
Ignored the recommendation of the committee with regard to necessity and proportionality

NECESSITY https://www.medianama.com/wp-content/uploads/Centre-for-Internet-and-Society-Submission-India-Draft-Data-Protection-Bill-Privacy-2018.pdf
Section 40: Restrictions on Cross-Border Transfer of Personal Data Comments: This section
adopts a three-pronged model delineating the transfer of data outside India. First, as per Section
40(1) all personal data to which the Bill applies must have at least one live, serving copy stored
inside India. Second, with regard to certain categories of personal data to be notified as ‘critical
personal data’ by the central government under Section 40(2), there is a mandate to store and
process this personal data only in India such that no transfer abroad is permitted. Third, under
Section 40(3) the Central government has been bestowed with the power to exempt transfers on
the basis of strategic or practical concerns, thereby enabling the free flow of data when they
deem it to be justified. Comments: This submission is not meant to serve as a blanket criticism of
data localisation, in circumstances which benefits India’s strategic interests and is clearly defined
in a sector-specific law or regulation in which case the costs and benefits of having a localisation
provision can be evaluated keeping the context in mind. However, the ‘one-size-fits-all’
approach to data localisation with the vesting of ‘carte blanche’ authority on the government to
determine exemptions and export prohibitions is unjustified. In particular, allowing these
questions to be delegated to agencies of the Central Government rather than voted on and passed
by the Legislature opens the government up to allegations of excessive delegation to the
Executive of legislative responsibility and consequently, a lack of effective representation in the
passage of crucial provisions of a law with wide-ranging ramifications. A more restrained
approach to localisation is required, which should be determined by sectoral regulators after
consultation with crucial stakeholders that may be impacted by localisation requirements.

Grutter v Bollinger:
“Even in the limited circumstance when drawing racial distinctions is
permissible to further a compelling state interest, government is still
constrained under equal protection clause in how it may pursue that end:
the means chosen to accomplish the government’s asserted purpose must
be specifically and narrowly framed to accomplish that purpose.”

Crucially, then, the Court in Gobind seemed to implicitly accept the narrow-tailoring
flip side of the compelling state interest coin. On the
constitutionality of the Police Regulations itself, it upheld their
constitutionality by reading them narrowly. Here is what the Court said:
“Regulation 855, in our view, empowers surveillance only of persons against
whom reasonable materials exist to induce the opinion that they show a
determination, to lead a life of crime – crime in this context being confined
to such as involve public peace or security only and if they are dangerous
security risks. Mere convictions in criminal cases where nothing gravely
imperiling safety of society cannot be regarded as warranting surveillance
under this Regulation. Similarly, domiciliary visits and picketing by the police
should be reduced to the clearest cases of danger to community
security and not routine follow-up at the end of a conviction or release from
prison or at the whim of a police officer.”
But Regulation 855 did not refer to the gravity of the crime at all. Thus,
the Court was able to uphold its constitutionality only by narrowing its scope
in a manner that the State’s objective of securing public safety was met in a
way that minimally infringed the right to privacy.
Therefore, whether the Gobind bench was aware of it or not, its holding
incorporates into Indian constitutional law and the right to privacy, not just
the compelling State interest test, but narrow tailoring as well.
As per Chandrachud J, while referring to the doctrine of
‘legitimate state interests’, the Court refers to the three
step process where firstly, there must be a law in
existence to justify an encroachment. Secondly, there
must be a legitimate state aim, ensuring that the
restriction of the statute falls within the zone of
reasonableness mandated by Article 14. Thirdly, the
means which are adopted by the legislature must be
proportional to the object and needs of the
legislation/provision.
Informational privacy (Puttaswamy)
Insofar as the second aspect, namely, informational privacy is
concerned, it does not deal with a person’s body but deals with a
person’s mind. In this manner, it protects a person by giving her control
over the dissemination of material that is personal to her and
disallowing unauthorised use of such information by the State.

In Modern Dental College & Research Centre v. State of
Madhya Pradesh & Ors, a five-judge Bench of the
Supreme Court listed four components to be looked at in
order to determine proportionality. These were based on
the observations of former Chief Justice of the Supreme
Court of Israel, Aharon Barak.

The same was agreed to in essence by a nine-judge Bench
of the Supreme Court in Justice KS Puttaswamy v. Union
of India, in which the Court upheld privacy as a
fundamental right. In the judgment authored by
Justice Sanjay Kishan Kaul, proportionality can be
ascertained on the basis of the following:

(a) the action must be sanctioned by law;

(b) the proposed action must be necessary in a democratic society for a legitimate aim;

(c) the extent of such interference must be proportionate to the need for such interference;

(d) There must be procedural guarantees against abuse of such interference.

Justice AK Sikri, in the majority judgment, considers the
above for determining whether Aadhaar passes the
proportionality test, albeit with a more nuanced approach.

