After a nine-judge bench of the Supreme Court in Justice K.S. Puttaswamy vs Union of India recognised the right to privacy as a fundamental right, several attempts have been made to enact a data protection regime in India. The newest iteration of the Personal Data Protection Bill was released on November 18, 2022, for public consultation.
While the Bill takes several commendable steps to ensure that it complies with international standards of data protection such as the General Data Protection Regulation (GDPR), it nevertheless suffers from several infirmities that render its constitutionality questionable.
This article will seek to test the provisions of the Digital Personal Data Protection Bill on the anvil of Puttaswamy and other similar judicial pronouncements to analyse whether it passes constitutional muster.
The introduction of the Bill drew mixed reactions from legal experts. While some lauded it for enacting a strong consent-based regime of data privacy, others have expressed concern over the broad powers given to the government.
To analyse such infirmities in detail, let us look at Section 8 of the Bill. While generally, the Bill mandates that personal data must only be processed after the express and unambiguous consent of the data principal, Section 8 provides that such consent may be ‘deemed’ in certain circumstances.
This provision draws from Section 15 of the Personal Data Protection Act of Singapore, which recognises that there may be situations where the processing of data is reasonably necessary without express consent. Non-consent-based grounds for processing data are also mentioned in Article 6 of the GDPR. However, the Personal Data Protection Bill goes even further, by providing for deemed consent on a broadly defined ground of ‘public interest’ in Section 8(8).
Public interest has been defined under Section 2(18) as including the sovereignty of India, security of the State, public order, etc. However, Section 8(8) provides for deemed consent in cases of credit scoring, which is wholly incompatible with even the most liberal definition of public interest.
Credit scoring involves the collection of highly sensitive personal information including financial data and history. Collection of such data without the express consent of the principal constitutes a clear threat to their privacy.
Puttaswamy has clearly prescribed a requirement of ‘narrow tailoring’ of a law infringing the right to privacy, i.e., the law must be framed restrictively to achieve its stated objective. Since the object of the Bill is to enact a data protection regime which balances the importance of consent and larger public interest, needlessly broadening the ambit of public interest to include unrelated grounds is uncalled for.
The apex court in Puttaswamy also emphasised the importance of the non-discrimination principle of data protection, which prescribes that the collection and processing of data must not discriminate on the basis of race, ethnicity, religion, and other similar characteristics. The new Bill, unlike its 2018 iteration, has also done away with the distinction between non-sensitive and sensitive personal data.
For instance, under Section 16 of the old Bill, employment was a basis for processing only non-sensitive personal data. The new Bill is couched in broader terms wherein Section 8(7) gives employers the authority to process sensitive information of the data principal without express consent.
In the old Bill, details such as sexual orientation, sex life, transgender status, caste, religious affiliation, etc. were covered under ‘sensitive personal data’. If employers can obtain broad-based consent to process such sensitive information of their employees, it may lead to unfettered workplace discrimination against gender, sexual, caste, and religious minorities.
Section 18(2)(a) empowers the Union government to exempt instrumentalities of the State from the application of the provisions of the Bill. It is pertinent to note that this is a blanket exemption without any procedural safeguards.
Maneka Gandhi propounded that a transgression of Article 21 must meet the threshold of a ‘fair, just, and reasonable’ procedure. Puttaswamy further introduced the requirement of ‘proportionality’. The proportionality test, now concretised by judgments such as Anuradha Bhasin vs Union of India, contains four prongs – (a) the law infringing on privacy must have a legitimate goal, (b) it must bear a rational nexus with the said goal, (c) there must not be a less restrictive but equally effective alternative, (d) it must not have a disproportionate impact on the right-holder.
Under Section 18(2)(a) the government can exempt instrumentalities of the State on grounds akin to those enumerated in Article 19(2), which is evidently a much lower threshold than the proportionality review. Furthermore, this provision violates prongs ‘(b)’, ‘(c)’ and ‘(d)’ of the proportionality test.
