## Friday, April 03, 2020

### Comments on the draft Personal Data Protection Bill, 2019

by Rishab Bailey, Vrinda Bhandari, Smriti Parsheera and Faiza Rahman.

In December 2019, the Government introduced the draft Personal Data Protection Bill, 2019 (the "Bill") in the Lok Sabha. The genesis of this Bill lies in the report and draft law ("PDP Bill, 2018") prepared by a Committee of Experts headed by Justice B.N. Srikrishna. This committee was constituted by the Government in the course of the hearings before the Supreme Court in the right to privacy case (Justice K.S. Puttaswamy v. Union of India). This blog post is the first of a two part series containing our comments on the latest version of the PDP Bill, which has been referred to a Joint Parliamentary Committee for their consideration. It builds on our previous submissions on the white paper released by the Justice Srikrishna Committee and the draft PDP Bill 2018 prepared by them.

The Bill offers a fairly comprehensive set of data protection principles and rights to data subjects, particularly in relation to data processing by private entities. However, several provisions are in need of further improvements and revisions. In this piece, we focus on the provisions pertaining to the relationship between citizens and the State and the structure and independence of the proposed Data Protection Authority of India (the "DPA"). We find that by crafting a number of wide ranging exemptions for the State, providing it with various broad and ambiguous powers, and failing to check its influence over the functioning of the DPA, the Bill significantly limits the exercise of privacy rights by individuals.

### Defining the State and its functions

The State is one of the biggest collectors/processors of data, and has a unique ability to impact the lives of individuals. While the Bill takes an important and essential step towards empowering the citizen vis-a-vis the State by including the State within the definition of the term "data fiduciary" (and "data processor"), it needs to do more in terms of meaningfully empowering the individual. This process has to begin with providing greater clarity on some definitional aspects.

First, the definition of "data fiduciary" in Section 3(13) and of "person" in Section 3(27) seem to refer to "the State" in its entirety, instead of regarding each of its agencies / departments as an independent data fiduciary. This would, for instance, become relevant in a context like Section 7(1)(g), which requires individuals to be given notice of any data sharing arrangements with other fiduciaries. Clearly, the State cannot be regarded as a monolith for this purpose and the requirement of notice for data sharing should also apply to any inter-departmental sharing within the Government. This is also reflected in international best practice -- the UK's Data Protection Act, 2018, for instance, applies to distinct government agencies, while the US Privacy Act, 1974 refers extensively to intra-government information sharing. To make sure that this will also be the case under Indian law, the definition of "data fiduciary" needs to clarify that any reference to the "State" means the relevant department or Government agency of the State.

Second, Section 3(39) of the Bill imports the definition of the State from Article 12 of the Constitution. Article 12 defines the State to include the Parliament and State Legislatures, Central and State Governments, and all local or other authorities that are controlled by the Government. Given its place in Part III of the Constitution (dealing with fundamental rights), Article 12 has been drafted broadly so as to impose the broadest set of "responsibilities and obligations on the 'State' vis-a-vis the individual to ensure constitutional protection of the individual's rights..." (Pradeep Kumar Biswas v. Indian Institute of Chemical Biology). Accordingly, the term "other authorities" has been read to encompass a range of bodies such as state electricity boards, research and educational institutions, regional rural banks, and statutory corporations such as the Oil and Natural Gas Commission, the Industrial Finance Corporation and the Life Insurance Corporation.

However, when this definition is used in a context that limits, rather than expands the rights of individuals, the intent of the wide definition is turned on its head. For example, Section 12 of the PDP Bill permits non-consensual processing by the State in various circumstances. Given the wide scope of the word "State", this provision could be used by a range of entities, thereby limiting individual rights. Further, terms like "function of the State" and "service or benefit" used in Section 12(a) can also be interpreted very broadly. Thus, the breadth of the word "State", together with the wide ranging nature of functions carried out by the State will imply that a whole range of entities will be permitted to exercise the option of non-consensual processing. Such a wide exemption would be against the spirit of the Bill. Further, it may also create differential regimes for private and public sector entities providing similar services (such as education and health).

Accordingly, we suggest that the references to the "State" in Section 12(1)(a) of the PDP Bill and, by extension, Section 19(2)(a) (which provides an exemption from the right to data portability), should not include any of the "other authorities" under Article 12 of the Constitution. Further, given the challenge of trying to narrowly define the scope of the State, its functions, services or benefits, we propose that the State should be required to meet requirements of "proportionality" when processing data under Section 12. This will help in safeguarding the privacy interests of the individual, in keeping with the Supreme Court's decision in the Puttaswamy right to privacy case (See Bhandari et al, 2017).

