The Digital Personal Data Protection Bill, 2022 does not satisfy the Supreme Court’s Puttaswamy principles

Tl;dr

The Ministry of Electronics & Information Technology (MeitY) released the draft Digital Personal Data Protection Bill, 2022 (Data Protection Bill, 2022) for public consultation on November 18, 2022. MeitY has solicited feedback on the Data Protection Bill, 2022 through the MyGov website by December 17, 2022. We have analysed the Data Protection Bill, 2022 and found that it does not meet the standards of privacy laid down by the Supreme Court in the Puttaswamy matters. At its core, the Data Protection Bill, 2022 sets out a scheme governing how persons, companies and other entities that collect, store, index, share etc. the personal data of their users (called Data Fiduciaries in the Bill) interact with those users (called Data Principals in the Bill) and with each other.

Why should you care?

The Data Protection Bill, 2022 contains around 30 clauses, shrunk considerably from previous drafts of data protection proposals, which contained 90+ clauses. As per the explanatory memorandum, this is to achieve simplicity in drafting; however, it has left the present version bereft of first principles at several places. As a result of this, and of leaving much to the framing of subsequent Rules, the Bill fails at several instances to stand up to scrutiny through a Puttaswamy lens. This matters because a Data Protection Bill will necessarily impact the privacy rights of Indian users, and the right to privacy has been recognised as a fundamental right by the Supreme Court in the two Puttaswamy v. Union of India judgments (2017 and 2019). Any law or state action that impacts the privacy of Indians must conform and adhere to the principles of proportionality set out in the Puttaswamy matters.

Puttaswamy protects informational privacy

In Justice K. S. Puttaswamy v. Union of India (2017) 10 SCC 1 (Puttaswamy-I), a nine-judge bench of the Indian Supreme Court unanimously affirmed the status of the right to privacy as a fundamental right guaranteed in Part III of the Constitution of India. The Court held that privacy is an integral part of Articles 14, 15, 19 and 21.

The Court held that informational self-determination and informational privacy constitute an integral part of the right to privacy. Chandrachud J. held that information control empowers individuals to use “privacy as a shield” to retain control over personal information. Nariman J. held that informational privacy relates to a person’s mind and therefore individuals have “control over the dissemination of material that is personal” to them. Kaul J. held that “the right to control dissemination of personal information” is a part of the right to privacy.

Though the case arose in the context of the constitutional challenge to the Aadhaar Act, the Court recognised that data protection is closely intertwined with informational privacy. The Court noted that a robust data protection law must be formulated by the State by “carefully balancing” individual privacy and the legitimate concerns of the State.

The Data Protection Regime must pass the tests of legality, legitimacy and proportionality

The Supreme Court held that such a robust regime must satisfy the three-fold test of legality, legitimacy and proportionality. This means that, first, there must exist a valid law to justify an encroachment on privacy; second, there must be a legitimate state aim to justify such a restriction; and third, the restriction must be proportionate to the object and needs of the law.

The Data Protection Bill, 2022 may satisfy the first test of legality, since, by virtue of being a statute, it will provide a legal basis for the government’s actions. Whether it has a legitimate state aim that can pass the second test is less clear. The statement of objects and purpose of the Data Protection Bill, 2022 states that it is to “provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto”. It is necessary to note that the objective of the Data Protection Bill, 2022 is not framed the other way around, i.e. to recognise the right to protect personal data, with processing of digital personal data permitted within that right. It is intended to be a data processing bill and not a data protection bill.

This becomes clearer once the Data Protection Bill, 2022 and its clauses are read as a whole. For example, the wide exemptions provided under Clause 18, and the low bar for consent contemplated under Clauses 7 and 8 leave little doubt that the thrust of the Data Protection Bill, 2022 is not to protect data, but to enable its processing.

The legitimacy of the Data Protection Bill, 2022 is further undermined by Clause 16, which imposes duties on Data Principals that carry a penalty of up to Rs. 10,000. These duties include complying with the provisions of all applicable laws; not registering a false or frivolous grievance or complaint with a Data Fiduciary or the Data Protection Board; not furnishing false particulars, suppressing material information or impersonating another person; and furnishing only such information as is verifiably authentic. These are worrying developments, since a legislation that is supposed to protect the rights of individuals is now imposing penalties on them.

An argument could be made that data processing is a legitimate state aim, but its legitimacy is weaker than the state aim of protecting personal data of Indian citizens and users. This is because protecting user data is directly derived from the Constitution of India and the fundamental rights it guarantees, whereas the state aim for data processing comes from the commercial interests of data fiduciaries and the state.

