The Joint Parliamentary Committee on the Personal Data Protection Bill was reconstituted due to a Cabinet reshuffle at the Central level. Some members of the Committee were made Ministers, ostensibly necessitating the move.
However, reports suggest that the newly constituted Committee is keen to create a fresh draft report on the law and reconsider several provisions. Once enacted into law, the PDP Bill will constitute India’s framework privacy law. It stipulates the manner in which personal data is to be collected, processed and stored. It also establishes consent as the basis for data sharing between individuals and organisations.
While the reshuffle is likely to delay the enactment of the Bill even further—the first Draft was submitted in December 2019—it could prove to be beneficial if the Committee revisits certain contentious provisions in the current Bill.
One such problematic provision is Section 35, which empowers the Centre to exempt any government agency from abiding by the privacy safeguards contained in other provisions. Such an exemption can be granted by the Centre in the interest of protecting and maintaining the sovereignty of India, security of the State, and on other similar grounds.
This is obviously concerning from a rights-based perspective as it enables unchecked supervision and surveillance over Indian citizens’ activities—in violation of the Right to Privacy under Article 21 of the Constitution. The Pegasus Papers have already brought to light the many insidious methods the Indian government uses to monitor the activities of its citizens, which could be exacerbated if provisions like Section 35 are written into law.
However, along with privacy, such Sections are also likely to impact India’s trade and business interests in the coming years.
With data being an increasingly valuable commodity in the digital era, the transfer of data between nations will be determined by the level of privacy protections that a nation offers to its own citizens and those of other countries. Nations that are unable to showcase a robust privacy protection framework, especially against State surveillance, will fail to meet standards for the grant of ‘adequacy status’—a privacy benchmark assessment gaining traction worldwide—and will resultantly miss out on the benefits of the free flow of data.
Simply put: poor data protection laws now have economic costs in the global market. There’s a lot to unpack in that statement, so let’s begin by understanding what ‘adequacy status’ really means—and how it impacts India’s trade.
What does ‘adequacy’ mean?
The ‘adequate’ privacy standard set by the European Union’s General Data Protection Regulation (GDPR)—the EU’s landmark privacy framework—is emerging as a global standard, with several nations adopting legal instruments similar to the EU’s.
Article 45 of the GDPR empowers the European Commission (EC) to issue ‘adequacy decisions’. The European Commission is the executive wing of the EU, responsible for drafting and implementing laws.
The EC is charged with evaluating whether a country outside the European Economic Area (EEA) ensures an ‘adequate level of protection’ for personal data or not. It assesses a range of factors when deciding adequacy, including the provisions governing surveillance and access to personal data for national security purposes.
If a nation is granted adequacy status, personal data can flow freely from EU member nations to the third country without further permissions or approvals from the EU. The EC has so far granted adequacy status to 13 nations, with South Korea slated to be the fourteenth.
Why is adequacy important for businesses in India?
The free flow of data between nations will increasingly be shaped by decisions regarding the adequacy of privacy protection. Failing to adopt the required level of protection will force countries to enter into alternate arrangements, such as binding corporate rules and standard contractual clauses.
This significantly increases compliance costs, affecting the competitiveness of domestic firms as compared to firms in a nation that has been granted adequacy status. It also makes it difficult for domestic enterprises to compete globally and extend their reach beyond their own borders, which is particularly worrying for India’s vibrant and evolving digital economy. On the flip side, a lack of robust privacy frameworks also affects the ease of doing business for foreign companies looking to set up shop in India.
So, an unfavourable adequacy decision could have adverse impacts on countries that trade and invest with countries in the EU and others that have adopted similar privacy legislation. This is potentially a major setback to India’s digital start-up ecosystem, which relies heavily on the inflow of foreign capital.
So, how do you determine the adequacy of a privacy framework?
The European Commission’s decision to grant adequacy status to 13 countries sheds some light on what it considers an ‘adequate’ level of protection—a level of protection that as per various rulings is “essentially equivalent” to the protections granted under the GDPR. This means that privacy laws in other nations needn’t mirror the GDPR, but must ensure that the right to privacy of individuals is subject to robust and enforceable safeguards.
The Court of Justice of the European Union (CJEU) has provided further clarity on what safeguards are considered “essentially equivalent” to the GDPR in its recent decision in Max Schrems II. The CJEU invalidated the “privacy-shield” agreement that enabled data transfers between companies in the EU and the United States (US) even though the latter does not have holistic privacy legislation. The Court stated that surveillance laws in the US, such as the Foreign Intelligence Surveillance Act (FISA), subject EU citizens to unsupervised surveillance by US intelligence agencies. The absence of effective redressal and oversight by an independent authority in the US was another reason why its privacy regime could not be considered equivalent to the GDPR.
