
Note on Data Protection and Data Privacy

The Joint Parliamentary Committee has to submit its report on the Personal Data Protection (PDP)
Bill by the end of the 2021 winter session of Parliament. The Bill stems from the 2017 judgment of the
Supreme Court in KS Puttaswamy vs. Union of India, which recognised privacy as a fundamental
right protected by the Constitution. A committee headed by Justice B. N. Srikrishna submitted a
report in 2018, on the basis of which the Personal Data Protection Bill, 2018 was drafted. It was then
given to a 30-member Joint Parliamentary Committee. The committee, which had been deliberating
on the Bill since it was introduced in Parliament in 2019, has made several recommendations for
modifying the draft.

Justice K.S. Puttaswamy vs Union of India, 2017


(Fundamental Right to Privacy)

Case Summary and Outcome

On 24th August 2017, a nine-judge bench of the Supreme Court passed a historic judgment
affirming the constitutional right to privacy. It declared privacy to be an integral component of Part
III of the Constitution of India. The Supreme Court has, however, clarified that like most other
fundamental rights, the right to privacy is not an "absolute right". Subject to the satisfaction of
certain tests and benchmarks, a person's privacy interests can be overridden by competing state and
individual interests. Since the 2017 judgment, the fundamental right to privacy has been cited as
precedent in various landmark judgments, such as the Navtej Johar and Joseph Shine judgments.

Facts

The case was brought by 91-year-old retired High Court Judge Puttaswamy against the Union of
India before a nine-judge bench of the Supreme Court which had been set up on reference from the
Constitution Bench to determine whether the right to privacy was guaranteed as an independent
fundamental right following conflicting decisions from other Supreme Court benches.

The question of whether or not privacy is a fundamental right first arose in 2015 before a three-
judge bench of the Supreme Court considering the constitutional challenge to the Aadhaar
framework. The Attorney General had then argued that although a number of Supreme Court
decisions had recognised the right to privacy, Part III of the Constitution does not guarantee such a
fundamental right since larger benches of the Court in M.P Sharma (8 judge bench) and Kharak
Singh (6 judge bench), had refused to accept that the right to privacy was constitutionally protected.
Consequently, this bench referred the matter to a five-judge bench to ensure "institutional integrity
and judicial discipline". Thereafter, the five-judge bench referred the constitutional question to an
even larger bench of nine judges to pronounce authoritatively on the status of the right to privacy.

The Petitioner argued before the nine-judge bench that this right was an independent right,
guaranteed by the right to life with dignity under Article 21 of the Constitution. The Respondent
submitted that the Constitution only recognised personal liberties which may incorporate the right
to privacy to a limited extent. The Court considered detailed arguments on the nature of
fundamental rights, constitutional interpretation and the theoretical and philosophical bases for the
right to privacy as well as the nature of this right.

Issues

• Is the decision in M.P. Sharma v Satish Chandra, District Magistrate, Delhi correct in law?
• Is the decision in Kharak Singh v State of Uttar Pradesh correct in law?
• Is the right to privacy an intrinsic part of the right to life and personal liberty under Article 21
and a part of the freedoms guaranteed by Part III of the Constitution?

Operative Part of the Judgement

• The eight-judge bench decision in M P Sharma (1954), which held that the right to privacy is not
protected by the Constitution stands over-ruled;
• The Court's subsequent decision in Kharak Singh (1962) also stands over-ruled to the extent that
it holds that the right to privacy is not protected under the Constitution;
• The right to privacy is protected as an intrinsic part of the right to life and personal liberty under
Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution; and
• The body of case law that developed subsequent to Kharak Singh, recognizing the right to
privacy, enunciated the correct position of law.

Judicial review standard adopted

• Legality
• Legitimate Goal
• Proportionality
• Compelling State Interest: (Only held by Chelameswar J.)

Decision Overview

The right to privacy was reinforced by the concurring opinions of the judges in this case which
recognized that this right includes autonomy over personal decisions (e.g. consumption of beef),
bodily integrity (e.g. reproductive rights) as well as the protection of personal information (e.g.
privacy of health records).

