The Union government on Friday released the draft Personal Data Protection Bill, 2018, submitted as part of the recommendations of the Justice Srikrishna Committee on data security.
The main purpose of the Bill seems to be to protect Aadhaar, the 12-digit biometrics-linked unique identification number currently under challenge before a Constitution bench of the Supreme Court. Significantly, the draft law facilitates sweeping state surveillance by providing broad exceptions to consent clauses when the data is processed by the government.
The Srikrishna committee was tasked with coming up with a report and recommendations on what India’s data protection regime should look like, especially in light of the Supreme Court’s 2017 judgment that asserted a fundamental right to privacy for all Indians. The panel has delivered a report that covers its views on the data protection landscape in India, as well as a draft bill, which is likely to form the core of the government’s own draft, which, it told the Supreme Court, would be in place by September. The recommendations are, however, not binding, so the final law that the government proposes need not have the same provisions as those suggested by the Srikrishna panel.
Some provisions of the draft Bill are alarming. Take for instance, the matter of consent. Chapter III of the Bill provides the clauses dealing with data processing. Section 13 of the Bill under this chapter exempts consent for certain types of data processing by the state. The provision says:
“Processing of personal data for functions of the State –
(1) Personal data may be processed if such processing is necessary for any function of Parliament or any State Legislature.
(2) Personal data may be processed if such processing is necessary for the exercise of any function of the State authorised by law for:
(a) the provision of any service or benefit to the data principal from the State; or
(b) the issuance of any certification, license or permit for any action or activity of the data principal by the State.”
This section is extremely vague and open to interpretation. The term “necessary for the exercise of any function of the State” is as broad an exception as could be given. Section 13 (2) (a) removes the necessity for consent for any “service or benefit” to the data principal – the individual whose data is being processed. This is essentially the very basis of Aadhaar, which the government has been trying to make compulsory for accessing services and benefits, including subsidiaries.
The same exceptions are given to “sensitive personal data” as well. The draft defines “sensitive personal data” as follows:
“Sensitive Personal Data” means personal data revealing, related to, or constituting, as may be applicable – (i) passwords; (ii) financial data; (iii) health data; (iv) official identifier; (v) sex life; (vi) sexual orientation; (vii) biometric data; (viii) genetic data; (ix) transgender status; (x) intersex status; (xi) caste or tribe; 6 (xii) religious or political belief or affiliation; or (xiii) any other category of data specified by the Authority under section 22.
These exemptions continue throughout, even for the right to be forgotten under Section 27 of the draft Bill.
In addition, Section 42 of the draft Bill expressly provides certain exemptions for the security of the nation, though here the Bill makes it clear that collection for such intelligence purposes should be authorised by a separate law enacted through Parliament.
This apart, Section 17 (1) (c) allows non-consensual data processing for what it defines as “any public interest”. Section 40, on the other hand, allows for the storage of such data “on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.”
Such exemptions are further reiterated in Section 19, which says:
Processing of sensitive personal data for certain functions of the State.
— Sensitive personal data may be processed if such processing is strictly necessary for:
(a) any function of Parliament or any State Legislature.
(b) the exercise of any function of the State authorised by law for the provision of any service or benefit to the data principal.
The draft Bill also provides for data processing for purposes of “prevention, detection, investigation and prosecution of any offence” and exempts consent if authorised by a law. Section 43 reads thus:
“Prevention, detection, investigation and prosecution of contraventions of law —
(1) Processing of personal data in the interests of prevention, detection,investigation and prosecution of any offence or any other contravention of law shall not be permitted unless 26 it is authorised by a law made by Parliament and State Legislatureand is necessary for, and proportionate to, such interests being achieved.
(2) Any processing authorised by law referred to in sub-section (1) shall be exempted from the following provisions of the Act – (a) Chapter II, except section 4; (b) Chapter III; (c) Chapter IV; (d) Chapter V; (e) Chapter VI; (f) Chapter VII except section 31; and (g) Chapter VIII.
Tuhina Joshi, associate at TRA Law firm, said the grounds for data processing, as they appear in the draft law, seem to be at odds with the corresponding recommendations of the committee in its report.
“For example, the Committee report calls for ‘welfare functions of the state’ to be recognised as a separate ‘non-consensual’ ground for processing,” she said. “It clearly states that processing on this ground is only available for ‘certain entities and certain functions’. However, the corresponding provision, Section 13 in the draft law, does not articulate this specific intent to allow processing for only welfare activities and creates a much wider ground for processing.”
These contradictions present a peculiar legal problem.
“The report has some value as it is part of the law-making process,” said Joshi. “But before a court of law, the text of the Act is crucial and so it must reflect the report’s recommendations accurately.”
Lawyer Chinmayi Arun took to Twitter to point to the problems in the consent clauses.