Envisaging A Privacy-Respecting National Security Regime

Envisaging A Privacy-Respecting National Security Regime

SUMMARY

A general discontent in the ecosystem is regarding the broad exemptions enshrined in Clause 35 of the 2019 Bill

The Apex Court had specifically outlawed ‘Expedience’ as a standard and mandated ‘Necessity’

the objective of the 2019 Bill is to protect personal data and ensure privacy and not to ensure government access to data

The quest for a privacy regime in India changed gears with the Supreme Court ruling in Puttaswamy I (KS Puttaswamy v. Union of India, 2017). This led to the constitution of the Justice Srikrishna Committee in 2018 which submitted with its Report a Draft Bill (2018 Bill) which was never introduced in the Parliament.

Thereafter, the Personal Data Protection Bill, 2019 (2019 Bill) was introduced in December 2019 and thereafter referred to a Joint Parliamentary Committee which sought public comments on the 2019 Bill and is currently deliberating on the same. This article addresses the National Security implications of the 2019 Bill in light of precedents set by the Constitutional Courts of India, aspirations of a Democratic Republic, and the duties of a Sovereign.

There exists Constitutionally protected legitimate State interest in addressing National Security challenges be it external or internal. Yet a democratic society thrives on the rule of law and accordingly the National Security challenges ought to be addressed not at the cost of civil liberties but by harmonizing the two.

A general discontent in the ecosystem is regarding the broad exemptions enshrined in Clause 35 of the 2019 Bill and the over-reliance on delegated legislation leading to legal uncertainty. An overt difference between the 2018 Bill and the 2019 Bill is the divestment of power from the Data Protection Authority (Authority) to the Central Government.

Constitutional Challenges

Clause 35 of the 2019 Bill enables an executive order to be passed to abrogate fundamental rights of citizens if it is ‘Necessary or Expedient’  in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order or inciting offences affecting the said interests. The provision faces constitutional challenges on four counts. First, the provision introduces the ‘Necessary or Expedient’ standard for curtailment of civil liberties even when the Puttaswamy I judgment explicitly mandates ‘Necessary and Proportional’ standard.

Second, the Apex Court had specifically outlawed ‘Expedience’ as a standard and mandated ‘Necessity’ in S Rangarajan etc v. P. Jagjivan Ram (1989). Third, the provision violates the ruling in Puttaswamy II judgement (KS Puttaswamy v. Union of India, 2019) which mandates that only a law enacted by Parliament, which is just, fair and reasonable can encroach upon the right to privacy whereas the provision empowers an executive to do the same.

Fourth, the power delegated to the executive is so vast and the scenarios defined when it can be exercised are so broad that it leads to legal uncertainty and ‘Arbitrariness’ actionable under Article 14 of the Constitution as held in EP Royappa v. State of Tamil Nadu (1973).

Recently, the Bombay High Court precluded the use of incriminating evidence in the trial which was collected in violation of the Puttaswamy I judgement and ordered its destruction in Vinit Kumar v. CBI (2019). Thus it is important to understand that a robust National Security regime is built on the bedrock of individual Privacy.

Implementational Challenges

Another pertinent decision envisaged in the 2019 Bill is the mandatory storage or localization of sensitive and critical personal data in India. The prime reason behind the data localization mandate has been two-fold: law-enforcement access to data and security of data. While the reason is well-intended, forced localization is neither conducive to the strategic nor economic Indian interests.

First, law enforcement actions can only be legitimized by following the due process of law as established in Manaeka Gandhi v. Union of India (1978) and data localisation cannot circumvent the said due process requirement guaranteed under Article 21 of the Indian Constitution. Second, it is wrong to assume that data localisation will amount to better privacy protections. Also, localization of data may lead to the creation of ‘honeypots’ of sensitive data and increases the propensity of targeted cyber-attacks and foreign surveillance due to the increase in surface area for the same.