This judgement takes privacy far beyond the confines of Article 21 and weaves it into other
fundamental rights such as the freedom of conscience, the freedom of assembly and the freedom of
occupation. Privacy has been described in Puttaswamy as a travelling right, a necessity and a pre-
condition for the exercise of other freedoms. In present times, privacy is a pre-requisite of free
speech. The judgment in Puttaswamy recognises the right to privacy against not just the State but
private parties as well. The State is now under a duty to safeguard the privacy rights of citizens not
only against itself but also against big corporations.

The judgement proceeds to recognise several new facets of privacy that the Supreme Court might
not have had occasion to address before. For example, the judgment recognises the right to
publicity, the right of an individual to control the public portrayal of her image and to control the
commercial use of her identity, image or likeness. It also recognises the right to be forgotten in the
context of the digital world, the right to erase information from the public domain that has become
irrelevant.

A striking feature of this judgment is the treatment of issues of digital privacy, which are of
increasing importance both in India and internationally. The judgment makes it clear that the
Indian Government is now concerned to establish an online data protection regime to protect the
privacy of the individual. This is welcome, as India is lagging behind in its online data privacy
regime, i.e. proper laws and regulations regarding collection, preservation, and compliance of
personal data and related enforcement mechanisms.

The judgement provides for the protection of freedom of expression by recognizing rights such as
the right against arbitrary, unregulated State surveillance, the right to express one's sexual
orientation, religious expression and data protection.

It provides that privacy is a fundamental, inalienable right, intrinsic to human dignity and liberty
under Article 21 of the Constitution of India. The judgment paved the way for the decriminalisation of
homosexuality in India in Navtej Singh Johar v. Union of India (2018) and for the abolition of the
provisions on the crime of adultery in Joseph Shine v. Union of India.

Aadhaar Judgement’s relation to the right to privacy

Constitutionality of Aadhaar Act


Justice K.S. Puttaswamy v Union of India, 2018

The Government of India initiated a new identity document called the Aadhaar card, for which it
established a new agency, the Unique Identification Authority of India (UIDAI), to issue the card.
To apply for the card, a resident must submit scans of their fingerprints and retina. All
the data is stored in a centralized database. Subsequently, the government made Aadhaar
mandatory for several welfare schemes such as subsidized food under the Public Distribution System,
the Mid-day meal scheme and the Mahatma Gandhi Rural Employment Guarantee Scheme. The Aadhaar
Act, 2016 was also passed for the smooth functioning of the scheme. This scheme was challenged
before the Supreme Court by K.S. Puttaswamy, a retired judge of the Karnataka High Court.

The issues before the apex court

• Was Parliament competent to pass the Aadhaar Act as a Money Bill?
• Does the maintenance of a record of biometric data violate the Right to Privacy?
• Does making Aadhaar mandatory for getting subsidies and benefits under Section 7 of the
Aadhaar Act violate the rights to equality and dignity?

The primary arguments against the Aadhaar scheme

• The government has not put in place adequate privacy safeguards. Any private entity may request
authentication by Aadhaar for any reason subject to regulations by the UIDAI. There are no
checks on the power of the government to use the biometric data collected.
• Entitlements granted to the individuals by the State’s social sector schemes are themselves a
fundamental right. They cannot be limited for any reason, including the failure to produce an
Aadhaar Card/Number when applying for benefits.

Operative part of the judgement

• A 4:1 majority upheld the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits
and Services) Act, 2016 as constitutional.
• The Court held that the Act was competently passed by Parliament, even though it was passed as
a Money Bill.
• Section 7 of the Act, which says proof of Aadhaar number is necessary for receipt of certain
subsidies, benefits and services, etc., would cover only those benefits for which expenditure is
drawn from the Consolidated Fund of India.

