Personal Data Protection: What A New Bill Should Look Like
In the first week of August, the Ministry of Electronics and Information Technology moved to suddenly withdraw the Personal Data Protection Bill, 2019, citing the report of the Joint Parliamentary Committee and its detailed recommendations. In its place, the government has committed to enacting a “comprehensive legal framework”, i.e. a new law, “hopefully” – as per the Minister – by the next Budget session of Parliament.
A lot has been written about the reasons for withdrawal and its immediate implications. However, given that the withdrawal has happened, it is important to focus on the way ahead.
There have been multiple iterations of the data protection law over the last five years – the Srikrishna Committee submitted its draft Personal Data Protection Bill in 2018; the government introduced its version one year later in the Lok Sabha in the form of the PDP Bill, 2019; and the JPC proposed a redrafted Data Protection Bill in 2021. Each of these drafts was more complex, and more criticized, than the version before it.
Regardless of one’s views on the merits of the withdrawal of the PDP Bill, the government now has a blank slate when it comes to redrafting the law. What elements should such a law contain? I give six suggestions here.
Re-Centre The Bill On Privacy
The impetus behind enacting a data protection law came partly from the Supreme Court’s observations in the Puttaswamy judgment, which recognized the right to privacy as a fundamental right. The decision was given in the backdrop of the constitutional challenge to the Aadhaar scheme and its impact on privacy, consent, and choice, leading the Court to recognize that the “dangers to privacy” in an information age originate from State and non-State actors.
The draft PDP Bill 2018 released by the Srikrishna Committee as well as its accompanying report tried to balance the right to privacy with the importance of the digital economy, with the objective to “unlock the data economy”. The 2018 Bill recommended a comparatively stricter approach towards regulating the private sector, compared to the leniency shown towards state action. This philosophy was followed in the PDP Bill, 2019. This was critiqued by many for unnecessarily undermining privacy. Unfortunately, instead of responding to this critique, the JPC further privileged the state’s interests, at the expense of the individual. Taking a view that digital privacy must be circumscribed and limited by the country’s sovereignty, integrity and security, the JPC recommended modifying the long title of the Bill to add that its purpose was also, “to ensure the interest and security of the State”.
National interest and security should not be the underlying considerations for a data protection and privacy law. The government would do well to correct this assumption in any forthcoming legislation and re-centre privacy and autonomy as the primary objective.
Retain The Original Focus On ‘Personal’ Data
The PDP Bill was always intended to focus on the privacy of individuals and the regulation of their personal data. This was reflected in the text of the Srikrishna draft law in 2018 as well as the PDP Bill, 2019. However, without any coherent justification, the JPC recommended expanding the scope of the law to cover the regulation of personal and non-personal data.
Such a move was without precedent. Most countries regulate personal and non-personal data separately, partly to avoid conflicting concerns. A personal data protection law keeps the individual at its centre and is focused on regulating the collection, storage, and use of their personal data, such as health or financial data. In contrast, non-personal data such as traffic data is anonymized and its regulation is focused on unlocking the “economic benefit” that inheres in such data.
A law that conflates these concerns will only be cumbersome and difficult to implement.
Reduce State Exceptionalism
Each iteration of the law has increasingly privileged state action and provided wide-ranging exemptions to state and law enforcement agencies. Clause 35 empowers the central government to exempt any government agency from the entire application of the law, even if it is simply “expedient” in the interest of “public order”. Clause 36, which has attracted less attention, but is perhaps even more insidious, exempts law enforcement agencies and even private RWAs as long as it is in the interest of prevention, investigation, and prosecution of offences. There is no statutory requirement for these exemptions to be invoked only after satisfying the Puttaswamy standard of legality, necessity, or proportionality. Nor is there any independent (or even executive) oversight to provide some accountability against misuse.
Any exemptions granted to state agencies under the new law should be strictly regulated and such a carte blanche approach must be avoided.
The exemptions must be narrowly tailored and should not exempt the entire law. Similarly, certain procedural safeguards and appeal provisions should be built into the law.
Introduce Surveillance Reform
As we saw in the Pegasus revelations, privacy interests are also directly implicated by another form of state action – surveillance. As acknowledged by the Srikrishna Committee, India’s surveillance regime is inadequate and lacks any independent or inter-branch oversight, in stark contrast to other major democracies. A new data protection law provides an important opportunity for surveillance reform.
Strengthen Independence And Robustness Of Regulator
The PDP Bill, 2019 establishes the Data Protection Authority as the regulator, which is tasked with grievance redress and compliance. Given that the State is one of the biggest actors over which the DPA has jurisdiction, it is imperative to ensure its independence. The appointment process for the DPA needs to be overhauled to reduce executive control.
At the same time, the success of the law requires the DPA to be robust and effective. The law must provide for a large DPA that is well-funded, has adequate personnel, and has offices in multiple parts of India. This will prevent the centralisation of power in Delhi and make it accessible to individuals across the country.
Remove Data Localisation Mandates
The proposed law should remove the strict data localisation mandate that impedes cross-border flows and increases the risk of state surveillance. Data localisation must be narrowly tailored only to clearly defined critical data. Apart from benefits to business, such a provision will also have a strong environmental benefit, given the climate costs of having companies maintain data servers in India and abroad.
Hopefully, in our 76th year of independence, we will have a new and improved data protection law!
Vrinda Bhandari is an independent lawyer practicing in New Delhi, and is an Of-Counsel for the Internet Freedom Foundation. She works on a variety of digital rights and privacy issues.
The views expressed here are those of the author and do not necessarily represent the views of BQ Prime or its editorial team.