In a landmark 2017 judgment, India’s Supreme Court, while recognising the right to privacy as a fundamental right, noted that a robust data protection regime must be enacted by the government after “carefully balancing” individual privacy interests and legitimate state concerns. Only as the sixth anniversary of this landmark judgement approaches does India finally have a data protection law.
The Digital Personal Data Protection Act, 2023 has seen several drafts over the years. However, common to all the drafts, and the newly passed Act, is the concern that the Act does not strengthen individual privacy. Nor does it affix adequate accountability upon non-state entities that misuse individuals’ data.
Upon state entities, the Act affixes nearly no accountability – a consequence of wide exemptions that have been provided to the government and its instrumentalities when handling – ie gathering, storing, analysing, transferring and even selling - user data.
Much has been written about the Act’s provisions relating to non-consensual processing of data, the extensive government exemptions and a seriously weakened data protection authority. However, equally glaring are the provisions that are omitted from an Act that purports to serve data protection, particularly those addressing surveillance.
The Supreme Court in 2017 recorded its dissatisfaction over the prevalent surveillance regime, which was also echoed by the Justice BN Srikrishna Committee in 2018. Unfortunately, all iterations of draft data protection legislation, including this one, have been marked by their conspicuous absence of provisions relating to surveillance reform.
In its current form, the surveillance regime is concentrated with the executive, lacks a specific articulation of the circumstances and procedures governing surveillance, and is devoid of any meaningful safeguard such as an independent review of surveillance directions.
Just like its draft predecessors, the Act contains significant exemptions that allow the government and other government instrumentalities to exempt themselves from the application of the Act, thereby granting unfettered power for data collection and processing without any safeguards when these activities are related to “interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognisable offence relating to any of these”.
The reasons outlined for the exception are vague and broadly framed. Such blanket exemptions are not in compliance with the proportionality standards laid down in the 2017 verdict where the Supreme Court held that privacy-restricting measures must satisfy the threshold of legality, suitability, necessity, and proportionality, and have procedural safeguards.
Clampdown on right to information
Alarmingly, the Act amends the Right to Information Act, 2005, replacing a section that prohibits the sharing of personal information that lacks a connection to public activity or interest, or that could lead to an “unwarranted invasion” of an individual’s privacy. An exception was carved out for the sharing of personal information if its disclosure is justified in the larger public interest, and information that cannot be denied to the parliament or state legislature under the RTI Act cannot be denied under this provision.
Now, the amended section abolishes the exemptions established under the previous version of the Right to Information Act. Grassroots activists argue that the broadly worded exemption can be deployed against requests for seeking granular personal information, thereby undermining efforts to promote transparency, seek accountability from governments, and enforce social security entitlements.
Notably, the text of the Act does not refer to the right to privacy or the principles laid down in the 2017 order. However, the narrative of the right to privacy and the 2017 judgment are being appropriated to dilute the right to information. The Justice AP Shah Commission in 2012 cautioned against using a data protection law to clamp down on the right to information.
In the pursuit of “privacy”, the Digital Personal Data Protection Act, 2023 clamps down on the right to information while granting the executive with unfettered discretion to undertake surveillance to trample on citizens’ right to privacy.
Gayatri Malhotra is associate litigation counsel at the Internet Freedom Foundation.