Ad: India’s Data Protection Bill is here, and your business needs to adapt. K&S Digiprotect, with its team of data protection experts, offers compliance services tailored to help you adapt to the new regulations, safeguard your data and build trust with your customers. Contact us now!
Under the Digital Personal Data Protection Bill, 2023, the Indian government, or its authorised officers, after giving a data controller an opportunity to be heard, can order any government agency or intermediary to block public access to information in the “interests of the general public”. This can only happen if the government (or officer) receives two kinds of references from the Data Protection Board, the apex body investigating non-compliance with the bill. One, intimating it of penalties being imposed on a data controller more than twice. And two, if the reference, in the “interests of the general public,” advises blocking public access to information transmitted on any computer resource enabling the data controller to offer goods or services to data principals in India. Intermediaries are bound to comply with such blocking orders.
The “problematic” provision “could be used for blocking websites and applications,” said advocacy group SFLC in a media statement, similar to how other controversial content blocking provisions in India already work. “It’s a way for the Central government to usurp more censorship power for itself,” added lawyer and public policy professional Divij Joshi, speaking to MediaNama.
“The reason as to why censorship is being introduced through a data protection bill is not known, but it fits well with the current ethos of the country where censorship, and specifically censorship on the internet, are being pushed and intermediaries are being increasingly brought under the wings of the State,” pointed out Radhika Roy, Associate Litigation Counsel at the Internet Freedom Foundation.
However, Aman Taneja, Principal Associate at Ikigai Law, differed, noting that the provision has more to do with blocking businesses in India that are non-compliant with the data protection law, rather than free speech. “In some sense, it is a service-blocking provision,” Taneja explained. “That if you don’t comply [with the data protection law], you get blocked in the country, you can’t offer services in the country. As for why the language ‘intermediary’ is used, these are online services. So, the government issues a block at an ISP-level issue, essentially. That’s the logic of it.”
The Digital Personal Data Protection Bill, 2023, is the fifth iteration of India’s much-awaited data protection law, with previous versions released in 2018, 2019, 2021, and 2022. Read our full summary here, and explore our thematic coverage here.
Reading the provision through a censorship lens
Experts say grounds for blocking are not Constitutionally protected: Speaking to MediaNama following the Bill’s release, Joshi observed that the blocking provision travels beyond the government’s blocking powers held under Section 69A of the IT Act, 2000 and the Supreme Court’s Shreya Singhal verdict delivered in 2015. Remember: the Indian government can already block public access to online information on grounds like national security under Section 69A of the IT Act, 2000. The provision (and the government’s censorship) survived constitutional scrutiny in Shreya Singhal on specific grounds.
“Section 69A has a very specific procedure to issue blocking orders, where there’s a Review Committee, and there’s a chance to appeal [the order],” Joshi explained. “A lot of this was brought up in the recent Twitter order [by the Karnataka High Court dismissing the platform’s case on the Indian government’s alleged online censorship via Section 69A].” The second thing is the grounds on which information can be ordered to be blocked, which are also mentioned in the provision and the rules [for Section 69A]. Those grounds are the same grounds as mentioned under Article 19(2) of the Constitution, which provides the acceptable restrictions on freedom of speech [like “sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence”].
If you read Section 37 here [of the DPDP Bill, which is the blocking clause], you’ll see immediately what I mean by it going beyond Section 69A. First of all, the procedure to be followed isn’t the same. So, the substantive procedural safeguards that were specifically highlighted by the Supreme Court in Shreya Singhal as a reason for which 69A passed muster at all constitutionally [are missing]…
…The second thing is it [Section 69A] is directly linked to the wording of Article 19(2)…[But] If you read Section 37, it uses this really vague term which is not in the Constitution, which says in the “interests of the general public”. That is not a constitutional ground for censorship or for restriction of freedom of expression, more specifically…[There’s also the financial penalty provision]…Both these conditions will need to be satisfied for the blocking order to happen…Neither of these actually have any link to, again, the constitutional grounds of Article 19(2). The censorship provision has nothing to do with the data protection provision.”
Concurring with the censorship concerns surrounding the provision, Roy also described the blocking grounds as vague. “With Section 37, we can see that the ground for blocking access to information is ‘in the interests of the general public,'” Roy explained. “This is a very vague term and generates the potential of being misused because of how overbroad it is.”
This isn’t necessarily an isolated fear. Despite being upheld by the Supreme Court, the broad Section 69A blocking grounds have been repeatedly criticised for enabling opaque government censorship online.
Article continues below ⬇, you might also want to read:
- Summary: India’s Digital Personal Data Protection (DPDP) Bill, 2023
- India’s Digital Personal Data Protection Bill, 2023 Gives The Government Powers To Exempt Itself From The Bill, Block Content, And More
- Digital Personal Data Protection Bill, 2023: Executive-Appointed And “Independent” Data Protection Board To Investigate Non-Compliance, Impose Penalties
- India’s Data Protection Bill Tabled In The Lok Sabha: MPs Voice Concern
Reading the provision through a business operations lens
Whether the bill restricts the right to operate a business, or to speech, depends on the platform being blocked: “In the case of Section 37, they say blocking can happen in the public interest, which is not necessarily an Article 19(2) ground [for speech restrictions],” Taneja argued. “But it is a ground to restrict Article 19(1)(g) [the right to freedom of trade].”
“When we’re looking at restrictions on Article 19(1)(g) we look at Article 19(6),” Taneja continued. “It says that nothing in the said clause shall affect the operation of any existing law or prevent the state from making any law which imposes in the interest of the general public reasonable restrictions on this right. So, the government is finding the basis of the blocking provision in that…There are also safeguards in that you will get a hearing…So, if it is viewed as an Article 19(g) restriction on trade, then its [legal] validity is likely to survive. But, if it is viewed as an Article 19(2) restriction, then that question remains open. So, it will depend a little bit on the facts, or which platform ends up getting blocked…Even if it’s a social media platform getting blocked, it’s impacting user speech, in some sense. But, at the same time, the logic of it will be it’s trying to protect users’ privacy. So, then it becomes a balancing exercise.”
Is India alone in including such a provision in a data protection law?
“If you look at even the GDPR, they say a Data Protection Authority can bar you from processing personal data of citizens in one country, for instance, which effectively becomes a ban,” Taneja argued. “If you remember what just happened with ChatGPT in Italy, that was the order which was passed. They were told to stop processing in Italy, which effectively means you would have to ban [the service]. But, what’s different here is that you’re figuring out a way to enforce a ban against someone who may try to skirt it otherwise. So, you go to the internet service provider and ask them to block [the service instead].”
However, if you read the provision as a content-blocking measure, then the bill could have over-stepped its remit, hitting free speech rights in the process. “The provision does not emanate from the object of the Bill which was to balance the processing of data and the data privacy of the public,” Roy pointed out. “It, therefore, also goes beyond the intention behind the implementation of the Bill. Further, from what we’ve noticed in terms of the Blocking Rules and even the IT Rules [India’s platform regulation rules], intermediaries find it in their interest to comply rather than not. In such an event, then it bears heavily on a right of an individual to receive information, a right which is protected under Article 19 of the Constitution of India [the right to speech].”
STAY ON TOP OF TECH POLICY: Our daily newsletter with the top story of the day from MediaNama, delivered to your inbox before 9 AM. Click here to sign up today!