The Unconstitutional Vagueness Of The Personal Data Protection Bill, 2018
“What happens in vagueness, stays in vagueness...”Police Officer: “Hey, Mr.CEO, you’re under arrest! We’ve found that the website of your company displays….hmmm….what do you call it [Police Officer asks his slightly more informed sidekick]…oh..yes, yes..I know - ‘Data’; this can cause ‘harm’ to people, so I’ve been told [Police Officer grins] Mr.CEO: “What!...
“What happens in vagueness, stays in vagueness...”
Police Officer: “Hey, Mr.CEO, you’re under arrest! We’ve found that the website of your company displays….hmmm….what do you call it [Police Officer asks his slightly more informed sidekick]…oh..yes, yes..I know - ‘Data’; this can cause ‘harm’ to people, so I’ve been told [Police Officer grins]
Mr.CEO: “What! Please wait a minute; I can explain, this was legitimate use of data, ‘X’ (owner of data) allowed us to use it, there is a contract supporting thi….…also there is no ‘harm’; wai…[Mr.CEO’s voice quivers as he is pulled into the police car]”
Police Officer: [cuts the CEO off mid-sentence] “Baaki baatein thaane mein! (Hindi for: We’ll have plenty of time to connect, at the Police Station)..Also, [the police officer adds, in a rather scornful tone] I decide what ‘harm’ is…….words mean what I want them to mean, neither more, nor less…….”[1]
A grim picture; but we are not tilting at windmills. There is a very real risk of certain provisions being introduced in India’s new data protection law, which may lead to this scenario. Provisions introducing serious criminal liability without, or at any rate, extremely blurred and vague signposts.
But before we get ahead of ourselves, let’s start at the start, with a few words on the constitutional requirement of precise, categorical and clear criminal laws.
A criminal statute is constitutionally required to be specific and unambiguous. The idea being: an average citizen should be able to understand as to what constitutes a crime, and as a law-abiding citizen, avoid such conduct. This is precisely why there is little doubt that “blurred signposts to criminality do not suffice to create it”.[2] Criminal laws, which do not explicitly and definitely state which conduct/omission attracts criminal sanctions - are void for vagueness. This is because vague statutes such as these can lead to arbitrary and discriminatory prosecutions and cause the concentration of far too much power in the hands of the law enforcers. A resultant of which would be selective prosecution, based on mere whims and caprice of the power holders. The need for certainty in defining the limits of criminal sanction is ultimately borne out of a natural fear of Rule of Men, as opposed to the Rule of Law.
This vagueness is what the now-departed Section 66A of the IT Act suffered from. It penalized offensive online speech causing annoyance or inconvenience. This provision was struck down by the Supreme Court in Shreya Singhal v. Union of India[3] on the ground of being “open-ended, undefined, vague and “extremely nebulous in its meaning”, and resultantly, unconstitutionally vague. This doctrine of unconstitutional vagueness has been pressed into action to strike down a wide range of statutes across the world, including: a Florida statute providing for punishment for “abominable and detestable crimes against nature”, which was rightly struck off on the ground that this required too much speculation and also, two people of common intelligence can disagree on what an abominable crime is, or what is natural, for that matter. One man’s abomination is other’s love. This pernicious law was rightly held by the Court to be too vague to serve as the basis of criminality[4]. Similarly, statutes punishing activities such as “loafing”, or “strolling” have been held to be bad, as they were found to have the effect of criminalizing some rather innocuous everyday activities like taking an evening stroll, or simply chilling under tree, for example. Imagine, if this statute, outlawing ‘loafing’ was operative in Newton’s time, he could have been hauled to cold police lock up, before he could witness the proverbial Apple fall, depriving the world of his famous epiphany. You see, Newton’s conduct could have very well amounted to ‘loafing’ under this pernicious law, and the world, deprived of valuable insight into the rather important phenomenon of ‘gravity’ (unless, of course, jail cells provided similar avenues of inspiration!).
These are the hazards of vague criminal laws. Sadly, some of the provisions in the proposed Personal Data Protection Bill, 2018 (“PDP Bill”) suffer from the same fatal flaw, which makes those provisions capable of great mischief and, therefore, constitutionally bad.
