Shambhavi Thakur

Before the Panama Papers were published in 2016, what if the Indian Express had been hauled before a data protection board for violating the privacy of those who held accounts in tax havens?

If the latest iteration of India’s privacy bill passes, that just might be the case for future exposés, with the government removing exemptions from data protection obligations for journalistic work. This means that for any story containing personal data, journalists may have to prove before the proposed data protection board – and there’s no clarity as to who is on this board – that their story was in public interest.

Public consultation for the fourth iteration of the privacy bill, now called the Digital Personal Data Protection Bill 2022, which was released on November 18, ended on January 2. Importantly, the three previous versions – 2018, 2019 and 2021 – all exempted journalistic work from certain obligations of the bill.

The 2018 iteration had been proposed by a committee of experts headed by retired Supreme Court judge BN Srikrishna. It was amended in 2019 by the IT ministry, and then released in 2021 by a joint parliamentary committee constituted to look at the 2019 version.

Under the previous iterations, news publishers were already considered data fiduciaries but as employers and/or subscription service providers. They were, by default, mandated to protect the personal data of their employees and subscribers. Data fiduciaries are the entities that determine the purpose and means of processing personal data, and have been at the centre of attracting all obligations under the privacy bills. For instance, all social media platforms, most digital service providers, the government’s UIDAI, all employers with employee data — all would be considered data fiduciaries under the bill.

But by removing the exemption for journalistic activities, data protection obligations now extend to the stories themselves. When Newslaundry asked Rajeev Chandrasekhar, minister of state for IT, about this on December 23, he said, “How can someone get a free pass just because they are a journalist? there is no free pass for anybody.”

But, as multiple experts told Newslaundry, this will create significant friction in the reporting process and is bound to have a chilling effect on the media.

Why journalists need exemptions 

In July 2018, the Justice Srikrishna committee released a report alongside the first version of the privacy bill.  The report noted that if journalists are “made to adhere to the grounds of processing personal data, it would be extremely onerous for them to access information”.

Instead, the committee suggested that all media houses publicly commit to observing published privacy standards that are considered adequate by the data protection regulator. These standards could be set by different media regulatory organisations. Only journalists who adhered to them – either through their employers or through self-declarations, in the case of independent journalists – could be exempted.

In its submission to the Srikishna committee, the News Broadcasters Association outlined certain standards that journalists should adhere to, such as publishing facts that are accurate, fair, neutral, objective, relevant and impartial; keeping data securely; and processing personal data while considering people’s right to privacy.

Rishab Bailey, a technology lawyer and a visiting fellow with the XKDR Forum, a cross-disciplinary think tank, said journalists should be exempted from some obligations of data protection laws to “balance competing interests of right to expression and right to privacy” and to “promote a healthy democratic discourse”.

Is ‘consent’ counterintuitive in journalism?

Consent is one of the main guiding principles of any data protection regime. But why would the subject of a media story consent to having their personal information published, especially if the story was critical of the subject?

This was recognised by the Srikrishna committee as well, which noted that “mandating grounds of processing like consent would mean that accounts that are unfavourable to the data principal” – referring to the subject of the personal data – “would simply not get published”.

The report said that notice and consent obligations, especially in cases of investigative journalism, would be counterintuitive.

But the 2022 bill introduced the concept of “deemed consent”. The grounds for considering whether an individual is “deemed to have given consent” do not explicitly include journalistic work. Consent is deemed to have been given if it is in “public interest” but the bill’s non-exhaustive list only includes purposes such as debt recovery, credit scoring, processing publicly available personal data, and fraud prevention and detection.

All purposes for processing data should usually be “fair” and “reasonable”. While determining whether consent is deemed to have been given for a “fair and reasonable purpose”, the bill has recommended some guardrails: interests of the data fiduciary (data controller) must outweigh the adverse effects on the rights of the user, public interest in such processing, and the reasonable expectations of the user.

This story was originally published in newslaundry.com . Read the full story here