Proportionality Test: Assuming the Bill had a legitimate aim, it is not a proportionate way to achieve this aim.

The third test above, i.e. proportionality, consists of four sub-components, all of which must be satisfied before a law or state action can be considered constitutionally valid. They are the following:

  1. A measure restricting a right must have a legitimate goal (legitimate goal stage), i.e. it is designated for a proper purpose;
  2. It must be a suitable means of furthering this goal (suitability or rational connection stage), i.e. the measures undertaken to effectuate the limitation are rationally connected to the fulfilment of the purpose;
  3. There must not be any less restrictive, but equally effective, alternatives (necessity stage), i.e. there are no alternative less invasive measures; and
  4. The measure must not have a disproportionate impact on the right holder (balancing stage), i.e. there is a proper relation between the importance of achieving the aim and the importance of limiting the right.

We have discussed above how the goal of the Data Protection Bill, 2022 does not fare well on the test of legitimacy. But assuming, for the purpose of continuing this analysis, that the goal was legitimate, i.e. that the goal was to protect the personal data of Indians, the Data Protection Bill, 2022 fails to offer suitable protections to Data Principals.

Suitability Stage: The Data Protection Bill, 2022 is unsuitable for adequately protecting user data

Clauses 7 and 8 offer a highly diluted scheme for obtaining user consent for data processing. For example, Clause 7(4) squarely places the consequences of not providing consent upon the Data Principal. The illustration provided under Clause 7(4) confers a clear power on Data Fiduciaries to make their services contingent upon the processing of data, even where the services have no real-world connection to data gathering. This can result in a scenario where a restaurant can refuse service if a Data Principal does not consent to sharing her contact data with third parties, and lead to data blackmail.

Clause 8 of the Data Protection Bill, 2022 presumes the consent of the Data Principal if “such processing is necessary”, and then enumerates extremely wide scenarios in which processing can be considered necessary, such as “where it is reasonably expected” that personal data would be provided, or for “the provision of any service or benefit to the Data Principal”, or even simply “for employment”, as well as when it is in the public interest. Deemed consent also cannot be withdrawn by the Data Principal at any time.

This highly vitiated scheme of consent will force greater generation and sharing of data than is necessary, and entirely fails core tenets of data protection, specifically data minimisation and purpose limitation. This renders the provisions of the Data Protection Bill, 2022 unsuitable to meet the legitimate state aim of data protection. In fact, data minimisation, purpose limitation and the other data principles become even more relevant at the next stage of the proportionality analysis, the necessity stage. These principles offer the best alternative in terms of a less invasive measure, and must be more strongly adopted in the Data Protection Bill, 2022.

Necessity Stage: Less intrusive alternatives exist, but are not considered by the Bill

The explanatory note accompanying the Data Protection Bill, 2022 enumerates the seven privacy principles which were also endorsed in Justice K. S. Puttaswamy v. Union of India (2019) 1 SCC 1 (Puttaswamy-II) as “principles around the data economy”, i.e. (i) usage of personal data must be fair, lawful and transparent; (ii) purpose limitation i.e. the data must be used for the purpose it was collected; (iii) data minimisation, i.e. only collect the data that is required for a specific purpose; (iv) personal data must be kept accurate and up-to-date; (v) storage limitation, i.e. not stored perpetually by default; (vi) reasonable safeguards to prevent unauthorised data collection; and (vii) accountability, i.e. the person who decides the purpose and means of processing must be accountable for processing.

Unfortunately, these principles are only listed in the explanatory note, and are not followed in practice or in spirit by the scheme of the Data Protection Bill, 2022. Further, the explanatory note clarifies that it is not intended to be a part of the Data Protection Bill, 2022 and shall not be considered for its legal interpretation.

Principles of fairness have not been incorporated in the Bill: for example, offline services that are not contingent on data gathering may be refused on the ground that Data Principals have withdrawn consent for the sharing and processing of their data. This is most apparent in Clause 7(4) of the Bill.

While Clause 9(6) of the Bill does provide for certain circumstances for erasure of personal data, such as when “retention is no longer necessary for business purposes”, it leaves broad ambiguities about when there is a legal obligation on the Data Fiduciary to delete a Data Principal’s data. The wording of Clause 9(6) leaves room for a Data Fiduciary to retain the personal data of its users forever, on the ground that it remains necessary for its business purpose. Here, the principles of storage limitation, purpose limitation and fairness to the Data Principal are defeated simultaneously. This is compounded by the framing of Clause 13, which requires Data Principals to take active steps to ensure that their data is deleted by Data Fiduciaries. Further, the vague and wide wording of Clause 18 essentially gives the government carte blanche to exempt itself or any other Data Fiduciary from the application of the Bill.

