How the Data Protection Bill, 2022 fares in the Supreme Court’s Puttaswamy test: IFF

“The Data Protection Bill, 2022 fails the proportionality standard adopted by the Supreme Court in Puttaswamy – I and II. The Data Protection Bill, 2022 will pass the test of legality, and may even pass the test of legitimacy, but its inability to provide a suitable means of achieving a legitimate state objective, its failure to consider less intrusive alternatives, and its complete failure to provide procedural safeguards, render the Data Protection Bill, 2022 a disproportionate invasion of user privacy, and may even render the entire Bill unconstitutional,” the Internet Freedom Foundation (IFF) concluded after an analysis of whether the Bill meets the Puttaswamy test.

What is the Puttaswamy test: The Supreme Court’s Puttaswamy judgements (in 2017 and 2019) recognised the right to privacy as a fundamental right of Indian citizens and tasked the government with enacting a data protection law. The court also noted that encroachment/restriction of privacy can only be allowed if the restriction satisfies the three-fold tests:

1. Legality: There must exist a valid law allowing the restriction of privacy
2. Legitimacy: There must be a legislated state aim justifying the restriction
3. Proportionality: The restriction must be proportionate to the object and needs of the law

Why does this matter: If the Bill is enacted as is, one of the strongest legal challenges it might encounter will be based on how it fares on the Puttaswamy test.

MeitY has extended the deadline for public feedback on the Bill to January 2, 2023. The feedback may be submitted on the MyGov website. 

How does the Bill fare under the three tests?

1. The Bill may satisfy the legality test: The Bill “may satisfy the first test of legality, since, by virtue of it being a statute, it will provide a legal basis for the government’s actions,” IFF observed.

2. Unclear if Bill will satisfy the legitimacy test: IFF noted that “the existence of a legitimate state aim that can pass the second test is less clear” because the objective of the Bill appears to be to allow for the processing of personal data rather than to protect personal data. To justify its point, IFF cited the objectives laid out in the Bill as well as the wide exemptions provided under Clause 18 to the government and other entities and the low bar for consent under Clauses 7 and 8. “It is intended to be a data processing bill and not a data protection bill,” IFF remarked. IFF further questioned the fact that the Bill imposes penalties on users in certain situations. “These are worrying developments since a legislation that is supposed to protect the rights of individuals is now imposing penalties on them,” IFF added.

“An argument could be made that data processing is a legitimate state aim, but its legitimacy is weaker than the state aim of protecting personal data of Indian citizens and users. This is because protecting user data is directly derived from the Constitution of India and the fundamental rights it guarantees, whereas the state aim for data processing comes from the commercial interests of data fiduciaries and the state,” IFF explained.

3. The Bill will not pass the proportionality test: IFF explained that the proportionality test consists of four sub-components:

1. Legitimacy test: “A measure restricting a right must have a legitimate goal (legitimate goal stage) and it is designated for a proper purpose.” IFF already explored above how the Bill does not do well on the test of legitimacy, but for the sake of the rest of the analysis, it assumed “that the goal was legitimate, i.e. that the goal was to protect the personal data of Indians.”
2. Suitability test: “It must be a suitable means of furthering this goal (suitability or rational connection stage), i.e. measures undertaken to effectuate the limitation are rationally connected to the fulfilment of the purpose.” As for this test, IFF concluded that the Bill is “unsuitable for adequately protecting user data” because of the dilution to user consent for processing data. Clause 7(4) allows for “a scenario where a restaurant can refuse service if a Data Principal does not consent to sharing her contact data with third-parties, and lead to data blackmail,” IFF pointed out. IFF also questioned the whole concept of deemed consent under Clause 8, noting that “highly vitiated scheme of consent will force greater generation and sharing of data than is necessary, and entirely fails core tenets of data protection, specifically data minimisation and purpose limitation.”
3. Necessity test: “There must not be any less restrictive, but equally effective alternatives (necessity stage), i.e. there are no alternative less invasive measures.” On this front, IFF noted that the Bill does not consider any less effective alternatives to achieve its aim although such alternatives exist. IFF also observed the absence of the seven privacy principles (fair use, purpose limitation, data minimisation, storage limitation, reasonable safeguards, accountability) endorsed in the Puttaswamy judgement, although these principles were outlined in an explanatory note released along with the Bill, which does not have any legal effect. IFF pointed out clause 9(6) which requires erasure of personal data once purpose is served but allows for retention if it’s necessary for business purposes. “The wording of Clause 9(6) leaves room for a Data Fiduciary to retain personal data of its users forever […]Here, the principles of storage limitation, purpose limitation, and fairness to the Data Principal are defeated simultaneously,” IFF remarked.
4. Balancing test: “The measure must not have a disproportionate impact on the right holder (balancing stage), i.e. there is a proper relation between the importance of achieving the aim and importance of limiting the right.” IFF concluded that the Bill fails this test because it “completely fails to provide any procedural safeguards at all.” Noting that “the presence of adequate procedural safeguards help ensure that there is a proper relation between the importance of achieving the state aim and importance of limiting the citizens’ right,” IFF points out four provisions which demonstrate there is a failing on this front: the lack of independence of the Data Protection Board from the government, the wide powers the government has to exempt itself under Clause 18, which “could result in mass surveillance,” the number of aspects left to be clarified by delegated legislation, and the removal of compensation for users who actually suffer the harm from any violation of the Act.

What does the government think?

Speaking at a Twitter Spaces conversation last month, Minister of State in Electronics and Information Technology Rajeev Chandrasekhar stated that the Bill meets the test. “As you know, the Puttaswamy judgment talked about proportionality, necessity and legality and this Bill meets the test of all of those principles because the only exemptions […] are for the government to be able to use citizens’ personal data in the event there is a court order, in the event there is a national security issue, in the event there is a pandemic, in the event there is a natural disaster, and so on and so forth.” (emphasis ours)

What other experts have noted:

Speaking at MediaNama events held in Delhi and Bangalore, privacy activists pointed out that Puttaswamy test requires safeguards against abuse, which the Bill doesn’t have. Additionally, they pointed out that not all actions taken by government agencies are justified enough to violate privacy. Arguing that it doesn’t meet the Puttaswamy test, Anushka Jain of IFF explained that “necessity and proportionality are something that have to be applied on a case-by-case basis whereas these clauses, especially clause 18, allows the entire agency or instrumentality to be exempted. So it’s not why the action has been taken, it’s based on who is taking the action. So in that situation, it’s definitely not complying with the safeguards of necessity and proportionality, because you can’t say that every action taken by the NIA or by RAW or by CBI is justified enough to violate privacy.”

But not all experts are on the same page. Pratyush Miglani, a lawyer who spoke with MediaNama opined: “While prima facie, it may appear that the Puttaswamy judgment could pose a challenge to the provisions on exemption of government instrumentalities, a finer reading of the bill reveals that such power could be exercised in limited circumstances, such as sovereignty and integrity of the state, security of the State, etc. Given that fundamental rights including the right to privacy are not absolute, these qualifications can be read as reasonable restrictions to the right to privacy. Eventually, the court shall go over each of the qualifications with a fine tooth comb and determine if they qualify as reasonable or not.”

Also Read

• A Complete Guide To India’s Digital Personal Data Protection Bill, 2022
• MediaNama event discussions: Reworking the Data Protection Bill, Delhi and Bangalore
• State Surveillance, Reduced Obligations, And Eight Other Issues With The 2022 Data Protection Bill: IFF
• Twelve Major Concerns With the 2022 Bill
• What India’s IT Minister Has To Say About The Concerns Around The Bill