A serious debate over the setting up of a data privacy law has been doing the rounds for more than half a decade now. India has gone through several twists and turns in the quest to build a data privacy law framework that matches other mature jurisdictions worldwide. However, the more India comes close to making a robust data privacy law, the more it appears to be becoming a Sisyphean task. This article highlights how we are stuck in an endless loop when it comes to formulating the data privacy law in India.

Justice B N Srikrishna Committee

On 31 July 2017, the Ministry of Electronics and Information Technology (MEITY) constituted an expert committee led by Justice B N Srikrishna to study and identify key data protection issues. The decision to constitute an expert committee came when the Supreme Court of India was hearing the Puttaswamy case.

The Puttaswamy verdict

On 24 August 2017, a nine-judge bench of the Supreme Court of India passed the decision in K.S. Puttaswamy (Retired) v. Union of India.[1] Widely touted to be a landmark decision in the history of constitutional rights, the bench in Puttaswamy unanimously agreed that the right to privacy was an inherent part of the right to life under Article 21 of the Constitution of India. The Puttaswamy dictum elaborately discussed aspects such as privacy in a digital economy, the perils of unregulated data mining, and, most importantly, the dire need for a data protection law.

2018 Bill

The Justice Srikrishna committee submitted its report to MEITY on 27 July 2018 along with a draft bill aimed at introducing minimum safeguards for data processing in the country. The committee's Draft Personal Data Protection Bill (2018 Bill) could not live up to the expectations of the concerned stakeholders. The 2018 Bill was proposed to be a gap-filling law that would introduce minimum data privacy and protection standards commensurate with global best practices. However, the 2018 Bill did not address the issue of excessive state surveillance and the potential measures that could be introduced to drift away from the draconian surveillance methods in vogue in India. The 2018 Bill failed to balance out the interests of protecting data privacy while ensuring effective governance and maintaining national security. All in all, the move to propose a law was well-intended, but the 2018 Bill was far from being called the end product.

2019 Bill

The Personal Data Protection Bill (2019 Bill) was introduced in the Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on 11 December 2019. The object of the 2019 Bill was once again to protect the personal data of individuals. For this purpose, the 2019 Bill proposed establishing a 'Data Protection Authority'. However, the 2019 Bill had its own vices. Most important of all, the 2019 Bill not only failed to tackle state surveillance like its predecessor but also appeared to aggravate the possibility of greater and deeper surveillance. The 2019 Bill gave the state essentially a free hand at processing data without taking the consent of the individuals.

Similarly, the 2019 Bill carved a complete exception for employers who were allowed to process data of employees without their consent for aspects such as verification of attendance and assessment of performance. Individuals were provided with the option of withdrawing their consent for processing data. However, such withdrawal could pose legal consequences if there was no 'valid reason' - a term with no set definition and threshold. Entities involved in processing people's data could charge them for processing their requests. Experts saw this as an economic hurdle, especially when a person would wish to withdraw their consent to process data. Hence, the 2019 Bill became the centre of a heated debate on how not to draft a data privacy law.

Joint Parliamentary Committee Report

On 11 December 2019, Mr. Ravi Shankar Prasad moved a motion for reference of the 2019 Bill to a Joint Committee of both Houses of Parliament. After a wait of two long years, the Joint Parliamentary Committee (JPC) report on the 2019 Bill was released on 16 December 2021. The report results from discussions spanning almost 80 sittings of the JPC and consultation with key stakeholders. The JPC received memoranda from 234 government agencies and bodies, think tanks, and individual experts, including the likes of the Reserve Bank of India, FICCI, Facebook, Google, Twitter, and the Internet Freedom Foundation. The JPC, in its report, came up with a new data privacy law called the Data Protection Bill, 2021 (2021 Bill).

The JPC report and 2021 Bill continue to suffer from the same issues as their predecessors. The 2021 Bill appears to make state security its core concern, and individual privacy rights play a distant second fiddle. The 2021 Bill widens the scope of the non-consensual use of data, moving further away from the internationally accepted norm of proportionality. Additionally, the 2021 Bill fails to sufficiently deal with the data breach prevention and management framework.

Rising Data Privacy Concerns and the Way Ahead

As per Surfshark, a cyber security company, India is ranked third globally in terms of the number of data breaches, with an estimated total of 86.63 million breaches until November 2021. Another worrying figure is that there was a 350 per cent jump in the number of affected Indians compared to last year. Other notable data breaches include the Dr. Lal Path Labs server breach and IRCTC's data leak of October 2020, where user data of some million users was leaked.

Apart from data privacy breaches, there are discussions on the fairness of the data policies of companies like Google and Meta-owned applications such as Instagram and WhatsApp. There is an ever-increasing need to have a concrete law on data privacy. India must take the final steps and enact a law soon that places citizens and their privacy first and does not treat data as a commodity. The two-decade-old Information Technology Act has failed to keep up with the swift advancements in technology and the ramifications arising thereof. With India witnessing and becoming more prone to cyberattacks and data breaches, it is high time to emerge out of the Sisyphean nightmare and build a data privacy law that meets the ideals discussed in the Puttaswamy verdict.

Footnote

1. K.S. Puttaswamy (Retired) v. Union of India, 2017 10 SCC 1.
