You are using an older browser version. Please use a supported version for the best MSN experience.

The state's data overreach

India Today logo India Today 02-12-2021 Vidushi Marda

On November 22, the Joint Parliamentary Committee (JPC) constituted to review the Personal Data Protection Bill, 2019, finalised its report after two years of deliberation. The Bill is expected to be tabled in Parliament in the ongoing 2021 winter session.

A prominent aspect emerging from media reports is the JPC's decision to retain controversial provisions of the 2019 Act that give the State wide powers in the context of collecting and processing personal data. More specifically, reports suggest that the JPC recommends only minor tweaks to Section 35 of the Bill, which allows the central government to exempt its agencies from complying with the Act if it is convinced that such exemption is "necessary or expedient" in the interest of national security, or more specifically "sovereignty and integrity of India, security of the State, friendly relations with other States or public order".

These provisions give rise to a host of issues. First, the threshold for exemptions to be assessed as 'expedient', a term with no precise legal definition, provides potential carte blanche to the central government to unilaterally exempt agencies from complying with the Bill, especially in the absence of any accountability or oversight mechanisms. Terms like 'sovereignty and integrity of India', 'security of the State' and 'public order' are wide enough to be all-encompassing and imprecise, effectively diluting any check on such exemption. Reports indicate that the minor change indicated by the JPC is for the exemption process to be 'just, fair, reasonable and proportionate'. While this is (at best) a step in the right direction, it means little in the absence of accountability mechanisms, on which account the JPC is deafeningly silent. The Committee instead retains the current language of the Bill, which delegates the contours of these procedures, safeguards and oversight mechanisms to rules 'as may be prescribed'.

At the heart of these recommendations is a fundamental misconception: that balancing privacy and security means rejecting one in favour of the other.

Similarly, the JPC keeps Section 12 of the 2019 Bill intact, which provides for non-consensual processing of personal data by the State, if such processing is necessary to provide a service or benefit, or engage in functions of the State. Given the myriad ways in which the State processes the personal data of citizens, and also keeping in mind the large ambit of the term 'State', it is hard to legally justify the JPC's conclusion. As in the case of Sec. 35, here too an overarching exemption is dangerous without a proportionality requirement and given ample evidence of data breach in government agencies.

At the time of writing this piece, at least five dissent notes had been filed against the Report by members of the JPC, airing concerns about the lack of oversight and the sweeping exceptions the Act grants the State, which are unlikely to stand the test of constitutionality in a court of law.

At the heart of these recommendations is a fundamental misconception: that balancing privacy and security means rejecting one in favour of the other. But it's not a zero-sum game: the insistence on balancing privacy and security simply necessitates careful oversight and regulation. Privacy is a fundamental right in India as laid down by the Supreme Court in 2017. However, it is by no means an absolute right. Any infringement of this right must pass the proportionality test laid down by the Supreme Court, under which the infringing action must be shown to be: i) imposed by law, ii) in pursuit of a legitimate aim, iii) necessary and balanced, i.e. must be the least restrictive way to achieve the aim, and iv) have sufficient procedural guarantees.

As time progresses, a systematic dilution of these safeguards is becoming increasingly apparent. The 2018 version of the Data Protection Bill, instance, included these tests within Sec. 35 of the Bill. But the 2019 version seems to have taken several steps back by rejecting carefully laid out legal standards and safeguards. In recent months, the need for stronger protections against State surveillance and exercises of power vis-a-vis individual rights was emphasised in the Pegasus case, and indications of the JPC's recommendations seem to continue to paint a grim picture. Even though the Pegasus case was celebrated for rejecting blanket claims of national security to violate individual rights, it still revealed an overarching issue we see replicated through the JPC's report—the mechanisms and oversight needed to hold the Executive to account require an urgent and sharp rehaul.

Vidushi Marda is a Bengaluru-based lawyer and researcher. She currently leads global research and engagement at ARTICLE 19, an international human rights organisation

Watch Live TV in English

Watch Live TV in Hindi

More from India Today

image beaconimage beaconimage beacon