This article is Part 4 of a multi-part series explaining the recently issued white paper on data protection in India. The responses to the white paper will help in the formulation of India’s future data protection laws. You can read Part 1, Part 2 and Part 3.
Any right, even a fundamental right, is subject to restrictions. These are set out to balance two competing needs — the rights of the individuals and the rights and interests of others, such as that of the state. Even the right to privacy is, without doubt, subject to reasonable restrictions. While the Puttaswamy judgment outlined some of these, the data protection law which will embody the main restrictions. These will result in the exemption of certain activities from the ambit of the new law.
Exemptions from a data protection law will not imply a complete exemption from the protection it offers. Instead, it normally involves a partial waiver of the obligations, with the extent of the waiver to be determined on a case by case basis. The most common exemptions are for data that is already in the public domain, anonymous data and data on deceased persons. Another common exemption is to data with small businesses.
In the internet and technology age, even these traditional notions have to be challenged, in view of the increasing uses and disclosure of data. Apart from these, the White Paper discusses the following specific types of exemptions.
Personal or household purpose
The first exemption often found in various jurisdictions is the processing for personal or household purposes. This may be an individual’s personal diary or blog post, which lists information on his friends or relatives. It may be an individual’s address book. It may also include data collected through the installation of CCTV cameras in private residences.
An important point raised by the White Paper is the change in obligations involved even with such uses, in view of the tremendous ‘publishing power’ in the hands of people these days. Consider contact lists on your cell phone, data which is collected by several apps. An app like TrueCaller uses these contact lists to prepare global phone directories, and you have your and your friends’ data on this public space for anyone to access.
Similarly, consider private collections of data, such as matrimonial lists, which are prepared for circulation among private members, say of a particular society. Such lists could involve details of names, parent’s names, date of birth, contact details and other details specific to a matrimonial list. So long as the circulation of such lists is limited to the private members, it may fall under this exemption. But if the society decides to publish this data online, say through a blog post, then it is putting highly sensitive data out in the public domain, for anyone to access. This would be a privacy violation.
Journalistic / Artistic / Literary purpose
This exemption is crucial to maintaining a balance between the right to privacy and right to freedom of speech. Journalists often turn to methods which may be legal or covert to obtain data, and this is often justified in the name of protecting the public interest. Journalists gain access to, retain and have the power to disclose huge amounts of data in this process.
Such activities, even covert investigations, are often protected under this head, even in foreign data protection laws. The important aspect is to ensure that the public interest in the issue is justified, and the degree of intrusion is necessary. Consider newspapers which routinely acquire and publish personal data on public figures. Journalists are thus required to be fair and cautious of the information that they actually put out in the public domain through the media, in order to stay within the law.
A new issue in this field is the number of non-media journalists and even citizen journalists, who are officially not the press. Even such activities may be protected under this head if the public interest in the matter is established.
Similar exemptions also apply in the name of art and literature.
Research / Historical / Statistical purpose
The right to privacy should not be such that it impedes innovation and research. Thus, activities like academic research, collecting and recording data are exempted from certain obligations.
An example of this is the census. Under the law, people are obligated to hand over their data to officials collecting, recording and analysing this data. However, the same issue with the publishing power available to people today applies to this exemption as well. Publication of census data is fine, so long as it only involves anonymous, aggregated data, or the results of the analysis of this data. For example, it is fine to know that there are so many males, females and children living in a particular area.
However, a publication of the personal data collected on these people, revealing their names and addresses and other details, becomes a problem. Such census databases have been found online in the past, much like the Aadhaar databases disclosed by government websites. Care thus needs to be taken to ensure that the data in the possession of such authorities is adequately protected.
Investigation and detection of crime
Several laws in India such as the CrPC and the Prevention of Money Laundering Act give the State the power to conduct search and seizure operations for the purpose of investigations. This includes the authority to demand the production of a document by the individual.
Under a data protection law, any collection, use or sharing of data will require the consent of the individual in order to be legitimate. On the face of it, fulfilling obligations like acquiring the consent of an individual before conducting an investigation against him seems to defeat the very purpose of the investigation. Even acts like the right to information (RTI) contain exceptions for providing information which can hamper an ongoing investigation. However, when considering the details of conducting an investigation, this is less obvious.
Consider a police request for CCTV footage from a residence to investigate a crime. Next, consider requests from a tax official to an employer to disclose an employee’s details for investigating a suspected tax evasion. The general view in other jurisdictions is that the first example is valid under data protection laws, but the second may not. It will be valid only if a sufficient link can be established between the data sought, the investigation required, and the authority of the person seeking the data.
Another consideration to be had is with the databases created to aid such investigations. For example, consider the DNA databank proposed to be created in India, which is to store data from a crime scene, suspects or undertrials, offenders, missing persons and unknown deceased persons. While the DNA bill itself does contain some provisions to ensure privacy, the creation of such databases and safeguarding the data in them is an issue that should be addressed in a data protection law.
National security or security of the state
Exemption of activities by the state includes reasons like national security, security of the state, upholding the sovereignty, maintaining public order, etc. The White Paper does not specifically discuss the SC’s clause of ‘preventing dissipation of social welfare benefits’, a new clause added to the typical list of state-related exemptions listed above, purportedly introduced to protect state activities like the use of Aadhaar.
Consider the large-scale surveillance being conducted by state agencies like the NSA. Though this activity is in the name of prevention of terrorist activities and crime detection, it is a major invasion of privacy.
Another issue that arises in this respect is with border searches and the data collected at that point. Increasingly invasive border searches are seeing seizure of phones and other devices, copying of all data on them, demanding and storing social media and other passwords, all under the pretext of permitting entry into the nation. When the device of a NASA scientist or a journalist is seized, it brings the amount of sensitive data at risk at such points into focus.
Previously, the exercise of such powers required following a number of legally determined procedures and safeguards. Examples of these are the Supreme Court rules in the telephone tapping case and the rules for interception and monitoring under Section 69 of the IT Act, 2000. Such safeguards are essential to prevent privacy violations such as conducting large-scale surveillance on people and the warrantless seizure of devices at the borders.
Key questions raised in the White Paper
Such new uses of and risks with data need to be taken into consideration while determining the contours of these exemptions.
In view of these issues, the White Paper has sought comments on the following key questions w.r.t exemptions:
- What exemptions must be included in the new law? What are the basic safeguards which should apply to these?
- What are your views on the specific exemptions discussed here and what should their scope be?
- How should terms like ‘journalist’, ‘art’ and ‘literature’ be defined?
- How much protection should be offered to non-media persons?
- Is prior judicial approval required before exercising investigative powers? Should there be a subsequent review of such acts?
- What are the obligations on law enforcement agencies to protect personal data in their possession? How can it be ensured that such data is only used for bona fide purposes?
- Should there be a separate exemption for the assessment and collection of tax?
- Any other views?
Part I of the series explores the definitions of personal data and sensitive personal data, Part II of the series examines the jurisdiction and territorial scope of data protection laws and Part III of the series explores cross-border data flows and data localisation.
The author is a lawyer and author specialising in technology laws. She is also a certified information privacy professional.
Updated Date: Dec 04, 2017 09:29 AM