The Achilles heel of the draft personal data Bill

The Srikrishna Committee report on India’s new privacy framework has been criticized for seemingly granting the government latitude in state surveillance, including national security exemptions. While similar exemptions are common in global data protection laws, concerns arise from the report’s failure to address practical concerns and the draft Bill’s inability to hold the government accountable for privacy violations. The penalties, designed with private entities in mind, may leave government data fiduciaries without fear of consequence.

This article was first published in The Mint. You can read the original at this link.

Some of the most vituperative criticisms of the Srikrishna Committee report have been reserved for the latitude that the government has seemingly been granted under the new privacy framework. In particular, the manner in which the committee has apparently sidestepped the chance to regulate state surveillance is widely being panned as a lost opportunity. Much of this angst stems from the inclusion of national security exemptions in Chapter IX of the draft Bill, which have allegedly given the state carte blanche.

It must be said that most data protection laws around the world contain exemptions of a similar nature. The fact that the committee has included this language should, therefore, not come as a surprise to anyone. On the other hand, I am glad to note that the committee has taken care to explicitly incorporate into each of these provisions the three-fold test laid out by Justice D.Y. Chandrachud in the Justice K. S. Puttaswamy (retd.) and Anr. vs Union of India and Ors, 2017 judgement against which any national security exemption that is sought to be invoked must be tested.

On the face of it, this should have been sufficient. However, given the uncertain pace of judicial intervention in India, it is more than likely that by the time the three-fold test is eventually applied, the damage done to victims of state surveillance could be severe. That being the case, the objections might have more to do with the failure on the part of the committee to provide a solution to these practical concerns.

Chapter VIII of the report (which deals with non-consensual processing) sets out the rationale behind the committee’s formulation of Section 42 relating to government exemptions on the grounds of security of the state. It is clear from the reading of that chapter that the committee has not only engaged with the issue but has also strongly recommended that the government enact a new law to deal with oversight over intelligence gathering. It has suggested that this law should have both ex ante access control through parliamentary oversight as well as ex post accountability through the mechanism of judicial approval. As if to underline the seriousness of this recommendation, the committee goes on to say that while this recommendation was not a part of the draft law appended to the report, it is “important for the data protection principles to be implemented effectively and must be urgently considered".

If it is read in isolation, it could appear that the draft Bill might have overlooked this issue. However, when examined along with the suggestions in the report, it is clear that the committee intends for the government to enact a separate law to apply appropriate fetters on the surveillance powers of the state.

This is why I am less concerned about the exemptions section of the proposed law and have instead reserved my concerns for the manner in which the draft Bill intends to hold the government, as a data fiduciary, accountable and liable for any privacy violations that it commits.

Chapter XI of the draft Bill, and in particular Section 69, sets out the penalties and remedies that are intended to apply to all data fiduciaries for violations of various provisions of the draft law. This includes contraventions such as processing personal data in a manner that is not in accordance with the data protection obligations of fair and reasonable processing, purpose and collection limitation, notice, data quality and data storage limitation, processing it otherwise than under approved grounds and a failure to adhere to the specified security safeguards.

In the event of a violation of any of the provisions listed above, a list of penalties has been laid out that is intended to apply to all data fiduciaries. However, in the manner in which these penalties have been articulated, it seems clear that they have been designed with private entities in mind. The penalties for violating the various provisions of the draft Bill set out in Section 69 (1) and (2) have been presented in terms of a percentage of global turnover of the contravening entity—ranging from 2% to 4%, based on its severity. This is a construct understandable only in the context of private corporations to whom such metrics apply. Global turnover is meaningless in the context of a government fiduciary as is any sort of financial penalty. How, then, does the law intend to hold them liable for the violations that they may commit?

This is what comes of trying to use General Data Protection Regulation style laws in the context of data protection violations by the state. As the committee has pointed out in the report, in the European Union (EU) the state is responsible for protecting individual interests and it is assumed that the government will not abuse its responsibility as a data fiduciary. This is diametrically opposite to the US model, which imposes stringent obligations on the state based on the US constitutional understanding of liberty as freedom from state control. In applying EU-style penalties to contraventions of the law, the committee has given government data fiduciaries a free pass to violate the provisions of the law without fear of consequence.

This is the Achilles heel of the proposed privacy legislation and one that I hope will be fixed during the consultation process. However, given that none of this is in the interests of the government, I am resigning myself to a toothless statute.