National security, at the cost of citizens’ privacy

The second point of concern emerges from the power of the central government to exempt departments from the application of the Data Protection Bill, 2021 as contained within Clause 35. This provision, first proposed by the Srikrishna committee, has witnessed considerable dilution. The exemption clause in the Data Protection Bill, 2018 was originally tethered to the conditions of legality, necessity and proportionality. This was diluted when the Data Protection Bill, 2019 was introduced in Parliament to satisfy the conditions of “necessity” and “expediency”, leading Justice Srikrishna to call this exemption a “dangerous trend”, potentially leading to an “Orwellian state”.

Instead of rectifying this provision, the Data Protection Bill, 2021 has cemented it. First, it adds a non-obstante clause, providing primacy to this provision over any other laws. Second, it stipulates that the procedure to be followed by the government agency must be just, fair, reasonable and proportionate. However, this change is only applicable to the “procedure” and not the substantive standards for the government’s invocation of exemption. To put it another way, the government does not need to establish that the exemption from the entire Data Protection Bill is necessary for, or proportionate to achieving its interest of national security or public order.

There is no doubt that data protection rights may not apply in totality when it comes to national security concerns. However, such exceptions, being in the nature of an “exception to the rule”, need to be limited and precise. For instance, under the United Kingdom’s Data Protection Act, 2018, the national security exemption does not extend to the entire Act; requires a certificate to be signed by the Minister of the Crown; and can be challenged by the affected person before a tribunal.

In contrast, in India, even the reasons for providing the exemption are not required to be tabled in Parliament. In fact, the order invoking the exemption is not a gazetted notification and will likely be exempt from RTI proceedings. Hence, the government can, without any oversight, exempt its own departments or ministries from the application of the Data Protection law in perpetuity.

The third and final feature of the Data Protection Bill, 2021 concerns the Data Protection Authority, which is tasked with ensuring compliance with the law. The Justice B N Srikrishna panel had proposed an appointment committee consisting of judicial members, with the Chief Justice of India as chairperson, to choose members of the Data Protection Authority. This was watered down in 2019; the panel now included the cabinet secretary, law secretary and the IT secretary. This was heavily criticised for compromising the independence of the appointment process. Changes have been made in Clause 42(2) of the draft Data Protection Bill, 2021 by which the Attorney General, an expert, a director of an IIT, and a director of an IIM are included in the selection panel. This does not address the problem that the Centre appoints the nominees at its pleasure. Further, choice extends to the government in picking any one director from the multiple IITs and IIMs across India. In contrast, in the UK, under the Data Protection Act, the Information Commissioner is supposed to be appointed on the basis of “fair and open competition”, with candidates required to appear before a Parliamentary Select Committee prior to appointment.

Under Clause 87, the JPC has expanded the power of the central government, when it states, “the authority should be bound by the directions of the central government under all cases and not just on questions of policy”. This ties in with an unguided legislative allowance under Clause 92, which makes policies made by the central government override any protections or obligations under the Data Protection Bill, 2021. It is not without reason that Jairam Ramesh, a member of the JPC, has noted in his dissent that, “government agencies are treated as a separate privileged class whose operations and activities are always in the public interest and individual privacy considerations are secondary.”

The JPC report and the Data Protection Bill, 2021, by protecting the government instead of the personal data of Indian citizens, recalls the wry wit of Yes Minister: “The Official Secrets Act is not to protect secrets, it is to protect officials.”

This column first appeared in the print edition on December 20, 2021 under the title ‘A weak bulwark’. Gupta is the executive director of Internet Freedom Foundation; Bhandari is a practising lawyer in Delhi