As the final piece in our series on the Data Protection Bill, we look at alternative paradigms of data protection. Here, we first explain the 7 fundamental principles of the Indian Privacy Code, 2018. Then we analyse two alternative data protection bills that were introduced in Parliament: the Data (Privacy and Protection) Bill, 2017 and the Personal Data and Information Privacy Code Bill, 2019.
A quick recap
Part 1 of our series dealt with the need for a data protection bill, and illustrated emerging threats that threaten our modern digital life. We also provided some historical context for the Bill, and gave some updates on what the future lies with respect to the report of the joint Parliamentary Committee on the Bill.
Then came Part 2, in which we explained the various provisions of the Bill. We began with an explanation of all the definitions and jargon, and then showed how the Bill:
- provides users with certain Rights;
- lays down a consent mechanism for the processing of personal data;
- imposes on obligations on data collectors and processors
- lays down transparency and accountability measures to be followed
- provides the government with certain exemptions
We also provided an update on the Bill: the Joint Parliamentary Committee on the Personal Data Protection Bill will now be releasing its report in the first week of the monsoon session.
Then last week, in part 3, we highlighted the key concerns with the Bill that we feel deserved the most attention. Broadly, we covered the following issues: the dilution of user’s rights, non-consensual processing of data, definitional ambiguities, the removal of anonymity on social media, the threat of increased surveillance, the lack of independence of the Data Protection Authority, and governmental access to non-personal data.
This post will be the last in our #StartfromScratch series, and we plan to use this to provide examples of what other potential data protection frameworks might look like. Now, the Puttaswamy judgment of the Supreme Court, which enshrined the Right to Privacy as a fundamental right, noted that a data protection bill signals a positive obligation of the Government of India towards fulfilling the autonomy and dignity of the people by securing informational privacy. Hence, any data protection legislation needs to be centred around our fundamental rights. The bill must cement the power of individuals and communities that constitute individuals over governments and corporations.
For instance, the Government of India is under a clear obligation to provide essential services. However, the Personal Data Protection Bill, 2019 is ambiguous about whether services may be denied due to a lack of consent for the processing of personal data. Another example is the use of surveillance technology.
Today, such technologies are no longer about the surveillance of the high and the mighty - they are now used for a more everyday surveillance in which the aam aadmi is constantly surveilled in public spaces and while using public infrastructure. Facial surveillance even occurs through masks in metropolitan areas. Such technologies are not adequately regulated under the Personal Data Protection Bill, under which there are exemptions for large categories of surveillance which do not have any oversight mechanisms of judicial review, a hallmark of a democratic country. Furthermore, existing models of data protection, as well as a lot of the conversation that occurs around the bill, focus more on the growth of the digital economy, rather than the protection of an individual’s privacy. We believe that any rights respecting legislation should not drive a bargain between the market and fundamental rights.
With this in mind, we will now explain the 7 privacy principles of the India Privacy Code, 2018, put forth and discussed by lawyers involved in the Puttaswamy case and by public law experts. We believe that these principles must form the bedrock of any forthcoming data protection legislation.
The 7 Privacy Principles of #SaveOurPrivacy
These Principles were created through a collaborative and iterative process by a diverse group of civil society organisations, lawyers involved in cases and submissions related to digital rights, and digital law experts. They draw from a variety of sources, including the Privacy (Protection) Bill, 2013, the report of the Justice A.P. Shah Committee of Experts, and submissions by multiple lawyers to the Justice Srikrishna Committee of Experts, as well as various Supreme Court judgements such as the Puttaswamy judgement. Best practices from international frameworks such as the European Union’s General Data Protection Regulation were also taken into account:
- Individual rights are at the center of privacy and data protection: The individual and their rights are primary. The promotion of an individual’s rights promotes innovation in a sustainable way.
- A data protection law must be based on privacy principles: User rights as identified by the report of the Justice A.P. Shah Committee of Experts are essential to a data protection law. Additionally, a data protection law should develop with advances in technology and global best practices. Exceptions to the law should be: (a) worded clearly; (b) limited in purpose, necessary and proportionate to the aim; and (c) accompanied by sufficient procedural safeguards.
- A strong privacy authority must be created to enforce the privacy principles: We need a strong and independent body to ensure that the data protection rights are put into practice and enforced. It should be provided wide powers of investigation, adjudication, rule-making and enforcement. The authority should adopt an approach that builds accountability for the rights of users by having powers to impose penalties that are proportionate to the harm and build deterrence, and should serve as a forum for the redressal of the general public’s grievances.
- The government should respect user privacy: We support the use of digital technologies for public benefit. However, they should not be privileged over fundamental rights. Individuals cannot be forced to trade away their data and citizenship at the altar of being permitted to use government services and access legal entitlements on welfare. To make sure this happens the privacy authority must have overriding power and superintendence over all legal entities, including the government, in matters of data protection and privacy.
- A complete privacy code comes with surveillance reform: Any data protection law has to limit mass surveillance as it contravenes the principles of necessity, proportionality and purpose limitation. Even when individual interception and surveillance is carried out this should be severely limited in substance and practice through procedural safeguards. Furthermore, the privacy authority must be allowed oversight over surveillance activities, while, to ensure accountability, all such orders need to be communicated to the person who was surveilled.
- The right to information needs to be strengthened and protected: Individual rights are well served by the Right to Information Act which brings accountability to the functioning of government and public authorities. Hence, privacy protections which already exist under the Right to Information Act and are made subject to public interest, need to be preserved. Information Commissioners should be exempted from interference or control from external authorities.
- International protections and harmonisation to protect the open internet must be incorporated: Data protection legislations must have extraterritorial effect and apply to web services and platforms which are accessible in India and which gather personal data of Indians. At the same time, care and caution should be taken to preserve the global character of the open internet which is beneficial to Indians as they can access information, knowledge and services from all over the world.
