Click here to download the full paper (PDF)

Authored By: Mr. Vedant Jain (BBA LL.B (Hons)), School of Law, UPES, Dehradun.

Click here for Copyright Policy.

Click here for Disclaimer.

I. INTRODUCTION:

The previous year a giant data company Facebook (which recently trying to introduce its modified privacy terms particularly on Indian users) acquired 9.99% of share in Jio Platform worth around $5.7 billion but they are yet to decide their commercial agreement of how the integration of WhatsApp will take place with the JioMart and how the data will be shared among the two platforms as both of their privacy policies allows the sharing of user personal data with the third-party platform for their business growth.

The deal raises an important concern for the privacy of consumers in India, how their choices and preferences will be monitored by the private data companies/firms to target them without their direct knowledge which ultimately leads to their breach of privacy given the monetary benefits are involved.

In 2017 the Supreme Court in its judgement held that right to privacy is a fundamental right protected under article 21[1] (life and personal liberty) which led us to the question of privacy protection legal framework in India so that such type of deal can effectively protect the personal data of the citizens and also allow such firms to grow by abiding law as the fundamental right can only be enforced against State and its entities and not against private entity/firm.  

However, the parliament came up with the Personal Data Protection Bill, 2019, on the recommendation of B.N. Srikrishna Committee which was also proposed in the privacy Judgement of 2017 by the Supreme Court. The bill can be enforced against state entities and private individuals and entities too. The bill aimed to safeguard the personal data, strengths the privacy norms and also to regulate the privacy of an individual. In the drive of making India a truly digital nation, the bill was the need of the hour because protected privacy can only provide true freedom to an individual. It lays down the framework for the collection, dissemination, and protection of personal data which includes a wide range of data from health data to biometric data to genetic data[2]. The bill gives certain rights to an individual to know the purpose, nature and categories of data collected[3]. The bill is exemplary in the sense that people will control their data rather than the state or any firm.

However, the present bill could compromise the privacy, personal data protection and also hamper the progress of the digital economy. So briefly the article will present some of the concerning provisions of the bill that endangers the right to privacy of an individual. 

II. THE CONCERNING PROVISIONS OF THE PRESENT DRAFTED BILL:

II.I User Protection:

1. Under section 12[4] of the bill provides certain grounds for non-consensual processing of data even then also, notice is required to be given to the user under section 7[5] (1)(e) as the notice keeps them informed about the status of their data. But an exception to this under section 7[6] (3) is that entities can dispense away with notice for any non-consensual data. This provision should only be dispensed with in cases of emergencies like epidemic or disaster or for public order.
2. The bill under section 11[7] (6) makes user liable for legal consequences to take away consent without any valid reasons. Consent withdrawal should not be subjected to consequences as this will threaten the data principle’s consent providing for data processing. There should be no hurdles to withdraw consent.
3. Section 21[8] (2) of the bill creates fee for the exercise of certain rights of data principle which will disallow them from exercising it, as in India there are people with a very low-income group so they will not bother to exercise their rights even if there is a breach to their privacy. Exercise of all rights should be available at free of cost.

II.II Data Protection Agency (DPA):

