Could India’s new data protection bill force journalists to reveal their sources? -Aditi Agarwal

-Newslaundry

The Government of India has removed exemptions for journalistic work from data protection obligations in the fourth iteration of the Digital Personal Data Protection Bill 2022. If this iteration is passed as law a story containing personal data may result in journalists having to prove to a data protection board that their story was in the public interest, Newslaundry reported. The three previous versions - in 2018, 2019 and 2021 - exempted journalistic work from certain obligations in the bill. The latest iteration was opened on 18 November, 2022 for public consultation, which closed on 2 January.     

Under the previous iterations news publishers were considered data fiduciaries, but as employers and/or subscription service providers. They were, by default, mandated to protect the personal data of their employees and subscribers. Data fiduciaries are the entities that determine the purpose and means of processing personal data, and have been at the centre of all obligations under the privacy bills. All social media platforms, most digital service providers, the government’s Unique ID Authority and all employers with employee data would be considered data fiduciaries under the bill. By removing the exemption for journalistic activities, data protection obligations could now extend to the stories themselves. Newslaundry quoted minister of state for IT Rajeev Chandrasekhar saying “How can someone get a free pass just because they are a journalist? there is no free pass for anybody.” However multiple experts told Newslaundry that this would create significant friction in the reporting process and is bound to have a chilling effect on the media.

In July 2018, the Justice Srikrishna committee released a report alongside the first version of the privacy bill.  The report noted that if journalists are “made to adhere to the grounds of processing personal data, it would be extremely onerous for them to access information”. It suggested that all media houses publicly commit to observing published privacy standards that are considered adequate by the data protection regulator. Moreover, consenst is one of the main guiding principles of any data protection regime. But why would the subject of a media story consent to having their personal information published, especially if the story was critical of the subject? This was recognized by the Srikrishna committee report, which said that notice and consent obligations, especially in cases of investigative journalism, would be counterintuitive.

But the 2022 bill introduced the concept of “deemed consent”. The grounds for considering whether an individual is “deemed to have given consent” do not explicitly include journalistic work. Consent is deemed to have been given if it is in “public interest” but the bill’s non-exhaustive list only includes purposes such as debt recovery, credit scoring, processing publicly available personal data, and fraud prevention and detection. Experts whom Newslaundry spoke to disagreed about whether or not “deemed consent” would suffice to exempt journalistic work.

“No exception has been made under the concept of deemed consent for journalistic work. The deemed consent will apply if the personal data accessed is [already] in the public domain,” Justice Srikrishna said, adding, "If you are dealing with personal data, you are in trouble. This will have a chilling effect on free speech.” However, retired Supreme Court justice Jasti Chelameswar disagreed. Since the public interest provision under deemed consent is not exhaustive, it could include journalistic work, he told Newslaundry. Chelameswar was part of the nine-judge bench that upheld the right to privacy and gave the Shreya Singhal judgement that struck down section 66A of the IT Act. 

While reporting, journalists are ethically required to follow a “no surprises” policy – they reach out to the subject of a story before it is published with the allegations made and give them a chance to respond. Under the new bill, the subject of the story could haul the journalist before the Board at this stage itself, ensuring that the story is either delayed or completely dropped. Hence, the 2018 and 2019 versions exempted journalistic work from these obligations. They also removed the limits on the purpose of data collection and data retention periods, while the basic obligation of fair and reasonable processing continued to apply. Now, without the exemption a journalist would have to adhere to all the normal obligations placed on data fiduciaries. 

Journalists often rely on whistleblowers and sources to share documents and information to hold companies and governments accountable. Without the exemption, if the board says an activity wasn’t in “public interest”, both the whistleblower and the journalist could be found guilty for causing a personal data breach. They would face financial penalties of up to Rs 250 crore. 

Please click here to read the original story