Provisions struck down as unconstitutional


Section 57: Permits the use of Aadhaar number for establishing identity for any purpose, by the
state or any corporate or person, pursuant to any law or contract.
Judgment: The order stated that “any purpose” is susceptible to misuse and can only be a purpose
backed by law. It also found that allowing any corporate or person to use Aadhaar for
authentication, especially on the basis of a contract between the corporate and an individual, would
enable commercial exploitation of private data and hence is unconstitutional.

Section 33(1): Disclosure of Aadhaar information in certain cases, such as pursuant to a court
order.
Judgment: The order said an individual, whose information is sought to be released, must be given
the opportunity of a hearing and the right to challenge any such court order.

Section 33(2): Restricts confidentiality of Aadhaar data in cases of national security if so determined
by a senior government officer (joint secretary).
Judgment: Any breach of confidentiality can be done only on the orders of a very senior
government officer (higher than joint secretary) along with a sitting high court judge.

Section 47: Provides that only UIDAI can file a court complaint in case of violation of the act.
Judgment: The section must be amended to also allow filing of such a complaint by an
individual/victim whose right is violated.

Section 2(d): Pertains to the authentication record, i.e. the record of the time of authentication,
the identity of the requesting entity and the response provided by UIDAI.
Judgment: The provision in its present form has been struck down but can be reframed
keeping in view the parameters laid down in the order.

Regulation 27: Provides for archiving of data for a period of five years.
Judgment: Retention of data beyond the period of six months is impermissible.

Does the maintenance of a record of biometric data violate the Right to Privacy?

The architecture of Aadhaar as well as the provisions of the Aadhaar Act do not tend to create a
surveillance state, said the majority order. According to the order, this is ensured by the manner in
which the Aadhaar project operates.

• During the enrolment process, minimal biometric data in the form of iris and fingerprints is
collected.
• UIDAI does not collect purpose, location or details of transaction. Thus, it is purpose blind.
• The information collected, as aforesaid, remains in silos. Merging of silos is prohibited.
• The requesting agency is provided answer only in ‘Yes’ or ‘No’ about the authentication of the
person concerned.
• The authentication process is not exposed to the internet world.
• There are sufficient authentication security measures taken.
• There is an oversight by Technology and Architecture Review Board and Security Review
Committee.
• During authentication no information about the nature of transaction etc. is obtained.
• The authority has mandated use of Registered Devices for all authentication requests.

Hence the three judges held that “it is very difficult to create profile of a person simply on the basis
of biometric and demographic information stored in CIDR”. (P.545)

Whether the Aadhaar Act violates the right to privacy and is unconstitutional on this ground?
According to the Justice K.S. Puttaswamy vs Union of India, 2017 judgement, any restraint on
privacy must meet three tests: Legality; Legitimate Goal and Proportionality.

The existence of the Aadhaar Act and delivery of welfare benefits fulfil the first two
requirements. The order noted that the third test of proportionality has also been met because the
purpose of the act is to ensure deserving beneficiaries of welfare schemes are correctly identified; it
also achieves the balancing of two competing fundamental rights: right to privacy on the one hand
and right to food, shelter and employment on the other. Section 7 of the Act, which says proof of
Aadhaar number is necessary for receipt of certain subsidies, benefits and services, etc., would
cover only those benefits for which expenditure is drawn from the Consolidated Fund of India.

Decision Overview

The Aadhaar Judgment cherishes the nine judge bench view on the right to privacy as a
fundamental right. It further throws light on the evolution of the concept of human dignity and
privacy and discusses the rationale of the progressive judgments of the courts of law on the subject.
The judges also touched upon other landmark judgments related to the fundamental rights and rule
of law and the limitations and permissible restraints on exercising fundamental rights. A number of
arguments were dealt with and commented upon by the bench. Whether Aadhaar challenges the
concept of limited government, whether the state will have complete control on biometric and
demographic data of the citizens and that given that everything at all times will be linked to
Aadhaar, will every citizen be under the gaze of the government, are a few of the points which had been
deliberated upon. The court also stressed upon the need for security monitoring, data protection,
conducting data audits and having a robust system in place to ensure data safety. The Aadhaar
Judgment also stated that suitable provisions to deal with the need of altering information and those
related to accepting alternate means of identity in case the biometric/ demographic information
changes as a result of age, injury, surgeries, etc. shall be introduced.