1. Under the bill, only the Data Protection Agency (DPA) has the power to initiate proceedings and file complaint with the court and not the data principle. The data principle should have the right to approach the court directly and not at the discretion of DPA.
2. Section 25[9] of the bill talks about the reporting of the personal data breach and the data fiduciary makes the assessment of the breach causing harm then inform the DPA. It’s upon the DPA whether to inform the data principle of the breach or not. This subjective assessment by the data fiduciary and discretion of the DPA seriously injures the privacy rights of data principle and put him in the dark about the use of his/her data.
3. There is a provision in the bill for the creation of Policy by Design (PbD) that must be approved by the DPA but there is no necessary obligation for its implementation by the data fiduciary. There should be a mandatory obligation of its implementation also to provide a better safeguard.
4. There is a greater harm to the composition of the DPA body as the selection committee is made up of Secretaries to the Central Government and its ministers. Since it will be the sole body to deal with all the matters of data protection and its breach, its composition should also consist of independent members. The selection committee should also include the CJI and an independent Expert like it was mandated in the previous bill of 2018. The regulatory body needs to be independent, transparent and effective otherwise the public trust won’t be there in the body. If the body is only controlled by the govt. then it may become arbitrary and might not protect the privacy which is a fundamental obligation on the State to protect it.
5. Under the bill, DPA is no longer required to publish results of inspection or inquiry in the public domain. Publishing of these reports will enhance the transparency of the regulator and also serves in the public interest. The publishing of reports can help understand the data principle how the DPA works and ensure effective implementation, the data fiduciary can understand the need for compliance and it will gain trust and faith in the DPA body.

II.III Powers Given to State:

a. Section 35[10]of the Bill empowers the Central Government to pass orders to exempt itself or any other state agencies from any or all provisions of the proposed data protection regime. The bill enables the Central Government to pass orders whenever it considers it necessary or expedient in the interests of sovereignty and integrity of the country, national security, friendly relations with foreign states, public order or to prevent the incitement to commit offences that jeopardise these interests. There also does not exist any procedural and substantive safeguards which enable the state to exercise that right. Section 35 empowers the govt. with a wide degree of discretionary powers which overrides the fundamental right to privacy. This is the most drastic section in the entire bill which alone defeats the purpose of privacy and inevitably gives the privacy of data principle in the hands of govt. agencies without any justification.

In Puttaswamy judgement the Supreme Court laid down the test by which the right to privacy can be restricted with reasonable grounds. The lead judgment in Puttaswamy[11] set out a three-part test that any restriction to the right to privacy should meet to be considered reasonable i.e. (in para 180, Puttaswamy):

1. the existence of law i.e., an action of the Central Government to limit the right to privacy needs to be backed by law. This requirement arises from the content and procedural mandates of Article 21 of the Constitution, that requires that any action that deprives a person of their right to liberty must be backed by the law;
2. legitimacy i.e. the Central Government must restrict the right to privacy only to satisfy a legitimate state aim, and
3. proportionality i.e. the quality and severity of restrictions on privacy must match the objective of the law. The means to curtail privacy, adopted by the legislature should not be disproportionate to the objectives of the law.    

Under article 21 it is established principle that any restrictions on fundamental rights should be fair, just and reasonable and not arbitrary and unreasonable[12]. This section can be challenged for its constitutional validity as it surely fails the triple test of article 14, 19 and 21 of the constitution. Under the section the govt. should clearly set out the mechanism and structure of exercising its powers and in the previous draft of the bill, it was clearly mentioned as procedure established by law for the exercise of such power by the Central govt., the same should be inserted in the present bill.

b. The combined reading of section 91[13](2), 91[14] (3) and 2[15] (B) gives the power to the Central Govt. to take any non-personal data from the data fiduciary for the purpose service delivery and policy-making. The objective of this bill was to protect rights to their personal data and ensure the fundamental right to privacy while these provisions clearly negate those rights entirely.

The current bill is like a double-sided sword which on the one hand provides the protection of personal data of an individual by empowering them with data principle’s rights and on the other hand, gives the govt. exemptions by which they can easily infringe anyone’s privacy. Justice B.N. Srikrishna said that the bill has dangerous implications and can turn India into an Orwellian state and he was the chairperson of the committee on whose recommendations the previous bill was drafted in 2018. The current bill gives the govt. extraordinary powers to breach privacy at their will and wishes. It is through privacy only that a person can make his own choices freely like sexual orientation, health condition, mental condition and banking transactions. By compromising the privacy rights the person is being extorted and coerces.    

