If you live in a city where the police pride themselves on the number of CCTVs that have been installed, have you ever wondered what the police can do with all the footage they collect? Sure, they can use it to issue fines to vehicles that violate the law, find criminals on the run, and so on. But it doesn’t end there. For instance, they can use this data to track the whereabouts of protestors and clamp down on rightful protests even before they begin. Essentially, the police can use the CCTV data for whatever purposes they want. They can even share it with any other government agency. And India’s proposed data protection regulation will do nothing to protect the personal data of citizens, and consequently their right to privacy, in such cases because law enforcement agencies are among those that can (and probably will) be exempt from the provisions of the legislation.
The Digital Personal Data Protection Bill, 2022, the fourth iteration of India’s draft data protection law, was released on November 18 and one of the foremost criticisms from privacy advocates is the broad powers given to the government and the scope for surveillance and misuse of personal data that could arise from these powers.
Which provisions of the Bill increase scope for surveillance and misuse of personal data by the State?
1. Power of the government to exempt any of its entities
Under Section 18(2) of the Bill, the central government can issue a notification to exempt any “instrumentality of the state” from the provisions of the Bill in the interests of the:
- sovereignty and integrity of India
- security of the State
- friendly relations with foreign states
- maintenance of public order
- preventing incitement to any cognizable offence relating to any of the above
“Every time they amend this bill, they should define what they’re talking about. They say the government can access your data with deemed consent if it is intended for protecting the sovereignty of the nation. These are just broad words. What is the sovereignty of the nation? Now, every babu will say I need to access your data in the interest of sovereignty of the nation.” — Justice BN Srikrishna told The Economic Times.
2. Government’s right to retain data forever
All Data Fiduciaries must stop retaining personal data, or remove the means by which the personal data can be associated with particular Data Principals, as soon as it is reasonable to assume that:
- “the purpose for which such personal data was collected is no longer being served by its retention;” and
- “retention is no longer necessary for legal or business purposes.”
However, the government and its agencies have a blanket exemption to this requirement and can retain personal data for an unlimited period of time even if the purpose for which data was collected has been served.
3. Exemptions for crime detection and prevention purposes
Section 18(1) of the Bill exempts entities from certain provisions of the Bill when the “personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law.”
Specifically, entities engaging in crime prevention are exempt from provisions under Chapter 2 (obligations of Data Fiduciaries) except sub-section 4 (provision related to securing data) of section 9, Chapter 3 (rights and duties of Data Principals), and Section 17 (transfer of personal data outside India).
4. Power of the government to exempt certain fiduciaries
Section 18(3) of the Bill allows the central government to exempt certain Data Fiduciaries or a class of Data Fiduciaries, based on the volume and nature of personal data they process, from certain provisions of the Bill. Specifically, these Fiduciaries will be exempt from:
- Section 6 (issuing notice before consent)
- Sub-sections 2 (ensuring accuracy of personal data) and 6 (deleting personal data after the purpose is served) of section 9
- Section 10 (obligations when processing personal data of children)
- Section 11 (obligations of Significant Data Fiduciaries)
- Section 12 (Data Principal’s right to information about personal data)
There is no clarity or limitation on who these exempted data fiduciaries might be. While the government could use this provision to exempt small data fiduciaries from onerous obligations, there is nothing that limits the government to exempt only small data fiduciaries.
5. Lack of appropriate penalty for government offences
Earlier Bills contained explicit penalties for offences committed by government entities. For example, the 2019 Bill held the head of the department that committed the offence liable for penalties. This 2022 Bill, however, does not have specific provisions for government offences, instead subjecting government agencies to the same penalties as other data fiduciaries.
“Technically yes, enforcement for non-compliance (which may result in penalties) can be taken against any ‘person’, which is defined to include the state. However, the Bill provides broad exemptions to data processing for law enforcement, the performance of a judicial function, and the enforcement of any legal right or claim—in addition to residuary powers to exempt any government body. Due to these wide exemptions, it is unclear if any enforcement action—especially one seeking high penalties—would be taken against government bodies,” Vijayant Singh, Senior Associate at Ikigai Law, told MediaNama.