We will now look at two legislations that we believe further the process started by the privacy principles.
The Data (Privacy and Protection) Bill, 2017
The Data (Privacy and Protection) Bill, 2017 is a variant of the Indian Privacy Code, 2017 was introduced in the Lok Sabha as a private member Bill by Sashi Tharoor MP. The Bill was submitted to the Parliament before the Puttaswamy judgement and the constitution of the Sri Krishna Committee. The Bill is thus inspired by international best practices and the report of the Justice A.P. Shah Committee of Experts.
The Bill seeks to establish an effective and comprehensive data protection regime in the country to protect the right to privacy of individuals in a data driven world, and shuns the ‘goods and services’ driven perspective on data. At the outset, the Bill sets down the guiding principles by enumerating the core data protection principles that are embedded in the Bill and those that govern the Bill. Individuals are made the owners of and put in control of their personal data. The Bill acknowledges that the Government is one of the biggest collectors of personal data and makes it a point to bring the State under its purview to plug misuse by the State. The main regulatory body envisaged is an independent privacy commission. The Bill has various provisions to secure the independence and accountability of its regulatory body and to prevent it from being reduced to a paper tiger. Given that the Bill was drafted before the Puttaswamy judgement, it stands out for being the first statute to explicitly declare that right to privacy is a fundamental right, which is essential to the maintenance of a democratic society.
User consent forms the bedrock for data processing under this Bill. The collection and processing of personal data has to be done with the consent of data subjects. In the event of a data breach, notifications must be sent not just to the Privacy Commissioner, but also to the data subjects affected. Certain types of data such as medical records, financial data, biometrics, sexual preference and practices, political affiliation, etc. have been classified as sensitive personal data and are afforded even more protection by requiring explicit consent for the collection and processing of such data.
The Bill limits the grounds for the non-consensual processing of data to two cases: a) the use of personal data for personal or family use and b) surveillance by a resident of their own residential property. The limitations on the collection, processing, and storage of personal data are carefully drafted keeping in mind the interest of the data subjects. Indeed, a remarkable feature of the Bill is its focus on the collection of personal data by intelligence agencies, surveillance, and interception of communications. The Bill devotes Chapters IV and V to interception and surveillance respectively. The Bill appears to be mindful of the perils of mass surveillance and bans it outright. Though surveillance at the level of the individual may be allowed, certain safeguards have been placed to ensure that such exemptions do not become a tool to crush dissent. For example, an order of the Chief Privacy Officer is required for carrying out surveillance and interception. Furthemore, any person being surveilled must be informed about such surveillance and the duration thereof.
The Personal Data and Information Privacy Code Bill, 2019
Following the lapse of the Data Privacy and Protection Bill, 2017, another private member Bill; The Personal Data and Information Privacy Code Bill, 2019 was introduced in the Parliament by Dr. Ravikumar M.P. in 2019. It is another, more updated and robust variant of the is a variant of the Indian Privacy Code, 2017. This Bill was a big step along the path to securing the right to privacy of individuals. This Bill is built around the seven privacy principles under the updated Indian Privacy Code, 2018.
The Personal Data and Information Privacy Code Bill, 2019, seeks to ensure the protection of informational privacy of individuals through a rights-based individual-centric data protection regime. Like the Data (Privacy and Protection Bill) 2017, this Bill also declares at its outset that every person has a natural right to privacy. The guiding principles of the Bill make it mandatory that personal data be processed fairly and lawfully. These principles also state that any invasion of privacy shall be evaluated based on the principles of legality, necessity and proportionality, and thus enshrines the privacy test laid down in the Puttaswamy judgement. The collection of personal data under the Bill is envisaged through a meaningful, revocable, and accountable notice and consent framework.
The provisions of the Bill that handle consent are thorough. An important provision on consent under the Bill is that the data controller cannot deny any service to any person for the reason that consent for sharing personal data for identification purposes has not been obtained. Moreover, the data subjects can claim compensation if essential services are denied to them on this ground. This provision has contemporary relevance where Aadhar has become the prerequisite for availing of essential services.
The Bill confers certain rights to the individuals, such as the right to access personal data, the right to correct their personal data, the right to destruction and erasure of personal data, right to object etc. Among these rights, most remarkable is the right to seek exemption from automated decision making. Individuals can seek exemption from decisions based solely on automated processing, including profiling, where such automated decisions cause demonstrable harm or injury.
Similar to the 2017 Bill, the grounds for exemption under this Bill are limited as well. Interception and Surveillance are dealt with in detail separately under Chapter IV of the Bill. The safeguards on surveillance and interception under this Bill are almost similar to that in the The Data (Privacy and Protection) Bill, 2017. However, the Bill provides for the setting up of a Surveillance and Interception Review Division, which review, renew, or take any other action with respect to orders for the interception of communications and surveillance.
This is the last blogpost in our series of explainers on the Data Protection Bill; read part 1 here, part 2 here, and part 3 here. In the coming weeks, as promised, we will be discussing the various issues with the Personal Data Protection Bill, 2019 in greater detail, so stay tuned!
- The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)
- The Personal Data and Information Privacy Code Bill, 2019 as introduced by MP Dr. D. Ravikumar (link)
- The Data (Privacy and Protection) Bill, 2017 as introduced by MP Dr. Shashi Tharoor (link)
- Essential Features of a Rights Respecting Data Protection Law dated February 28, 2020 (link)
- IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019 (link)
- The SaveOurPrivacy Campaign (link)
This post was drafted with the help of Fathima V N, who is a 2020 graduate of the National University of Advanced Legal Studies and is currently a Daksha Fellow.