With the recent surge in digitization and technological growth, India’s approach to privacy and data protection is undergoing a metamorphosis, from a fragmented data protection framework to a more dedicated regulation consistent with global trends, which proposes to protect individual data and the right to privacy, from both State and non-State actors.
The current framework for data protection is contained in multiple laws, including some sector specific regulations, such as in the banking and healthcare sectors. Having said that, the primary legislation governing privacy in India is the Information Technology Act, 2000 (“IT Act“) read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules“).
While the IT Act and SPDI Rules, have prescribed certain safeguards and practices to be adopted by body corporates that are possessing, dealing or handling ‘sensitive personal data or information’ (“SPDI“) in a computer resource, the legislation is not comprehensive enough to have kept pace with today’s digital economy and rapid technological advancements in each sector, which has become apparent today.
This has given rise to several concerns from various stakeholders on the need to further strengthen the existing safeguards available to individuals vis-à-vis their right to privacy, and adequately address the complex issues of data privacy, including loss of data, processing of data by the State, etc., which are absent in the present legislation.
Taking a cue from the European Union with its enactment of the EU GDPR in 2018, India seems to have arrived at the party, with the need to address the limitations of the present data protection regime and formulation of a separate and comprehensive data protection law.
With the Supreme Court of India upholding the ‘right to privacy’ as a fundamental right under the Constitution of India in the Puttaswamy judgment (Justice K.S Puttaswamy & another Vs. Union of India & others), India is at the cusp of enacting an all-encompassing data protection legislation, and is taking more concrete steps towards achievement of this objective. Sometime in July 2017, the Government of India appointed a committee of experts with Justice B. N. Srikrishna as the chairman (“Committee“), and entrusted the Committee with the task of identifying the gaps in the existing framework, to replace it with a more robust legislation to address the shortcomings at a more granular level.
On July 27, 2018, the Committee submitted a draft bill titled ‘Personal Data Protection Bill, 2018’ (“Bill“), to the Government of India. The Bill has, for the first time, sought to provide an overarching data protection legislation, which once enacted, is intended to replace the existing data protection framework as contained under Section 43A of the IT Act and the SPDI Rules.
Grounds on which the State can process Data today
Now that we have understood the present regulatory environment surrounding data protection in India, it is important to understand the nature of rights that the State possesses vis-à-vis personal data and SPDI.
Presently, the IT Act and the SPDI Rules do not contemplate processing of SPDI or information by the State. However, any person or officer authorised by the Government (Central or State), can inter-alia, direct any of their agencies to intercept, monitor or decrypt, or cause to be intercepted or monitored or decrypted, any information generated, transmitted, received or stored in a computer resource. The pre-requisite to these rights being that, the Government has to be satisfied that it is necessary or expedient to do so in the interest of sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States, public order, for preventing incitement to the commission of any cognizable offence relating to above, or for investigation of any offence.
These rights of the State are expansive and unrestricted, as they cover personal information and SPDI within its ambit, leaving the State with the power to effectively access all information of an individual that is available in electronic form, subject of course to due process being followed.
Does the proposed legislation intend to curtail or widen the powers of the Government?
One of the significant departures from the present legal framework is that the Bill proposes to extend the scope, to cover processing of personal data by the State as well.
As on date, the protections offered under Section 43A of the IT Act to SPDI are available to an individual only when a “body corporate” is negligent in implementing and maintaining reasonable security practices and procedures, thus, leaving negligent actions of individuals and the State, in relation to SPDI, outside the purview of the existing regime.
The Bill has attempted to deal with this issue by proposing to hold both individuals as well as the State accountable for processing of personal data and SPDI. Having said that, the Bill provides for various exemptions to the State, that could enable the State to circumvent the need to follow the requirements for data processing under certain circumstances.
The Bill mandates that an individual’s consent be obtained for processing personal data, and explicit consent be obtained for processing of SPDI, such as passwords, financial data, health data, official identifiers, biometric data, etc. However, it seems that such consent requirements may be bypassed by the State under several circumstances. For instance, consent is not required for processing personal data or SPDI, when inter-alia, it is “necessary” or “strictly necessary” for any function of the Parliament and State Legislature, respectively, or if such processing is for provision of any service or benefit to the individual whose data is being processed. SPDI may also be processed if it is “strictly necessary” to access such sensitive personal data, or to undertake any measure to ensure safety of any individual during any disaster or breakdown of public order.
In addition, the Bill also permits processing of personal data for prevention, detection, investigation and prosecution of any offence or any other contravention of law.
The broad language of the provisions in the Bill, and the set of exclusions envisaged for the State, clearly dilute the focus and purpose of obtaining consent of the individual, and seem to give the State, in certain circumstances, unfettered access to personal data and SPDI.
While on one hand, the Bill appears to give individuals greater control and protection over their data, on the other hand it seems to be taking that control and protection away, by giving the State sufficient opportunity to access and process personal data, or even SPDI.
The potential for the State to have unconstrained access to personal data and SPDI poses risk to right to privacy. Ideally, exemptions available to the State for processing of personal data and SPDI should be for a stated purpose, which is specific and bona-fide in nature. The objective should be for the State to process the data in a fair, reasonable and transparent manner, only for limited purposes, and in exceptional circumstances.
There will be exceptions under which the State will be required to process SPDI without the consent of the individual, in exercise of its public functions. It should, in line with the EU GDPR and the UK Data Protection Act, 2008 restrict the ground of processing to when a public authority carries out its tasks, duties, functions and powers (including its discretionary powers), which are required to be those that have been set out under law for compliance of a legal obligation. Any processing that is undertaken by the official authority beyond what is envisaged under law should not be permitted under this ground of processing.
Arbitrary or nebulous exceptions given to the State for processing of such data would have higher possibility of potential misuse by the State. The Bill needs to plug gaps to ensure that the right to privacy can be actually enforced.
Nevertheless, the Bill seeks to make improvements on existing legislation and is better than the stop-gap data protection regime prevailing today, under the IT Act and the SPDI Rules. While this legislation is the need of the hour, the Government should not rush into bringing about a law which will, due to far reaching implications on individuals, raise more issues rather than solving them.
Shagun Badhwar, Senior Associate
 Article 6(3), EU GDPR; Recital 41, EU GDPR; Information Commissioner’s Office, Legal Obligation available at <https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawfulbasis-for-processing/legal-obligation/> (last accessed on September 04, 2019).