In early-November, 2022, the Indian Ministry of Electronics & Information Technology published the draft Digital Personal Data Protection Bill, 2022 (‘the 2022 Bill’), which represents the Indian Government’s latest attempt at framing a comprehensive data protection and regulation framework. The 2022 Bill was quickly panned by critics from across the political spectrum and civil society for whittling down key rights and protections, introducing the problematic concept of ‘deemed consent’, and writing the Central Government a blank cheque on critical issues like state surveillance.
In this article, I analyse the 2022 Bill from a constitutional law perspective. I argue that the 2022 Bill’s provisions as to subordinate legislation fly in the face of the Indian Supreme Court’s delegation doctrine inasmuch as these provisions set no coherently determinable legislative policy, thereby allowing the Executive to exercise plenary legislative power through delegated legislation. This, I further argue, is a breach of the principle of separation of powers as it exists in Indian constitutional jurisprudence.
The Indian Delegation Doctrine
The Indian Executive is frequently charged with pushing through legislative proposals that enact wholesale transfers of plenary legislative powers to government departments. The 2022 Bill is no different. However, before undertaking an analysis of the 2022 Bill’s provisions, it is necessary to enumerate the legal position on delegated legislation in India.
The Supreme Court of India discussed the limits of delegated legislation in Delhi Laws Act, 1912. Broadly speaking, the ratio decidendi of the opinion can be summed up as: first, delegated legislation was not unlimited in scope due to the codified nature and supremacy of the Constitution; second, Parliament could not delegate away its “essential legislative powers”; and third, essential legislative power, generally, referred to the Legislature’s power to lay down a particular policy as binding rules and standards.
The reasoning of Delhi Laws Act, 1912 was further clarified by the Supreme Court in Harishankar Bagla v. State of Madhya Pradesh. In this case, the Court was concerned with the constitutionality of Sections 3 and 4 of the Essential Supplies (Temporary Powers) Act, 1946, which granted broad discretionary powers to the Government of India, to be exercised through subordinate legislation. The Court attempted to clarify the concept of ‘essential legislative function’ and held that “the Legislature must declare the policy of the law and the legal principles which are to control any given cases and must provide a standard to guide the officials or the body in power to execute the law. The essential legislative function consists in the determination or choice of the legislative policy and of formally enacting that policy into a binding rule of conduct”. The Court further held that this “legislative policy” could be inferred from a holistic reading of the statute in question, including its preamble, and its attendant context.
The nature of this inferential exercise of determining a particular legislative policy was further discussed by the Supreme Court in Avinder Singh v. State of Punjab. In this case, the Court looked at statutory language that may be used to infer a law’s legislative policy. In particular, the Court reasoned that the Government’s power to enact subordinate legislation was limited to operationalising the “purposes of the Act”. Thus, the Court seemed to suggest a narrow scope for delegated legislation.
Violations, Violations Everywhere: The Content of the 2022 Bill
From this discussion, one can infer the following proposition: When enacting a statute with provisions for delegated legislation, the Legislature must lay down a clearly-enunciated legislative policy as binding rules and standards that regulate the conduct of officials. If such a legislative policy were not laid down or if the delegated legislation contravened this legislative policy, then either the statute or the subordinate legislation, as the case may be, would be ultra vires.
It is not hard to see how the 2022 Bill fails to live up to this legal position. Consider, for example, Section 8 of the 2022 Bill. This provision deals with various aspects of ‘deemed consent’ ( ). Sub-clauses (1) to (8) of the Section attempt to provide a limited set of scenarios where deemed consent can be applied. A perusal of these sub-clauses makes it clear that the legislative policy on deemed consent is for it to be invoked in a restricted manner. However, sub-clause (9), couched in vague terminology like “fair and reasonable”, allows the Central Government to authorise the application of deemed consent in other scenarios via delegated legislation. The only limitation that the 2022 Bill places on this power is a set of ambiguous considerations that the Executive ought to keep in mind when enacting rules. What role and weightage these superfluous considerations have vis-à-vis actual rulemaking is not specified. In effect, the Central Government is free to enforce deemed consent as it deems fit; the careful curation of limited scenarios wherein this consent standard is to apply in sub-clauses (1) to (8) is rendered nugatory by sub-clause (9).
