[This two-part essay has been authored by Aarya Pachisia, a 4th-year law student at Jindal Global Law School. Part One can be found here.]
Continuing the argument of how the executive seeks to control different actors under the Bill, this article focuses on executive control over the citizens. I advance the argument in two parts. First, I argue that under section 35 of the Personal Data Protection Bill, 2019 (‘the Bill’), a notification by the executive can exempt any stage agency from obtaining consent to process data of the citizens. There is no oversight mechanism envisaged by the Legislature under the Bill, as recommended by the Committee to validate or invalidate such notifications. Second, I argue that the Bill also considerably dilutes the consent framework under the Bill and drifts away from the concept of allowing the data subject to exercise control over personal data at every stage.
Section 35 and control over citizens
Section 35 of the Bill has been subjected to a lot of criticisms. It allows the executive to exempt any state agency from obtaining consent of an individual before processing their data on specified grounds. Contrary to the recommendation, the Bill introduces additional grounds for such exemption. The State has been given excessive discretionary power which violates right to privacy and curbs other fundamental rights from being effectively exercised. The argument shall revolve around how section 35 has negated the test of proportionality, lacks oversight mechanism while issuing executive order. This section also enables the application of extremely regressive legislations and allows the central government to decide the oversight mechanism which shall be applicable during processing of data by exempted agencies.
(i) Increased scope of data processing
The increased scope of section 35 provides for higher degree of surveillance on the citizens. The Committee had recognized Security of State and prevention, detection and investigation of crimes as legitimate grounds for processing personal data without the consent of the individual, subject to the tests of necessity and proportionality. Section 35 increases the scope of this absolute exemption to the following purposes as well – in the interest of sovereignty and integrity of India, public order and maintenance of friendly relations with foreign States. The exemption can be made to prevent an act which seems to threaten any of the grounds mentioned above.
(ii) Lack of oversight mechanisms
The lack of oversight mechanism and the power of the executive to prescribe the means of oversight mechanism also extends the power of the state over its citizens and undermines their right to privacy. Under section 35, the central government notifies the mode of oversight mechanism that shall apply during processing of data by the exempted state agency. This is in direct contravention of the recommendations by the Committee. The recommendation to adopt legislative and judicial oversight to maintain transparency and accountability has not been included under the 2019 Bill.
Different jurisdictions around the world have adopted either judicial or legislative mechanism or both. For instance, in South Africa, there is parliamentary and civil oversight mechanism in place by the virtue of Intelligence Services Oversight Act, 1994 which receives complaints on intelligence services. Further, Information of Communication and Communication related Activities Act requires judicial approval for interception of communication activities. In the United Kingdom, under the Investigatory Power Act, interception warrants can be issued by Secretary of State upon an application by an interception authority which has to be further approved by the Judicial Commissioner to ensure that test of proportionality was met at the time of issuance of warrant. The warrant can be only issued for safeguarding national security. It is also necessary to note that jurisdictions discussed by the Committee only allow exemptions on the grounds for safeguarding national security which is narrower in application when compared to the scope of section 35. Therefore, when compared to other jurisdictions, the government of India can exercise greater degree of surveillance over its citizens by a mere executive order.
The Committee did highlight criticism pertaining to these legislations but appreciated the importance of inter-branch oversight through legislation as we do not have any legislative act dealing with the same. They also mention that it is necessary to exempt state agencies only through legislative action in light of the necessity test but the legislature has vested the executive with the power to decide the oversight mechanism for each state agency and consequently diluted accountability, principle of checks and balance. Such oversight mechanism should be prescribed by the legislation.
In light of the same, we could apply the Condorcet Jury Theorem as suggested in the works of Eric A. Posner and Cass R. Sustein. This rule is based on the law of larger number or confirmation through the experiences of foreign jurisdictions. The Indian Courts even if implicitly so, have heavily relied on this theorem while deciding upon the validity of legislations. For instance, in Naz Foundation v Government of NCT of Delhi, the Delhi High Court relied on the laws of different jurisdictions finally invalidate sodomy laws in India. Even in the Puttaswamy judgment, the Indian Supreme Court borrowed the jurisprudence from various foreign jurisdictions to recognize privacy as a fundamental right. Therefore, in this situation as well, the Legislature should consider the Recommendations as well as the experiences of the foreign countries, in order to establish an oversight mechanism, that does not come directly under the control of executive.
