Prachurya Sahu | Symbiosis Law School, Pune | 12th June, 2020
Introduction
The landmark judgement of K.S. Puttaswamy v. Union of India paved the way for the Right to Privacy to become a protected right within the purview of Fundamental Rights as defined in Part III of the Indian Constitution. This allows the right to be readily enforced by the existing judicial mechanism, as opposed to a right that is available only as far as it impacts constitutionally guaranteed freedoms. It lays a foundation for the protection of rights such as the right against invasive and arbitrary scrutiny by the State, free expression of one’s sexual or gender orientation, religious and spiritual expression as well as data protection. An offshoot of this revolutionary judgement is the introduction of the Personal Data Protection Bill.
With the intention to create a cohesive and effective data protection law, the Government set up a committee under the chairmanship of retired Supreme Court judge, Justice BN Srikrishna[1] which birthed the Draft Personal Data Protection Bill, 2018. However, after much debate and engagement with industry professionals and policy think tanks, a revised bill has been approved by the Cabinet and finally tabled before the Indian Parliament as the Personal Data Protection Bill, 2019.
The Bill essentially regulates the processing of personal information and data by the government as well as domestic and foreign companies.[2] It therefore seeks to protect personal information and privacy rights of individuals. The bill does contain some fair points which are a determined nod towards data protection. However, the bill, in its totality falls short of this agenda of protection of data and digital rights, instead providing more pervasive and invasive powers of surveillance to the government. The Bill, instead of protecting personal information of citizens from all external agencies, allows for such information to be delivered to the government on a silver platter.
The Good
Reduction of the Data Localization Requirements.
The PDP, 2019 Bill has diluted the proposed Data Localization requirements as had been mentioned in the PDP, 2018 bill. Data Localization refers to the mandatory storing of one serving copy of personal data on the server by every data fiduciary within the territory of India.[3] Under the new bill, personal data, even sensitive and critical personal data, can be transferred in accordance with a regulatory framework. It is a positive move to allow easier operation of businesses as global companies can now transfer and process personal data across different jurisdictions. This may result in actively decreasing operational costs for a number of organizations.
However, the Bill still mandates localization of sensitive personal data.[4] Given that under the 2019 Bill, the Central Government can expand the span of ‘sensitive personal data’[5] as well as ‘critical personal data’[6] by consulting the Authority[7], such localization, even if explicit consent of the data principal is taken, just seems to allow surveillance by the State. The lack of a concrete definition of ‘critical personal data’ further creates ground for confusion and misrepresentation.
Right of Erasure
Among the positive aspects of the 2019 PDP Bill are the provisions which allow for the right to erasure[8] as well as the right to correction or modification of personal data.[9] The Bill also vests the data fiduciary with the responsibility to provide principals, in writing, the relevant justification[10] if it rejects an application for erasure or modification, and further to indicate that the principal disputes the data alongside the relevant personal data.[11]
This allows for the data to be adequately modified to reflect true information by the data principal personally and also to prevent retention of personal data by the data fiduciary after it has been duly processed, thereby protecting private information of the individuals.
The Bad
Government to use Anonymized Personal/Non-personal data
One distinct provision of the PDP, 2019 Bill is that the Central Government reserves the right to direct any data fiduciary or processor to share anonymized personal data or non-personal data, with the intention to use such data “…to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.”[12] In policy this seems well and good, given that anonymization means the shared data cannot be traced back to the data principals. However, there are numerous concerns when it comes to implementation of this provision.
Firstly, given that “non-personal data” has not been clearly defined in the Bill, the execution of this provision becomes questionable. Secondly, there are no safeguards instituted to prevent any leak of information. This is a major problem because, given the infrastructural disparity, without safeguards in place we have no guarantee that proper anonymization of personal data can be done by all fiduciaries. Further, there could be cases where non-personal data can be converted into personally identifiable data. Lack of safeguards will lead to shoddy implementation, which can result in major violation of privacy, with hardly any attachment of accountability.
Creation of a sandbox
The PDP Bill 2019 requires the creation of a sandbox for “...the purpose of encouraging innovation in artificial intelligence, machine-learning or any other emerging technology in public interest.”[13]
This sandbox essentially allows certain entities involved in the work mentioned above to be exempted from complying with all or some requirements of the 2019 Bill. However, what is problematic is that the requirements which could be overruled by the entities in the sandbox are those relating to purpose limitations[14] and restrictions on retention of personal data.[15] This means that the entities are exempted from providing “clear and specific purposes of the technology or activity.”[16] In circumstances where the purpose has not been defined clearly, it becomes extremely difficult for data principals to give free and informed consent. Allowing enterprises to process personal data without the explicit consent of data principals to that particular activity leads to violation of basic principles of privacy.
Social Media User Verification
While the growing influence of social media allows for political engagement, solidarity and vocalization of dissent, it has also allowed for an uncontrollable thread of fake news and misinformation being dispersed under anonymous profiles, so much so that elections have failed to remain free and fair. In an attempt to combat this spread of misinformation, the Bill allows the Central Government to deem any social media intermediary as a significant data fiduciary.[17] As a significant data fiduciary, they have wider responsibilities such as data protection impact assessments[18], maintenance of records[19], audit of policies[20], and appointment of a data protection officer.[21]
It further obligates every social media intermediary to enable users who register for their service to voluntarily verify their accounts.[22] This voluntary verification will have an overt visible mark of verification, noticeable to all users. Such a provision will entail people attaching government-issued IDs to their social media accounts, allowing such companies to be in possession of sensitive personal data which can then be used for profiling and targeting users. Not only does this provision in no way combat misinformation, but the idea of willingly thrusting sensitive personal data into the hands of big players in the social media space also achieves the opposite of data privacy of individuals.
