The Digital Personal Data Protection Bill, 2022 suffers from flaws which may render it unconstitutional

The Digital Personal Data Protection Bill, 2022 was released by the Ministry of Electronics and Information Technology (MeitY) on November 18. The bill aims to provide a framework for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes. However, it fails to do so because it does not regulate the state surveillance system effectively and provides no redressal mechanism against it.

DIGITAL rights are strongly associated with the right to freedom of speech and expression and right to privacy. Therefore, the protection of these rights through a special legislation becomes imperative on the part of the legislature. However, in our country it has been a tough ride for data protection legislation to materialise or to take a tangible form. There was not any separate or special legislation that specifically talked about digital rights or data privacy and data protection of individuals. In the name of data protection law, we only have provisions located in multiple other legislations, rules and regulations formed by the government.

Put in this context, will the new Digital Personal Data Protection Bill, 2022, make any difference to the ongoing discourse on digital rights or data privacy?  Sadly, the answer appears to be in the negative.

Existing legal architecture

The only central legislation that the country has is the Information Technology Act, 2000, which was promulgated with an aim to facilitate electronic filing of documents with government agencies and to provide legal recognition for transactions executed through electronic data interchange and other means of electronic communication. The Act provides punishments for various digital offences, including violation of privacy, cyber-terrorism, identity theft, cheating by personation by using a computer resource, and many other computer-related offences.

Despite several private member bills on privacy being introduced, it was not until 2011 that concrete steps were taken. The UPA Government prepared the Right to Privacy Bill of 2011, but it never saw the light of the day. According to some reports, the bill was suspended due to objections from the intelligence agencies. At that time, the extensive gathering of citizen data by the government was a major cause for worry. There was a risk that the data might be exploited by the authorities violating the right to privacy of individuals.

There was no legislation which regulated the surveillance architecture in the country. The issues related to regulating illegal surveillance by the government were frequently raised by many activists and jurists. On one side of the balance, there were people contesting that if the power to conduct surveillance is being fettered then the national security may be compromised, while the other side of the balance highly valued the right to privacy.

Challenges for privacy

Covert use of surveillance mechanisms by the political parties in power to further their political motives remains a fundamental problem associated with the surveillance structure. The current surveillance structure concentrates authority in the hands of the Executive branch, with no judicial or parliamentary scrutiny. This encourages a total lack of accountability and frequently leads to accusations of using surveillance for political ends.

In every political regime, allegations surface that the ruling party has used the phone-tapping mechanism to monitor and record the phone calls of important party members and opposition figures to conduct routine surveillance and to obtain the upper hand over rivals during crucial moments.  

Communications on the Internet have frequently been under the scrutiny of authorised agencies of the central government and state-level law enforcement. The Minister of State for Home Affairs responded to a question in the Rajya Sabha by saying that security and intelligence organisations “regularly monitor the popular social media sites and websites and take necessary action in case they find any classified material or provocative material or anti-national or terror related material hosted / circulated on such sites.”

Not only political figures but also journalists, activists and writers are targeted through the surveillance mechanisms. By means of the Pegasus Project (an international investigative journalism initiative that revealed the espionage by governments), voices were raised against the wrongful and illegal surveillance done by the government. It was claimed that using the Israeli surveillance programme ‘Pegasus’, the phones of two union ministers, three opposition leaders, one constitutional authority, and chiefs of security organisations were tapped by the authorities.

This is not only a blatant breach of the right to privacy but is also against the democratic fabric of the constitution, which is based on transparency, fairness, and due process. It also lowers the trust of the public in democratic institutions.

How courts have asserted the right to privacy

The main provisions which deal with surveillance by the state are Section 69 of the Information Technology Act, 2000 (read with the IT Rules of 2009) and Section 5(2) of the Telegraph Act.

Section 69 of the IT Act grants powers to the central government to issue directions for interception or monitoring or decryption of any information through any computer resource in matters to safeguard sovereignty or integrity of India, defence, security, friendly relations with other countries, or public order, or to prevent anyone from inciting anyone else to commit any crime that might be prosecuted under those offences, or to investigate any crime.

