Watch the Watchmen Series Part 5: The Personal Data Protection Bill, 2019


tl;dr

Over the last couple of weeks, we have taken a closer look at the various surveillance technology projects that the Government is slowly putting in place. Now, we talk about why we should all be extremely worried. While this may sound alarmist, the lack of laws which would protect our privacy and shield us from surveillance is one of the biggest causes for alarm in India’s near future.

Why should you care about privacy?

In our previous posts in the “Watch the Watchmen” series, we have highlighted various projects that the government is developing and deploying that would enable it to strengthen the internet security structure of the country. These projects include the NATGRID, the CMS, the CCTNS and the AFRS.

The aim of the Government behind the introduction of these projects is to ensure that a higher level of coordination can be achieved between the intelligence agencies at the Central level and the law enforcement agencies to ensure that terror threats are neutralised swiftly and criminals can be apprehended easily.

While these concerns do come across as valid, the cause for alarm surrounding these projects is much simpler. These projects are problematic simply because India does not have a data protection regime in place to ensure that the privacy of its citizens is not compromised or violated by excessive interference or surveillance by the state.

Here, it is also important to understand that the right to privacy is essential and has been reaffirmed as a fundamental right in the landmark decision of the Hon’ble Supreme Court in K.S. Puttaswamy v. Union of India ((2017) 10 SCC 1). The right to privacy is not only relevant to those who may want to hide wrongdoing, as has been the narrative, but is important in various contexts, for example, to ensure that one is not discriminated against on the basis of belonging to a particular religious or social group or due to one’s political ideology.

The Draft Personal Data Protection Bill, 2019

The Personal Data Protection Bill, 2019 was touted as the solution to all the personal data related problems currently existing in India. It calls for obtaining consent before accessing an individual's data, penalties for any violations of the law, setting up a Data Protection Authority (DPA), and that the personal data which is collected be stored in India. However, the Bill fails to safeguard Indian citizens against state sponsored surveillance.

The PDP Bill, 2019 provides broad exemptions to the government: the State is not required to obtain consent, and it can exempt any government department by an order.

Clause 35 of the Bill empowers the Central Government to exempt by an order, ‘any agency’ of the government from all or any provisions of the data protection law if it is in the interest of the sovereignty and integrity of India, the security of the state, friendly relations, public order and to prevent incitement to the commission of an offence. The only safeguard is that the written order from the Central Government must specify the reasons for such exemptions, ignoring the requirements otherwise established in Indian and international law of meeting the test of being “necessary and proportionate”. These exemptions will not just apply to data gathered by such agencies, but also to any data that is shared with such agencies by other data fiduciaries. It puts the power in the hands of the Central Government and specifically makes it the judge and adjudicator of its own cause. Clause 36 of the Bill also creates specific exemptions in certain cases, to which no safeguards will apply. Clause 37, which is supposed to empower the Central Government to exempt the processing of data of foreigners by data processors, is also vaguely worded. Most intelligence agencies of India suffer from a lack of institutional oversight and there are no laws clearly defining their powers or limitations to those powers. Further, there is a lack of any serious review of telephone tapping and other communications interception powers in the Bill. This will make personal data of citizens open to mass surveillance and make the protection meaningless.

The Bill was first introduced in the Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019. The Lok Sabha referred the Bill to the Joint Parliamentary Committee which invited comments/suggestions from stakeholders till February, 2020. (Read IFF’s comments here) While the report of the JPC is due in the upcoming winter session of the Parliament, the Bill is likely to be tabled in the next year's budget session.

The Schrems II Dilemma

On July 16, 2020, the Court of Justice of the European Union (‘CJEU’) passed a landmark judgement in Data Protection Commission v. Facebook Ireland, Maximillian Schrems (‘Schrems II Decision’). The Schrems II Decision produced shockwaves for the practice of commercial transnational data transfers of personal data originating from the European Union (‘EU’) and being transmitted to a non-EU country, such as India. Under the EU data protection regime, data transfers are conducted pursuant to the European Union General Data Protection Regulation (‘GDPR’), in conjunction with the Charter of Fundamental Rights of the European Union (‘Charter’) and several other directives and regulations. Chapter V of the GDPR allows for transfers of data outside the EU through three different modes, provided that the receiving countries were determined to provide adequate privacy protections for the same. First, an adequacy decision may be passed by the Data Protection Commission as to the existence of adequate privacy protection within the domestic legal framework of the receiving country. Second, an agreement to provide adequate safeguards, accompanied with enforceable data subject rights and effective legal remedies for data subjects. These may take place between two public authorities, such as in the case of the EU-US Safe Harbour or Privacy Shield, or between the sending and receiving data processors, such as in the case of Standard Contract Clauses (‘SCCs’), or between affiliated companies within a single commercial enterprise, such as in the case of Binding Corporate Rules (‘BCRs’). Third, derogations, or exceptions, to the requirement of either one of the above may be availed in specific circumstances.

