Data Protection Bill: Missed Opportunity for Surveillance Reform
On 27 July, the Expert Committee chaired by Justice Srikrishna submitted its Report and a draft of the law titled “The Personal Data Protection Bill, 2018” (“the Bill”) to the Minister of Electronics and Information Technology.
The submission of the Report and its publication online – after weeks of guess work and leaks – are a welcome step and bode well for transparency and accountability in legislative drafting. The Bill broadly does a good job in moving the debate forward on issues of data protection and privacy, especially in its recognition of the principles of collection and purpose limitation (sections 5-6), privacy by design (section 29) and data portability (section 26) and data breach notification (section 32) (although their application raises certain issues).
Significantly, however, the Bill, fails to deal with the issue of surveillance, even though previous versions of the Government’s own Privacy Bill of 2011 or the Data (Privacy and Protection) Bill, 2017 introduced as a Private Member Bill in the Lok Sabha by Baijayant Panda, had separate chapters on the regulation/prohibition of surveillance.
References to Surveillance in the Draft Bill
Instead of dealing with surveillance separately, section 42 of the Bill on the “security of the State” clarifies that processing of personal data “in the interests of the security of the State” shall be exempt from the obligations of the Act (except sections 4 and 31) if it is:
- authorised pursuant to a law made by Parliament;
- necessary for, and proportionate to, such interests being achieved.
Section 43 creates similar exemptions if the processing of personal data is in “the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of law” and is (a) authorised by a law made by Parliament , and (b) is necessary for, and proportionate to, such interests being achieved.
These requirements seem to be in line with the Supreme Court’s formulation in Puttaswamy. To that extent, they seemingly signal the death knell of the government’s highly controversial CMS and NETRA programs (for the lack of legislative sanction) and for any mass surveillance program (for the failure to meet the necessity and proportionality standard). Unfortunately, however, the Bill represents a lost opportunity for comprehensive surveillance reform.
Why the Bill is a Missed Opportunity
1. No Judicial Oversight
First, the requirements in sections 42 and 43 endorse the current antiquated surveillance framework that exists in the country under the Telegraph Act and the Information Technology (“IT”) Act.
Broadly speaking, both these laws empower the law enforcement agencies to intercept messages and communication on the grounds of sovereignty and integrity of India, security of the State, and public order. Section 69 of the IT Act goes further in permitting the interception, decryption, and monitoring of information for the “defence of India”, without any pre-requisite of demonstrating “public emergency” or “public safety”.
Notably, in line with the Supreme Court’s judgment in PUCL v Union of India (1997), these laws do not require any prior judicial authorization to conduct surveillance, and instead rely on executive sanction by a competent authority.
Even as far back as 2013, RTI responses revealed that the Central Government alone issues around 7500-9000 telephone interception orders each month (which number would have substantially increased today). This clearly indicates that there cannot be any reasonable application of mind by the competent government authority, while authorizing targeted surveillance.
Due to such State capacity concerns, in many countries such as Canada, USA (through the FISA Court), or Australia, judicial control is built into the domestic/foreign surveillance framework, through the process of overseeing and approving warrants and surveillance requests. However, the current Bill entirely sidesteps this issue.
2. No Accountability for Intelligence Agencies
Second, while section 30 of the Bill requires data fiduciaries to take “reasonable steps” to maintain transparency and section 35 recognises data audits, there is no direct requirement for law enforcement agencies to submit a report to Parliament about the nature and scale of their surveillance and interception activities.
Interestingly, the Committee’s Report acknowledges that the lack of any inter-branch oversight of law enforcement agencies, through a statute, is “deleterious in practice… and potentially unconstitutional” and that the Central Government should “carefully scrutinise the question of oversight of intelligence gathering and expeditiously bring in a law to this effect.”
However, for reasons that are not fully clear, these recommendations do not find a place in the proposed law.
3. No Reform on Illegally Obtained Evidence
Third, one of the biggest problems in terms of surveillance reform has been the judicial sanction to admit illegally obtained evidence, including tape-recorded conversations. This skews the incentive of law enforcement agencies to comply with the (already weak) safeguards that are recognised in the law.
Instead all it does, is reiterate in section 42 that processing has to be done “in accordance with the procedure established by law” – a requirement which, incidentally, has been dropped in section 43 – without specifying any consequences for non-compliance.
Additionally, the Bill uses the term “surveillance” only once, while defining the term “harm” in section 3(21)(x) as “any observation or surveillance that is not reasonably expected by the data principal”, which in itself seems to indicate that certain kinds of surveillance are to be “reasonably expected” from the State and private actors.
4. No Rules on Non-State Actors
Fourth, the Bill does not expressly deal with surveillance by non-State actors.
5. Unrestricted Discretion for Government on Security and Aadhaar
Finally, it is worth examining Chapter XV of the Bill on Miscellaneous provisions. Section 98(1) allows the Central Government to issue “such directions” to the Data Protection Authority (“DPA”), “as it may think necessary in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order”. Such directions on questions of policy then bind the DPA.
In fact, it is also worth noting the wording of section 19(2) that permits the processing of sensitive personal data (such as passwords, financial/biometric/genetic data) without consent, if it is “strictly necessary” for the exercise of any function of the State, authorised by law for the provision of “any service or benefit to the data principal from the State”.
Interestingly, the terms “service” or “benefit” have not been defined in the Bill, and this provision seems to endorse the Aadhaar Scheme. In fact, even data portability rights do not apply when processing is necessary for the functioning of the State.
Can This Still be Addressed?
In the Indian Privacy Code, 2018 that we had drafted and sent to the Committee, we had included a separate chapter on surveillance and interception, both by State and private actors. In it, we had proposed the constitution of a Surveillance and Interception Review Tribunal that would ordinarily give prior authorisation.
Any comprehensive privacy law has to include surveillance reform, dealing separately with State and private actors. While the Committee’s Report recognises this, the Bill, unfortunately, fails to translate their concerns into substantive provision. We can only hope that parliamentary consultation will bring about some changes.
(Vrinda Bhandari is an Advocate in Delhi. She is also a volunteer with SaveOurPrivacy.in and helped in drafting the model India Privacy Code, 2018. This is an opinion piece and the views expressed above are the author’s own. The Quint neither endorses nor is responsible for the same)