6. Powers of the Data Protection Board of India
The Bill proposes the establishment of the Data Protection Board of India, which will oversee the implementation of the Act, including carrying out investigations when there is a wrongdoing and imposing appropriate penalties. The composition of the Board and the rules of its functioning, however, are set to be dictated by the central government. If this is the case, there is unlikely to be any legitimate recourse in case of misuse of personal data by the government. “Normally, if an institution is to be established, a bill specifies who is qualified to be a member, chairman and secretary. Nothing is mentioned here. The data protection board will be a puppet of the government,” Justice BN Srikrishna told The Economic Times.
“The earlier drafts envisaged setting up of independent data protection regulator, which would oversee compliance with the law by both the private and government sectors. However, the new draft talks about setting up a Data Protection Board that will be under the direct control of the Government and thus its autonomy stands diluted,” Abhinay Sharma, Managing Partner at ASL Partners, opined.
Which government “instrumentalities” can be exempt?
“The term ‘instrumentality’ is not defined under any law. Through consistent judicial interpretation over the years, the term has been understood to mean any authority established by law as any instrument or agency of the state or a company carrying on the functions of public nature,” Pratyush Miglani, Managing Partner, Miglani Verma and Co, explained. “Article 12 provides an inclusive definition of State, which inter alia includes, Parliament, Central Government, (its State Counterparts) etc, wherein Central Government includes Executive, that is, agencies responsible for the implementation of laws,” Abhinay Sharma noted.
“An instrumentality of the state can be broadly understood as any body that performs state or government functions or falls under the control of the government. Law enforcement agencies would qualify as state instrumentalities – they are set up under a statute, are controlled and funded by the government, and perform state functions,” Vijayant Singh described. “Courts have interpreted this term when deciding which type of organisations (such as public-sector companies, universities) fall under the definition of ‘state’ under Article 12 of the Indian constitution,” Singh added.
Vinay Butani, Partner at Economic Laws Practice gave the following examples of judgments that bring out the nuances in how entities are classified as state instrumentalities or not:
- R.D. Shetty v. International Airport Authority of India & Ors, 1979: “Function test—sovereign functions, degree of control, extra-ordinary financial assistance, public importance i.e., these tests should be fulfilled for a body to become state agency or instrumentality.”
- Ajay Hasia v. Khalid Mujib, 1981: “Entire share capital held by the government, financial assistance, monopoly status, deep or pervasive control. The governments need not undertake their functions themselves. However, this does not imply that the bodies which carry out functions akin to them be under the direct control of the government either. It simply implies that the government should be exercising at least the slightest degree of control over the functions and duties carried out by the body. Being a statutory body does not in itself qualify it as a State and similarly, not being a statutory body does not automatically disqualify it from Statehood under Article 12. Any kind of body corporation can be given statehood as long as they are either funded by the State financially or if such a government exercises administrative or any other kind of direct or indirect control.” (emphasis ours)
Why is government access to data more worrisome in the 2022 Bill than previous draft Bills?
“The text has changed from the 2019 and 2021 versions to the latest iteration. The 2019 bill required exemption orders to be subject to a ‘procedure, safeguards and oversight mechanism’, while the 2021 Bill required orders to be ‘just, fair, and reasonable’. The 2022 bill does not contain such language—because of which it can be argued that the exemption powers have broadened,” Vijayant Singh said. “The material and practical impact of dropping this language remain unclear, however,” Singh added.
2018 Bill only allowed exemptions pursuant to law: The 2018 version drafted by an expert committee headed by Justice BN Srikrishna, had the strongest protections against government access to data. The 2018 Bill allowed the government and law enforcement agencies to process personal data in the interests of the security of the State only if it was “authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved.” Additionally, this was allowed only if the data belongs to a person who is “a victim, witness, or any person with information about the relevant offence or contravention” and if compliance with the Bill would “be prejudicial to the prevention, detection, investigation or prosecution of any offence or other contravention of the law.”