### Exemption of surveillance and other agencies

Section 35 of the PDP Bill empowers the Central Government to exempt any government agency from the application of the entire Act, if it is satisfied that it is necessary or expedient to do so, subject to procedures, safeguards, and oversight mechanisms that will be prescribed by the Government. This is a very wide power, that enhances the existing asymmetry in the relationship between the citizen and the State, without increasing any corresponding accountability or transparency in the functioning of the State. This is of concern for a variety of reasons.

First, the Central Government needs only to be satisfied that the exercise of such powers is "necessary" or "expedient". The expedience test is hard to check or restrict, and can easily descend into being a mere convenience test, thereby providing an easy justification to invoke this provision.

Second, Section 35 permits the invocation of the exemption on various grounds, that go well beyond the grounds considered by the 2018 version of the PDP Bill. The earlier draft restricted its scope only to "security of the State" while the 2019 version has introduced several additional grounds that are relatable to the "reasonable restrictions" listed under Article 19(2) of the Constitution. For instance, it includes terms like "public order" that are much wider in scope and require a lower threshold for invocation as compared to "security of the State" (Ram Manohar Lohia v. State of Bihar).

Third, the provision does not require that any order that exempts the application of the legislation, and violates privacy in the process, has to be proportionate to the achievement of a stated legitimate aim. This is not compliant with the Supreme Court's judgment in the Puttaswamy right to privacy case.

Fourth, the Section allows both the scope of the provisions from which the agency would be exempted; as well as the procedures, safeguards and oversight mechanisms to be subsequently laid down by the Government. By delegating important powers to the Government, including the power to prescribe procedural safeguards, the Bill precludes the involvement of the legislature and the accompanying benefit of Parliamentary debate.

Fifth, Section 35 permits the Government to exempt the application of the entire Act. We find that there does not seem to be any discernible rationale for exempting the application of provisions like Sections 4, 5, 6, 9, 24, and Chapters I, IX-XIV of the Bill, which provide basic protections like need for fair and reasonable processing, retention norms, security safeguards, etc. Notably, jurisdictions such as the UK also do not exempt law enforcement agencies from the application of their data protection laws in their entirety (Bailey et al, 2018).

Finally, the provision lacks any independent high-level oversight mechanism or periodic review, and actions of the Central Government to exempt an agency are not subject to application of a judicial mind. The need for such oversight was recognised by the Report of the Justice Srikrishna Committee, and the Supreme Court too has repeatedly stressed on the need to implement appropriate procedural fetters on interferences with privacy rights. Further, democratic countries across the world employ multiple layers of oversight to intelligence and law enforcement agencies (See Bailey et al, 2018).

Accordingly, we believe that Section 35 of the Bill ought to be deleted in its entirety. There is an urgent need to revisit the entire legal framework pertaining to surveillance in India, and a broad exemption such as that contemplated under the Bill is undesirable. However, in the event that such a provision is to be retained, it would need to be strengthened by addressing the various concerns detailed above though appropriate safeguards to be built into the primary law. Specifically, the law must ensure that use of the provision and the actions taken pursuant to it are subject to appropriate (judicial) oversight; the grounds for invocation of the provision need to be restricted to "security of the state"; and proportionality requirements need to be specified. Further, relevant provisions of the Bill, as outlined above, must continue to apply even if an agency is being exempted from the application of other provisions of the law.

### Exemption for law enforcement purposes

The PDP Bill also provides for an exception in situations where personal data is being processed in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of any law (Section 36(a)). This provision is extremely wide in its import and can thereby end up creating unreasonably restricts on the fundamental right to privacy. We list the various concerns with the provision and corresponding changes that are being suggested to limit its scope.

First, the provision does not clarify that the exemptions from the obligations under the Bill will only be available to the State. For instance, nothing currently precludes an individual from relying on this provision to set up CCTV in any public place under the guise of preventing any criminal activities. The provision could therefore encourage vigilantism or enable privatised surveillance, significantly limiting the right to privacy. Therefore the provision should clearly state that this exemption can only be availed by the Central Government or a State Government or any officer specially authorised in this behalf by the Government.

Second, the use of the phrase "any offence or any other contravention of any law" extends the exemption to include even relatively minor contraventions of law or even civil wrongs arising from a breach of contract, violations of civil laws, violations of statutory obligations, etc. The provision is therefore overboard and unworkable in its current form. One of the ways to limit its scope could be by providing that the exemption would only be applicable to the prevention, investigation or prosecution of cognizable offences and that too if they are punishable with imprisonment of 3 years and above (indicating the more serious nature of the offence). Further, the phrase "any other contravention of any law for the time being in force" should be dropped.

