Warning: count(): Parameter must be an array or an object that implements Countable in /web/qlc/nishith.tv/htdocs/wp-content/themes/Video/library/functions/custom_functions.php on line 702

Warning: count(): Parameter must be an array or an object that implements Countable in /web/qlc/nishith.tv/htdocs/wp-content/themes/Video/library/functions/custom_functions.php on line 702
The Data Protection Bill: In Search of a Balanced Horizontal Data Protection Framework

The Data Protection Bill: In Search of a Balanced Horizontal Data Protection Framework

Posted by By at 4 March, at 14 : 01 PM Print


Warning: count(): Parameter must be an array or an object that implements Countable in /web/qlc/nishith.tv/htdocs/wp-content/themes/Video/single_blog.php on line 46

Warning: count(): Parameter must be an array or an object that implements Countable in /web/qlc/nishith.tv/htdocs/wp-content/themes/Video/single_blog.php on line 52
March 04, 2022

THE DATA PROTECTION BILL: IN SEARCH OF A BALANCED HORIZONTAL DATA PROTECTION FRAMEWORK

 

We are excited to announce our latest series of quick takes on the emerging data protection framework in India, and its implications for the Government, the industry and other stakeholders. We are kick-starting the series with our first piece discussing the need for appropriately framed Government exemptions under the proposed Data Protection Bill, 2021 (DPB).

BACKGROUND

The DPB previously called the Personal Data Protection Bill, 2019 (PDPB)) has been recommended by the Joint Parliamentary Committee after two years of review.1 The DPB proposes a significant overhaul of the existing regulatory framework for data protection, as contained under the Data Protection Rules.2

The DPB, to a large extent, owes its formulation to the observations of the Supreme Court of India in K.S. Puttaswamy v. Union of India.3 The Court in Puttaswamy, recognized the right to privacy (including right to informational privacy) as a fundamental right implicit in the right to life and personal liberty guaranteed under Article 21 of the Indian Constitution, and other fundamental guarantees that flow from Part – III of the Indian Constitution.

However, while doing so the Court noted that the right to privacy is not an absolute right, and that subject to the satisfaction of certain tests and benchmarks, a person’s privacy interests can be overridden by competing state and individual interests. Nonetheless, the Court recognized the need for a cross-sectoral and horizontally applicable legislation (i.e. applicable to the Government as well as private persons), noting that the right to privacy, being enforceable primarily against the State, imposes upon the State both negative and positive commitments, i.e. to restrict the State from unfairly interfering in the privacy of individuals, while putting in place legislation to restrict others from doing so, and providing conditions for the development and dignity of individuals.

Resultantly, as opposed to the Data Protection Rules, the DPB is horizontally applicable, rights-based (i.e. it defines a data subject’s rights vis-à-vis her personal data) and cross-sectoral in nature. However, in its present form, the DPB maintains widely worded provisions, that could enable the Government to exempt itself from the applicability of the DPB once enacted – which arguably go beyond the permissible limits of impinging upon individual privacy, as set forth in Puttaswamy.

CLAUSE 35 OF THE DPB AND POTENTIAL ISSUES

Clause 35 of the DPB enables the Central Government to exempt any agency of the Government from any or all provisions of the DPB.

The Supreme Court has previously observed in PUCL4and Puttaswamy, that derogations from the right to privacy, need to be assessed against (a) the requirements under Article 21 of the Constitution (i.e. for the derogation to be just, fair and reasonable); and (b) the limits prescribed for imposing reasonable restrictions on any other right that is impacted.

Resultantly, exemption provisions such as Clause 35, need to meet the four-step test that emerges from the Supreme Court’s prior observations: (a) legality (existence of a law); (b) legitimate goal (existence of a legitimate State aim underlying the derogation); (c) proportionality (existence of a rational nexus between the objects and the means to achieve them, narrow tailoring of derogation in line with reasonable restrictions, such that derogation is proportionate to the aim sought to be achieved); and (d) procedural guarantees (existence of a fair, just and reasonable procedure).

The grounds for triggering the exemption under Clause 35, have been linked to the grounds specified under Article 19(2) of the Constitution of India (i.e. reasonable restrictions relatable to the exercise of freedom of speech and expression), thereby establishing a legitimate State aim. However, despite the limitations introduced, Clause 35 falls short of meeting the test of narrow tailoring and proportionality – since the provision offers no guidance as to the scope of the exemption, instead enabling the Government to exempt its agencies from any or all of the provisions of the DPB.

While the newly introduced Explanation (iii) to Clause 35 adds that exemptions granted under this Clause, would be subject to just, fair, reasonable and proportionate procedures – thereby implying the existence of procedural guarantees – it does not explicitly define the contours of such procedural guarantees in the DPB.