Digital rights and liberties organisations have time and again called the provision overbroad, vague, and widely worded, giving unfettered powers to the government to conduct surveillance by way of interception or monitoring or decryption of any information. They claim that enacting and enforcing Section 69 of the IT Act, 2000, along with the directives issued for intercepting, monitoring, and decrypting any such information, has serious ramifications for the right to privacy, which is protected by Article 21 of the Indian Constitution.

The provision is often contrasted with Section 5(2) of the Telegraph Act, which provides the central and state governments with the authority to seize control of licensed telegraphs and demand message interception “on the occurrence of any public emergency, or in the interest of the public safety” if it is satisfied that it is necessary or expedient so to do in the interests of (i) the sovereignty and integrity of India, (ii) the security of the State, (iii) friendly relations with foreign States, (iv) public order or (v) for preventing incitement to the commission of an offence.

However, when compared to Section 5(2) of the Telegraph Act, Section 69 appears to permit monitoring beneath an impenetrable cloak, where there is no circumstance that is “obvious to a reasonable person” and there is no requirement for ‘public emergency or in interest of public safety’. It is argued that because the people whose private conversations are improperly intercepted are never made aware of this, the provision lacks any requirements for openness and responsibility. In the absence of a public emergency or public safety imperative, there is no publicly apparent circumstance that would serve as a public warning that the government may be using surveillance, or that would serve as a publicly verifiable reason for monitoring. Thus, the centralisation of authority in the hands of the executive leads to a lack of accountability and may facilitate abuse.

In the case of People’s Union for Civil Liberties v. Union of India (1997), the element of transparency required for the purpose of interception was highlighted by the Supreme Court. The writ petition was filed in response to instances of telephone tapping by the government. The court in this case observed that the trigger condition necessary to attract Section 5(2), or for the state to intercept the telegraphs or demand message interceptions, is “occurrence of any public emergency” or “interest of public safety.” Therefore, the authorities do not have the authority to use the powers granted by the provision unless a public emergency has occurred, or it is necessary for the sake of public safety.

The court defined public emergency, as ‘the prevailing of a sudden condition or state of affairs affecting the people at large calling for immediate action.’ The expression public safety, was defined as “the state or condition of freedom from danger or risk for the people at large.”

The court was apprehensive about the possible misuse of the surveillance structure and the subjugation of the right to privacy by the actions of the government. Therefore, while laying down the guidelines for the use of surveillance architecture under the Telegraph Act, the court asserted the element of privacy that needs to be maintained.

With regard to the right to privacy and surveillance, the court observed the following –

  1. The right to privacy “is a part of the right to ‘life’ and ‘personal liberty’ enshrined under Art. 21 of the Constitution”. 
  2. The right to hold telephone conversation, in the privacy of one’s home or office without interference forms part of the right to privacy.
  3. The government uses sub-rosa operations to some extent as a component of its intelligence apparatus but at the same time the citizen’s right to privacy must be protected from being abused by the authorities.

Further, while referring to the ruling of the court in the case of Maneka Gandhi vs UOI, the court held that any right protected by Article 21 cannot be restricted unless doing so follows a procedure that is just, fair, and reasonable.

Thus, the court laid down some guidelines for the exercise of power under Section 5(2), and these were later codified by the government. However, even after the judgement, surveillance was still conducted by the governments.

Need for clear procedure and guideline complementing the right to privacy of the citizens

The need for special legislation on data privacy and data protection was reiterated by the Supreme Court in the case of Justice K. S. Puttaswamy (Retd.) & Anr. versus Union of India & Ors. (2017). The court observed that “a delicate line must be established between the legitimate concerns of the State on the one hand and individual interest in the preservation of privacy on the other in order to strike a balance between data regulation and individual privacy poses complicated challenges. The promulgation of a data protection regime is a task that the state must take on after carefully weighing the demands of privacy, other values that the protection of data serves, and the legitimate interests of the state.”

The court also directed the government that the information which the government gathers must be used for clear and legitimate objectives; it cannot be used illegally for unrelated reasons. This will preserve the right to privacy while also ensuring that the legitimate concerns of the state are properly protected.