Third, there is no requirement that the processing has to be proportionate to, and necessary for, interests of prevention, detection, and investigation of the offence, as required under the Puttaswamy tests (Bhandari et al, 2017). There is also no requirement of prior judicial review for such collection and processing of personal data, which was one of the potential safeguards suggested by the Supreme Court in the Puttaswamy Aadhaar case. The PDP Bill should ideally ensure that any processing of personal data under this provision is subject to prior judicial review and is in compliance with the proportionality standard.

Fourth, while the Bill lists some provisions that would continue to apply despite the exemption, it is unclear why other critical user rights, like fair and reasonable processing, access, correction, retention etc., have not been included. We propose that all of these provisions should be applicable to authorities availing this exemption, subject to situations where discharging data protection obligations may actively harm or interfere with their duty of investigating or prosecuting the relevant offences. As noted previously, countries like the UK that provide similar exemptions to their investigative agencies still apply a robust set of data protection norms in such cases (Bailey et al, 2018).

Finally, the Bill removes some of the safeguards that were suggested in the PDP Bill, 2018, pertaining to the processing of personal data of victims, witnesses, informants and other such relevant persons (Section 43(3)). Under the PDP Bill, 2018, the exemptions in relation to the processing of personal data of such people were available only where following the general obligations under the law would obstruct or prejudice the investigation process. This safeguard is critical since it protects the privacy of individuals who are not suspected of having committed an offence but are involved in investigative or legal proceedings by virtue of being victims, witnesses or informants. This approach has also been adopted by the U.K Data Protection Act, 2018 (Section 38(3)). We suggest that this safeguard should be reinstated in the Bill.

### Independence of the Data Protection Authority

Ensuring independence of any regulator is one of the basic pillars of good regulatory governance. As noted by the Financial Sector Legislative Reforms Commission (FSLRC), independence of regulators yields greater legal certainty, and therefore better outcomes (FSLRC, 2013). Independence also enables functioning of the regulator as an expert body, which can be particularly relevant in the context of privacy rights given their contextual and often technical nature. Independence of the regulator is even more critical in case of the proposed DPA, as unlike many existing Indian regulators, it will be charged with supervising the private sector as well almost all Government agencies. Further, the range of discretionary and enforcement powers that the DPA enjoys under the law (which range from standard setting to enforcement and adjudication) makes it vital that the body functions without favour and in an accountable and transparent manner (Parsheera, 2019). The DPA's independence therefore needs to be reflected in its composition, selection process, and functioning.

1. Structure of the DPA: Section 42 of the Bill provides that the DPA will consist of a Chairperson and up to six whole-time members. This does not allow for the appointment of any part-time/non-executive members, who can bring in technical expertise as well as independent ideas and critiques into the functioning of the DPA. Not only is this considered good regulatory practice, it is also in line with existing Indian laws, such as those constituting regulators such as the Telecom Regulatory Authority of India (TRAI) and the Securities and Exchange Board of India (SEBI).

2. Selection process: The Bill provides that all DPA members will be appointed on the recommendations of an executive-led selection committee comprising of the Cabinet Secretary and two other secretaries of the Central Government. This ensures that the Government will have absolute control over the DPA's selection process, thereby seriously threatening its independence. In contrast, the PDP Bill, 2018 had proposed a judiciary-led selection process. We believe that such a process should be reinstated in the Bill, in addition to which one could also learn from the Right to Information (RTI) Act, which includes the Leader of Opposition (together with representatives of the government) to select Information Commissioners. A selection committee could therefore comprise the Chief Justice of India or a nominee (as chair), and include the Cabinet Secretary, the Leader of the Opposition in Parliament, and two experts (appointed by the Chief Justice in consultation with the other two members). The Bill should also require transparency in the functioning of the selection committee, such as by making the deliberations, votes and recommendations of the committee publicly available.

3. Terms and conditions of appointment: Section 43(2) of the Bill states that the salaries and allowances and other terms and conditions of service of the Chairperson and the Members of the DPA shall be as prescribed. Empowering the Government to vary salaries of its members, which could also be to their detriment, could end up hindering the independent functioning of the DPA. As with numerous other agencies in India such as the Information Commissioners under the RTI Act and members of the Securities Appellate Tribunal under the SEBI Act, the Bill must ensure that Government is not able to reduce salaries of the members of the DPA once they are appointed. The PDP Bill, 2018 had also suggested the inclusion of such a provision.