The Supreme Court categorically recognised certain data protection principles such as data
minimization (restricting collection of data to data necessary for stated objects or purpose), purpose
limitation (limiting the scope of purpose and using the data only for such purpose), data retention
(retaining the data only for a limited period necessary for the purpose) and data security as relevant
factors in determining whether the provisions of particular legislation, including the Aadhaar Act,
were in conformance with an individual's right to privacy. While the Supreme Court discussed
various data privacy principles from the United States and European Union jurisdictions, it did not
specify which of those principles should be adopted in the Indian context.

Summary of the B. N. Srikrishna Committee Report and the Personal Data Protection Bill, 2018

The Committee of Experts on a Data Protection Framework for India (Chair: Justice B. N.
Srikrishna) submitted its report and draft Bill to the Ministry of Electronics and Information
Technology on July 27, 2018. The Committee was constituted in August, 2017 to examine issues
related to data protection, recommend methods to address them, and draft a data protection Bill.

• The Bill and the report noted that the relationship between the individual and the service provider
must be viewed as a fiduciary relationship. This is due to the dependence of the individual on the
service provider to obtain a service. Therefore, the service provider processing the data is under
an obligation to deal fairly with the individual’s personal data, and use it for the authorised
purposes only.

• The Bill provides that processing of sensitive personal data is allowed on certain grounds, including:
(i) based on explicit consent of the individual, (ii) if necessary for any function of Parliament or
state legislature, or, if required by the state for providing benefits to the individual, or (iii) if
required under law or for the compliance of any court judgement.

• The Bill provides exemptions from compliance with its provisions, for certain reasons including:
(i) state security, (ii) prevention, investigation, or prosecution of any offence, or (iii) personal,
domestic, or journalistic purposes.

• Under the Bill, the Authority may levy penalties for various offences by the fiduciary including
(i) failure to perform its duties, (ii) data processing in violation of the Bill, and (iii) failure to
comply with directions issued by the Authority. For example, under the Bill, the fiduciary is
required to notify the Authority of any personal data breach which is likely to cause harm to the
individual. Failure to promptly notify the Authority can attract a penalty of the higher of Rs 5
crore or 2% of the worldwide turnover of the fiduciary.

• To prevent abuse of power by service providers, the law should establish their basic obligations,
including: (i) the obligation to process data fairly and reasonably, and (ii) the obligation to give
notice to the individual at the time of collecting data to various points in the interim.

• The Committee and Bill distinguished personal data protection from the protection of sensitive
personal data, since processing of the latter could result in greater harm to the individual. Sensitive
data is related to intimate matters where there is a higher expectation of privacy (e.g., caste,
religion, and sexual orientation of the individual).

• The report made individual consent the centrepiece of data sharing, awarded rights to users and
imposed obligations on data fiduciaries. It made consent a lawful basis for processing of personal
data. It also provided a right to be forgotten, which refers to the ability of individuals to limit,
delink, delete, or correct the disclosure of personal information on the internet that is misleading,
embarrassing, irrelevant, or anachronistic.

• The committee report stated that the data protection law will set up a Data Protection Authority
(DPA), which will be an independent regulatory body responsible for the enforcement and
effective implementation of the law. The DPA was to be appointed by the Union government on
the basis of recommendations made by a selection committee comprising the Chief Justice of
India or a Supreme Court judge nominated by the CJI (this 'Judicial Member' would have been
the chairperson of the selection committee), the Cabinet Secretary, and a person of repute
nominated by the other two members.

• The Committee made specific mention of the need for separate and more stringent norms for
protecting the data of children, recommending that companies be barred from certain types of data
processing such as behavioural monitoring, tracking, targeted advertising and any other type of
processing which is not in the best interest of the child.

• The report has also listed the impact of the proposed data protection framework on allied laws,
including the Aadhaar Act and the RTI Act, which require or authorise processing for personal
data for different objectives.