The Ugly
Arbitrary exemptions for law enforcement and other agencies
One of the provisions that is a major threat to the data privacy rights of individuals is Section 35 of the PDP Bill, which allows the Central Government to unilaterally exempt any government agency from all or select provisions of the Bill, thereby providing easy access to personal data of many. The 2018 draft Bill also allowed this, but at least restricted such access to security purposes based on principles of “necessity and proportionality and on the basis of authorisation of law.”[23] In the 2019 PDP Bill, determinants such as necessity and proportionality, which act as safeguards, are nowhere mentioned, in complete defiance of the Puttaswamy judgement which evolved these concepts. This grants massive and largely unfettered access of personal data to the Government, enabling pervasive surveillance. The lack of such safeguards readily hampers privacy rights of individuals.
The Data Protection Authority’s lack of Representation.
The PDP Bill 2019 establishes a Data Protection Authority to regulate and enforce the provisions. It has wide ranging powers including creation of guidelines on how various provisions of the Act apply, to ensure that data protection regulations remain consistent and to enforce compliances.
However, in a horrible move, the entire selection committee, which has been constituted to give recommendations to the Central Government for the appointment of members to the DPA, is made up entirely of members of the Executive.[24] In the 2018 draft there was provision for inclusion of a judicial member in the selection committee,[25] which allowed for diverse representation.
With the 2019 PDP Bill, the DPA becomes fully reliant on the Central Government in terms of its formation as well as membership. This completely obliterates the separation of powers doctrine because the enforcing agency as well as the entities against which the Bill is enforced are both part of the Executive. The only way the Bill will ensure fair applicability of its provisions is when the DPA becomes independent of the State. For that, there must be sufficient involvement of members from the judicial community to ensure proper representation and prevent conflict of interest.
Conclusion
The bill has been conceived with the intention to ensure protection of data from external agencies, and to some extent it carries this in spirit. However, certain problematic provisions as well as the lack of explicit safeguards create grounds for criticism. The Bill, by allowing serious ungrounded access to sensitive information to be granted to the State through broad exemptions, sandbox provisions as well as social media verification, legitimises vigilance by the Government. Furthermore, the absence of mechanisms to safeguard against the possible leak or release of such sensitive information just warrants poor implementation. Both these scenarios inevitably lead to violation of the principles of privacy that the Bill seeks to protect. If such measures are allowed to manifest as law, India will turn into an Orwellian disaster state.[26]
[1] Surabhi Agarwal, Justice BN Srikrishna to head Committee for data protection framework, The Economic Times (10:30AM 7th June, 2020) https://economictimes.indiatimes.com/news/politics-and-nation/justice-bn-srikrishna-to-head-committee-for-data-protection-framework/articleshow/59866006.cms
[2] Section 2(A), The Personal Data Protection Bill, 2019.
[3] Suneeth Katarki , Namita Viswanath , Ivana Chatterjee, Rithika Reddy Varanasi, India: The Personal Data Protection Bill, 2019: Key Changes And Analysis, mondaq, (10:30AM 7th June, 2020), https://www.mondaq.com/india/privacy-protection/880200/the-personal-data-protection-bill-2019-key-changes-and-analysis
[4] Section 33(1), The Personal Data Protection Bill, 2019.
[5] Section 15, The Personal Data Protection Bill, 2019.
[6] Section 33(2), The Personal Data Protection Bill, 2019.
[7] Section 3 (5) defines ‘Authority’ to mean the Data Protection Authority of India established under sub-section (1) of section 41, The Personal Data Protection Bill, 2019.
[8] Section 18(1)(d), The Personal Data Protection Bill, 2019.
[9] Section 18(1)(a), The Personal Data Protection Bill, 2019.
[10] Section 18(2), The Personal Data Protection Bill, 2019.
[11] Section 18(3), The Personal Data Protection Bill, 2019.
[12] Section 91(2), The Personal Data Protection Bill, 2019.
[13] Section 40(1), The Personal Data Protection Bill, 2019.
[14] Section 40(4)(c)(i), The Personal Data Protection Bill, 2019.
[15] Section 40(4)(c)(iv), The Personal Data Protection Bill, 2019.
[16] Supra. note 12
[17] Section 26(4), The Personal Data Protection Bill, 2019.
[18] Section 27, The Personal Data Protection Bill, 2019.
[19] Section 28, The Personal Data Protection Bill, 2019.
[20] Section 29, The Personal Data Protection Bill, 2019.
[21] Section 30, The Personal Data Protection Bill, 2019.
[22] Section 28(3), The Personal Data Protection Bill, 2019.
[23] Section 42, The Personal Data Protection Bill, 2019.
[24] Section 42(2), The Personal Data Protection Bill, 2019.
[25] Section 50(2), The Personal Data Protection Bill, 2018.
[26] Meghna Madavia, Personal Data Protection Bill can turn India into “Orwellian State”: Justice BN Srikrishna, The Economic Times (06:30 PM 8th June, 2020) http://economictimes.indiatimes.com/news/economy/policy/personal-data-protection-bill-can-turn-india-into-orwellian-state-justice-bn-srikrishna/articleshow/72483355.cms