Data Protection Bill: Missed Opportunity for Surveillance Reform

Srikrishna Committee’s draft bill fails to make urgent reforms to surveillance regime. Vrinda Bhandari Srikrishna Committee’s draft Personal Data Protection Bill 2018 fails to make urgent surveillance reforms. | (Photo: Shruti Mathur/The Quint) Opinion Srikrishna Committee’s draft bill fails to make urgent reforms to surveillance regime.

On 27 July, the Expert Committee chaired by Justice Srikrishna submitted its Report and a draft of the law titled “The Personal Data Protection Bill, 2018” (“the Bill”) to the Minister of Electronics and Information Technology. The submission of the Report and its publication online – after weeks of guess work and leaks – are a welcome step and bode well for transparency and accountability in legislative drafting. The Bill broadly does a good job in moving the debate forward on issues of data protection and privacy, especially in its recognition of the principles of collection and purpose limitation (sections 5-6), privacy by design (section 29) and data portability (section 26) and data breach notification (section 32) (although their application raises certain issues).

Significantly, however, the Bill, fails to deal with the issue of surveillance, even though previous versions of the Government’s own Privacy Bill of 2011 or the Data (Privacy and Protection) Bill, 2017 introduced as a Private Member Bill in the Lok Sabha by Baijayant Panda, had separate chapters on the regulation/prohibition of surveillance.

Also read: Key Highlights From Srikrishna Committee Report on Data Protection

References to Surveillance in the Draft Bill

Instead of dealing with surveillance separately, section 42 of the Bill on the “security of the State” clarifies that processing of personal data “in the interests of the security of the State” shall be exempt from the obligations of the Act (except sections 4 and 31) if it is: authorised pursuant to a law made by Parliament; in accordance with the procedure established by such law ; and necessary for, and proportionate to, such interests being achieved. Section 43 creates similar exemptions if the processing of personal data is in “the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of law” and is (a) authorised by a law made by Parliament and State Legislature , and (b) is necessary for, and proportionate to, such interests being achieved. These requirements seem to be in line with the Supreme Court’s formulation in Puttaswamy. To that extent, they seemingly signal the death knell of the government’s highly controversial CMS and NETRA programs (for the lack of legislative sanction) and for any mass surveillance program (for the failure to meet the necessity and proportionality standard). Unfortunately, however, the Bill represents a lost opportunity for comprehensive surveillance reform.

Why the Bill is a Missed Opportunity

1. No Judicial Oversight

First, the requirements in sections 42 and 43 endorse the current antiquated surveillance framework that exists in the country under the Telegraph Act and the Information Technology (“IT”) Act.

Broadly speaking, both these laws empower the law enforcement agencies to intercept messages and communication on the grounds of sovereignty and integrity of India, security of the State, and public order. <a href="https://indiankanoon.org/doc/1439440/">Section 69</a> of the IT Act goes further in permitting the interception, decryption, and monitoring of information for the “defence of India”, without any pre-requisite of demonstrating “public emergency” or “public safety”.

Notably, in line with the Supreme Court’s judgment in PUCL v Union of India (1997), these laws do not require any prior judicial authorization to conduct surveillance, and instead rely on executive sanction by a competent authority. Even as far back as 2013, RTI responses revealed that the Central Government alone issues around 7500-9000 telephone interception orders each month (which number would have substantially increased today). This clearly indicates that there cannot be any reasonable application of mind by the competent government authority, while authorizing targeted surveillance. Due to such State capacity concerns, in many countries such as Canada, USA (through the FISA Court), or Australia, judicial control is built into the domestic/foreign surveillance framework, through the process of overseeing and approving warrants and surveillance requests. However, the current Bill entirely sidesteps this issue.

2. No Accountability for Intelligence Agencies

Second, while section 30 of the Bill requires data fiduciaries to take “reasonable steps” to maintain transparency and section 35 recognises data audits, there is no direct requirement for law enforcement agencies to submit a report to Parliament about the nature and scale of their surveillance and interception activities.