• The report stated that the state can process data without the consent of the user on grounds of public
welfare and public order, emergency situations where the individual is incapable of providing
consent, employment, and reasonable purpose. However, adequate security safeguards must be
incorporated in the law to guard against potential misuse.

• Cross border data transfers of personal data, other than critical personal data, will be through
model contract clauses containing key obligations with the transferor being liable for harms
caused to the principal due to any violations committed by the transferee. Personal data
determined to be critical will be subject to the requirement to process only in India (there will be a
prohibition against cross border transfer for such data).

Issues with the Personal Data Protection Bill, 2018

The report proposed that personal data of individuals can be processed for the exercise of any
function of the state. This can be done without the consent of the individual as long as it is to
provide a service or benefit to the individual. This runs directly counter to the articulation of
informed consent as central to informational privacy in the Puttaswamy judgment, 2017. Another
key aspect missing from the report was the reform of surveillance laws. There is very little
legislative and judicial oversight on surveillance activities carried out in India. As proposed by the
report, requiring all businesses to store data within India, without any reform of surveillance
governance, can pose even bigger privacy issues in the future.

The bill requires data fiduciaries to store “at least one serving copy” of personal data on a server or
data centre located in India. The government can exempt certain categories of personal data from
this requirement. It can also declare certain categories of data “critical” and require that they be
stored only in India. In other words, foreign internet intermediaries and services may all be required
to physically host user data in India. The only discernible reason for such a requirement is to give
law enforcement easy access to this data. The draft bill creates a regulatory structure that is not
sufficiently independent as the central government has significant control over the regulatory
regime, and it is vulnerable to capture by industry. The draft bill gives the central government the
power to appoint members of the data protection authority upon the recommendation of an outside
committee. The appointment is for a term of five years, which seems much too short to give a new
institution sufficient time to learn the ropes and gain the independence it needs to be an effective
regulator. The central government also has the ability to remove members of the authority for
reasons specified in the law.

Difference between the Personal Data Protection Bill 2018 and Personal Data
Protection Bill 2019

The 2019 Bill retains much of the draft bill proposed by the Justice Srikrishna Committee (“2018
Bill”). However, the 2019 Bill introduces new concepts and deviates from the 2018 Bill in certain
respects. The key differences include:

• The data localisation requirements for personal data have been relaxed to an extent. However,
storage/ transfer of sensitive personal data and critical personal data are still restricted.
• The 2019 Bill introduces the concept of a ‘consent manager’ through whom data principals can
manage consent for exercising rights such as data portability, right to correction and right to be
forgotten under the 2019 Bill.
• Unlike the 2018 Bill, the DPA cannot specify new categories of sensitive personal data under the
2019 Bill. This power has been given to the central government.
• The 2019 Bill gives the central government powers to direct any data fiduciary/data processor to
provide non-personal data to the government to ‘enable better targeting of delivery of services or
formulation of evidence-based policies’. This was not envisaged by the 2018 Bill.
• Under the 2019 Bill, the central government can exempt any government agency from the
application of the provisions of the bill on widely worded grounds, subject only to such
procedure, safeguards and oversight mechanism as may be prescribed. This is a significant
dilution of the 2018 Bill, where the central government could be exempted from limited
provisions of the bill, and only on limited grounds and subject to (a) procedure established by
law, (b) necessity, and (c) proportionality.
• Under the 2019 Bill, the central government may notify certain social media intermediaries as
‘significant data fiduciaries’, who will have to comply with additional obligations under the 2019
Bill and will be required to give their users the option to voluntarily verify their accounts in the
prescribed manner.
• Under the 2018 Bill, the Data Protection Authority (“DPA”) consisted of a chairperson and six
whole-time members, while under the 2019 Bill the DPA may consist of fewer than six members.
Further, the selection committee under the 2019 Bill does not include a judicial member as
opposed to the 2018 Bill where it consisted of the Chief Justice of India (“CJI”) or a Supreme
Court judge nominated by him and an expert.
• Non-compliance with the proposed act entails significant penalties which could go up to four
percent of total worldwide turnover of an entity.