The important question it raises is the protection of whistle-blowers if any person knows and want to reveal the information about the misleading conduct of govt. or its ministers then the most important thing is his privacy. If the govt. invades his privacy and tries to stop him then it will lead to coercion and grave misuse of public power. The govt. derives its powers from the Constitution and if the exercise of that power is against the fundamental principle of the Constitution then it cannot become justifiable. Whenever there is discretion, there is arbitrariness fits perfectly in the current bill. The discretion given should be used in a fair, just and reasonable manner which is opposed to arbitrariness, unjust and unreasonable means. Fundamental Rights imposes a duty on the state to protect the rights of its citizens. Therefore, it is the duty upon the state to protect the privacy rights of its citizens but the current bill seems to defeat that obligation.

In the era of Google and Facebook whose, platforms easily access the personal information of its user because of its privacy policy and share them with a third-party host to run their business, the role of govt. and its agencies becomes very significant to protect its citizens from any unfair trade practices and this can only be done by implementing effectively the privacy laws in India. We have seen around the world that how the breach of privacy impacts the general elections of their country in the modern digital era even though having an effective mechanism. If without air a person can die than without privacy a person cannot live freely and wilfully. Privacy is the ultimate essence of the freedom of an individual. The exemptions in the current bill give the govt. right to surveillance on its subjects (citizens) without their express written consent and only on the whims and fancies of the govt. 

III. CONCLUSION:

Although the current Personal Data Protection Bill 2019’s objective is to safeguard and protect the personal data and privacy rights of an individual but the exemptions given to state and its agencies seriously undermine its intentions. Since the right to privacy had been granted a fundamental right by the Supreme Court, the current bill has to satisfy the highest standard of reasonableness and fairness. Freedom is essence by which an individual live which can only be ensured by the privacy rights but the discretion is given to the State has the capability to take away that privacy and ultimately freedom is also curtailed. Some of the provisions of the bill does not satisfy the reasonable restriction criteria developed by the Supreme Court and can be declared unconstitutional.

Privacy is the biggest asset of an individual in present-day technological world. Indian Constitution is based on the philosophy of Rule of Law and this principle implies the absence of arbitrary rules. The level of obligations imposed by the fundamental rights is greater than any other law or rules created by the State. Article 21[16] cannot be abrogated even in an extraordinary time, so the level of scrutiny is much higher when State make such kind of provisions to justify its action. A state cannot play with the privacy of an individual just so they have the statutory protection, they are accountable to a higher level of reasonableness.

The provision above mentioned categorically shows the need to modify or amend them so as to make them fair & reasonable and that can also protect the personal data and privacy of an individual. Also, the fact that rights are nothing unless remedies are provided whereby people can seek to obtain redress when rights are invaded, so given the mechanism of the DPA, the bill does not provide any substantive remedies to data principle in case of any breach. State’s intentions may be bonafide but the end cannot always justify the means. The article concludes by saying for a right that ultimately needs to be protected, the beginning needs to be right.

[1] Justice K.S. Puttaswamy and Anr. v. Union of India, W.P. (Civil) No. 494, 2012.

[2] Krishnaveer Singh, Does the Data Protection Bill threaten the right to privacy, National Herald (2 Jan 2020, 4:27 PM), https://www.nationalheraldindia.com/opinion/does-the-data-protection-bill-threaten-the-right-to-privacy.

[3] Id.

[4] The Personal Data Protection Bill, 2019; § 12.

[5] The Personal Data Protection Bill, 2019; § 7.

[6] Id.

[7] The Personal Data Protection Bill, 2019; § 11.

[8] The Personal Data Protection Bill, 2019; § 12.

[9] The Personal Data Protection Bill, 2019; § 25.

[10] The Personal Data Protection Bill, 2019; § 35.

[11] Maneka Gandhi v. Union of India, AIR 1978 SC 597.

[12] Id.

[13] The Personal Data Protection Bill, 2019; § 91.

[14] Id.

[15] The Personal Data Protection Bill, 2019; § 2.

[16] Constitution of India; art. 21.