Proportionate Impact Stage: The Data Protection Bill, 2022 fails to provide any procedural safeguards

This is a limb of the broader proportionality inquiry, where the presence of adequate procedural safeguards helps ensure that there is a proper relation between the importance of achieving the state aim and the importance of limiting the citizens’ right. The procedural failings of the Data Protection Bill, 2022 are particularly severe, and are visible in four major provisions.

First, the major procedural overhaul contemplated in the Data Protection Bill, 2022 is the constitution of a Data Protection Board (DPB), which will oust the jurisdiction of civil courts. While India’s experience with tribunals has not been encouraging, the procedural concern with the DPB is that its members and its Chief Executive will be appointed by the Union Government under Clauses 19(2) and 19(3). Accordingly, the DPB does not have the independence needed to sufficiently protect the interests of Data Principals.

Second, Clause 18(2)(a) of the Data Protection Bill, 2022 allows the Union Government to completely exempt any “instrumentality” of the State from all provisions of this Bill, in the interests of “sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these”. This would give the notified government instrumentalities immunity from the application of the law, which could result in immense violations of citizen privacy. These standards are excessively vague and broad, and open to misinterpretation and misuse. If the law is not applied to government instrumentalities, data collection and processing in the absence of any data protection standards could result in mass surveillance.

Third, the Data Protection Bill, 2022 leaves large gaps that MeitY is expected to fill through delegated legislation. In fact, the Data Protection Bill, 2022 uses the phrase “as may be prescribed” 18 times (yes, we counted). Other phrases such as ‘as may be determined’, ‘may, by notification’ and ‘may determine’ appear over 20 times in the 24-page Bill. The Data Protection Bill, 2022 thus hands the Union Government vague and unchecked powers to frame rules at a later stage, without proper legislative guidance. This is particularly concerning in provisions such as Clause 8(9) of the Bill, which allows the Union Government to prescribe fair and reasonable purposes for which a Data Principal will be deemed to have given consent to the processing of her personal data; Clause 10(2), relating to the processing of personal data that is likely to cause harm to a child; and the provisions relating to the working of the Data Protection Board under Clauses 19(2) and 19(4).

Finally, Clause 30 of the Data Protection Bill, 2022 deletes Section 43A of the Information Technology Act, 2000, which provided Data Principals compensation for wrongful loss caused by a Data Fiduciary’s negligence in maintaining reasonable security practices and procedures while handling “sensitive personal data”. This is replaced by Clause 25 of the Data Protection Bill, 2022, which only imposes financial penalties and provides no user compensation. While the impact on the Data Fiduciary may be similar, the impact on the Data Principal will be completely different. Under the Data Protection Bill’s regime, the entirety of the financial consequences borne by Data Fiduciaries will benefit the government treasury, instead of compensating the Data Principals who have actually suffered harm. This also underlines a deeper philosophical failing of the Data Protection Bill, 2022: that the Data Principal is not treated as the ultimate owner of her own personal data.

These infirmities could render the Data Protection Bill, 2022 unconstitutional

From the analysis, one clear conclusion follows: the Data Protection Bill, 2022 fails the proportionality standard adopted by the Supreme Court in Puttaswamy-I and Puttaswamy-II. The Data Protection Bill, 2022 will pass the test of legality, and may even pass the test of legitimacy, but its inability to provide a suitable means of achieving a legitimate state objective, its failure to consider less intrusive alternatives, and its complete failure to provide procedural safeguards render the Data Protection Bill, 2022 a disproportionate invasion of user privacy, and may even render the entire Bill unconstitutional.

We will submit our comments to the Data Protection Bill, 2022 on the MyGov portal before the deadline for submissions, and will make our submissions publicly available. We encourage our readers and the wider community to also submit their comments, and to feel free to refer to our comments, if found helpful.

Important documents

  1. IFF’s First Read of the draft Digital Personal Data Protection Bill, 2022 (link)
  2. The draft Digital Personal Data Protection Bill, 2022 dated November 18, 2022 (link)
  3. Explanatory note accompanying the draft Digital Personal Data Protection Bill, 2022 dated November 18, 2022 (link)
  4. Notice of public consultation for the draft Digital Personal Data Protection Bill, 2022 dated November 18, 2022 (link)