The CJEU, in the Schrems II Decision, reached three crucial findings regarding the transnational transfer of personal data from the European Union:

A. The CJEU Confirms Extra-Territorial Application of GDPR for EU-Citizens’ Data

First, it held that the GDPR would remain applicable to personal data that has been transferred out of the European Union by one economic operator, or body corporate, to another for any commercial purpose, regardless of whether such data may be processed by the governmental authorities of the latter for the purposes of public security, defence and State security.

B. SCCs to Hold Validity Only if Underlying Framework Provides GDPR-Esque Data Protection

Second, it affirmed the validity of SCCs, provided that the level of data protection must be of a standard which is “essentially equivalent” to that guaranteed under the GDPR, read with the Charter. To this effect, the CJEU mandated the use of “other clauses or additional safeguards” in circumstances where the SCC itself failed to secure adequate levels of protection. These may cover, for example, the issue of law enforcement and access of personal data by government agencies. Additionally, respective Data Protection Authorities were under the obligation to suspend or prohibit data transfer to any third country wherein the aforementioned privacy safeguards, and alternative methods to achieve the same, were absent.

C. EU-US Privacy Shield Invalidated for Lack of Safeguard Against Government-Sanctioned Surveillance

Third, it invalidated the EU-US Privacy Shield on the grounds that:

  1. the United States surveillance regime, based on Section 702 of the Foreign Intelligence Surveillance Act, 1978 and Executive Order 12333 (1981), assumes primacy of national interest and law enforcement over the fundamental right to privacy by allowing the sanctioning of surveillance with no apparent limitation, violating the principles of proportionality in so far as the same is not restricted by the requirement of necessity,
  2. the United States does not provide foreign data subjects with an actionable right against the Government for privacy breaches, under the Presidential Privacy Directive 28 (2014) and Executive Order 12333 (1981), and
  3. the United States legislative framework is inadequate in ensuring the independence of the judicial ombudsman, an authority established by the EU-US Privacy Shield and an undersecretary of state, and the requisite authority of the body to deliver binding judgments upon US intelligence services.

What does this mean for India?

According to Article 45 of the GDPR, the relevant inquiry into an adequacy decision involves an assessment of the rules and regulations applicable to data controllers and processors within a country. This also includes an analysis of the accompanying safeguards limiting the governmental access to foreign personal data. Per the Schrems II Decision, a like analysis would now be required for the operation of other modes of data transfer, such as Privacy Shields, SCCs, or BCRs. The recognition of the fundamental right to privacy in K.S. Puttaswamy v. Union of India (‘Puttaswamy Decision’) inducted principles of proportionality from Article 8 of the European Convention of Human Rights. Yet, without an underlying statutory framework, these rights lack remedial mechanisms that may be triggered by their violation. However, while the Personal Data Protection Bill, 2019 (‘PDPB’) remains to be passed, India exists in a state of limbo. Without a current standard of foreign personal data protection for all commercial operations, India does not meet the criteria for an adequacy decision. Additionally, as has been highlighted throughout our “Watch the Watchmen” series, the citizens of India themselves do not have any strict protections from state surveillance, which vitiates the question of protecting foreign data from surveillance as well. In such a situation, India stands to be cast out, restricted in its ability to trade and offer services within the EU.

The Schrems II decision analysis included in this post has been done by former IFF intern Rohit Gupta.

Important documents

  1. Essential Features of a Rights Respecting Data Protection Law dated February 28, 2020 (link)
  2. Public Brief and Analysis of the Personal Data Protection Bill, 2019 (link)
  3. IFF’s “Watch the Watchmen” series on Surveillance Technology Projects in India (link)