Illustration by Binay Sinha
The Joint Select Committee of Parliament will have its hands full when it starts assessing the Draft Personal Data Protection Bill, 2019. Experts say the draft Bill in its present form may face several legal challenges in its ability to protect an individual’s privacy.
The biggest legal challenge would be to defend the provisions under Clause 35 of the draft Bill. This clause provides wide powers to the government to exempt any agency or department from the complete or partial application of the data protection law. The exemption can be made through a mere order, and the existence of a law is not required. Experts say this provision is likely to be challenged on the grounds of arbitrariness and excessive delegation.
“The wide exception it gives to the government’s use of data, including surveillance, conflicts with the ‘necessary and proportionate’ standard laid out in the Puttaswamy judgment that declared that privacy was a fundamental right,” says Udbhav Tiwari, Mozilla’s policy advisor in India.
The guidelines and the procedure for granting such exemption and measure for oversight, and safeguards have been left to delegated legislation. Experts point out that in the absence of clear statutory guidance, this provision gives overarching powers to the government to exclude any surveillance or privacy-invasive activity from the ambit of data protection.
In its current state, this provision does not conform to the principles of necessity and proportionality as laid down by the Supreme Court
in the Puttaswamy case, says Akriti Gaur, senior resident fellow at Vidhi Center for Legal Policy.
According to Kazim Rizvi, founding director, The Dialogue, a policy think-tank, in the absence of checks and balances, judicial safeguards, and parliamentary oversight, this is tantamount to blatant violation of the right to privacy as guaranteed by the Constitution.
Another significant challenge that the Bill is expected to encounter is in relation to the provision on ‘social media intermediaries’. According to Clause 26 of the Bill, any intermediary which “solely” or “primarily” enables “online interaction” between users shall be a “social media intermediary”. This excludes data fiduciaries, such as e-commerce platforms, online encyclopedia, search engines, e-mail services, and internet access providers.
What galls experts the most is that the government proposes to empower itself with the right to notify such intermediaries as “significant data fiduciaries”, based on their aggregate number of users, and potential of harm to electoral processes, public order and security of the state.
Experts point out the definition of “social media intermediary” is vague. “Terms such as ‘user’ and ‘online interaction’ are not clearly defined. While major social media platforms may make the cut, the status of many other applications would be unclear,” says Gaur.
What further complicates matter is the clause that requires “social media intermediaries” to verify their users on a voluntary basis. Experts are not clear on the intent of placing such a provision in a data protection law. Gaur says this is likely to overlap with the powers of the government to regulate ‘intermediaries’ under Section 79 of the Information Technology Act, 2000, and the Information Technology (Intermediaries Guidelines) Rules, 2011.
While strong data protection measures are increasingly becoming the new normal for businesses, for fraud and forensic investigators their job might just become more challenging. According to Jayant Saran, partner, Deloitte India, the proposed Bill permits processing of personal data without consent, in case of investigations. However, there are sections in the Bill that could potentially permit a disgruntled target of an investigation to make complaints to the proposed Data Protection Authority (DPA) and initiate inquiries, he says.
“We do see terms, conditions, and clauses of our engagement contracts changing because of the Bill and the ensuing Act,” he adds.
Given the plethora of issues facing the proposed data protection law, privacy activists and industry lobby groups hope the Parliamentary Committee gives them a proper hearing.
A few sticking points
Clause 35 gives wide powers to the government to exempt any agency or department from the complete or partial application of the data protection law
Clause 26 says any intermediary that “solely” or “primarily” enables “online interaction” between users shall be a “social media intermediary”. But this excludes data fiduciaries, such as e-commerce platforms, search engines, e-mail services, and internet access providers
Clause 26 also requires “social media intermediaries” to verify their users on a voluntary basis. This is likely to overlap Section 79 of the Information Technology Act, 2000, and the Information Technology (Intermediaries Guidelines) Rules, 2011
Tax jitters for social media companies
The need for mandatory storage of personal sensitive information in a domestic server, according to the requirements of the draft Bill, may have tax implications for some internet-based companies.
“If a social media/ internet company does not have a subsidiary in India, the question arises whether the server where this personal sensitive data is stored would be regarded as the company’s permanent establishment (PE) in India,” says Daksha Baxi, head-international tax, Cyril Amarchand Mangaldas.
The income tax law uses the presence of PE to establish taxing jurisdiction over a foreign company’s or person’s business activities in a country.
Even the use of a leased server -- which gives a company a dedicated space to do business -- could be treated as PE by the tax authorities, say experts. The revenue realised from the data processed through the server can be taxed in India under certain conditions, experts add.