Should States Have the Power to Enact Their Own Data Protection Laws?

If the Centre endorses states having the right to control access to their own records, it will also be forced to have a relook at the RTI Act, 2005.

As India debates the requirement of a data protection law, an important issue that is not getting much attention is whether data protection is a subject on the state list, central list or the concurrent list. As per the constitution, legislative powers are distributed between the parliament and the state legislatures as per the scheme laid down in Schedule VII to the constitution. This schedule contains three lists – only the parliament can enact laws for subject matters listed in List I, only state legislatures can enact laws for subject matters listed in List II and both can legislate on matters listed in List III, subject to certain restrictions. For all residuary subjects, which are not in any of the three lists, only parliament can legislate. Schedule VII ensures a federal India where power is not concentrated with the central government and allows states the flexibility to chart their own course on most matters.

So, where on Schedule VII is data protection listed? Understandably, none of the entries in the schedule specifically mention the subject matter of data protection. This does not automatically mean that it falls within the residuary subject matter, thereby giving the parliament the right to legislate on a law for the entire country. Determining the legislative competence under Schedule VII does not come down to finding the exact subject matter in one of the three lists. Rather, courts use the test of “pith and substance” to identify the essence of a legislation and identify which of the entries in the three lists best covers the issue. This doctrine was recognised by the Supreme Court in its early days in the case of The State of Bombay and Another vs F.N. Balsara where the court had to decide on whether the Bombay Prohibition Act was within the ambit of List I or List II.

The “pith and substance” of a data protection law is a slightly complicated issue because such a law deals with records which are an intrinsic part of every aspect of governance and administration. There are, however, a few parliamentary legislations which deal exclusively with data and information held by the government and those can serve as a starting point for the discussion.

Also read: Does India Need Only One Data Protection Law and Regulator to Rule Them All?

Public Records Act, 1993 – covers only central government

The first is the Public Records Act, 1993, which lays down the procedure to maintain public records in the custody of the central government. The same law also lays down the procedure to archive records with the National Archives. At the time the parliament was enacting the legislation, there were calls for extending it to even those public records that are held by the state governments. At the time the government told the parliament that it would not be possible for the parliament to control the manner in which states held their public records. The then deputy minister of HRD Kumari Selja gave the parliament the following reason for not enacting a single uniform law for both the central and state governments:

“Considering this all-round demand, the Government had appointed an Archival Legislation Committee in 1959, which in its Report submitted in the next year, suggested enactment of a Single Uniform Law on Public Records of the Union Government, Governments of the States and the Union Territory Administration by amending the Constitution. Since the proposed course of amending the Constitution was not very easy, and there is no single entry in the Constitution under which such a law could be framed, consultations with the State Governments were initiated, permitting the Parliament to frame a law on their behalf. Unfortunately, none of the State Governments wished to give such an authorisation.”

In short, the Union government had then conceded that parliament could not legislate on a law controlling the manner in which state government maintained their records. Logically, this position makes sense because a state legislature should have the power to make laws on how records generated by its legislation can be held or released by the state government.

Right to Information Act, 2005 – covers both the state and the central government

This takes us to the second legislation which controls access to public records. This legislation is the Right to Information (RTI) Act, 2005, which was enacted by the parliament and which covers public records held by both the state and central governments. Before discussing the competence of the parliament to enact such a legislation, I should point out that several states like Tamil Nadu, Goa, Maharashtra, Karnataka and Rajasthan had enacted their own RTI legislation long before the UPA enacted the RTI Act, 2005. Tamil Nadu, for example, had enacted a state-level RTI Act in 1997, although it is generally accepted that none of these laws were as powerful as the version proposed by the National Campaign for the People’s Right to Information and enacted by parliament in 2005.

The inevitable question at this point is how exactly did the parliament, in 2005, enact an RTI Act covering even the state governments when in 1993 the Union government had conceded that the parliament lacked the power to pass a legislation covering public records held by the state governments? The answer to that is available in one of the parliamentary debates in the Rajya Sabha over the Freedom to Information Bill, 2002, introduced by the NDA government. Pranab Mukherjee, then in the opposition, had headed the parliamentary committee that examined the legislation and spoke at length about the deliberations surrounding the legislation. In his speech, Mukherjee had argued that the parliament had the legislative competence to enact a law covering all states because the right to information was not specifically listed in any of the lists thus bringing it under the residuary power in List I, giving the parliament the power to enact the law. His submission was as follows:

“the Central laws would be made available to them. If I understand correctly – if I am wrong, the Minister may correct me – the legislative competence of the Union Government is arriving in this case from Entry 97 of the List I in the Seventh Schedule, because in List I of the Seventh Schedule, on which the Parliament has the competence to make laws, specifically, the right to information is not mentioned there. But, as early as in 1997, the Department-related Parliamentary Standing Committee on Home Affairs, while examining the Demands for Grants for the Department of Personnel, recommended that if the Government suffered from lack of legislative competence, it can take the help of Entry-97, which is a residuary clause, where the power is vested in the Union Government to make legislations through Parliament, if it is not specifically mentioned from Item Nos. 1 to 96.”