Changes recommended by the JPC


(known from source-based news reports and dissent comments)

With the joint parliamentary committee (JPC) finalising its report on the Personal Data Protection
Bill 2019, India might finally get its long-overdue data protection law in the forthcoming winter
session of Parliament. Although the report has been given its sixth extension and has to be
submitted by the end of the winter session, there are some key recommendations that are known
from source-based news reports and the comments by the dissenting members. The JPC report does
not appear to have resolved the concerns raised about the 2019 bill and has taken the proposed law
even further away from the well-crafted draft bill proposed by the Justice B. N. Srikrishna Committee.
Some MPs have even called the bill "Orwellian" and taken objection to the JPC's failure to consider
amendments to the bill to ensure compliance with the Supreme Court's right to privacy judgment.

Key Recommendations Made by JPC Report

• No significant changes to Section 35 of the 2019 bill (state use exemption), which
allows the Union government to exempt its agencies from complying with the requirements
under the law, including that any processing of data has to be for a limited purpose, done
with consent and after providing notice. The exemption can be applied if the government
thinks that it is "necessary or expedient" in the interest of the sovereignty and integrity of
India, security of the state, friendly relations with other states, or public order.

• The procedure for applying the exemption needs to be "just, fair and proportionate.”

• No changes to Section 12 of the 2019 bill, which allows the processing of personal
data without a person's consent if this is necessary, among other things, for provision of
services or benefits from the government, or issue of licences/certifications/permits from the
government for any action or activity.

• Social media platforms should be treated as publishers (that is, not as intermediaries)
unless they mandatorily verify users. This would make them responsible for content posted
by users. It is said to have recommended that no social media company be allowed to
operate in India unless the parent company handling the technology sets up an office in
India.

• Any data fiduciary which passes on information to a third party will need to
mandatorily disclose this information to the person whose data has been passed on.
However, this will not apply to information passed on for the purposes of state use.

• Senior management personnel of companies have to be appointed to the position of
data protection officers and will ultimately be held responsible.

• Non-personal data should also be included within the ambit of the law.

• Data breaches will need to be reported within 72 hours by companies.

• Data collection by electronic hardware (telecom equipment like 5G and home
devices like Alexa) should also be specifically addressed by the data protection law.

• Data localisation requirements need to be complied with for all sensitive and critical
personal data – even for data already collected by foreign entities operating in India (like
Visa, Mastercard, etc). Copies of such data will now need to be retained in India as well.

• The Data Protection Authority, which is to be set up under the law to regulate how
data is to be managed and processed, should be bound by directions of the Union
government in all cases – not just questions of policy.

• At the same time, the rule about mandatory disclosure to the owner of data in case it is
passed on to a third entity will not apply in case it is for purposes such as State function
(such as for offering benefits, to maintain law and order) or to comply with a court order.
Government departments will be allowed to carry out an in-house inquiry to fix
responsibility in the event of a leak.

• Foreign entities that store the data of Indian citizens would first have to seek the
government's permission. It is not clear what happens if a national or a domestic entity
chooses to do the same. It is also unclear whether permission can be granted for the usage of
this data internationally.

• Additional compliance for companies that deal exclusively with children’s data is also
sought, by asking them to register with the Data Protection Authority.

• Setting up of an indigenous architecture, which can be an alternative to the internationally
accepted SWIFT payment system, is also said to have been suggested.

• A proposal to allow data principals to choose how their data will be handled after their death
is also included.

Issues with the JPC Report

• Whether entities such as social media giants can still be considered intermediaries if they are
given permission to edit content. If granted permission to edit, the platforms become editors or
secondary authors, much like a newspaper or a website. If a social media platform fails to qualify
for safe harbour, its liability should not be that of a publisher.

• It is clear that regulation of content on social media and digital media is a key concern for this
government (the controversial new IT Rules in 2021 also seek to do this), but this should not be in a
data protection law.

• The clubbing of personal and non-personal data is untenable. The inclusion of non-personal data
within its ambit, changes the nature of the Bill from personal data protection to just data
protection.