A group led by privacy activist Max Schrems filed complaints with German and Spanish data protection authorities over Apple’s online tracking tool, alleging that it allows iPhones to store users’ data without their consent in breach of European law https://t.co/Ypz8y0B0aO $AAPL pic.twitter.com/BB9XbevQLh
— Reuters Asia (@ReutersAsia) November 16, 2020
So, moving forward, the EC is likely to give greater weightage to a country’s surveillance framework, as well as redressal avenues against such surveillance available to citizens. It has already done so in recent decisions to grant adequacy to South Korea and the United Kingdom (UK).
This may seem surprising as the UK’s Data Protection Act, 2018 (DPA 2018) exempts personal data from protection if required for national security or defence purposes—just like the PDP Bill.
However, unlike the PDP Bill, this is not a blanket exemption and is assessed on a case-by-case basis. Under the DPA 2018, the data controller requesting the exemption must show that there is a real possibility of national security being adversely affected, and relevant evidence must be submitted to the Information Commissioner’s Office (ICO). A person can also lodge a complaint with the Investigatory Powers Tribunal if their data is interfered with unlawfully.
Similarly in South Korea, the processing of personal data for national security purposes is subject to a more limited set of protections under the Personal Information Protection Act. However, the core principles—such as rules on oversight, enforcement and redress—continue to be applicable. Even where personal data is to be processed for criminal law enforcement purposes, the South Korean law imposes several limitations on the access and use of personal data for enforcement and provides oversight and redress mechanisms.
How does India measure up?
India is expected to apply for an adequacy decision once the PDP Bill is passed into law. Given that the Bill is currently being reconsidered, this is an opportune moment to assess how the current version would fare before the EC.
We know that Section 35 of the PDP Bill empowers the Central Government to exempt government agencies from the provisions of the Bill in the interest of national security and sovereignty. So, the government can grant a blanket exemption to law enforcement agencies to conduct unsupervised surveillance through a simple executive order.
Moreover, the PDP Bill states that the “procedure, safeguards and oversight mechanism to be followed” for surveillance purposes will be made by the executive, providing it with unfettered discretion to determine how, when, and why surveillance will be carried out. This is unlike the provisions in the South Korean and UK privacy laws, which ensure that fundamental privacy protections apply even when personal data is used for national security or criminal prosecution purposes.
By exempting govt. authorities from its purview, the PDP Bill fails to quell the threat of state-sponsored mass surveillance which is on the rise due to the introduction of various surveillance technology projects such as NATGRID, CMS, CCTNS and AFRS. https://t.co/nPU2SY4eWn
— Anushka Jain (@iamanushkajain) October 28, 2020
The Bill also establishes a Data Protection Authority (DPA)—a redressal forum in case an individual’s privacy rights are infringed upon. However, as per Section 42 of the Bill, the DPA is a body constituted entirely by the Executive. This brings its independence into question. It is also not clear if a case can be filed before the DPA concerning the surveillance activities of law enforcement agencies. Overall, the availability of independent redressal mechanisms for citizens in the case of privacy breaches by State agencies is highly questionable.
In light of the above, it would appear that the provisions of the PDP Bill regarding surveillance would fall short of the stringent criteria for the grant of adequacy status under the GDPR.
Where do we go from here?
The Centre has laid out a vision for a trillion-dollar digital economy in India. This is a laudable vision—but one that will be difficult to achieve if Indian companies are unable to send and receive data from other countries, especially large trading blocs like the EU.
The reconstituted Joint Parliamentary Committee has an opportunity to assess whether broad surveillance provisions like Section 35 are necessary to protect the nation’s security. It must also weigh security interests against economic and international trade-related concerns. If it is able to do so, the reconstitution will be one step back but two steps forward.
At the same time, the Committee must not reshape the Act just to meet GDPR adequacy requirements. Even though the GDPR is emerging as a global standard, it is not neatly applicable to the Indian context as it was created with citizens of Europe in mind and not as a global standard. The Committee must instead pay heed to the unique attributes of the Indian population, in terms of literacy and digitization, and arrive at a solution that ensures the privacy of even uninformed or illiterate citizens is adequately protected from both private and State action.
Featured image: the Justice Srikrishna Committee—tasked with preparing a preliminary report on a data privacy law for India in August of 2017—addressing the media on the release of the Personal Data Protection Bill and Report on 27 July, 2018. Ravi Shankar Prasad, former Cabinet Minister, Ministry of Law and Justice, Ministry of Communications, and Ministry of Electronics and Information Technology, is seated at the centre. Retrieved via Rama Vedashree/Twitter.