One of the most jarring examples of facilitating Executive abuse is Section 18, which deals with exemptions. If the ostensible legislative policy of the 2022 Bill is to create a framework to protect citizens’ data, then Section 18 single-handedly militates against that inasmuch as it authorises the Executive to exempt its agencies and instrumentalities from the application of the 2022 Bill’s critical provisions. Furthermore, sub-clause (3) allows the Central Government to exempt data fiduciaries from key provisions of the proposed law. Now, this is not to argue that limited exemptions cannot be provided to the state. For example, the United Kingdom’s Data Protection Act, 2018 clearly specifies instances where data protection ought to give way to other considerations like national security; it sets a coherent legislative policy that limits Executive discretion. The Indian Bill, however, in stark contrast, leaves it to the Government to decide when it should exempt itself from data protection provisions. The subjective satisfaction of the Executive is prioritised over coherent standards enacted by the Legislature.
The final nail in the coffin of any oversight over the Executive’s actions under the proposed law is Section 19, which provides for the creation of a Data Protection Board of India. According to the 2022 Bill’s explanatory note and the text of the provision, the Data Protection Board is supposed to be the principal regulatory authority set up under the law, which is to enforce the Bill’s provisions against both government and private actors. However, instead of setting up a truly effective oversight mechanism (which would have been the appropriate approach from a legislative policy standpoint), the 2022 Bill enacts a wholesale transfer of powers as to the Board’s composition, selection process, conditions of service, functioning, etc. to the Executive. The Executive, thus, has the power to decide almost all aspects of the body created to regulate its actions vis-à-vis personal data processing. The 2022 Bill fails to set a coherent legislative policy with regards to the Data Protection Board, allowing the Executive to exercise plenary legislative power.
Therefore, in conclusion, the 2022 Bill comes across as an enabling (or blank cheque) legislation for the Executive instead of a coherent regulatory framework for data protection in India. In addition to infringing the sophisticated delegation doctrine that has developed over a series of Supreme Court decisions, the 2022 Bill also violates the principle of separation of powers under the Indian constitutional scheme.
Killing Separation of Powers
The Constitution of India does not envisage a strict separation of powers akin to the American Constitution. However, that is not to say that the Constitution does not recognise separation of powers at all; according to the Supreme Court in Rai Sahib Ram Jawaya Kapur v. State of Punjab, it clearly does. Furthermore, the principle itself is a part of the basic structure of the Indian Constitution today.
The 2022 Bill infringes separation of powers on two principal counts:
Firstly, when the Legislature fails to enact a coherent and determinable legislative policy as to a particular issue in a law and provides for delegated legislation, it impliedly transfers plenary legislative power to the Executive. According to the Supreme Court in Delhi Laws Act, 1912, and other decisions on excessive delegation that have followed, this is a violation of separation of powers as law-making is an essential legislative function. By failing to set coherent legal standards and policy on a whole range of issues, as the previous section demonstrated, the 2022 Bill makes the Executive the primary lawmaker on multiple counts. This derogates from the role the Legislature is supposed to play under the Indian constitutional scheme and is, thus, constitutionally suspect.
Secondly, the Data Protection Board, as a quasi-judicial body, does not enjoy sufficient independence from the Executive in any of its spheres of functioning. According to the Supreme Court in B. Rajagopala Naidu v. State Transport Appellate Tribunal, separation of powers extends to the functioning of quasi-judicial bodies (i.e., bodies created under statutes to adjudicate between two or more contesting parties) as well. The scheme of the 2022 Bill envisages the Board to be the principal regulatory and adjudicatory body under the proposed law. However, by failing to provide for independence of the Board from government control, the 2022 Bill violates the Supreme Court’s jurisprudence on this point and runs afoul of the Constitution. Additionally, the 2022 Bill is not in consonance with global best practices wherein substantive oversight mechanisms have been created in order to guard against abuse of power.
In conclusion, the 2022 Bill, from a constitutional standpoint, represents a naked government usurpation of power instead of a cogent, clear data protection framework. This Bill, if enacted, would place the Central Government in near-total control of how data collection and processing is regulated in India, with almost no significant oversight or accountability.