Technology Law Analysis
March 04, 2022
The Data Protection Bill: In Search of a Balanced Horizontal Data Protection Framework
We are excited to announce our latest series of quick takes on the emerging data protection framework in India, and its implications for the Government, the industry and other stakeholders. We are kick-starting the series with our first piece discussing the need for appropriately framed Government exemptions under the proposed Data Protection Bill, 2021 (DPB).
The DPB previously called the Personal Data Protection Bill, 2019 (PDPB)) has been recommended by the Joint Parliamentary Committee after two years of review.1 The DPB proposes a significant overhaul of the existing regulatory framework for data protection, as contained under the Data Protection Rules.2
The DPB, to a large extent, owes its formulation to the observations of the Supreme Court of India in K.S. Puttaswamy v. Union of India.3 The Court in Puttaswamy, recognized the right to privacy (including right to informational privacy) as a fundamental right implicit in the right to life and personal liberty guaranteed under Article 21 of the Indian Constitution, and other fundamental guarantees that flow from Part – III of the Indian Constitution.
However, while doing so the Court noted that the right to privacy is not an absolute right, and that subject to the satisfaction of certain tests and benchmarks, a person's privacy interests can be overridden by competing state and individual interests. Nonetheless, the Court recognized the need for a cross-sectoral and horizontally applicable legislation (i.e. applicable to the Government as well as private persons), noting that the right to privacy, being enforceable primarily against the State, imposes upon the State both negative and positive commitments, i.e. to restrict the State from unfairly interfering in the privacy of individuals, while putting in place legislation to restrict others from doing so, and providing conditions for the development and dignity of individuals.
Resultantly, as opposed to the Data Protection Rules, the DPB is horizontally applicable, rights-based (i.e. it defines a data subject’s rights vis-à-vis her personal data) and cross-sectoral in nature. However, in its present form, the DPB maintains widely worded provisions, that could enable the Government to exempt itself from the applicability of the DPB once enacted – which arguably go beyond the permissible limits of impinging upon individual privacy, as set forth in Puttaswamy.
Clause 35 of the DPB and Potential Issues
Clause 35 of the DPB enables the Central Government to exempt any agency of the Government from any or all provisions of the DPB.
The Supreme Court has previously observed in PUCL4and Puttaswamy, that derogations from the right to privacy, need to be assessed against (a) the requirements under Article 21 of the Constitution (i.e. for the derogation to be just, fair and reasonable); and (b) the limits prescribed for imposing reasonable restrictions on any other right that is impacted.
Resultantly, exemption provisions such as Clause 35, need to meet the four-step test that emerges from the Supreme Court’s prior observations: (a) legality (existence of a law); (b) legitimate goal (existence of a legitimate State aim underlying the derogation); (c) proportionality (existence of a rational nexus between the objects and the means to achieve them, narrow tailoring of derogation in line with reasonable restrictions, such that derogation is proportionate to the aim sought to be achieved); and (d) procedural guarantees (existence of a fair, just and reasonable procedure).
The grounds for triggering the exemption under Clause 35, have been linked to the grounds specified under Article 19(2) of the Constitution of India (i.e. reasonable restrictions relatable to the exercise of freedom of speech and expression), thereby establishing a legitimate State aim. However, despite the limitations introduced, Clause 35 falls short of meeting the test of narrow tailoring and proportionality – since the provision offers no guidance as to the scope of the exemption, instead enabling the Government to exempt its agencies from any or all of the provisions of the DPB.
While the newly introduced Explanation (iii) to Clause 35 adds that exemptions granted under this Clause, would be subject to just, fair, reasonable and proportionate procedures – thereby implying the existence of procedural guarantees – it does not explicitly define the contours of such procedural guarantees in the DPB.
Bringing the DPB in line with Puttaswamy
To remedy this, the Government should consider amending Clause 35 of the DPB and bring it in line with the requirements of narrow tailoring and procedural and substantive proportionality, as previously set forth by the Supreme Court in PUCL and Puttaswamy.
You can direct your queries or comments to the authors
1 See, Report of the Joint Parliamentary Committee on Data Protection, 16 December 2021, Available at URL:
2 See, The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (Data Protection Rules) issued under the Information Technology Act, 2000 (IT Act), read with Section 43A of the IT Act, Available at URL: https://www.meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf;
3 See, K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1
4 See, People’s Union for Civil Liberties (PUCL) v. Union of India, (1997) 1 SCC 301
The contents of this hotline should not be construed as legal opinion. View detailed disclaimer.