In August 2017, the Supreme Court reiterated in Bhuttaswamy’s ruling that the right to privacy is guaranteed to its citizens by the constitution. An integral part of court decisions is the recognition of “data protection” as a form of privacy, especially in today’s digital age. Recognizing the proliferation of digital tools and the Internet in daily life, the Court stressed the need for the timely introduction of data protection laws that apply to private and government entities.
While India has helped formulate its privacy laws over the past few years, its technology and applications have advanced at a rapid pace. The Internet is getting faster (5G), smartphones are reaching more hands, the number and functions of applications are increasing rapidly, the use of artificial intelligence systems is increasing, and governments are increasingly relying on technological devices to perform various tasks. such as public service delivery and law enforcement. The growing reliance on technological solutions has only increased during this devastating pandemic. With this in mind, it is time for India to implement strict data protection laws.
Also read: Objection and Personal Data Act
While we await the final report and revised version of the PDP Law from the Joint Parliamentary Committee, we point out some important changes that need to be made to the PDP Law in order to ensure strict data protection laws in India.
Independent and talkative
The main purpose of data protection laws is to protect individuals from threats to the privacy of both government and private entities, and therefore any supervisory authority in charge of enforcing such laws must have a high degree of autonomy and independence in order to perform its task effectively .
In the PDP Act, which is currently under review by the JPC, the central government has the task of establishing a regulatory authority – the Data Protection Authority (DPA). The heads and members of the Political Department are appointed on the proposal of a committee composed entirely of bureaucrats. In contrast, the draft law proposed by the Srikrishna Commission provides for the appointment of a regulator by a body composed of a senior judge from the Supreme Court, the cabinet secretary and a prominent expert appointed by the other two members. Given the extent to which the government is involved in the appointment and dismissal of regulators under the current PDP law, important questions remain about the extent of the political and operational independence of the Ministry of Politics.
In addition to regulatory independence and independence, the effective application and enforcement of data protection laws depends on the high regulatory, technical and financial capacity of the regulatory authorities. The General Data Protection Regulation (GDPR) of the European Union came into force more than three years ago and is now considered the standard for data protection legislation around the world. Even with laws that are considered standard, regulatory capacity is one of the biggest challenges the EU faces in implementing the GDPR. It was highlighted that the regulator’s inadequate technical and financial capacity has hampered its ability to effectively enforce the GDPR as it handles complex legal technical issues and regulates some of the world’s largest private companies. India should learn from the EU’s experience and ensure that the Ministry of Political Affairs has sufficient regulatory, technical and financial capacity to regulate not only large private companies but also government agencies.
Data protection regulations need to keep pace with technological developments. Therefore, regulators should be enabled to enact rules and regulations in a timely manner to effectively respond to evolving aspects of complex technologies such as artificial intelligence and new advances in computing capacity. It is becoming increasingly important to ensure that regulators are independent, independent and have the capacity to make these quick and important decisions. The amended GPA bill should address this issue and ensure that it enables the creation of an independent and highly qualified regulator.
The law applicable to the state
The current draft law, which is under review by the GPA, provides wide-ranging exemptions for the state from some of the core provisions of the draft law. Some of the conditions for introducing such exemptions are – among others, state security, public order, sovereignty and integrity of India, friendly relations with foreign countries. These terms are quite broad and run the risk of being applied in many cases and will therefore significantly weaken data protection for individuals in a country context.
Therefore, the state can lawfully restrict all fundamental rights in India if certain conditions are met. The main requirement that the Supreme Court makes in connection with the state restriction of the personal rights of the individual is the principle of proportionality – measures to restrict privacy must be proportionate to the goals to be achieved.
Most importantly, the current draft law does not take into account the principle of proportionality, but allows for broad state exemptions. Hence, broad exemptions from the state under the PDP Act run the risk of being unconstitutional. The amended version of the GPA should limit the scope of the exception to the state and incorporate the principle of proportionality in its text.
Lead by example and set the standard for the Global South
News reports indicate that the revised version of the GPA Act will contain significant changes from the version they are currently reviewing. As the bill will affect multiple stakeholders and citizens, it is imperative for Parliament to seek public comments from multiple stakeholders and to allow meaningful public consultation on the version of the bill as amended by the JPC. This ensures a participatory legislative process and the formulation of effective data protection laws.
The countries of the Global South often look to India and follow its example in shaping contemporary laws and guidelines. As India is recognized as a pioneer for its progressive stance on net neutrality and ensuring that internet access remains the same for everyone, strict data protection laws should also be introduced that set data protection standards in the southern hemisphere. This is in line with the government’s efforts to increase the country’s digital capital and place India as a prime example for other countries, particularly in the southern hemisphere.
(Kakar is Executive Director, Center for Communication Governance, National Law University, Delhi; Mohan is Senior Project Director, Center for Communication Governance, National Law University, Delhi)
“Beer maven. Creator. Tv fanatic. Internet scholar. Award-winning web junkie. Avid alcohol expert. Friendly writer. Gamer.”