Kshitij Goyal
The provisions in the 2019 Bill do not align with the Puttaswamy judgment and are also incompatible with the effective privacy regulation
The Joint Committee of Parliament on the Personal Data Protection Bill, 2019, has adopted the draft report of the Bill on personal data protection three years after the Justice Srikrishna Committee of Experts crafted the draft. But the Draft Bill falls short of the standards set by the Committee, based on the landmark Puttaswamy judgment on privacy. The important divergence from Justice Srikrishna’s draft Bill is the latitude provided to the Union Government to exempt its agencies from the application of the Act.
It is to be noted that the 2019 Bill places heavy reliance on members of the executive in the selection for the Data Protection Authority. The 2019 Bill has “public order” as a qualifier in section 35(i) to exempt a government agency from the Act, above and beyond, only providing for those reasons to be recorded in writing. This is in contrast to the 2018 Bill that provided exemptions to the state institutions from acquiring informed consent only in cases relating to the “security of the state”. The 2018 Bill also called for a law to provide judicial approval and parliamentary oversight of non-consensual access to personal data. Section 12(a)(i) of the 2019 Bill grants blanket exceptions to the government agencies from the provisions of consent. While the private agencies/companies would be given two years to migrate to the new data protection regime, no such stipulation was required from the government agencies.
Congress leader Jairam Ramesh in his dissent note pointed out that Section 35 gives unbridled powers to the Central government agency from the entire Act. He asked the Centre to get Parliamentary approval from exempting any of its agencies and asked to remove the ground of ‘public order’ from Section 35(i) given its prone to misuse.
The Court in Superintendent, Central Prison v. Ram Manohar Lohia, while interpreting the term “public order,” read it in an exclusive sense to mean safety, public peace, and tranquillity. This was in contradistinction to national upheavals, such as civil strife and war, revolution, affecting the security of the State. Subsequently, the Court in Madhu Limaye v. Sub-Divisional Magistrate, Monghyr, held that the expression ‘in the interest of public order’ is wider than the ‘maintenance of public order’ and ‘public order’ has within itself not only the absence of those acts that disturb the security of the State or the absence of riot, insurrection, turbulence, or crimes of violence, but also the absence of acts, which are breaches of the peace, and disturb public tranquillity. So, the Supreme Court has given a wider interpretation to the term ‘in the interest of public order,’ which can be prone to misuse. That is why the term ‘public order’ in Section 35(i) of the 2019 Bill found its way in the dissent notes submitted to the chairperson of the JPC.
Under the 2018 Bill, the exemption was approved for the security of the State, subject to such processing of personal data being (i) per the procedure laid down by law; (ii) authorised bylaw; (iii) necessary; and (iv) proportionate to the interest being achieved by the law. This four-stage process embeds the principles laid down in the case of Puttaswamy. This was the first step towards determining the State’s surveillance powers, even though the recommendation of the Srikrishna Committee concerning the ex-ante judicial approval of the entire process was not included in the Bill. Under the present 2019 Bill, section 35 provides that the Central Government may exempt its agencies if it is contented that it is ‘necessary’. There has to be a written order exempting any government agency from the application of any of the provisions of this Bill in respect of the processing the personal data subject to such safeguards, procedure, and oversight mechanism as may be prescribed.
Section 12(a)(i) of the 2019 Bill also grants total exceptions to the government agencies from the provisions of consent for providing any function of the State authorised by law. The provision of any public services should not be a complete exemption to the consent requirement. The conditions for the non-consensual processing of personal data should also be based on proportionality and not solely on necessity.
By doing away with the four-pronged test, the provisions in the 2019 Bill do not align with the Puttaswamy judgment and are also incompatible with the effective privacy regulation. The concerns enunciated by the dissenting JPC members over the report are valid. In this year of the Pegasus spyware controversy, it is not unnatural that opposition members in the JPC are perturbed over the report submitted to Parliament.
(The writer is a student at National Law School of India University (NLSIU), Bengaluru. The views expressed are personal.)
