India’s Data Protection Bill: the hits and misses

Radhika Jhalani is a Counsel at the Software Freedom Law Centre.

India’s Digital Personal Data Protection Bill is here, at long last. The Bill, which germinates from the landmark judgment Puttaswamy v Union of India, 2017, recognising the right to privacy in the Indian Constitution, has seen four iterations over the past five years. Although each version suffered criticism from civil society, forgiveness would still have been possible had the final version been a rights-respecting law.

At the outset, there is a disconnect between the text of the Bill, and the Explanatory Note released with it. The Note echoes the “natural principles” of all data protection regimes across jurisdictions, including values of lawfulness, transparency, fair use of data, purpose limitation, data minimisation, accurate data collection, storage limitation, security and accountability measures. While these principles are very important and respectable, their mention in an Explanatory Note to a Bill is not helpful in protecting data rights since the Note holds no legal binding value.

The Bill itself has more misses than hits. The language, length, and examples used in the Bill, for instance, align with civil societies’ call for legal texts to be more accessible and understandable for even the lay person. The Bill is articulate, and has avoided unnecessarily complicated language. But drafters may have taken the recommendation of brevity in legal text too far, by omitting definitions which are necessary and obvious.

Drafters have omitted the definition of “sensitive personal data”, which is an important category of personal data requiring more protection than other forms of data. The desire for efficient legal drafting cannot be met by omitting rights from the law.

The law on exemptions – ie grounds on which the government may legitimately violate our rights was made unambiguously clear in the Puttaswamy judgment, and through several other judgements of the Supreme Court. Broadly, principles of fairness, reasonableness and proportionality are non-negotiable. The government must meet these requirements in a law which affects our fundamental rights. This Bill does not meet that requirement.

The exemptions are overbroad and ambiguous, and strike at the heart of the principles of data minimisation and purpose limitation. Shockingly, the government is exempted from deleting the personal data that it collects on us, even after the use of that data has been exhausted.

The Data Protection Board of India is the entity that will protect our rights and yet, the Bill says nothing about who will form the Board, and how their independence from the influence of the government will be ensured. Unlike previous iterations, which spoke in detail about the requirement of experts and mandatory independent members as part of the Authority, the Bill draws the most opaque curtain, and surrenders all control to the federal government.

Surveillance is one of the largest concerns in India today. There are no laws which effectively restrict the state or private entities from illegally snooping into our lives, and using that data to their advantage. This Bill could have been the answer, shielding us from the prying eyes of the state and corporations. However, it does not even recognise surveillance as a grave concern in the text, let alone legislate it.

The ‘As may be prescribed’ Bill leaves a lot of power in the hands of the government to notify rules that may change the legislation even more. Any legislation impacts different sections of the society differently. A piece of legislation as central as the Data Protection Bill in a data-run society impacts citizens, businesses and government in a significant manner. This Bill does not include a definitive or detailed timeline for the implementation of its provisions and the compliance mechanisms. This can negatively impact smaller firms who do not possess the resources to quickly upgrade their infrastructure to comply with the Bill. A reliable and fair timeline ought to be laid out clearly in the Bill to equip all players with a fair chance to comply with the Bill.

On the plus side, on the contentious matter of data localisation, the government has removed criminal penalties, and civil penalties have been increased significantly, which is an improvement.

For drafters of the Bill, in keeping with the spirit of the Constitution of India, the aim must be to limit state power, and protect individual rights. Ambiguity, the antithesis of the rule of law, will have to be done away with in the revised and amended Bill.