unfortunately, of course, the data protection bill doesn’t have that,” Kakkar said, comparing the bill with similar legislation in other countries. She also flagged that the bill exempts entire agencies from its provisions – a departure from international practices.
Recommendation: Kakkar laid out the guiding principles that are applicable in other countries, regarding government surveillance:
- How access can be granted
- The circumstances in which that access can be granted to the government
- The extent to which information can be shared with the government
- Who within the government that information can be shared with
- Data minimisation requirements
- Requirements on how much one government agency that holds the information can share with a second government agency
- The role of judicial actors in sanctioning such a request
Interception should be allowed only when other means are exhausted: The law gives a blanket exemption to agencies to intercept communications, not in line with international practices, Datta said. He further pointed out that Indian government agencies do not have parliamentary or judicial oversight, as compared to the US or UK.
Recommendation: Datta pointed to the practice of only allowing legal interception of communications when all other methods of investigation have been exhausted. According to him, this principle is practised in American courts and is recognised by Indian law to an extent.
State-sanctioned surveillance in India
2014: NETRA, a government surveillance programme that detects suspicious words like ‘attack’, ‘bomb’, ‘blast’ or ‘kill’ in real time on social media, was launched.
2016: The government launched the Central Monitoring System (CMS) which would “automate the process of lawful interception and monitoring of mobile phones, landlines and the internet in the country” in New Delhi and Mumbai.
2020: The Indian Express reported that local units of the Department of Telecommunications had been seeking call data records (CDRs) of all mobile subscribers across several parts of the country.
2021: News broke that the Indian government may have deployed Pegasus spyware against several Indian politicians, activists, journalists, businessmen, and bureaucrats, among others.