TeaMinistry of Electronics and Information Technology released Digital Personal Data Protection Bill, 2022, on 18 November. The journey towards a data protection law began in 2011 when the Department of Personnel and Training initiated discussions on the Right to Privacy Bill, 2011. According to an office memorandum dated September 29, 2011, the then Attorney General, Gulam Vahanvati, said that the conditions under which the government can “intercept communications” should be clarified in the bill. This opinion was also echoed by the Experts Group on Privacy in 2012, headed by Justice AP Shah. The group’s report stressed the need to examine the impact of the growing collection of citizen information by the government on the right to privacy. Since then, civil society organizations, lawyers, and politicians have continually called for surveillance reform, highlighting how personal data can only be protected when the government’s power to monitor citizens is meaningfully regulated. goes. However, like its predecessors, latest bill also fails to cope with India’s evolution into a surveillance society.
monitoring architecture
The surveillance structure in India primarily consists of Section 5(2) of the Indian Telegraph Act, 1885; Section 69 of the Information Technology Act, 2000; and the procedural rules promulgated thereunder. But this framework does not meaningfully define the grounds under which, or the manner in which, monitoring can be carried out. It also does not include safeguards such as pre- or post-facto independent review of interception guidelines. Concentration of power with the executive thus creating a lack of accountability and enabling abuse. This is evidenced not only by instances of political surveillance, but also by the veils of transparency that telecom companies mistakenly pull. For example, submissions by Airtel to the Department of Telecom, as part of the public consultation process for the Indian Telecom Bill, show that excessive data collection requests are already a reality. Airtel has asked the government to share the cost incurred to comply with the increasing demands of law enforcement agencies for surveillance.
Apart from outright surveillance, the unfettered collection and processing of citizen data for other purposes such as digital governance raises concerns. The movement on the nature of surveillance architecture was voiced by the Supreme Court in its judgment on privacy in 2017 and by the Justice BN Srikrishna Committee in 2018. However, all iterations of the data protection law – the Draft Personal Data Protection Bill, 2019, the Draft Data Protection Bill, 2021 and the 2022 Bill – have no proposal for surveillance reform. Worse, personal data may even be processed without the individual’s consent.
blanket discount
As in previous iterations, section 18(2) of the 2022 Bill allows the central government to provide broad exemptions to selected government agencies. However, the Bill is more robust than previous iterations as it allows exemption to private sector entities including individual companies or a class of them by assessing the quantum and nature of personal data under section 18(3) Could The comparable legal regimes, which were considered before proposing the Bill, according to the Explanatory Note, do not have comparable provisions. Foreign laws do not provide such broad immunity to government agencies, except for private corporations. While existing or proposed laws in the EU and the US allow security agencies to claim exemptions on a case-by-case basis, depending on why they are collecting personal data, they may have to do with the government entity as a whole. does not have broad exemption rights. , In addition, other jurisdictions exercise meaningful oversight over state surveillance. For example, the Investigatory Powers Tribunal in the UK is empowered to hear complaints against abuse of surveillance powers and can impose monetary penalties in case of a breach. Under the new bill in India, exempted state agencies and private entities will not be under the purview of the Data Protection Board, the body responsible for imposing fines in case of privacy violations.
Interestingly, the explanatory note accompanying the bill elaborates on the seven principles it seeks to promote, including transparency, objective limitation, data minimization and prevention of unauthorized collection of personal data. But when tallied with the actual provisions, the bill appears to serve a figurative value. This can also be seen in the government’s refusal to share statistical data on the number of surveillance orders issued annually, thereby hindering any meaningful transparency. Further, in direct contravention of the objective threshold, inter-departmental sharing of data is not only permitted but encouraged by draft policies such as the draft National Data Governance Framework Policy, 2022 to facilitate the creation of comprehensive profiles of citizens goes. Further, the provisions of other laws, such as the Criminal Procedure (Identification) Act, 2022, which allows seditious collection and storage of biometric data for 75 years, is in direct contradiction to the principles of data minimization and prevention of unauthorized collection . personal data.
Editorial | Standing Issues: On the New Data Protection Bill
The preamble of the 2022 Bill states that it aims to protect the personal data of individuals and ensure that personal data is processed only for legitimate purposes. Unfortunately, by choosing to protect state surveillance, the new bill fails to fulfill its mandate of protecting citizens’ right to privacy.