Given that some of our most important law enforcement agencies such as the Intelligence Bureau and R&AW<b> <a href="https://timesofindia.indiatimes.com/india/Explain-Intelligence-Bureaus-legality-HC-tells-Centre/articleshow/12408605.cms">lack statutory basis</a></b> (having been constituted pursuant to an Executive notification), this Bill could have achieved much-needed measures of accountability and oversight over these agencies.

Interestingly, the Committee’s Report acknowledges that the lack of any inter-branch oversight of law enforcement agencies, through a statute, is “deleterious in practice… and potentially unconstitutional” and that the Central Government should “carefully scrutinise the question of oversight of intelligence gathering and expeditiously bring in a law to this effect.” However, for reasons that are not fully clear, these recommendations do not find a place in the proposed law.

3. No Reform on Illegally Obtained Evidence

Third, one of the biggest problems in terms of surveillance reform has been the judicial sanction to admit illegally obtained evidence, including tape-recorded conversations. This skews the incentive of law enforcement agencies to comply with the (already weak) safeguards that are recognised in the law.

The Bill had a chance to make a difference by clarifying that any personal data collected, stored, processed, transferred, or disclosed in contravention with its provisions would be inadmissible in legal proceedings before any court of law.

Instead all it does, is reiterate in section 42 that processing has to be done “in accordance with the procedure established by law” – a requirement which, incidentally, has been dropped in section 43 – without specifying any consequences for non-compliance. Additionally, the Bill uses the term “surveillance” only once, while defining the term “harm” in section 3(21)(x) as “any observation or surveillance that is not reasonably expected by the data principal”, which in itself seems to indicate that certain kinds of surveillance are to be “reasonably expected” from the State and private actors.

4. No Rules on Non-State Actors

Fourth, the Bill does not expressly deal with surveillance by non-State actors.

5. Unrestricted Discretion for Government on Security and Aadhaar

Finally, it is worth examining Chapter XV of the Bill on Miscellaneous provisions. Section 98(1) allows the Central Government to issue “such directions” to the Data Protection Authority (“DPA”), “as it may think necessary in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order”. Such directions on questions of policy then bind the DPA.

Consequently, the Central Government enjoys untrammelled discretion in issuing such directions on any question of policy, seemingly separate from the safeguards that have been prescribed in the Act, as long as it is in the interest of national security or public order.

In fact, it is also worth noting the wording of section 19(2) that permits the processing of sensitive personal data (such as passwords, financial/biometric/genetic data) without consent, if it is “strictly necessary” for the exercise of any function of the State, authorised by law for the provision of “any service or benefit to the data principal from the State”. Interestingly, the terms “service” or “benefit” have not been defined in the Bill, and this provision seems to endorse the Aadhaar Scheme. In fact, even data portability rights do not apply when processing is necessary for the functioning of the State.

Also read: Srikrishna Committee suggests amendments in Aadhaar Act for data protection

Can This Still be Addressed?

In the Indian Privacy Code, 2018 that we had drafted and sent to the Committee, we had included a separate chapter on surveillance and interception, both by State and private actors. In it, we had proposed the constitution of a Surveillance and Interception Review Tribunal that would ordinarily give prior authorisation.

It also included specific provisions on the duration of interception and surveillance, duty to inform, storage and disclosure of surveillance/intercepted communication, and making illegally obtained evidence inadmissible.

Any comprehensive privacy law has to include surveillance reform, dealing separately with State and private actors. While the Committee’s Report recognises this, the Bill, unfortunately, fails to translate their concerns into substantive provision. We can only hope that parliamentary consultation will bring about some changes.

(Vrinda Bhandari is an Advocate in Delhi. She is also a volunteer with SaveOurPrivacy.in and helped in drafting the model India Privacy Code, 2018. This is an opinion piece and the views expressed above are the author’s own. The Quint neither endorses nor is responsible for the same)