It is not denied that there may be a necessary and compelling State interest in granting an exemption to the government in the interests of national security. However, a blanket exemption from all provisions of the Bill is excessive.
The State is already permitted to process personal data without the express consent of the data principal in furtherance of public interest under Section 8. This provision should be sufficient to allow the State to counter illegal activities without having a heavy procedural burden, i.e., it is a less restrictive but equally effective measure.
Exempting the State from general obligations under Section 9, which includes taking reasonable safeguards to prevent data breaches, or Section 10, which provides for the protection of children in relation to data processing, bears no rational nexus to the object of preventing public disorder or maintaining national security. It is a disproportionate measure which expands State power at the expense of individual privacy.
As per Section 18(4), instrumentalities of the State are also exempt from the requirement of purpose limitation, i.e., erasing personal data after its need has been fulfilled. This, too, is devoid of any procedural safeguards and allows the government to arbitrarily retain data for an indefinite period of time. This is a plain violation of the data principal’s right to be forgotten.
While the jurisprudential acceptance of the right to be forgotten as a standalone right is murky, judgments such as Vasunathan vs Registrar General (delivered well before Puttaswamy) have recognised the importance of the same. This right is based on the importance of the autonomy of the data principal.
As Justice Kaul in Puttaswamy explained:
“People change and an individual should be able to determine the path of his life and not be stuck only on a path of which he/she treaded initially. An individual should have the capacity to change his/her beliefs and evolve as a person. Individuals should not live in fear that the views they expressed will forever be associated with them and thus refrain from expressing themselves.”
Thus, an individual should be able to control (as far as practicable) the use of their data to protect their dignity and autonomy.
Obviously, there ought to be exceptions to this right in light of the legitimate interests of the third parties. This may include interests based on other fundamental rights (such as use of the data for journalistic purposes) or the interests of the government in protecting the security of the State.
Clearly, all sorts of third-party users can have legitimate interests in the use of such data, but this has to be determined on a case-by-case basis. For guidance, the European Court of Justice in Google Spain discussed several factors that the court may consider while balancing the right to be forgotten with the legitimate interests of the third parties.
What is not permissible is giving an arbitrary and blanket exemption to the government. The Bill has created a distinction between the government and private entities which lacks an intelligible differentia and a rational nexus with the purported object of the Bill. This is a patent violation of Article 14 as well as the proportionality test.
While it has been repeatedly stressed that data retention mandates must be specifically reasoned, there is no clear justification given as to why the state is exempt from the storage limitation requirement. Clause 20 of the Explanatory Note to the Bill provides that “a clear grounds-based description of exemptions has been incorporated in the Bill”. However, such ‘clear grounds-based descriptions’ are visibly absent from Section 18(4).
It is hard to determine whether there exists a legitimate state aim or a necessary purpose that this provision is seeking to fulfil. In the absence of a legitimate aim, it is impossible to ascertain if the proportionality criteria have been satisfied.
Even in Puttaswamy-II, the court struck down a regulation that allowed the Unique Identification Authority of India (UIDAI) to retain certain transaction data for a period of five years. The bench noted the disproportionate nature of the provision and recognised that it affected the right to be forgotten of citizens.
The Personal Data Protection Bill is an ambitious yet gravely flawed attempt at creating a data protection regime in India. While it purports to enact a consent-based system for processing personal data, the government has practically given itself carte blanche to ignore the safeguards in the Bill.
The immense powers given to the government, coupled with the fact that the distinction between sensitive and non-sensitive data has now been eradicated, may lead to undue targeting of gender, sexual, and religious minorities. The Bill is riddled with arbitrary provisions that are contrary to the right to privacy judgment.
The infirmities highlighted above ought to be rectified if the government is serious about complying with international standards in data protection.
This article was originally published on the blog Indian Constitutional Law and Philosophy.