In Chapter 4 of GPD’s recently published Travel Guide to Data Protection, we outline a set of key questions which can be used to determine whether a data protection regime is rights-respecting. In this mini-series, Data Protection on the Ground, we apply this framework to laws currently in development.
For this entry, examining the current draft of India’s Personal Data Protection Bill, special thanks go to Apar Gupta of the Internet Freedom Foundation, Arnav Joshi, and Shuchita Thapar, who contributed invaluable review and feedback.
India currently has a sectoral data protection regime, which means that personal data processing is incompletely regulated under a variety of distinct frameworks, including the IT Act and the Telecom Regulatory Authority’s recommendations on privacy, security and ownership of data in the telecom sector. In 2017, a case brought against India’s controversial Aadhaar national identity project highlighted the deficiencies and gaps in this regime, sparking vigorous debate and discussion in the media. Anticipating (correctly as it turned out) a pro-privacy ruling by the Supreme Court, in July 2017 the Indian government formed an expert committee to examine “principles to be considered for data protection in India and suggest a draft data protection bill” which would be comprehensive.
In July 2018, the Committee submitted a draft of the Personal Data Protection Bill to the Ministry of Electronics and Information Technology. At the time of writing, a three-week public consultation on the bill has concluded. A timeline is as yet unconfirmed, but – with a general election scheduled for April/May – it’s reasonable to expect that the government will try to pass it in the last remaining session of this Parliament (November – December 2018).
The below analysis examines the current draft of the Personal Data Protection Bill from a human rights perspective.
DOES THE DATA PROTECTION LAW INCORPORATE THE MINIMUM STANDARDS NEEDED TO ENSURE THAT AN INDIVIDUAL’S RIGHT TO PRIVACY IS PROTECTED?
Yes and no.
The data protection bill does incorporate the majority of the minimum standards, including the requirement that personal data should be collected, stored and used fairly and lawfully (fairness and lawfulness), that data subjects be informed that data is being collected (notice of purpose), and of rights to remedy where data controllers infringe the law. Regrettably, however, the bill falls short of full compliance in two important ways.
The first is that it fails to explicitly set out the right to erasure for data subjects, which is one of the minimum data protection standards. Although it includes “a right to be forgotten” (Clause 27), which means that a data subject can prevent or restrict disclosure of personal data, it does not explicitly allow the data subject to request the actual deletion of personal data. While it is possible that the current provision could be read to include the right to erasure, this should be more clearly set out in the relevant clause.
The second relates to the exceptions included in the bill. As we note in our Travel Guide to Data Protection, it is important that data protection laws also allow for exceptions (pp. 92-4). However, in order for these exceptions to be human-rights respecting, they must meet certain tests – i.e. to be in pursuance of a legitimate aim, and to be necessary and proportionate. There are several exemptions in this bill which fail to meet these tests.
Clauses 13 and 19, for example, exempt any government data processing activities which “provide a service or benefit to a data principal [subject]” from the requirement to obtain consent. This broad exemption is problematic because, in practice, it could mean that a vast range of government agencies – including those that process sensitive data – are absolved of responsibility for upholding a crucial principle of data protection. Clause 16, similarly, appears to exempt all employers in India (with no further qualification) from this requirement. The broad nature of these exemptions, and the lack of clarity around their aims, means that they cannot be deemed compatible with a rights-respecting regime.
Equally concerning are provisions in Clauses 14 and 20, allowing any legislation passed by Parliament or a State legislature to override provisions in the data protection law. This would seem to give the government almost unlimited scope to create new exemptions on a case-by-case basis and, again, can be judged neither proportionate nor in service of a legitimate aim.
Brazil’s data protection law (which will be covered in an upcoming entry in this series) offers a useful model for how to incorporate exceptions in a rights-respecting way. There, where exemptions exist, they come with strong safeguards which ensure measures are necessary and proportionate; by, for example, providing that any exception “carried out for the sole purpose of public security, national defence, state security or investigation and prosecution of criminal offences” must be governed by separate legislation.
IS THE DATA PROTECTION LAW COMPREHENSIVE?
In technical terms, yes. The law applies to data processed by both the public and the private sector, including any actors outside India that process the personal data of individuals in India. However, as noted in the section above, broad exemptions in the text mean that, in practice, the law might not end up applying to significant areas of state and private sector activity, potentially undermining its wide coverage and application.
Another way in which the bill could fall short of being comprehensive relates to its relationship to a separate item of legislation, the Aadhaar Act, which enables India’s national identity programme. While the bill’s accompanying report calls for amendments to this Act, there is no provision for this in the bill itself. It is customary for comprehensive data protection bills to make amendments to other legislation where appropriate, so this absence is significant, and should be remedied.
IS THERE AN ENFORCEMENT AUTHORITY IN PLACE EQUIPPED WITH THE POWERS TO ENFORCE THE LEGISLATION?
Yes. Chapter X of the bill establishes a data protection authority (DPA), and Chapter XII an “appellate tribunal” with powers to hear and dispose of any appeal relating to personal data processing.
Whether this DPA and tribunal would be independent is a different question. Worryingly, Clause 50 of the bill makes clear that – in the current proposed structure – nominations and qualifications for positions on these bodies would be directly controlled by the Indian government. A properly independent DPA would be able to staff itself and decide on its own procedures without any external influence.
Clause 40 of the bill requires that a copy of all personal data relating to data subjects in India be stored within the country. Although not strictly in contravention of the minimum standards, such a requirement, often referred to as “data localisation”, would not only limit cross-border trade by imposing additional costs on data controllers, but would also – given the broad exemptions discussed above – create opportunities for widespread government surveillance.
The legislation’s provisions for disclosure and notification could also be improved. Under the current bill’s provisions, a data processor responsible for a breach is obliged to inform only the DPA, and not the affected data subject/s. As a result, finding out whether your personal data has been compromised as an Indian citizen would depend on the discretion and capacity of the DPA. Here, the EU’s General Data Protection Regulation offers an example of better practice. Under its provisions, the data controller is obliged, in cases of data breaches likely to result in a high risk to the rights and freedoms of individuals, to contact any affected data subjects without undue delay.
India’s draft data protection bill provides a broad range of rights for data subjects in India, including purpose limitation, notice, and “fair and reasonable processing”, as well as introducing obligations on data processors (or “fiduciaries” in the bill).
However, the bill’s inclusion of disproportionate exemptions on government data processing means that these protections are qualified and limited. Should the Indian data protection bill be passed in its current form, it would not foster a human-rights respecting regime. To do so, it would first need to:
- Clarify the right to erasure (Clause 27);
- Ensure that the exceptions that apply to government processing of personal data are necessary and proportionate (Clauses 13, 14, 16, 19 and 20);
- Provide for amendment of the Aadhaar Act in line with the recommendations in the report; and
- Amend the process for selection of the DPA’s staff to ensure the full impartiality of the enforcement authority (Chapter X and XII).
You can find the full text of India’s draft Data Protection Bill here. For in-depth analysis of data protection in India, take a look at Mozilla’s analysis. GPD’s Travel Guide to the Digital World: Data protection for human rights defenders offers further guidance on the requirements for a rights-respecting data protection – as well as in-depth analysis of current policy debates, case studies, information on key forums, and advocacy tips and messaging.