On 5 August 2022, the Ministry of Electronics and Information Technology withdrew the Personal Data Protection Bill was withdrawn. The Bill was tabled in Parliament in 2019 after a year-long consultation by the Justice Srikrishna Committee. In 2019, a Joint Parliamentary Committee was constituted, which suggested around 81 amendments to the 99-clause Bill, with a detailed report. The Bill has been heavily criticised by both civil society and the industry for various reasons, including an over-broad government exemption provision and unreasonable compliance-related provisions.
India’s current legal framework offers citizens limited data protection both from the state and the private sector. The present iteration of the Data Protection Bill may not have plugged this lacuna, but the lack of legislation creates a vacuum in our society and stymies the enforcement of the Supreme Court’s constitutional vision.
Over-Broad Exemptions
In 2017, a nine-judge bench of the Supreme Court of India, in Justice K.S. Puttaswamy (Retd) v. Union of India (Puttaswamy judgment), unanimously pronounced the existence of the Right to Privacy within the constitutional freedom of Right to Life under Article 21 of the Constitution of India. Clause 35 of the Data Protection Bill provides for a ‘blanket exemption’ to the Central government from the ambit of the Bill, and this is all in the name of ‘sovereignty’, ‘public order’, ‘friendly’ relations, ‘security of the state’ and ‘relations with foreign states’. The Bill, though, clarifies that the procedure for implementation should be “just, fair, reasonable and proportionate”.
The JPC report also mentions the Puttaswmay judgment and lists down the test of proportionality, as to how any restriction on the right to privacy would have to comply with the conditions prescribed, wherein it should be
backed by the law;
have a legitimate state aim, and
be necessary and proportionate
The problem, as noted by civil society, is that the report expects a ‘just, fair and reasonable procedure’ to only apply to the procedure for exemption, not the reason for the exemption itself. Ministers of Parliament such as Manish Tiwari have noted in their dissent that this exemption provision should be subject to judicial determination.
The Alt News Case
Recently, a journalist and the co-founder of the fact-checking platform, Alt News, was arrested in broad daylight for allegations (amongst many) of receiving illegal foreign donations. To investigate this case, the Delhi Police approached Razorpay, the payment gateway of Alt News, to investigate transaction records. This involved Razorpay receiving a notice under Section 91 of the Code of Criminal Procedure, which required the payment aggregator to provide the required ‘data’ to the law enforcement agency. The Delhi Police claims that it requested ‘transaction and account details and did not request Razorpay to deactivate payments from its platform.
Alt News, in the meantime, released a statement expressing its concern on how Razorpay had shared its donor data with the Delhi Police without informing them or without even a preliminary investigation of any possible violations on the part of Alt News.
Meanwhile, Razorpay clarified that they only shared ‘specific data that lied within the scope of investigation’, and not data belonging to the donors, such as PAN, address, pin code, etc. Lawyers have justified how Razorpay did not have a choice and that the refusal for disclosure was not a sustainable option under the law – since the privacy policy of Razorpay did not require consent or validity of any user data or search warrant request from the government.
The point here is that bulk transaction data requested by the government was shared instantaneously, without any pushback, primarily owing to the limited safeguards in the present legal framework. The tabled version of the Data Protection Bill would not have helped matters here as one could argue that the procedure adopted to enact the exemption was “fair, just and reasonable”. As the government thinks through the new legal framework for data protection, remedying this gap is imperative to ensure that individuals feel safe and secure in their increasing use of the digital economy.
A Growing Vacuum
It is quite clear from the reactions by civil society that the justifications for withdrawing the Bill are not enough. Reasons such as the Joint Parliamentary Committee giving ‘81 amendments’ to a ‘99-clause Bill’ and how the current version of the Bill is not ‘compliance-friendly’ for start-ups have been cited. But none of this justifies why the right to privacy of the citizen of this country has been put on hold for over 10 years from when the discourse was started.
The Joint Parliamentary Committee did not even recommend the ‘withdrawal’ of the Bill, but the government has taken it upon itself to draft a Bill from scratch, rendering the labour of parliamentarians, civil society, academia and industry redundant.
If there are ‘major changes’ being planned by the government, would it be possible to do so by the winter session? Would there be adequate stakeholder recommendations for the implementation of the new Bill? Would the new Bill meet the ‘global standards of Privacy’ as promised? We don’t currently know owing to the current policy paralysis, but we do know that there are plenty of unanswered questions and presumptive answers, and an increasingly digital society crying out for security and certainty.
(The author is a policy researcher. Views expressed are in her personal capacity.)
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)