• Clause 35 in the name of “public order”, ‘sovereignty’, “friendly relations with foreign states”
and “security of the state” allows any agency under the Union Government exemption from all or
any provisions of the law. Historically in India, these umbrella terms have been used by the
government to misuse laws and curb the freedom of dissenters or their opposition. If government
agencies can avoid data protection requirements on such broad grounds, there is great scope for
misuse of personal data for surveillance.

• Even if these exemptions are to be made, “judicial or parliamentary oversight” for granting such
exemptions should be made mandatory.

• The new act shall supersede other laws, including the information technology act and the
telegraph act with regards to regulating social media platforms.

• One positive is that the ability of the government to seek exemptions should include the
test for “just, fair, reasonable and proportionate procedure” to curb any misuse.

• As per the new report, personal data protection and non-personal data have now been possibly
compressed into a single enactment. To do so as in Sec. 91 of PDP 2019 is completely
unsustainable. If the errors of that provision have been carried over, the same is likely to be
afflicted with the malaise of excessive delegation of parliamentary powers to government
authorities.

• The JPC has also failed to expressly reintroduce wording on how any attempt to apply the state
use exemption would only be exercised under the terms of new legislation, and would comply
with the tests of proportionality as laid down by the Supreme Court in the Puttaswamy (right to
privacy) judgment. This is particularly concerning as Section 35 doesn't just allow for the
exemption when "necessary" but also when this is "expedient," which does not meet the
proportionality standard.

• A failure to restrict the state use exemption also dilutes one of the useful recommendations for
mandatory disclosure of information being passed on to a third party.

• The failure to accept any amendments to Section 12 is also worrying. This provision to allow
non-consensual data processing for government benefits has been a matter of concern since the
Srikrishna Committee's draft bill itself, since it imposes no express proportionality requirements. It
is unclear why there should be no consent for taking data when it comes to people accessing
government benefits. This is essentially an erosion of privacy and data protection principles on the
assumption that the poor and disadvantaged are not concerned with privacy and data protection.
Given the kinds of data breaches that have already occurred in connection with Aadhaar data, the
need to ensure that data collection in connection with public services and benefits is done in a
more restricted manner should have been even clearer.

• The Data Protection Authority is rendered toothless qua the government. Under the Srikrishna
Committee draft, the DPA was to be appointed by the Union government on the basis of
recommendations made by a selection committee comprising: the Chief Justice of India or a
Supreme Court judge nominated by the CJI (this 'Judicial Member' would have been the
chairperson of the selection committee), the Cabinet Secretary, and a person of repute nominated
by the other two members. However, in the government's 2019 bill, the requirement for a judicial
member on the selection committee disappeared, as did the inclusion of a 'person of repute',
meaning the DPA members would solely be appointed from among the Union government's
bureaucrats. Not only does the JPC report fail to make any suggestions to rectify the composition
of the selection committee, it also wants the DPA to be required to fall in line with all directions
of the government.

Where are we headed?

• The 9 principles of data protection specified by the GDPR (Lawfulness; Fairness; Transparency;
Purpose limitation; Data minimisation; Accuracy; Storage limitation; Integrity and
confidentiality; Accountability) should be followed in letter and spirit in India.

• As per the recommendations given by the JPC report, data localisation requirements need to be
complied with for all sensitive and critical personal data. However, if the data localisation rules
are made very stringent, then it might not be possible for some service providers to provide their
services in India. Thus, these rules need adequate impact assessment before they are enforced. On
the other hand, copies of data will need to be retained in India as well. If this is not done, it
will create problems for investigative agencies, as it will be difficult for them to collect such data
maintained in another jurisdiction.

• There should be equal data protection levels in the country of the service provider and the country
of the service recipient.

• The Personal Data Protection (PDP) Bill does not address the issue of how to deal with entities
already using facial recognition technology. It also fails to address the issue of facial recognition
software used for surveillance by governments around the world. India is ramping up the use of
facial recognition to track down individuals without any laws to keep track of how this
technology is being used. The Central government used this technology to track down the
protestors who were present at the Red Fort during the ruckus in January this year.

