The quest for a privacy regime in India changed gears with the Supreme Court ruling in Puttaswamy I (KS Puttaswamy v. Union of India, 2017). This led to the constitution of the Justice Srikrishna Committee in 2018, which submitted with its Report a Draft Bill (2018 Bill) that was never introduced in Parliament.
The Personal Data Protection Bill, 2019 (2019 Bill) was introduced in December 2019 and thereafter referred to a Joint Parliamentary Committee, which sought public comments on the 2019 Bill and is currently deliberating on it. This article addresses the National Security implications of the 2019 Bill in light of precedents set by the Constitutional Courts of India, aspirations of a Democratic Republic, and the duties of a Sovereign.
There exists a constitutionally protected, legitimate State interest in addressing National Security challenges, be they external or internal. Yet a democratic society thrives on the rule of law, and accordingly National Security challenges ought to be addressed not at the cost of civil liberties but by harmonizing the two.
A general discontent in the ecosystem concerns the broad exemptions enshrined in Clause 35 of the 2019 Bill and the over-reliance on delegated legislation leading to legal uncertainty. An overt difference between the 2018 Bill and the 2019 Bill is the divestment of power from the Data Protection Authority (Authority) to the Central Government.
Clause 35 of the 2019 Bill enables an executive order to be passed to abrogate fundamental rights of citizens if it is ‘Necessary or Expedient’ in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order or inciting offences affecting the said interests. The provision faces constitutional challenges on four counts. First, the provision introduces the ‘Necessary or Expedient’ standard for curtailment of civil liberties even though the Puttaswamy I judgment explicitly mandates the ‘Necessary and Proportional’ standard.
Second, the Apex Court had specifically outlawed ‘Expedience’ as a standard and mandated ‘Necessity’ in S Rangarajan etc v. P. Jagjivan Ram (1989). Third, the provision violates the ruling in the Puttaswamy II judgment (KS Puttaswamy v. Union of India, 2019), which mandates that only a law enacted by Parliament, which is just, fair and reasonable, can encroach upon the right to privacy, whereas the provision empowers the executive to do the same.
Fourth, the power delegated to the executive is so vast and the scenarios defined when it can be exercised are so broad that it leads to legal uncertainty and ‘Arbitrariness’ actionable under Article 14 of the Constitution as held in EP Royappa v. State of Tamil Nadu (1973).
Recently, in Vinit Kumar v. CBI (2019), the Bombay High Court precluded the use at trial of incriminating evidence that was collected in violation of the Puttaswamy I judgment and ordered its destruction. Thus it is important to understand that a robust National Security regime is built on the bedrock of individual Privacy.
Another pertinent decision envisaged in the 2019 Bill is the mandatory storage or localization of sensitive and critical personal data in India. The prime reason behind the data localization mandate has been two-fold: law-enforcement access to data and security of data. While the reason is well-intended, forced localization is conducive to neither the strategic nor the economic interests of India.
First, law enforcement actions can only be legitimized by following the due process of law as established in Maneka Gandhi v. Union of India (1978), and data localisation cannot circumvent the said due process requirement guaranteed under Article 21 of the Indian Constitution. Second, it is wrong to assume that data localisation will amount to better privacy protections. Also, localization of data may lead to the creation of ‘honeypots’ of sensitive data and increase the propensity of targeted cyber-attacks and foreign surveillance due to the increase in surface area for the same.
The National Security objective can only be achieved after first securing individual privacy, procedural integrity and an oversight mechanism, as this inspires public confidence in the procedure established by law and furthers national integration. Accordingly, three major steps need to be undertaken to ensure a robust National Security regime:
First, there is a need to harmonise Clause 35 of the 2019 Bill with the mandate in Puttaswamy I, II and the Maneka Gandhi case. To achieve this end, the standard of ‘Necessary and Proportional’ must be utilized, instead of ‘Necessary or Expedient’. Thereafter, the power to restrict the right to privacy must rest with the legislature and not the executive. Lastly, the scenarios wherein the power enshrined in Clause 35 of the 2019 Bill ought to be exercised must be more defined and specific instead of being broad and vague.
Second, overseas data can be better accessed by law enforcement through MLATs or bilateral data-sharing agreements. Avenues along the lines of the EU-US Privacy Shield, Convention 108 or the APEC-CBPR privacy model would help the government to achieve its objectives while being at par with other jurisdictions globally. Additionally, the government may also consider a bilateral arrangement with the US Government through the CLOUD Act to seek access to data for law enforcement.
Third, the objective of the 2019 Bill is to protect personal data and ensure privacy, and not to ensure government access to data, which ought to be the subject matter of separate legislation. If government access to data is retained as a part of the 2019 Bill, then it’s important to understand that the Data Protection Authority will be the one adjudicating on the infractions of the rights protected in Article 21 of the Constitution.
The European Regime had both regulatory experience and privacy jurisprudence and still, their Data Protection Authority is facing regulatory concerns. Accordingly, we will need an Authority which is independent and possesses the requisite legal and technical expertise. Considering that the Authority would be cross-cutting other sectoral regulators on issues related to Data Access and Protection, it is important that a consultation mechanism with sectoral regulators is institutionalised within the 2019 Bill or that the sectoral regulators be considered as members for constituting an experienced Authority.
National Security is not an abstract concept that exists outside of the individual security of the citizen. It is imperative that the legislature harmonises the 2019 Bill with civil liberties and ensures the development of a competent and independent Authority with oversight mechanisms which inspire confidence. Unbridled power is bound to be judicially reviewed; it’s best if nipped in the bud.
[This article was co-authored by Pranav Bhaskar Tiwar, Policy Research Associate, The Dialogue, and Kazim Rizvi.]