For instance, Section 90 of the PDP Bill attaches criminal liability to the act of - obtaining, transferring or selling of personal data by any person in contravention of its provisions, in two circumstances:
- That the Act was done knowingly, intentionally or recklessly; and
- That such an act of obtainment, disclosure, transfer, or sale (of data) results in significant harm to the data principal.
We are here concerned with the meaning and import of “Significant harm”. The term ‘Harm’ is defined in Section 3(21) of the PDP Bill which includes bodily or mental injury; loss, distortion or theft of identity; financial loss; reputational loss; loss of employment; any discriminatory treatment; subjection to blackmail/extortion; any denial or withdrawal of service or benefit, any restriction on speech movement, etc.
This is an extremely wide definition and rather unprecedented in a criminal statute. Further, if this wasn’t wide enough, the definition is also an ‘inclusive’ one (only illustrating some instances of what may constitute ‘harm’); thereby effectively giving an investigating officer a Carte Blanche to construe anything as a ‘harm’ and make it the basis of criminal liability.
Also, the definition of ‘Significant Harm’ (or the lack thereof!) is especially problematic. Section-3(37) of the PDP Bill, defines ‘Significant Harm’ as harm that has an “aggravated effect’, having regard to the nature of personal data being processed, the impact, continuity, persistence or irreversibility of the harm.
Here we have a definition that fails to define. It is wide, open-ended, vague and vests the friendly police officer in the neighborhood far too much power and makes a due-process lawyer cringe.
Can we really trust our often technically unequipped police officers to make an objective judgment as to whether a particular case of disclosure of data (which may be totally negligent, since intent is not a condition precedent to criminality!) leads to harm - significant or aggravated. What this effectively leads to is: that a police officer has the power to put the principal officers of a Company, behind the bars, for a negligent disclosure of personal data by some employee of the Company, if the Police Officer feels that this has led to ‘significant’ or ‘aggravated harm’ to an individual. The definition of ‘Harm’’ being atrociously wide doesn’t help matters either.
Therefore, a reconsideration of the definitions of “harm”, “significant harm” and “aggravated harm” is imperative. In this regard, a recent decision by the United Supreme Court in Sessions v. Dimaya, 584 US___(2018) can prove to be quite instructive. In this case, a statute defining certain “aggravated felonies” for immigration purposes was held to be unconstitutionally vague. The facts, in a nutshell were: a Philippines native James Dimaya was sought to be deported by the US Government, on the premise that his previous convictions were “aggravated felonies” under the Immigration and Nationality Act and he was liable to be deported on that ground. US Authorities argued that the felony committed by Dimaya was an aggravated felony as it fell within the definition of “residual clause” of the definition of a violent crime, which included “any other offence that is a felony and that, by its nature, involves a substantial risk that physical force against the person or property or another may be used in the course of committing the offence”. The US Supreme Court found this to be extremely vague and struck it down.
Reconsideration is all the more important as any contravention of Section 90 of the PDP Bill (in its current shape and form) can lead to imprisonment of upto three years and/or fine which may extend upto Rs. 2 lakhs. Apart from this, the offence is a cognizable one, which means that an FIR can be registered straightway, giving the police officer practically unbridled powers to arrest (and in case of organizations, go after the managers/directors/other principal officers). To make matters worse, the offence is also non-bailable, which means an accused must mandatorily go behind the bars, and bail can be granted only by the Court, at its discretion, and after arrest.
There is no manner of doubt that, this provision, if allowed to stand, may lead to frivolous prosecutions and arrests. There is an urgent need to rethink this. Two ways in which the rigors of this section can be diluted, and it made less prone to misuse are: i) mens rea i.e guilty intention may be made a sine qua non for fastening of criminal liability; and ii) the definition of harm/significant/aggravated harm has to be restated with precision and sufficient definiteness so as to rule out abuse of this provision.
Authored by Bharat Chugh (Former Judge & Partner Designate), and Rudrajit Ghosh (Associate) at L&L Partners Law Offices, New Delhi (formerly Luthra and Luthra Law Offices). The views of the authors are personal. The Authors can be reached at bchugh@luthra.com
[1] Inspired from an exchange between Alice and Humpty Dumpty in Through the Looking Glass, by Lewis Carroll
[2] (United States v. C.I.O - 335 US 106, 142 (1948) Rutledge, J., concurring)
[3] (2013) 12 SCC 73
[4] Franklin v. State (Fla, 1971)