BRINGING THE DPB IN LINE WITH PUTTASWAMY

To remedy this, the Government should consider amending Clause 35 of the DPB and bring it in line with the requirements of narrow tailoring and procedural and substantive proportionality, as previously set forth by the Supreme Court in PUCL and Puttaswamy.

  1. Narrow Tailoring and Proportionality: The Government should consider limiting the scope of the exemptions under Clause 35, to only such provisions of the DPB that could seriously prejudice the purposes of processing by the Government.

    Therefore, while provisions such as the enforcement of data principals’ rights, and adopting safeguards applicable to significant data fiduciaries (including data audits and data protection impact assessments) should continue to apply to the Government and its agencies as they would apply for other data fiduciaries, but certain obligations such as seeking explicit consent for the processing of official identifiers may be dispensed with in special circumstances. Such an approach would ensure narrow and proportionate tailoring of exemptions, in line with legitimate objectives of the State.

  2. Additional Procedural Safeguards: The Government should consider supplementing Clause 35 with additional guidance on procedural safeguards and oversight mechanisms applicable to the Government with respect to exercising its powers under Clause 35. These should include:
    1. Defining the institutional process applicable to reviewing exemption orders, similar to the process adopted under Sections 69/69A of the Information Technology Act, 2000. This should include defining the relevant authorities and rank of officers authorized to issue exemption orders, specifying the relevant authority for ex-ante review of exemption orders, or specifying the review process to be adopted, and/or defining exceptional circumstances where ex-post facto review is permitted;
    2. Ensuring that the review process minimum extends to: (i) existence of a written and reasoned order of exemption under Clause 35; (ii) a review of the applicability of the grounds under Clause 35 to the exemption sought or granted; (ii) scope and conditions of the exemption sought in order to ensure proportionality of the exemption to the grounds contained in the exemption order; and
    3. Enabling the proposed Data Protection Authority (DPA) to audit the relevant Government agency’s adherence to the scope and conditions of exemption orders under Clause 35, on an ongoing basis.

– Aniruddha MajumdarIndrajeet Sircar & Gowree Gokhale

You can direct your queries or comments to the authors


1 See, Report of the Joint Parliamentary Committee on Data Protection, 16 December 2021, Available at URL:

http://164.100.47.193/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%

20Bill,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf;

2 See, The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (Data Protection Rules) issued under the Information Technology Act, 2000 (IT Act), read with Section 43A of the IT Act, Available at URL: https://www.meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf;

3 SeeK.S. Puttaswamy v. Union of India, (2017) 10 SCC 1

4 SeePeople’s Union for Civil Liberties (PUCL) v. Union of India, (1997) 1 SCC 301


Chambers and Partners Asia-Pacific: Band 1 for Employment, Lifesciences, Tax and TMT, 2022

AsiaLaw Asia-Pacific Guide 2022: Ranked ‘Outstanding’ for Media & Entertainment, Technology & Communications, Labor & Employment, Regulatory, Private Equity, Tax

Who’s Who Legal: Thought Leaders India 2022: Nishith M Desai (Corporate Tax – Advisory, Corporate Tax – Controversy and Private Funds – Formation), Vikram Shroff (Labour & Employment and Pensions & Benefits) and Vyapak Desai (Arbitration)

Benchmark Litigation Asia-Pacific: Tier 1 for Tax, Labour and Employment, International Arbitration, Government and Regulatory, 2021

Legal500 Asia-Pacific: Tier 1 for Tax, Data Protection, Labour and Employment, Private Equity and Investment Funds, 2021

IFLR1000: Tier 1 for Private Equity and Tier 2 for Project Development: Telecommunications Networks, 2021

FT Innovative Lawyers Asia Pacific 2019 Awards: NDA ranked 2nd in the Most Innovative Law Firm category (Asia-Pacific Headquartered)

RSG-Financial Times: India’s Most Innovative Law Firm 2019, 2017, 2016, 2015, 2014


DISCLAIMER

The contents of this hotline should not be construed as legal opinion. View detailed disclaimer.

This Hotline provides general information existing at the time of preparation. The Hotline is intended as a news update and Nishith Desai Associates neither assumes nor accepts any responsibility for any loss arising to any person acting or refraining from acting as a result of any material contained in this Hotline. It is recommended that professional advice be taken based on the specific facts and circumstances. This Hotline does not substitute the need to refer to the original pronouncements.

This is not a Spam mail. You have received this mail because you have either requested for it or someone must have suggested your name. Since India has no anti-spamming law, we refer to the US directive, which states that a mail cannot be considered Spam if it contains the sender’s contact information, which this mail does. In case this mail doesn’t concern you, please unsubscribe from mailing list.

Hotline

Related Posts

Post Your Comment

You must be logged in to post a comment.

About Us

Nishith Desai Associates (NDA) is a research based international law firm with offices in Mumbai, Bangalore, Silicon Valley, Singapore, New Delhi, Munich and New York.

Links

Mobile App

.