Technology Law Analysis
March 04, 2022
The Data Protection Bill: In Search of a Balanced Horizontal Data Protection Framework

 

We are excited to announce our latest series of quick takes on the emerging data protection framework in India, and its implications for the Government, the industry and other stakeholders. We are kick-starting the series with our first piece discussing the need for appropriately framed Government exemptions under the proposed Data Protection Bill, 2021 (DPB).

Background

The DPB (previously called the Personal Data Protection Bill, 2019 (PDPB)) has been recommended by the Joint Parliamentary Committee after two years of review.1 The DPB proposes a significant overhaul of the existing regulatory framework for data protection, as contained under the Data Protection Rules.2

The DPB, to a large extent, owes its formulation to the observations of the Supreme Court of India in K.S. Puttaswamy v. Union of India.3 The Court in Puttaswamy, recognized the right to privacy (including right to informational privacy) as a fundamental right implicit in the right to life and personal liberty guaranteed under Article 21 of the Indian Constitution, and other fundamental guarantees that flow from Part – III of the Indian Constitution.

However, while doing so the Court noted that the right to privacy is not an absolute right, and that subject to the satisfaction of certain tests and benchmarks, a person's privacy interests can be overridden by competing state and individual interests. Nonetheless, the Court recognized the need for a cross-sectoral and horizontally applicable legislation (i.e. applicable to the Government as well as private persons), noting that the right to privacy, being enforceable primarily against the State, imposes upon the State both negative and positive commitments, i.e. to restrict the State from unfairly interfering in the privacy of individuals, while putting in place legislation to restrict others from doing so, and providing conditions for the development and dignity of individuals.

Resultantly, as opposed to the Data Protection Rules, the DPB is horizontally applicable, rights-based (i.e. it defines a data subject’s rights vis-à-vis her personal data) and cross-sectoral in nature. However, in its present form, the DPB maintains widely worded provisions, that could enable the Government to exempt itself from the applicability of the DPB once enacted – which arguably go beyond the permissible limits of impinging upon individual privacy, as set forth in Puttaswamy.

Clause 35 of the DPB and Potential Issues

Clause 35 of the DPB enables the Central Government to exempt any agency of the Government from any or all provisions of the DPB.

The Supreme Court has previously observed in PUCL4 and Puttaswamy that derogations from the right to privacy need to be assessed against (a) the requirements under Article 21 of the Constitution (i.e. for the derogation to be just, fair and reasonable); and (b) the limits prescribed for imposing reasonable restrictions on any other right that is impacted.

Resultantly, exemption provisions such as Clause 35, need to meet the four-step test that emerges from the Supreme Court’s prior observations: (a) legality (existence of a law); (b) legitimate goal (existence of a legitimate State aim underlying the derogation); (c) proportionality (existence of a rational nexus between the objects and the means to achieve them, narrow tailoring of derogation in line with reasonable restrictions, such that derogation is proportionate to the aim sought to be achieved); and (d) procedural guarantees (existence of a fair, just and reasonable procedure).

The grounds for triggering the exemption under Clause 35 have been linked to the grounds specified under Article 19(2) of the Constitution of India (i.e. reasonable restrictions relatable to the exercise of freedom of speech and expression), thereby establishing a legitimate State aim. However, despite the limitations introduced, Clause 35 falls short of meeting the test of narrow tailoring and proportionality, since the provision offers no guidance as to the scope of the exemption, instead enabling the Government to exempt its agencies from any or all of the provisions of the DPB.

While the newly introduced Explanation (iii) to Clause 35 adds that exemptions granted under this Clause would be subject to just, fair, reasonable and proportionate procedures – thereby implying the existence of procedural guarantees – it does not explicitly define the contours of such procedural guarantees in the DPB.

Bringing the DPB in line with Puttaswamy

To remedy this, the Government should consider amending Clause 35 of the DPB and bring it in line with the requirements of narrow tailoring and procedural and substantive proportionality, as previously set forth by the Supreme Court in PUCL and Puttaswamy.

  1. Narrow Tailoring and Proportionality: The Government should consider limiting the scope of the exemptions under Clause 35, to only such provisions of the DPB that could seriously prejudice the purposes of processing by the Government.

    Therefore, while provisions such as the enforcement of data principals’ rights, and adopting safeguards applicable to significant data fiduciaries (including data audits and data protection impact assessments), should continue to apply to the Government and its agencies as they would apply for other data fiduciaries, certain obligations such as seeking explicit consent for the processing of official identifiers may be dispensed with in special circumstances. Such an approach would ensure narrow and proportionate tailoring of exemptions, in line with legitimate objectives of the State.

  2. Additional Procedural Safeguards: The Government should consider supplementing Clause 35 with additional guidance on procedural safeguards and oversight mechanisms applicable to the Government with respect to exercising its powers under Clause 35. These should include:

    1. Defining the institutional process applicable to reviewing exemption orders, similar to the process adopted under Sections 69/69A of the Information Technology Act, 2000. This should include defining the relevant authorities and rank of officers authorized to issue exemption orders, specifying the relevant authority for ex-ante review of exemption orders, or specifying the review process to be adopted, and/or defining exceptional circumstances where ex-post facto review is permitted; 

    2. Ensuring that the review process, at a minimum, extends to: (i) existence of a written and reasoned order of exemption under Clause 35; (ii) a review of the applicability of the grounds under Clause 35 to the exemption sought or granted; (iii) scope and conditions of the exemption sought in order to ensure proportionality of the exemption to the grounds contained in the exemption order; and

    3. Enabling the proposed Data Protection Authority (DPA) to audit the relevant Government agency’s adherence to the scope and conditions of exemption orders under Clause 35, on an ongoing basis.


Aniruddha Majumdar, Indrajeet Sircar & Gowree Gokhale

You can direct your queries or comments to the authors


1 See, Report of the Joint Parliamentary Committee on Data Protection, 16 December 2021, Available at URL: http://164.100.47.193/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf;

2 See, The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (Data Protection Rules) issued under the Information Technology Act, 2000 (IT Act), read with Section 43A of the IT Act, Available at URL: https://www.meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf;

3 See, K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1

4 See, People’s Union for Civil Liberties (PUCL) v. Union of India, (1997) 1 SCC 301


Disclaimer

The contents of this hotline should not be construed as legal opinion. View detailed disclaimer.

This Hotline provides general information existing at the time of preparation. The Hotline is intended as a news update and Nishith Desai Associates neither assumes nor accepts any responsibility for any loss arising to any person acting or refraining from acting as a result of any material contained in this Hotline. It is recommended that professional advice be taken based on the specific facts and circumstances. This Hotline does not substitute the need to refer to the original pronouncements.


