Reading ‘Necessity’ in India’s New Data Protection Bill

In July 2018, a committee of experts headed by Justice BN Srikrishna submitted its draft Personal Data Protection Bill1 to the Government of India. As the bill makes its way through the government, and potentially the parliament, several questions have been raised about the enforcement of the principles laid out in it as well as in an accompanying report.

One of these questions is about how the legal principle of “necessity”, developed in international law and by constitutional and administrative courts in several jurisdictions, will be imported into the reading of India’s data protection law. The draft bill uses the terms “necessity” and “necessary” in many different contexts and “proportionality”, which is typically a counterpart of “necessity”, in specific cases.

The Srikrishna committee report dwells on “necessity” in some detail as it lays out its reasoning for the provisions in the draft bill. For example, while discussing data processing obligations, the committee explains that “necessity” is used to connect the information sought by a data fiduciary with the purpose it seeks to achieve. To put it simply, what is the purpose of a data fiduciary for seeking information and is that information necessary for that purpose? The committee also refers to the use of “necessary” and “reasonably necessary” in its White Paper, released earlier, to explain that these terms are meant to qualify the time for which data can be stored. They are also intended to make it easier for the government to issue guidelines and court to interpret the provisions clearly.

This paper by Nehaa Chaudhari, Smitha Krishna Prasad and me identifies the different uses of the concept of “necessity” in the bill and looks at the development of the legal principle of “necessity” in international law and specific jurisdictions like the European Union (EU), the United Kingdom (UK) and India. It concludes that the jurisprudence on “necessity” is extremely sparse in India and that it will be instructive to see how the data protection authority and courts interpret this term in the way personal data is collected, secured and processed.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s