Mukherjee’s submission is not very convincing for the reason that the “pith and substance” of the RTI Act is essentially the management of public records and the right to access the same. Land records, public expenditure from the state consolidated fund and state taxes are essentially subjects on the state list and only the state legislature can enact laws on those issues. It is only logical that state legislatures be responsible for regulating access to such public records. It does not make sense to argue that state legislature enact laws that create these public records which the parliament can then regulate through laws like the RTI Act. The logical extension of my argument is that portions of the RTI Act that create mandates for public records created and stored by state governments, are most certainly unconstitutional.

Apart from these two laws, there are laws such as the Census Act, 1948 and the Collection of Statistics Act, 2008 which deal with collection of huge amounts of data from citizens. Both of these are parliamentary legislations – the census is clearly listed on List I, while the latter is on List III, which means that the parliament can enact laws on these issues.

The ‘pith and substance’ of a data protection law

But returning to the subject of discussion, which is a potential data protection law, I think the essence of the argument remains the same. Just because data protection is not enumerated as a separate subject in Schedule VII, it does not automatically fall within the residuary powers that lie with the parliament under Entry 97 of List I. The pith and substance of a data protection law, in the context of the state, is basically the right to regulate access to state records. Therefore, it is the legislature that enacts the laws creating the state record or information in a particular sector that should have the right to enact a data protection law regulating access to those records. So, for example, when it comes to records maintained by the state government in context of state taxes, financial records, state services governed by state laws, employment records of state employees, land records, educational records and lower court records, a data protection law can be enacted only by the state legislature and not the parliament. The same logic applies for records created by the parliament i.e. employment records of central government employees, educational records at centrally-funded universities, income tax records, etc. which are already subject to parliamentary law.

The next question to be examined is that of data protection for the private sector. The question of a central or state law will again depend on which legislature can regulate that particular sector under Schedule VII. So, for example, Entry 31 of List I covers, “post, telephone, telegraph, wireless, broadcast” etc. This clearly means that the parliament will also have the right to enact a data protection law for the telecom and internet sector regulating how that data may be accessed or used. Same goes for Aadhaar, which is a centrally-funded project.

However, for other sectors like hospitals, hotels, casinos which fall under List II, where only the state legislature enacts legislation creating the public/private record, it is only the state legislature that can enact a data protection law. The pith and substance in these cases is regulation of those sectors and transparency or secrecy of those records goes to the core of regulating any particular sector. Any other outcome will lead to a rather strange scenario where states can regulate certain sectors without having the power to define the transparency of those sectors.

Also read: India’s Data Protection Regime Must Be Built Through an Inclusive and Truly Co-Regulatory Approach

If the central government endorses this position of states having the rights to control access to their own records as also the records of the private sectors that they regulate, it will also be forced to have a relook at the RTI Act, 2005, because that legislation has an impact on the boundaries of a data protection law. It does not make sense allowing states to enact their own data protection laws if they don’t have the power to regulate access under the RTI Act, 2005. This is easier said than done, given the immense popularity of the current RTI Act throughout the country.

The other question is whether state governments will even want to enact their own data protection law. Do states have an incentive to have their own laws? Given that information is power, I presume that state governments will eventually want the right to control their own records. This may become a prickly issue between the Centre and the states in light of the State Resident Data Hubs (SRDHs) that will be a goldmine of data for state governments from a financial perspective as well as a surveillance perspective. These hubs will contain data of all beneficiaries of various government schemes and as the system is populated with more data, it will become a critical tool of governance. I am sure the central government is eyeing the data contained in these SRDHs. Whether state governments are willing to share such data with the Centre remains to be seen. I think public interest is better served by not concentrating all this data in the hands of the central government. Allowing states to retain control over the SRDHs will help to prevent this concentration of information.

Federalism has many goals and decentralisation of power is one of them. If information is power, I think we can all agree that we are better off with parliament not having the exclusive power to regulate data. Other countries with a federal scheme of governance follow a similar template for data regulation. Germany, for example, has different data regulation laws at the federal and provincial level. The same is true for the US, where the Privacy Act, 1974 regulates only the federal government’s records, while different states have their own privacy laws based on either common law or state constitutions. There is no reason for India to not follow a similar path of decentralised data protection laws.

Prashant Reddy T. is an assistant professor at the National Academy for Legal Studies and Research (NALSAR), Hyderabad and is co-author of Create, Copy, Disrupt: India’s Intellectual Property Dilemmas (OUP).