In August of 2017, the Supreme Court unequivocally reaffirmed that the right to privacy was indeed guaranteed by the Constitution to its people, in the Puttaswamy judgement. One essential component of the Court’s decision was the recognition of ‘informational privacy’ as one of the types of privacy, especially in today’s digital age. Acknowledging the pervasiveness of digital tools and the internet in everyday life, the Court emphasised the need for the timely introduction of a data protection law applicable to both private entities and the State.
Over the past few years, while India has deliberated on the framing of its data protection bill, technology and its applications have continued to advance at a blinding pace. The internet is getting faster (5G), smartphones are reaching more hands, the number of apps and their features is rapidly growing, there is increased deployment of AI systems, and governments are increasingly relying on technological tools for various responsibilities such as delivery of public services and law enforcement. The increased reliance on technological solutions has only intensified during this devastating pandemic. Given this context, now, more than ever, is the time for India to lay down a robust, privacy-protecting data protection law.
As we await the Joint Parliamentary Committee’s final report and its revised version of the PDP Bill, we point to some critical changes that need to be made to the PDP Bill to ensure a robust data protection law in India.
An independent and capable regulator
The primary objective of a data protection law is to protect individuals against privacy harms from both the State and private entities. Consequently, any regulator tasked with enforcing such a law must enjoy a high degree of autonomy and independence to effectively discharge its role.
In the draft of the PDP Bill currently being examined by the JPC, the central government is tasked with establishing the regulator, the Data Protection Authority (DPA). The chairperson and members of the DPA are appointed based on the recommendations of a committee that is wholly composed of bureaucrats. In comparison, the Bill proposed by the Srikrishna Committee had envisaged the appointment of the regulator by a committee composed of a senior judge of the Supreme Court, the cabinet secretary and a reputed expert nominated by the other two members. Consequently, given the extent of government involvement in the appointment and removal of the members of the regulator under the current PDP Bill, significant questions remain around how independently and autonomously the DPA will be able to function.
Besides independence and autonomy of the regulator, effective operationalisation and enforcement of the data protection law is contingent on high regulatory, technical and financial capacity of the regulator. The European Union’s General Data Protection Regulation (GDPR) was brought into force more than three years ago and is now broadly considered the benchmark for data protection legislation globally. Even with legislation that has been considered a benchmark, one of the significant challenges faced by the EU in the implementation of the GDPR has been the capacity of its regulators. It has been highlighted that inadequate technical and financial capacity of the regulator has impacted its ability to effectively enforce the GDPR given that it engages with complex techno-legal issues and is regulating some of the biggest private corporations in the world. India must learn from the EU’s experience and ensure that the DPA has sufficient regulatory, technical and financial capacity to regulate not only large private corporations but State entities as well.
Data protection regulation will need to constantly play catch-up with advances in technology. Consequently, the regulator needs to be empowered to issue timely rules and regulations to effectively respond to evolving aspects of complex technologies like artificial intelligence and new breakthroughs in data processing capacity. Ensuring that the regulator is autonomous and independent and has high capacity becomes even more crucial for such rapid and significant decision making. The JPC’s revised Bill must address these concerns and ensure that the Bill enables the creation of an independent and high capacity regulator.
A law applicable to the State
The current draft of the Bill being examined by the JPC provides for wide exemptions to the State from certain core provisions of the Bill. Some conditions for triggering such exemptions are the security of the State, public order, sovereignty and integrity of India, and friendly relations with foreign States, among others. These conditions are fairly broad and run the risk of being applicable in myriad situations and hence would significantly dilute the privacy protections available to individuals in the context of the State.
Having said that, the State can legitimately impose limitations on all fundamental rights in India, if certain conditions are fulfilled. One of the essential conditions the Supreme Court has laid down in the context of limiting the right to privacy of an individual by the State is that of proportionality: the measure adopted to limit privacy must be proportionate to the object sought to be achieved.
Crucially, the current draft of the Bill does not incorporate the doctrine of proportionality while laying out the wide exemptions for the State. Therefore, such broad exemptions provided to the State under the PDP Bill run the risk of being unconstitutional. The JPC’s revised version of the Bill must significantly narrow the scope of exemptions to the State and must necessarily incorporate the doctrine of proportionality within its text.
Leading by example and setting a benchmark for the Global South
News reports suggest that the JPC’s revised version of the Bill will have significant changes from the version currently being examined by it. As the Bill will impact a wide array of stakeholders and citizens, it is critical that Parliament seeks public feedback from a range of stakeholders and enables meaningful public consultation on the JPC’s revised version of the Bill. This will ensure a participatory legislative process and the formulation of an effective data protection law.
Oftentimes, Global South countries look towards India and follow its example on the formulation of contemporary laws and policies. Thus, as India is recognised as a leader for its progressive stand on net neutrality, ensuring access to the internet remains equal for all, it must also introduce a robust, privacy-respecting data protection law that sets the benchmark for privacy in the Global South. This will be in line with the government’s endeavour to strengthen the digital capital of the country and position India as a leading example for other countries to follow, specifically in the Global South.
(Kakkar is Executive Director, Centre for Communication Governance, National Law University, Delhi; Mohan is Senior Project Manager, Centre for Communication Governance, National Law University, Delhi)