4. Power of the Government to issue directions: Section 86 of the Bill allows the Government to issue any directions to the DPA on issues of public policy and also in the interests of the sovereignty and integrity of India, security of the State, friendly relations with foreign States or public order. While similarly broad provisions are contained in laws governing some other regulatory agencies - such as the TRAI, the Airports Economic Regulatory Authority and the Petroleum and Natural Gas Regulatory Board - the presence of such broad provisions has been questioned in the past, notably by the Parliamentary Standing Committee in its 93rd Report on the Competition Bill, 2001.

5. Needless to say, conferring such a broad power on the Government can be problematic not least due to the possibility of political interference in technical and administrative functions of the DPA. Given the DPA's wide scope of authority and discretion, ensuring its functional autonomy becomes vital. Further, it must be remembered that State agencies will be among the biggest entities regulated under the law and therefore there should be no scope for such directions being issued in respect of any ongoing investigations by the DPA. In this sense, the Bill is similar to the RTI Act, which does not contain a similar provision for government directions. The Competition Act, 2002 could be seen as another example. Section 51 of that law limits government directions to matters of policy, which is admittedly a vague concept, but also clarifies that this would not include any "technical and administrative matters".

### Accountability of the DPA

The Bill currently lacks sufficient mechanisms to ensure the DPA's accountability to the Government and the Parliament, as well as to stakeholders and the public. Given that the DPA is an unelected body, it is critical that appropriate accountability mechanisms be set out in the primary law itself rather than leaving this to the DPA's discretion or through rules to be framed by the Government.

1. Meetings of the Authority: Section 46(1) of the Bill provides that the rules and procedures relating to the meetings of the DPA are to be prescribed by the Government. We believe that minimum requirements of transparency should be laid down in the primary law. For instance, the law should clearly state the time period within which the minutes of the meetings of the DPA, along with any votes cast or resolutions made, should be published.

2. Transparency in DPA's functioning: While the Bill does contemplate a consultative and transparent process in the drafting of codes of practice to be issued by the DPA, it does not require the DPA to act transparently during the exercise of it regulation making powers, its supervisory or adjudicatory functions, or in relation to the recommendations that it will give to the Government. We recommend that the Bill ought to provide for a general obligation for the DPA to act transparently in the discharge of all its functions. Further, it should also specify what it would mean to be transparent in specific contexts.

3. For instance, the Bill should lay out a clear process for drafting new regulations. Such a process should include the drafting of a consultation paper that lays down the problem, the possible interventions and the costs and benefits of each intervention. This should be put through an open and transparent consultation process involving all stakeholders. The DPA should then be required to provide its responses to the comments along with the proposed draft text of the regulation, and seek comments on the same, before proceeding with its final adoption. In case regulations are required to be issued urgently, DPA may issue such regulations without following the consultation process outlined above. However, such regulations should cease to operate at the expiration of six months from its notification unless the consultation process is initiated within this duration.

### DPA's redress functions

The Bill creates an adjudication wing within the DPA, which would be responsible for undertaking enforcement actions against any non-compliance of the law as well as providing redress for individual complaints. Given the large number of data fiduciaries in the system and the data principals interacting with them, a large number of complaints are likely to come up before the DPA. As highlighted in our earlier submissions, expecting the same set of adjudication officers to undertake enforcement as well as redress functions, leads to a blurring of the DPA's objectives.

Housing adjudication and enforcement functions within one body could also lead to a conflict of interest within the DPA. For example, a large number of complaints on a particular issue may be due to non-compliance by the data fiduciaries or due to the DPA failing to take appropriate regulatory or supervisory actions to curb such malpractices. Embedding the redress functions within the DPA is therefore not suitable either from a design or execution perspective.

Therefore, we reiterate the need for a separate ombudsman service or a redress agency that would be responsible for adjudicating complaints raised by data principals and awarding compensation to them. By hiving-off the adjudicatory functions of the DPA from its regulatory and supervisory responsibilities, each unit can then focus on its core functions, while also acting as a check on the exercise of the other functions. A similar division of responsibilities between regulatory and redress functions was recommended by the FSLRC in the context of the financial regulatory framework (FSLRC, 2013).

The proposed redress agency should consist of specialised adjudication officers, who would function independent of the DPA, although there should be a strong feedback loop between the two bodies. The redress agency should make use of technology, such as remote participation through audio/visual means to make redress more accessible. If this proposal is accepted, the provisions regarding the terms and conditions of appointment, powers and functions, codes of practice, and other provisions in Chapter IX of the Bill could apply mutatis mutandis to the redress agency. Further, an appeal from any decision made by adjudication officers of the redress agency should lie to the Appellate Tribunal constituted under Section 67 of the Bill.

