India’s Latest Draft Bill on Data Protection: Exemption Clause and Related Privacy Concerns

by | Dec 22, 2022

author profile picture

About Anupam Verma

Anupam Verma is a second year law student at National Law University Odisha, India

Image description: a laptop with a lock on the screen.

The government of India recently released the draft Digital Personal Data Protection Bill, 2022 (DDPB), hoping to finally give the nation its first proper data protection law. However, this is not the first bill on data protection in recent years. The Srikrishna committee, set up by the union government, released a draft in 2018. Building on that, the union government released the draft Personal Data Protection Bill, 2019 (PDPB). The PDPB was withdrawn in August 2022 after the Joint Parliamentary Committee (JPC) suggested 81 amendments to the 99-section bill. After nearly three months since the withdrawal, the union government has now proposed the DDPB.

The latest bill differs from its predecessor in some ways, but there are some concerning similarities too. Section 18(2)(a) of the DDPB empowers the union government to exempt any instrumentality or agency of the state from the purview of the act “in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these.” These terms are left undefined in the bill, making the grounds for exemption alarmingly broad and thus prone to misuse. This provision is strikingly similar to Section 35 of the now-withdrawn PDPB, a section against which various JPC members had expressed privacy concerns.

In its 2018 draft, the Srikrishna committee also suggested exemptions for the state and its agencies on certain grounds, but only when they are backed by a law that has been duly passed by parliament. This suggestion was in accordance with the Puttaswamy judgment, which along with declaring the right to privacy as a fundamental right, also allows for certain restrictions if they are backed by a law, serve a legitimate aim of the state, pass the proportionality test laid down in the Modern Dental College judgement, and have procedural safeguards against abuse.

But according to Section 18(2)(a) of the DDPB, an exemption can be granted by a mere executive notification of the union government without needing to give reasons. This provision doesn’t pass the test laid down in the Puttaswamy judgement because (a) there is no requirement for a law passed by parliament but just an executive notification; (b) there is no way to determine whether the goal is legitimate because specifying the reason for exemption is not mandatory for the union government; (c) for similar reasons it cannot be subjected to the proportionality test; and (d) after being exempted, a state agency will also be out of the purview of the safeguards stipulated in the bill. Furthermore, Section 18(4) of the DDPB permanently exempts the state and its agencies from the requirement of doing away with personal data after its intended purpose has been fulfilled. These provisions are far-reaching in their effect and could be disastrous for the privacy of Indians.

In addition to obeying the Constitution’s negative injunctions not to interfere with certain civil liberties, the Indian state has a positive obligation to safeguard the rights of its citizens from encroachment (Granville Austin, The Indian Constitution: Cornerstone of a Nation). In the I. C. Golaknath judgment, the Supreme Court of India (SC) said that fundamental rights are passive obligations of the state, and the state should not deny these rights mentioned in the constitution. In the Prithipal Singh judgment, the SC said that the right to life, of which the right to privacy is a part (Puttaswamy), is supreme and basic, and the state has a negative obligation to prohibit arbitrary deprivation of it as well as a positive obligation to protect it.

The Srikrishna Committee had envisaged that Indian data protection law should be modelled on the EU’s General Data Protection Regulation (GDPR), but the latest bill is far from it. The union government needs to treat the right to privacy with the same regard as the Indian judiciary has, and therefore, it must revisit the DDPB and do away with the provisions that provide for arbitrary and vague restrictions of this fundamental right.

Want to learn more?

Share this:

Related Content


Submit a Comment