In the first part of the blog, we traced the historical development surrounding the data protection regime in India and how the Supreme Court of India in KS Puttaswamy (Privacy) vs. Union of India and Ors (2017)10 SCC 1, felt the need for a strong data protection framework and robust enforcement. The Supreme Court in the privacy judgment elevated the status of privacy to a fundamental right. We also dealt with the conundrum around some of the half-baked definitions in the Bill and the wide and broad ramifications of the provisions such as deemed consent. In this second part, we will deal with issues of some of the missing rights from the Bill such as the right to erasure and the right to be forgotten. We will also discuss the exemption clause and its consequences on the privacy of personal data. The blog will explore the other important aspects of the Bill such as the Data Protection Board, and dilution of the Right to Information Act amongst others.
Data can still be processed-no right to erasure
The right to be forgotten and data portability are essential rights to privacy and the Bill should recognise these rights and include them in a similar fashion as they were there in the previous iterations.
The Bill of 2019 and Bill of 2021 separately recognised the right to be forgotten. (Cl. 20 of 2019 and 2021). This was done to ensure that the continuing disclosure of the data principal’s information is restricted. The JPC observed that if the right to be forgotten meant the prevention or the disclosure of personal data, the data could still be processed without the consent of the data principal. Therefore, the JPC recommended “processing” to be added in the clause. The DPDP Bill, 2022 has omitted this right from the Bill.
The Supreme Court in KS Puttaswamy Judgement has ruled that the Right to be forgotten does not mean that all aspects of earlier existence are to be obliterated, as some may have a social ramification. If we were to recognise a similar right, it would only mean that an individual who is no longer desirous of his personal data to be processed or stored, should be able to remove it from the system where the personal data/information is no longer necessary, relevant, or is incorrect and serves no legitimate interest.
Recently the Kerala High Court in Vysakh K. G. vs. Union of India & Anr 2022 LIveLaw (Ker) 665 recognised right to be forgotten in a matrimonial dispute and permitted the masking of the personal information of litigant. However, the Court cautioned that in an open court system the right to privacy cannot coexist and it is for the legislature to take ground for invocation of such right. However, the Court in appropriate cases, is also entitled to invoke principles relating to the right to erase personal data available online.
Clause 19 of the Bill of 2019 and 2021 had provisions for the right to portability. The Justice B N Srikrishna Committee report had noted that the right to data portability is critical in making the digital economy seamless. It observed that right to data portability allows the data principal to obtain their personal data stored with data fiduciary in a structured and readable format. Thereby, it empowers data principals by giving them greater control over their personal data.
Duties of Data Principals - a strange requirement
Clause 16 of the present Bill has not been featured in the earlier versions of the draft. This new clause imposes obligations on the data principals to comply with the provisions of the law while exercising their rights within the Bill. A thorough analysis of the Bill reveals that the government has made the enjoyment of rights contingent on the fulfilment of the duties. As long as the data principal abides by the duties, he will be entitled to enjoy the rights and in cases of failure, the Bill has a provision to punish him with the fine. The fear of being penalised will deter the data principals to even file genuine complaints in cases of breach of personal data, processing of the personal data by third party without the notice being given to the data principal; they shall not be able to enjoy the rights without fear. Therefore, the duties clause should be deleted and if not, then the penalisation of data principal should be done away with.
Exemptions for the state and significant data fiduciaries - defeat the purpose of the Bill
The exemption clause provides that the provisions of the 2022 Bill will not be applicable on State instrumentalities wherever it is necessary and expedient in the interest of sovereignty and integrity of India, friendly relations with foreign states, maintenance of public order etc. The Bill makes a departure from the previous versions by empowering the Government to exempt certain data fiduciaries or class of data fiduciaries from the rigours of the Bill. (Cl. 18)
Clause 18 empowers the government with blanket and untrammelled powers to exempt any state instrumentality or data fiduciary from the reaches of the legislation on the broad grounds of national security, sovereignty and public order, if it satisfies the ‘necessary and/or expedient’ requirements which shall be prescribed by the government in due course. An executive order will suffice to authorise any state instrumentality to conduct surveillance without safeguards and process the personal data of the data principal.
The Apex Court in Puttaswamy developed the triple requirement test, ruling that an invasion of life or personal liberty must meet the threefold requirement of (i) legality, which postulates the existence of law; (ii) need, defined in terms of a legitimate State aim; and (iii) proportionality which ensures a rational nexus between the objects and the means adopted to achieve them.