“It (the proposed Bill) is a significant change from the (Justice BN) Srikrishna
Committee’s (draft regulations) which had positive obligations that had to be
fulfilled by the government to process personal data such as it being pursuant to
a law, proportionality and necessity. This new Bill has flipped this by giving power
to exempt agencies through a simple notification,” said Nehaa Chaudhari,
director, public policy at Ikigai Law. “It is a critical change, where the government
can decide how th ..

Read more at: https://economictimes.indiatimes.com/news/economy/policy/personal-data-protection-bill-exemptions-for-government-agencies-worry-experts/articleshow/72465610.cms
Justice Srikrishna’s version provided for an exemption
to the government only on grounds of security of
state. The 2019 Bill extends it to include: Sovereignty
and integrity of India. Friendly relations with foreign
states. Public order. Preventing incitement to the
commission of any cognizable offence relating to
sovereignty and integrity of India, the security of the
State, friendly relations w

Section 90 of the draft


The 2019 Bill has considerably narrowed the list of
offences compared to the version authored by the
Justice Srikrishna committee. Only re-identification
and processing of de-identified personal data comes
with imprisonment compared to a long list that was
proposed by Justice Srikrishna Committee, namely:
Obtaining, transferring or selling of personal data.
Obtaining, transferring or selling of s

Read more at: https://www.bloombergquint.com/law-and-policy/personal-data-protection-bill-fails-to-deliver-on-the-promise-of-privacy-experts-say
Section 6: Collection limitation Comments: Section 6 states that the collection of personal data shall be
limited to such data that is necessary for the purposes of processing. The provision currently does not
incorporate the standard of ‘proportionate’ - thus potentially allowing for overcollection tied to overly
broad purposes. https://www.medianama.com/wp-content/uploads/Centre-for-Internet-and-Society-Submission-India-Draft-Data-Protection-Bill-Privacy-2018.pdf

Section 13: Processing of personal data for the functions of the state Comments: Section 13(1) of the Bill
states that personal data may be processed if such processing is necessary for any function of
Parliament or any State Legislature. Section 13(2) of the Bill states that personal data may be processed
if such processing is necessary for the exercise of any function of the State authorised by law for
providing service or benefit to the data principal or for the issuance of any certification, license or permit
for any action or activity of the data principal by the State. Recommendations: Under subsection 2, the
conditions for the non consensual processing should not just rely on necessity, but also on
proportionality. The Puttaswamy judgement laid out the three pronged test of necessity, legitimacy and
proportionality. The non consensual use of data by the state for providing services for the benefit of the
data principal needs to be not just necessary but also proportional to the exercise of the function of the
state. The report of the DP Bill states that the processing of data by the state must be strictly that which
is necessary and is proportionate to the legitimate purpose at hand. Hence we suggest that this test
of necessity and proportionality for the non consensual processing of data be reflected not only in the
report of the Bill but also in the provision of the Bill. SAME REASON WAS USED IN THE AADHAAR
JUDGEMENT.

SECTION 35

The standard of necessary and proportionate for the security of state, or prevention, detection,
investigation and prosecution of contraventions of law is too vague. While it may not be possible to
exhaustively define what constitutes necessary and proportionate, it would be extremely useful to
include explanations which provide guidance about how these legal tests ought to be construed.

DISCRETION OF THE DATA FIDUCIARY TO KEEP THE DATA FOR AS LONG AS HE WANTS

Costs:
https://pure.tudelft.nl/portal/files/41902006/The_effectiveness_of_surveillance_technology_What_intelligence_officials_are_saying.pdf

One way to evaluate the actual effectiveness of surveillance technology is a cost-benefit
analysis. Mueller and Stewart (2011) use risk assessment to determine the risk of a
terrorist attack and then gauge whether the costs of security measures are outweighed
by the benefit of a likely-prevented attack. They argue that the enormous amounts of
spending in the U.S. on anti-terrorist measures far outweigh the benefits gained.
But this giant global drag-net is not based on a good and complex understanding of what and who we are
supposed to look for. Risk profiles are notoriously imprecise and tend to produce a substantial number
of false positives, leading to an overload of surveillance manpower. Algorithms can help to process and
sort huge amounts of data, but their output ends up at the desk of human beings. And – as in most
cases, where ICT is involved – the human brain is the bottleneck in the decision process leading from
intelligence to practical action. So what remains at the end of the intelligence and data-processing food
chain is the bottleneck of human intelligence and bureaucratic-administrative decision-making. Human
actors have to decide what is important. They have to produce written threat assessments informing
higher-level policy makers and senior officials. At the end of the day decisions have to be made and
someone has to be held accountable for it. https://www.cepol.europa.eu/sites/default/files/26-reinhard-kreissl.pdf