• The choice in front of internet users in India is to choose between private companies who make a
profit and handing data over to the government, with whom they’re facing a trust deficit. The
vaguely worded provisions in the Bill, such as clause 91, leave room for misuse. The clause allows
the central government to access anonymised or non-personal data to frame policies in the
interest of the ‘digital economy’. Such provisions show that the proposed law is far more
interested in treating data as a resource. Even ‘critical’ and ‘sensitive’ data such as religion, age,
gender and other personality identifiers may be available to the government in the interest of
‘national security’.

• Personal data, non-personal data and critical personal data are not clearly defined.
This gives the government unbridled discretion to notify critical personal data and to misuse
it.

• The stance of social media platforms is dubious. Intermediaries should not be put in the same
category as publishers, especially when the content is posted by an unverified user or when the
platform does not have content editing powers.

• While some national security concerns may require the state to access and maintain records of
public data, it is important that the law does not make the citizens’ right to privacy secondary to
the nation’s security interests. A deliberate elevation of the nation’s security over the right to
privacy will vest power with the government to collect and use public data as it deems fit.

• There are different types of non-personal data. One is collected by the government, such as
meteorological data, agriculture, forestation and deforestation, which will be held by the
government. Then there is private non-personal data of companies. This could be the policy they
have on where they want to expand, source raw materials, or raise financials by different
methodologies. This is a company's business intelligence. All these are private to the company, and
the company should not have to just hand over the data to the government without adequate
compensation.

• Non-personal data of users can help civic bodies and private companies to provide better services
to the citizens.

• Recently, allegations over the usage of Pegasus spyware for surveillance by several governments
have surfaced. In India, it is unclear whether the spyware was deployed by the Centre or if it was
used by a secondary entity. The Bill must take into consideration data security and privacy risks
posed by such modern surveillance technologies.

• This Bill provides the users with a greater degree of control over what data they allow service
providers to collect. The service providers need to ask for consent to collect and access user data.
It also allows users to ask the service provider what data it is collecting and to ask for a copy of the
same. In case of obsolete data, the user has the power to correct data. Consent also needs to be
taken in case of third-party sharing of the user data. The service provider cannot deny service in
case the user refuses consent for data which does not have a direct nexus with the services.
However, the Bill is not clear about the protection provided to the consumers in case of a data
breach.

• Another aspect that should be considered is the interaction between data collection, data privacy
and competition. It poses questions such as: Can codes of conduct or other agreements between
competitors on data protection and privacy policies violate competition law? Can a dominant
undertaking justify its refusal to grant access to data collected by it by invoking its obligations
under data protection law? Do the data protection rules limit the collection of information during
investigations by competition authorities or internal investigations?

• Firms may compete to offer better privacy terms to customers over their competitors. However,
consumers have vastly different ideas about how or when they want their data to be used. Some
find targeted or behavioural advertising invasive, while others appreciate more relevant ads and
receive free products or services in exchange for targeted ads.

• The CCI in March 2021 issued an order initiating an investigation against WhatsApp and
Facebook under Section 26(1) of the Competition Act which considers data as a non-price
competitive parameter. In the order, the CCI observed that these companies have the potential to
collect and process significant amounts of customer data and that, in a data-driven ecosystem,
competition law needs to examine whether the excessive data collection and the extent to which
such collected data is subsequently put to use or otherwise shared have anti-competitive
implications. The CCI Telecom Report provides the following illustrations of abusive conduct: (a)
a low privacy standard implying lack of consumer welfare; (b) lower data protection, which could
also indicate exclusionary behaviour; and (c) leveraging a data advantage across various services.

• While the CCI Telecom Report identifies data as a metric for non-price competition, it also
acknowledges that privacy is a consumer protection issue. The CCI should act in conjunction with other
agencies (in this case, the proposed DPA) that have been specifically empowered to set standards
for data protection. Clarity on the boundaries between privacy and competition law is needed
going forward to avoid enforcement overlap.