In absence of safeguards, necessity and proportionality, the clause fails to pass the triple requirements test. The Bill also doesn’t qualify the requirement of having procedural safeguards against the abuse.
The Government can not be permitted to process the personal data of the data principals on wide and vague terms such as national interest, and sovereignty, as the threshold, as Justice Srikrishna Committee noted, should be high. The committee noted that it is critical to ensure that the pillars of the data protection framework are not shaken by a vague and nebulous national security exception.
The state should bring procedural safeguards and ensure that the state instrumentalities or the data fiduciaries shall follow the triple requirements of the Puttaswamy test.
Data Protection Board - an authority without powers
The Data Protection Board of India has been entrusted with the crucial responsibility of protecting and regulating the use of personal data of the data principal and compliance with the provisions of the present Bill. This necessitates the independence of the Board so that it can function smoothly without being controlled.
The 2019 Bill and 2021 Bill were detailed and provided the mechanism of the DPA within the Bill itself, such as the selection of the chairperson and the members of the DPA, the essential qualifications of the members of the DPA, the number of the members of the selection committee etc. However, the present Bill has removed all such necessary details leaving it for the executives to decide in future.
As we can see from the table that the Justice Srikrishna Committee recommended that the Chief Justice of India or her nominee be the part of the selection committee of the members of the DPA to ensure transparency. The 2019 Bill, however, proposed that the selection committee would be composed only of the members of the executives. The JPC, in 2021, recommended the inclusion of the Attorney General and an independent expert in the selection committee. This amendment was proposed to ensure the independence of the authority.
The 2019 and 2021 Bill contained the basic details of how the chairperson and members of the Board would be appointed and what would be the essential qualifications. They provided the parliamentary requirement like other independent agencies such as SEBI, TRAI etc.
The DPBI under the present Bill has been stultified by the wide powers of the Government. It is the Government that has the sole discretion of appointing the Chief executives, members of the Board. The Bill empowers the Government to prescribe the process of selection, conditions and removal of the chairperson and members of the Board. (Cl. 19)
In Union of India v. R. Gandhi, the Supreme Court (2010) 11 SCC 1 held that tribunals must be constituted in a manner that inspires the confidence of the public in their ability and independence. The Apex Court in Rojer Mathew v. South Indian Bank Ltd., (2020) 6 SCC 1 held that there was compulsory need for exclusion of control of the executive over quasi-judicial bodies of tribunals discharging responsibilities akin to courts. Given the fact that the DPBI that every order made by the Board shall be enforced by it as if it were a decree made by a Civil Court and Board shall have all the powers of civil court as provided under Civil Procedure Code, 1908, it become imperative that the Selection Committee for the appointment of the Chairperson and members of the Board must have the representatives of the judiciary.
Therefore, in order to restore the independence of the DPBI, it is imperative that the provisions related to the Board are reconsidered and amended. The unrestricted powers could prove dangerous and detrimental to the independent functioning of the Board.
Right to privacy and transparency go hand in hand
The Right to Information Act, 2005(RTI) was enacted with an aim to secure the Indian citizens, the information under the control of public authorities. The Act ensured that in a democratic Republic of India, there has to be transparency and accountability in the working of every public authority. The Act that secured an inalienable right to the citizens of the country is now under threat with the recent proposed amendment under the present DPDP Bill, 2022. The RTI is not just a statutory arrangement rather it is a constitutionally recognised right of the citizens. The right to information is a fundamental right flowing from Art. 19(1)(a) of the Constitution is now a well-settled proposition.
In the landmark case of Bennett Coleman and Co. v. Union of India, the right to information was held to be included within the right to freedom of speech and expression guaranteed by Art. 19 (1) (a). The proposed amendment is unwarranted and will restrict the scope of the RTI Act and will render it redundant as the state will be able to deny any information to the citizen. citing privacy, thereby making the RTI Act ineffective.
Therefore, it is strongly recommended that clause 30 of the Bill should be deleted.
The Bill needs to ensure that the citizen’s right to privacy is not trampled upon by provisions such as deemed consent and exemptions. There is a greater need to strengthen consent mechanisms and data protection rights. Processing without consent under deemed clause must have an adequate safeguard. The missing rights should be brought back. Broad exemptions under the proposed law need safeguards such as necessity and proportionality. The independence and discretion of the DPBI must be ensured in light of the Supreme Court pronouncements. As India moves towards enacting data protection legislation, there is a need to ensure a strong data protection framework and robust enforcement.