Way Forward

National Security objective can only be achieved after securing individual privacy, procedural integrity and an oversight mechanism first, as this inspires public confidence in the procedure established by law and furthers national integration. Accordingly, three major steps need to be undertaken to ensure a robust National Security regime:

First, there is a need to harmonise Clause 35 of the 2019 Bill with the mandate in Puttaswamy I, II and Manaeka Gandhi case. To achieve this end, the standard of ‘Necessary and Proportional’ must be utilized, instead of ‘Necessary or Expedience’. Thereafter, the power to restrict the right to privacy must rest with the legislature and not the executive. Lastly, the scenarios wherein the power enshrined in Clause 35 of the 2019 Bill ought to be exercised must be more defined and specific instead of being broad and vague.

Second, law enforcement access to overseas data can be better accessed through MLATs or bilateral data-sharing agreements. avenues along the lines of EU-US Privacy Shield, Convention 108 or the APEC-CBPR privacy model would help the government to achieve its objectives while being at par with other jurisdictions globally. Additionally, the government may also consider a bilateral arrangement with the US Government through the CLOUD Act to seek access to data for law enforcement.

Third, the objective of the 2019 Bill is to protect personal data and ensure privacy and not to ensure government access to data which ought to be a subject matter of a separate legislation. If government access to data is retained as a part of the 2019 Bill then it’s important to understand that the Data Protection Authority will be the one adjudicating on the infractions of the rights protected in Article 21 of the Constitution.

The European Regime had both regulatory experience and privacy jurisprudence and still, their Data Protection Authority is facing regulatory concerns. Accordingly, we will need an Authority which is independent and possesses requisite legal and technical expertise. Considering that the Authority would be cross-cutting other sectoral regulators on issues related to Data Access and Protection, it is important that consultation mechanism with sectoral-regulators is institutionalised within the 2019 Bill or the sectoral regulators be considered as members for constituting an experienced Authority.

National Security is not an abstract concept that exists outside of the individual security of the citizen. It is imperative that the legislature harmonises the 2019 Bill with the civil liberties and ensures the development of a competent and independent Authority with oversight mechanisms which inspires confidence. Unbridled power is bound to be judicially reviewed, it’s best if nipped in the bud.

[This article was co-authored by Pranav Bhaskar Tiwar Policy Research Associate, The Dialogue and Kazim Rizvi.]

Note: The views and opinions expressed are solely those of the author and does not necessarily reflect the views held by Inc42, its creators or employees. Inc42 is not responsible for the accuracy of any of the information supplied by guest bloggers.

You have reached your limit of free stories
Become An Inc42 Plus Member

Become a Startup Insider in 2024 with Inc42 Plus. Join our exclusive community of 10,000+ founders, investors & operators and stay ahead in India’s startup & business economy.

2 YEAR PLAN
₹19999
₹7999
₹333/Month
UNLOCK 60% OFF
Cancel Anytime
1 YEAR PLAN
₹9999
₹4999
₹416/Month
UNLOCK 50% OFF
Cancel Anytime
Already A Member?
Discover Startups & Business Models

Unleash your potential by exploring unlimited articles, trackers, and playbooks. Identify the hottest startup deals, supercharge your innovation projects, and stay updated with expert curation.

Envisaging A Privacy-Respecting National Security Regime-Inc42 Media
How-To’s on Starting & Scaling Up

Empower yourself with comprehensive playbooks, expert analysis, and invaluable insights. Learn to validate ideas, acquire customers, secure funding, and navigate the journey to startup success.

Envisaging A Privacy-Respecting National Security Regime-Inc42 Media
Identify Trends & New Markets

Access 75+ in-depth reports on frontier industries. Gain exclusive market intelligence, understand market landscapes, and decode emerging trends to make informed decisions.

Envisaging A Privacy-Respecting National Security Regime-Inc42 Media
Track & Decode the Investment Landscape

Stay ahead with startup and funding trackers. Analyse investment strategies, profile successful investors, and keep track of upcoming funds, accelerators, and more.

Envisaging A Privacy-Respecting National Security Regime-Inc42 Media
Envisaging A Privacy-Respecting National Security Regime-Inc42 Media
You’re in Good company