Placing emphasis on informed consent as central to informational privacy, the court ordered the state to draft a legislation addressing data privacy and data protection, emphasising that any restriction to the right to privacy must be “by law; must be necessary, reasonable and proportionate; and must promote a legitimate state interest.”

Accordingly, Justice BN Srikrishna Committee was constituted by the government in 2017, ‘to make specific suggestions for consideration of Central Government on principles to be considered for data protection in India and suggest a draft data protection bill’.

The committee did not provide a procedure or detailed guideline in the context of state surveillance. However, it asserted the importance of ‘consent’ and proposed some suggestions on data protection to the government. The Committee suggested that the Central Government enact legislation that would “provide for both parliamentary oversight as well as judicial approval of all requests for non-consensual access to personal data.”

It observed in the report that the government should process data without consent of the user only on the grounds of public welfare, law and order, emergency situations where the individual is incapable of providing consent, employment, and reasonable purpose. It also noted that adequate security safeguards must be incorporated in the law to guard against potential misuse of the authority.

The new Bill fails to recognise the right to privacy

The Digital Personal Data Protection Bill, 2022 is the latest draft of the data protection bill. It is the fourth version after the Personal Data Protection Bill, 2018, the Personal Data Protection Bill, 2019 and the Data Protection Bill, 2021.

On the new draft, Justice B.N. Srikrishna has remarked that the latest draft seemed to pick up some good points from the previous versions of the drafts but has worsened on some other issues. In an interview to a national daily newspaper, he called the draft ‘fundamentally flawed’ as the bill is loaded in favour of the state and may encourage the executive to act capriciously and infringe on the fundamental right of privacy.

All the iterations of the Bill differ from each other in many aspects; however, there is one similarity among them. They all failed to provide a robust framework for state surveillance, and under all of them the personal data of citizens can be processed without their consent.

The latest bill is much worse in the sense that it appears more arbitrary and opaque than previous versions.

Firstly, by the mandate of the Bill the government has a lot of power to exempt its agencies from any or all the provisions of the Bill. Due to the removal of the safeguards proposed in earlier versions, particularly the 2021 version, from the 2022 Bill, this power is wider than in earlier iterations. As a result, government agencies are free to collect personal data without complying with generally accepted privacy requirements, such as obtaining consent from the data subject or granting them the right to access, amend, or delete their data. Even private sector entities can be exempted under this version of the bill.

Secondly, the bill has abrogated the important provisions present under the 2021 bill, which called for a “just, fair, reasonable, and proportionate” process before the government could provide an exemption, and the provisions under the 2018 bill, which demanded that the exemption be “authorised by law.” Therefore, the power to conduct surveillance without providing any adequate safeguards to prevent the infraction of fundamental rights under Articles 19(1)(a) and 21 of the Constitution stands in contravention to the Constitution.

Thirdly, all the vital issues like the strength and composition of the Data Protection Board and the process of selection, terms and conditions of appointment and service, and removal of its Chairperson and other Members are relegated to delegated legislation, which is left to the discretion of the government. There is an over-reliance on rules to be framed by the executive, without proper guidelines by the legislature. In the interview, Justice B.N. Srikrishna was apprehensive that the Data Protection Authority will become ‘a puppet of the government and will have no independence.’ He highlighted the need for a robust and independent Data Protection Authority, as envisaged under the 2018 version of the draft.

Therefore, if the Bill is passed and it comes to the court for scrutiny, it may be struck down on the grounds that – i) it lacks transparency and accountability; ii) is not in line with the observations of the Supreme Court in the case of Puttaswamy, where the court declared that the law must be necessary, proportionate, and reasonable; iii) it provides an excess delegation of power to the central government without proper guidelines by the legislature.

Without a reasonable substantive law regarding surveillance architecture, which is formulated considering the right to privacy and backed by proper procedural guidelines and a redressal mechanism, the law will only appear to be arbitrary in nature. However, if carefully developed with a just, fair, and reasonable procedural law, data protection legislation may promote fundamental rights and institutional procedures that make sure that such capabilities are not utilised for political ends.