(iii) Dilution of the Right to Privacy
The dilution of the consent framework under section 11(6) of the Bill is detrimental to the fundamental right of privacy. Under the 2019 bill, there are two main actors – data principal and data fiduciary. Data belongs to the data principal and data fiduciary receives it or processes it. The penalties for not complying with the obligations for processing data by the fiduciaries under chapter II of the 2019 Bill attracts penalties as high as 4% of the total global turnover of the data fiduciary corporation. The data principal has been given right of erasure and the right to be forgotten under the Bill but the consent framework which was highly discussed in the Committee report has been severely compromised. In the Puttaswamy judgment, Justice Nariman states “informational privacy is one which deals with a person’s mind and therefore recognizes that an individual may have control over the dissemination of material that is personal to him.” In furtherance to this, the Committee suggested that the data principal should have the right to withdraw consent as easily as it was given. General Data Protection Regulation (‘GDPR’) also requires the data subject to have the right to easily withdraw consent to process their data without any repercussions. If not so, it can dilute the ‘free will’ requirement under the consent framework. Therefore, control over one’s informational data does not extinguish once consent has been given for processing their data, it continues until the data is processed and even after that the data principal reserves the right to decide whether the fiduciary can store their data once the purpose for which the data was obtained has been fulfilled.
Section 11(6) of the Bill states that if a data principal withdraws his consent without any ‘valid reason’ then all legal consequences with respect to such withdrawal shall be borne by the data principal.’ This provision has extremely diluted the consent framework envisaged within the Bill as recommended by the Committee. Article 7(3) of GDPR requires consent should be ‘as easily withdrawn as it is given’. By attaching the requirement of bearing legal consequences, the Bill has essentially diluted the consent framework. Moreover, by mandating the requirement of ‘valid reason’ to be given is another factor that renders the free will requirement for obtaining or withdrawing consent meaningless. It adds an element of ‘inappropriate pressure’ on the will of the individual that renders the choice/consent of the data principal invalid. Data protection allows the individual to exercise autonomy over their data at all stages of processing, and mandating ‘valid reason to withdraw’ and ‘bearing legal consequences of such withdrawal’ is violation of the expression of the data principals’ autonomy. In such a situation, it becomes pertinent to analyze the impact of adequacy measure as provided under the Schrems judgment on the cross-border transfer from EU to India.The judgment requires that equivalent level of protections should be provided in the transferee country. The consent framework under GDPR requires the data subject to have free will and real choice while giving/withdrawing consent for the processing of their data. When the consequence of withdrawing consent is bearing legal consequences, the standards of ‘real choice’ and ‘free will’ as imagined under GDPR are negated. The data subject might not withdraw consent due to the fear of bearing legal consequences, thereby providing data controller (in India, data fiduciary), the power and influence over data subject’s (data principal in India) choices. This may lead to India failing the adequacy tests as the consent framework is not equivalent to the protection afforded under GDPR and data transfer from EU to India may become difficult.
The information provided is an intrinsic part of the individual and by attaching legal consequences because they withdrew their consent for processing their own personal information without any valid reason compromises the fundamental right of the citizens at the behest of corporations. Also, the constituents for determining a valid reason has not been mentioned in the Bill. It is also silent on who shall decide upon the ‘validity’ of the reason of withdrawal. Therefore, although the corporations have been brought under the scrutiny of the State, the fundamental right of the citizens is yet diluted.
(iv) Non-communication of the data breach
Furthermore, the data principal can be kept averse of data breach on the discretion of DPAI. Data fiduciaries are mandatorily required to inform the Authority about the data breach but the discretion to decide whether the data principals should be made aware of the breach is reserved with the DPAI under section 25 of the Bill. This displays the lack to transparency. One of the foundational principles of data protection is transparency and the importance for the same is asserted after the WhatsApp Snooping case. If the DPAI was functional in 2019 and the breach would not have been called out by WhatsApp, then the Authority could have easily withheld such information from the citizens at behest of the state. The fiduciaries should be required to simultaneously inform both the citizens as well as the DPAI in case of a breach. If not simultaneously, the information should always be communicated to the data principal within 48 hours after the breach is committed and the discretion of the DPAI should be immaterial in this regard.
Privacy has been recognized as a fundamental right after much ado. The PDP Bill is a step in the right direction but the provisions of the Bill should not dilute the right of the citizens. It has been designed to bring every actor in the Bill under the direct or indirect control of the executive. The Bill legitimises the use of unfettered power by the executive with almost negligent oversight mechanism. The Bill will be placed before the Parliament in the coming monsoon session. Therefore, it is necessary for the legislature to introduce appropriate amendments to uphold the sanctity of the right to privacy.
 Ministry of Electronics and Technology, A Free and Fair Digital Economy Protecting Privacy Empowering Indians Committee of Experts under Chairmanship of Justice B.N. Srikrishna,at 125-127.
 Data Principals are called data subjects under the GDPR.