2019 Bill diluted protections, but still had some safeguards: The 2019 Bill diluted the earlier provisions giving the central government the power to exempt any agency of the government on the same grounds as the 2022 Bill (security of the state, public order, etc). The Bill, however, said that this should only be done if it’s “necessary or expedient” and the order exempting an agency must specify the “procedure, safeguards and oversight mechanism to be followed by the [exempted] agency.”
2021 reintroduced more safeguards: While government agencies could still be exempt on the same grounds as the 2019 Bill, the exemption must be subject to “just, fair, reasonable and proportionate” procedure, the 2021 Bill stated. The JPC made this change after deliberating on how existing provisions might not bode well with Article 19 of the Constitution, the Puttaswamy judgment and individual rights with respect to privacy. “The JPC’s recommendation that such exemption must be just, fair, and reasonable does not feature in the bill, although the same will apply as a constitutional standard,” Pratyush Miglani told MediaNama.
2022 Bill removes any kind of safeguard: Both the 2019 and 2021 Bills have been repeatedly criticised for giving excessive power to the government to exempt itself, but instead of addressing this issue, the 2022 Bill makes it easier for the government to access data by removing the limiting clauses that were there in the 2019 and 2021 Bills.
“The government has gotten a blank cheque with this bill. They, central or state, can do anything, anytime, under any section of the bill. This is concerning because if you are going to somehow make an inroad into data protection as a fundamental right, it can’t be guaranteed anymore. They (the government) are not bound by the bill at all.” — Justice BN Srikrishna told The Economic Times
Understanding the government’s power in the context of the Puttaswamy judgement
“In the Puttaswamy case, the Right to Privacy was declared a Fundamental Right under Article 21 of the Indian Constitution. While the preamble of the initial draft declared the right to privacy as a fundamental right, however, the 2022 draft makes no mention of the same in its preamble. Additionally, the new draft empowers the central government to exempt instrumentalities of state from its provisions without adequate checks and balances, thereby, ignoring principles of legality, necessity, and proportionality, as laid down in the Puttaswamy judgment,” Abhinay Sharma opined.
Countering this, Pratyush Miglani opined: “While prima facie, it may appear that the Puttaswamy judgment could pose a challenge to the provisions on exemption of government instrumentalities, a finer reading of the bill reveals that such power could be exercised in limited circumstances, such as sovereignty and integrity of the state, security of the State, etc. Given that fundamental rights including the right to privacy are not absolute, these qualifications can be read as reasonable restrictions to the right to privacy. Eventually, the court shall go over each of the qualifications with a fine tooth comb and determine if they qualify as reasonable or not.”
How does the Indian Bill compare to the EU’s GDPR?
“Comparative legal regimes, which, as per the explanatory note, were considered before proposing the Bill, do not contain comparable provisions. Such blanket exemptions to state agencies, let alone private corporations, are absent in foreign legislations. While the existing or proposed legislations in the European Union and in the U.S. permit security agencies to claim exemptions on a case-by-case basis, depending on why they are collecting personal data, they do not contain blanket exemption powers to an entire government,” Anushka Jain and Krishnesh Bapat of the Internet Freedom Foundation wrote in The Hindu. “Further, other jurisdictions exercise meaningful oversight over state surveillance. For instance, the Investigatory Powers Tribunal in the UK is authorised to hear complaints against misuse of surveillance powers and can impose monetary penalties in case of a breach,” Jain and Bapat added.
Unlike India’s DPDP Bill, the European Union’s General Data Protection Regulation (GDPR) does not provide a blanket exemption. It does allow exemptions when data is gathered and processed for the prevention, investigation, detection, or prosecution of criminal offences or for preventing threats to public safety, but this is a much narrower ground than what India’s Bill proposes. In fact, the GDPR was one of the reasons why the JPC felt the need to modify the 2019 Bill to include more safeguards on government access.
“As compared to the DPDP Bill, the GDPR explicitly does not provide for government exemption. However, GDPR does recognise that member states should adopt legislative measures which lay down the exemptions and derogations necessary for the purpose of balancing fundamental rights,” Vinay Butani remarked.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.