By removing the exemption for journalistic work, news publishers run the risk of becoming data fiduciaries.
Before the Panama Papers were published in 2016, what if the Indian Express had been hauled before a data protection board for violating the privacy of those who held accounts in tax havens?
If the latest iteration of India’s privacy bill passes, that just might be the case for future exposés, with the government removing exemptions from data protection obligations for journalistic work. This means that for any story containing personal data, journalists may have to prove before the proposed data protection board – and there’s no clarity as to who is on this board – that their story was in public interest.
Public consultation for the fourth iteration of the privacy bill, now called the Digital Personal Data Protection Bill 2022, which was released on November 18, ended on January 2. Importantly, the three previous versions – 2018, 2019 and 2021 – all exempted journalistic work from certain obligations of the bill.
The 2018 iteration had been proposed by a committee of experts headed by retired Supreme Court judge BN Srikrishna. It was amended in 2019 by the IT ministry, and then released in 2021 by a joint parliamentary committee constituted to look at the 2019 version.
Under the previous iterations, news publishers were already considered data fiduciaries but as employers and/or subscription service providers. They were, by default, mandated to protect the personal data of their employees and subscribers. Data fiduciaries are the entities that determine the purpose and means of processing personal data, and have been at the centre of attracting all obligations under the privacy bills. For instance, all social media platforms, most digital service providers, the government’s UIDAI, all employers with employee data — all would be considered data fiduciaries under the bill.
But by removing the exemption for journalistic activities, data protection obligations now extend to the stories themselves. When Newslaundry asked Rajeev Chandrasekhar, minister of state for IT, about this on December 23, he said, “How can someone get a free pass just because they are a journalist? there is no free pass for anybody.”
But, as multiple experts told Newslaundry, this will create significant friction in the reporting process and is bound to have a chilling effect on the media.
Why journalists need exemptions
In July 2018, the Justice Srikrishna committee released a report alongside the first version of the privacy bill. The report noted that if journalists are “made to adhere to the grounds of processing personal data, it would be extremely onerous for them to access information”.
Instead, the committee suggested that all media houses publicly commit to observing published privacy standards that are considered adequate by the data protection regulator. These standards could be set by different media regulatory organisations. Only journalists who adhered to them – either through their employers or through self-declarations, in the case of independent journalists – could be exempted.
In its submission to the Srikishna committee, the News Broadcasters Association outlined certain standards that journalists should adhere to, such as publishing facts that are accurate, fair, neutral, objective, relevant and impartial; keeping data securely; and processing personal data while considering people’s right to privacy.
Rishab Bailey, a technology lawyer and a visiting fellow with the XKDR Forum, a cross-disciplinary think tank, said journalists should be exempted from some obligations of data protection laws to “balance competing interests of right to expression and right to privacy” and to “promote a healthy democratic discourse”.
Is ‘consent’ counterintuitive in journalism?
Consent is one of the main guiding principles of any data protection regime. But why would the subject of a media story consent to having their personal information published, especially if the story was critical of the subject?
This was recognised by the Srikrishna committee as well, which noted that “mandating grounds of processing like consent would mean that accounts that are unfavourable to the data principal” – referring to the subject of the personal data – “would simply not get published”.
The report said that notice and consent obligations, especially in cases of investigative journalism, would be counterintuitive.
But the 2022 bill introduced the concept of “deemed consent”. The grounds for considering whether an individual is “deemed to have given consent” do not explicitly include journalistic work. Consent is deemed to have been given if it is in “public interest” but the bill’s non-exhaustive list only includes purposes such as debt recovery, credit scoring, processing publicly available personal data, and fraud prevention and detection.
All purposes for processing data should usually be “fair” and “reasonable”. While determining whether consent is deemed to have been given for a “fair and reasonable purpose”, the bill has recommended some guardrails: interests of the data fiduciary (data controller) must outweigh the adverse effects on the rights of the user, public interest in such processing, and the reasonable expectations of the user.
The central government is also allowed to prescribe other “fair and reasonable purposes” to process personal data using deemed consent through subordinate legislation. This means that at a later date, the central government can pass rules and regulations (for instance, the IT Rules 2021 are a subordinate legislation under the Information Technology Act) under the DPDP Act to detail such purposes.
Retired Supreme Court judge Jasti Chelameswar told Newslaundry that “a subordinate legislation cannot go beyond the remit of the parent law”. Chelameswar was part of the nine-judge bench that upheld the right to privacy and gave the Shreya Singhal judgement that struck down section 66A of the IT Act.
Experts whom Newslaundry spoke to disagreed about whether or not “deemed consent” would suffice as a means to exempt journalistic work.
“No exception has been made under the concept of deemed consent for journalistic work. The deemed consent will apply if the personal data accessed is [already] in the public domain,” said Justice Srikrishna.
However, Justice Chelameswar disagreed. Since the public interest provision under deemed consent is not exhaustive, it could include journalistic work, he told Newslaundry. Bailey agreed.
Impact of the removal of the exemption
“If you are dealing with personal data, you are in trouble,” said Justice Srikrishna. “This will have a chilling effect on free speech.”
Data protection regimes seek to empower users by allowing them certain rights, such as the right to correct their data, or get certain personal data erased. But how do you allow a data principal, who in this case is the subject of the story, to exercise such rights?
The Srikrishna report had taken this into consideration, saying that allowing data principals to exercise their rights to access, confirm and correct would “often be incompatible with journalism”. Such requests could therefore be rejected both before and after the publication of a news story.
The report also recognised that, without the exception, journalists could be inundated with requests to “block or slow down investigation or publishing of a piece of news”.
