It needs to strike the right balance between national security and citizens’ rights. An independent regulator is called for
Every success or innovation brings with it challenges that need balanced solutions. The same holds true for the internet revolution. Internet is all pervasive. As a result, the volumes of information, created and consumed daily in India, have grown exponentially.
The draft Bill includes key changes to the original bill with regard to penal provisions on fiduciaries breaching data privacy. The Bill trifurcates data into the categories of personal data, sensitive personal data and critical personal data. As a first step, data will be stored and processed within India’s boundaries, but who decides the contours of three categories?
This localisation of data, with the government at its nucleus, marks a significant step to curb the spread of fake news. Localisation provides easy access to help law-enforcement agencies to access data in case of cyber-attack investigations. The Bill has been described as a pivotal step for the progress of Indian companies by PP Chaudhary, chairman of the JPC. Chaudhary stressed that the Bill enhances the chances of Indian companies to compete in the global market and boost employment, while emphasising that this step “will not hurt the industry”.
A cornerstone to privacy in India is the case judgment on Justice KS Puttaswamy and others vs Union of India, which unanimously reaffirmed right to privacy as a fundamental right specified under Article 21. In 2017, after the legal validity of the Aadhaar database was put under scrutiny, this ruling underlined the expansive nature of the right to privacy under India’s constitutional provisions.
The previous draft version of the data protection Bill prepared by the committee headed by retired Justice BN Srikrishna passed the three-part test of necessity, proportionality and legality which are enshrined in the Puttaswamy judgment.
A provision under part III of the Constitution that was a pillar of concern previously is Article 359, which bestows the President with the power to suspend fundamental rights entirely during conditions that qualify as state emergencies.
This facet of infringement of personal rights cited in the Constitution has once again come under scrutiny in light of the JPC version of the Bill which provides the State with blanket exemptions on accessing citizen data under Section 35.
This legal abridgement of the right to privacy has a serious implications for the fundamental rights of citizens of India and defies the basic skeleton upholding the republic status of India.
The supremacy of the sovereign is supreme, so is privacy. The key is to provide a balanced approach between citizens’ rights and security/sovereignty of the nation. Democratic rights and privacy laws are a subject of global debate.
The Data Bill has to deal with the dilemma of choosing equally between cardinal concerns of national security and safeguarding the fundamental rights of its citizens. It is unsettling that Chaudhary, while declaring that the Bill was inclusive of sufficient safeguards and that it did not grant any overarching power to the State, commented that “fundamental rights are always subject to reasonable restrictions but (the provision of) judicial review is always there”. Citizens’ personal and sensitive data must be dealt with carefully that should include the ability to survey the State’s actions to access personal data of citizens.
The Data Protection Bill needs to have an accountability framework that ensures transparency of operations, which can be achieved successfully by an independent third-party data regulator or an independent ombudsman.
The presence of such a regulator is also significant for India internationally as it can enable the country to enter into bilateral data treaties, once such a strong measure is included in the Bill. The Bill can make a statement globally that India not only values innovation and trade but also its citizens’ privacy.
The writer is member, London Court of International Arbitration