P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.
If we look back at the history of Privacy and Data Protection law in India, one of the stumbling blocks is that there are unreconciled controversies about the exemptions that the Government agencies are provided either for Governance or for Law Enforcement.
Even in PDPB 2019, the most contentious section was Section 35 which was an enabling provision which empowered the Central Government to exempt any agency of the Government from the application of the Act. Though the power was within the “Reasonable Exceptions” under Article 19(2) of the constitution, the section was interpreted as providing disproportionate powers to the Government.
Additionally, another empowering section viz Section 92 was seriously opposed as if it provided extraordinary powers of oppression on the private sector by the Government.
In comparison, Section 36 (a) which addressed exemptions for law enforcement nor Section 36(e) which addressed exemption for journalistic purpose did not evoke opposition.
Though these discussions are now redundant, it is likely that similar objections would surface once again when the new draft is issued by the Government and they will also be subject to individual judicial scrutiny if it becomes a law.
In the new Data Protection law which is being proposed for discussion by us, we therefore suggest a simplification of the provisions related to the coverage of the law on Government bodies.
Since Right to Privacy is a fundamental Right under the constitution, there is a duty to the Government to protect the right subject to reasonable exceptions. This follows the judgement of the Puttaswamy case and is yet to be incorporated in any statutory law. This new law is an opportunity to convert the Supreme Court observations to a statutory provision.
However the more micro level specification of the obligation of the Government the law attempts to cover, the more controversies may emerge. Hence it is suggested that instead of a section like Section 35 or 36(a) or 92, the provisions related to the coverage of or exemption from the provisions of the Data Protection law for Government agencies may be summarized as a part of defining the scope and applicability of the Act.
A suggestion in this regard which can be improved by others is to introduce the following set of sections to cover the obligations of the Government in steps.
Step 1: In the first section which specifies the Title of the Act and its date of applicability, the following can also be added
This Act shall be applicable to whole of India and shall also apply outside India to the extent necessary to protect the Rights of the Citizens of India and the interest of the Country as envisaged in the constitution of India.
With this, we are providing for the extra territorial application and deriving powers of legislation from the “Right to Privacy” as a fundamental right in the constitution and recording at the same time that there could be other Rights of Citizens and Duties of the Government as per the Constitution. It will also keep the statutory obligations to the citizens of India and in national interests and any other extension of the provisions to non-citizens will be subject to the specific rights granted under this statute. The details will be covered under the provisions on “Rights”
Step 2: The fundamental objective of the Act is recorded by defining the purpose of the Act with the following section.
The right to privacy of an Indian Citizen shall pe protected through due process set by this Act as an intrinsic part of the right to life and personal liberty as envisaged under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution of India subject to reasonable exceptions under article 19(2) of the Constitution of India.
With this section we are bringing the protection of Right to privacy into the statute in the words of the Puttaswamy judgement and providing the cover of “Due Process” for any exemptions claimed for right to privacy under the reasonable exception clause.
Step 3: We specify the obligations of the Government through the following words
Obligations of the Government
(a) All the Government bodies including the Government of India the Governments in States and Union Territories and every organization which is part of such Government or Union Territory shall have the duty to protect the Right to privacy of Indian Citizens in harmony with the Right to protect the life and liberty as envisaged in the Constitution of India
(b) All such Government bodies shall institute reasonable and proportionate measures to meet the obligations of protecting such Rights.
(c) All such Government bodies shall designate a senior official to be responsible for compliance of the protection of the Right to Privacy and Right to life, property and liberty
(d) In the event of non compliance of the above, the designated person or in his absence the person responsible for the activities in the subject Government body shall be liable for disciplinary action
(e) If the non compliance is associated with malicious intention, the person responsible may be liable for punishment under appropriate criminal law.
The sub section (a) defines the obligation of the Government as a “Duty” under the constitution and hence does not need any further elaboration in the law as to whether Consent is required in certain circumstances and not in others etc. This should cover even the law enforcement requirements of the Police, ED, CBI etc.
Any action of the Government which is in dispute will be a subject matter of a writ petition and hence in any case of dispute the Court can also decide about whether the action of the Government was within the powers of the constitution.
Even if a section like Section 35 of PDPB 2019 is written down, it will be challenged even before the adoption of the law itself. The suggested section protects the law being questioned in the Court until there is some specific action initiated by the Government.
Perhaps it can still be questioned for “Vagueness” but this vagueness is directly linked to the Constitution and nothing different from the vagueness prevailing now where there is no statutory provision on Right to Privacy and we need to depend only on the interpretation of the Supreme Court judgement.
Under sub section (b) all compliance measures are suggested without going into details such as whether DPIA is required, whether Privacy by Policy document is required etc. The Ministries will have flexibility to define their own “Reasonable Measures”. In PDPB 2019 this discretion was available under section 50 (Code of Practice) and the same is provided here in another manner.
Under sub section (c) a provision to bring accountability to an officer is indicated so that the head of the department may be freed from the liabilities unless no such designated person is appointed as Compliance officer.
Sub sections (d) and (e) prescribe the sanctions that can be imposed on the officials for negligence and where there could be malicious intentions.
This provision means that the Data Protection Authority need not impose any penalty upto Rs 5 crores etc. If there is a compensation payable to a data principal it can be provided by the adjudicator and the Government may be asked to pay. But one Government officer (Data Protection Authority) imposing an administrative penalty on another Government officer (Secretary of a Government department) need not arise. Under the provisions of PDPB 2019, such penalties are collected from the Government and again credited back to the Government which has no meaning and therefore can be avoided.
Having thus defined the obligations of the Government, the rest of the Act may focus on “Obligations of Non Government Organizations” where the compliance measures such as Privacy by Design Policy, Notice and Consent, DPIA, DPO, and Data Breach Notification etc can be specified.
The Grievance redressal for the data principal through Adjudication and Appellate Tribunal may still consider the Government body as a party and claims of compensation under Section 65 of the present PDPB 2019 may continue to be protected even against the Government body as the Data Guardian/Fiduciary.
The above is a suggestion for consideration by other experts. It has been made to simplify the applicability of the law to Government organizations and ensure that the problems that may arise from them donot become a stumbling block to the passage of the law.
P.S: These discussions are presently for a debate and is a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi. Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.