The Justice BN Srikrishna-led Committee of Experts on Data Protection on Friday submitted its report and a draft bill to the Ministry of Electronics and Information Technology. The Committee’s exercise, although criticised for its opacity, is the most comprehensive undertaking on data protection yet, by any government agency in the country.

The committee was set up last year to “study various issues regarding data protection in India”, in the wake of the Supreme Court’s August 2017 ruling upholding the right to privacy as a fundamental right.

For months, there has been constant speculation on what these recommendations would mean for consumer data, the government’s Aadhaar programme, and the way law enforcement agencies undertake surveillance in India. With the final report and the draft bill in hand, we take a look at how the citizen-state relationship could be affected, should this Bill pass.

Notable exceptions

The draft Bill says that anyone – be it the government, a private company, citizen, a person or a body of persons – who seeks to process personal data needs to do so in a “fair and reasonable” manner that safeguards the individual’s privacy. Among other things, the Bill states that only limited personal data should be collected, for a clear, specific and lawful purpose, and individuals should be notified of the kind of data that has been collected. Barring certain situations, personal data should be collected and processed only with the explicit consent of the individual.

The Bill exempts the State from some of these obligations in two broad contexts. First are the situations where personal data needs to be processed (collected, stored, used, disclosed or shared) by the government for one of the following reasons:

  1. For the functioning of Parliament or State Legislatures
  2. For providing individuals with any service or benefit
  3. For issuing any certification, license or permit.

In the aforementioned situations, the other safeguards listed in the data protection law are largely applicable, but the government does not need to take the consent of individuals before collecting or processing their personal data.

The second involves situations where personal data needs to be processed in the interests of the security of the country, or for prevention, detection, investigation and prosecution of any violation of law. Here, the government is given a wide exemption from the data protection law. However, the data processing in these situations must be authorised by a separate law passed either by the Parliament or the State Legislature, and the processing itself should be necessary for, and proportionate to the purpose for which the data is processed.

While this may sound reasonable, the problem is that most surveillance activities currently undertaken in India, whether for national security or law enforcement, are not authorised by way of a law.

State of surveillance

The Telegraph Act, 1885 and the Information Technology Act, 2000 are the two laws that deal with surveillance. Both contain some provisions that allow for the monitoring and interception of phone calls or communications subject to certain rules. These rules only allow for targeted interception of communication in specific situations. The Information Technology Act also allows for monitoring and collection of network traffic or information in the interest of cyber security – however, this does not include surveillance of actual communication.

The Indian government, and its intelligence agencies however, run several surveillance programs that are not undertaken under these laws, and in many cases permit mass surveillance. There is very little information about these programmes, and it is not clear when, how or why any personal data is collected for these purposes. In addition to the traditional surveillance programs, we have seen several reports about the government’s controversial plans to monitor social media communications.

These activities have naturally led to several concerns regarding the privacy of individuals. Given that these surveillance and monitoring activities rely on personal information, it was hoped by many that a law that deals with protection of personal data would address some of these concerns.

The Committee’s report recognises these concerns and acknowledges that the current framework in India lacks sufficient legal and procedural safeguards for individual civil liberties. It admits that the majority of intelligence-gathering takes place outside the remit of the law and there is a lack of meaningful oversight. It discusses the need for narrow, watertight exemptions that are subject to adequate safeguards. The report also notes the need for transparency and accountability in the context of surveillance, and discusses different oversight mechanisms adopted in other countries – judicial, parliamentary, or even a combination of both.

It then goes on to recommend that the State enact a suitable law that will be applicable to intelligence or surveillance activities, provided that once such a law is enforced, all data processing for the purpose of the security of the state and law enforcement be exempt from the data protection law. This is where concerns arise.

The only provisions under the data protection law that are applicable to such actions are those requiring that the data is processed in a “fair and reasonable” manner, and that minimum security safeguards are adopted.

Much to be done

It has been argued that the role of this Committee and a data protection law is limited and cannot be used to govern intelligence and law enforcement activities. Even if this is accepted, there are certain provisions within the Bill itself that could have been extended to processing of personal data for state security and law enforcement.

For instance, the draft Bill says that data fiduciaries (the entity controlling the collection and processing of personal data) can collect and process personal data for limited purposes only and have to ensure accuracy of the data and store such data only as long as necessary. These obligations could have been made applicable even in the case of security and law enforcement activities.

The Committee’s report recognises that accountability is an important factor in ensuring that surveillance is lawful. However, this position is not reflected in the bill. For instance, the Bill requires those who are collecting data to ensure transparency and accountability through various methods including maintenance of records and regular audits. These measures could have been made applicable for security and law enforcement situations too, with modifications where necessary.

The rights of individuals to be notified when the government processes their personal data and to access that data could also be available on a conditional basis, once the surveillance activities are completed.

Some of these concerns also extend to the first category of exemptions. To begin with, the government is not required to obtain the consent of those whose data it is processing. In addition, the Bill also states that some of the transparency and accountability measures laid out in the draft need only be implemented by recognised “significant data fiduciaries”. The data protection authority may or may not categorise government agencies as “significant data fiduciaries”.

The Committee’s report recognises that the relationship between and data principals and the State involves a power imbalance. But this imbalance is furthered if the State is not required to be accountable to its citizens, especially with regard to their personal data.

Given the low bar set by existing standards, it can be argued that this is a step forward with respect to protecting rights from the surveillance apparatus in the country. However, it is not close to the kind of surveillance reform that is needed to ensure that the right to privacy is protected adequately.

Smitha Krishna Prasad is Programme Manager, Centre for Communication Governance, National Law University, Delhi.