While reporting, journalists are ethically required to follow a “no surprises” policy – they reach out to the subject of a story before it is published with the allegations made and give them a chance to respond. Under the new bill, the subject of the story could haul the journalist before the Board at this stage itself, ensuring that the story is either delayed or completely dropped.
Hence, the 2018 and 2019 versions of the bill accordingly exempted journalistic work from these obligations. They also removed the limits on the purpose of data collection and data retention periods, while the basic obligation of fair and reasonable processing continued to apply.
Now, without the exemption, as Bailey said, a journalist would have to adhere to all the normal obligations placed on data fiduciaries.
“This will essentially mean that journalists will have to demonstrate that their work was in public interest and did not disproportionately intrude on a person’s privacy rights,” he said. “Fighting legal challenges takes time, money and effort. Therefore, the threat of legal action could stifle investigative reporting.”
Multiple journalists contacted by Newslaundry for this story said they had not considered the impact of this removal of exemptions on their work.
Chilling effect on whistleblowers, sources
Journalists often rely on whistleblowers and sources to share documents and information to hold companies and governments accountable. Without the exemption, if the board says an activity wasn’t in “public interest”, both the whistleblower and the journalist could be found guilty for causing a personal data breach. They would face financial penalties of up to Rs 250 crore.
Justice Srikrishna pointed out that Indian law “does not provide any protection to whistleblowers, which is why there should have been some exception made for bona fide motives.”
Back in December, Rajeev Chandrasekhar told Newslaundry how it could play out.
“If I consent to give you [data fiduciary] certain personal data of mine, and if you decide to put some data of mine online, and someone gets it as a journalist and writes about it – I won’t come after her,” he said, “I will come after you.”
But if a complaint is made to the data protection board, public interest can certainly be offered as a defence, he added.
What if the “public interest” defence isn’t enough for the board? Can a journalist be compelled to give up their sources?
“If you want to defend yourself, how will you defend yourself otherwise?” said Justice Srikrishna. “If you don’t say that you obtained it from XYZ, it will be assumed that you’re the one who unlawfully accessed my personal data.”
Could additional obligations be imposed on publishers?
The 2022 version of the bill, like the other versions before it, allows the central government to place additional obligations on a special class of data fiduciaries and classify them as “significant data fiduciaries”. One of the factors to be considered here is whether there is “risk to electoral democracy”.
Given the importance of the media to a democracy, the lack of journalistic exemption means the government can notify news organisations and influential independent journalists as “significant data fiduciaries”.
“It is quite possible,” said Justice Srikrishna, “and if that happens, you can imagine the disastrous consequences that may follow.”
Additional obligations for a significant data fiduciary would include appointing a resident data protection officer, appointing an independent data auditor, and carrying out periodic audits and data protection impact assessments.
Bailey said that while this could happen in theory, the government would have to show that its decision was not arbitrary. Realistically, he said, this additional burden is meant for social media companies that misuse personal data they collect “to engage in behaviour that has affected elections, including through forms of censorship as well as circulation of fake news, etc”.
Who will determine what is public interest?
The Srikrishna committee report made it clear that public interest must be more than “mere idle curiosity”. But will a data protection board have the power to adjudicate what constitutes public interest?
The answer isn’t clear.
“Nothing related to the functioning or composition or powers of the data protection board has been made clear in the bill,” said Justice Srikrishna. “I don’t know whether it is a regulator or not.”
During the December 23 consultation, Chandrasekhar had said the data regulator would be instituted via the upcoming Digital India Act. But Justices Srikrishna and Chelameswar both said that oral statements – by ministers or ministries or during parliamentary debates – are of limited value, and that the law and its language are paramount.
“The only exception to this that the Supreme Court has recognised is the debates of the Constituent Assembly,” Justice Chelameswar said.
Latest in a litany of SLAPP issues
In India, legal tools like defamation suits are often wielded against the media. For years now, powerful people and companies have used SLAPP suits – Strategic Litigation Against Public Participation – to silence critics. Can the privacy bill be similarly weaponised?
Justice Chelameswar doesn’t see anything wrong with the proposed bill “insofar as it seeks to drop the exemption for journalistic work”, since every legal right “comes with a corresponding legal obligation”.
“Since journalistic freedom is an aspect of free speech, it is necessarily subject to reasonable restrictions imported by law/legislation,” he said. “If this bill considers any standard other than the standards prescribed for the offence of defamation then perhaps a stricter scrutiny of the bill would be required.”
He added that the 10 exceptions to the definition of defamation would be enough to protect journalistic freedom, even after the exemption in the bill is removed.
It should be remembered here that Article 85 of the Generation Data Protection Regulation of the European Union exempts journalistic work from multiple provisions of data provision acts in EU nations. Despite this exemption, it’s not always effective. Romania’s Data Protection Authority tried to use the GDPR to force investigative news website RISE Project to reveal its sources for “personal data” in a series of articles that alleged that senior Romanian politicians were involved in the embezzlement of about €21 million in EU funds.
Journalists aren’t always innocent
In the right to privacy judgement, Justice Sanjay Kishan Kaul noted that “technological development has facilitated journalism that is more intrusive than ever before”.
But Bailey said this is not intended as a means to impose broad curbs on freedom of expression, especially when the matter is of public interest.
And all is not necessarily well in the world of Indian journalism when it comes to balancing the right to privacy and public interest, as Newslaundry has reported over the years. Since the bill envisions the data protection board as a civil court, much will depend on which case sets the precedence and eventually makes its way to a high court.
A weekly guide to the best of our stories from our editors and reporters. Note: Skip if you're a subscriber. All subscribers get a weekly, subscriber-only newsletter by default.