### Inter-regulatory coordination

Given the cross-sectoral purview of the DPA there is significant scope for overlap between the DPA's functions and that of other sectoral regulators. Equally, there is also scope for drawing valuable synergies through cooperation between them. Section 56 of the Bill is therefore a welcome provision that requires coordination between the DPA and other regulators. The provision, however, needs to be further strengthened in order for it to be utilised effectively.

First, the current provision leaves it to the discretion of the DPA and other statutory authorities to enter into a Memorandum of Understanding (MoU) for the coordination of their activities. We propose that the MoU should instead be made mandatory along with a suggested (non-exhaustive) list of provisions that need to be covered in the MoU. This list should include items such as the process for inter-regulatory references; mechanism for cooperation in framing of regulations and codes of conduct; appointment of a nominee of one party as non-voting observer member on an action being considered by the other party; mechanism for exchange of information, subject to confidentiality obligations; and coordination in conducting awareness related activities. This list draws from the MoU between the United Kingdom's Financial Conduct Authority and the Information Commissioner's Office (FCA-ICO MoU, 2014).

Further, the agencies with whom the DPA would necessarily have to cooperate should also be set out in an Annexure to the Bill or the Central Government should be authorised to prescribe this list. For instance, this would include agencies like the Competition Commission of India, the Reserve Bank of India, SEBI, the Insurance Regulatory and Development Authority of India, the Pension Fund Regulatory and Development Authority of India, and TRAI. This will ensure that the agencies cannot subsequently deny the need or the statutory basis for such agreements.

### Conclusion

As detailed in our response to the PDP Bill, 2018, the current state of Indian privacy law means that virtually any improvement thereon would represent a significant step towards protection of privacy rights of individuals. However, given the broad scope of the proposed law, and the significant powers given to the DPA, it becomes important to ensure that the law is properly crafted. The role of the Joint Parliamentary Committee currently examining the law becomes all the more relevant given the significant changes made to the law compared to the PDP Bill, 2018, and the absence of any explanations for the same (say in the form of an explanatory memorandum detailing why certain provisions of the law were modified). The fact that the Committee has called for and is considering public comments on the Bill is therefore a positive step.

In this post we examined the lacunae in the Bill in the context of how it delineates the State-citizen relationship, particularly in the form of the exemptions crafted for the State. We highlighted the overbroad nature of the exemptions for the State -- in the context of non-consensual processing, State surveillance and data processing for prevention and investigation of offences of offences -- and demonstrated how this may limit individual rights in a number of contexts. Carving out such broad exemptions detracts from the "horizontal" nature of the law, and also renders the Bill susceptible to constitutional challenges.

At the same time, the Bill also gives significant powers to the Central Government, not just directly (for instance through various standard setting powers), but also by limiting the independence of the proposed DPA. We point, in particular, to the problems in the structure of the DPA, provisions that enable the Government to interfere in its technical and administrative functioning and the need for greater accountability from what is likely to become one of the most powerful regulators in the country.

### References

Bailey et al, 2018: Rishab Bailey, Vrinda Bhandari, Smriti Parsheera, Faiza Rahman, Use of Personal data by intelligence and law enforcement agencies, LEAP Blog, August 1, 2018.

Bhandari et al, 2017: Vrinda Bhandari, Amba Kak, Smriti Parsheera and Faiza Rahman, An analysis of Puttaswamy: the Supreme Court's privacy verdict, LEAP Blog, September 20, 2017.

FCA-ICO MoU, 2014: Memorandum of Understanding dated 29 September, 2014 between the United Kingdom's Financial Conduct Authority and the Information Commissioner's Office.

FSLRC, 2013: Financial Sector Legislative Reforms Commission, Volume I: Analysis and Recommendations, March, 2013.

Justice K.S. Puttaswamy v. Union of India (Right to privacy case), 2017 (10) SCC 1.

Justice K.S. Puttaswamy v. Union of India (Aadhaar case), 2019 (1) SCC 1.

Parsheera, 2019: Smriti Parsheera, Regulatory governance under the PDP Bill: A powerful ship with an unchecked captain?, Medianama, January 7, 2020.

Pradeep Kumar Biswas v. Indian Institute of Chemical Biology, 2002 (5) SCC 111.

Ram Manohar Lohia v. State of Bihar, (1966) 1 SCR 709.

Rishab Bailey, Smriti Parsheera, and Faiza Rahman are researchers in the technology policy team at the National Institute of Public Finance Policy. Vrinda Bhandari is a practicing advocate in Delhi.

LaTeX mathematics works. This means that if you want to say $10 you have to say \$10.