A Critical Appraisal of the Data Protection Bill
Limitations of the Bill in Protecting Data Privacy
Following the Right to Privacy decision (K.S. Puttaswamy v Union of India), the Data Protection Bill, 2019 was introduced to provide a legal framework for protecting the privacy of individuals with respect to their personal data. The Bill is the result of the work of the Expert Committee on ‘A Free and Fair Digital Economy - Protecting Privacy, Empowering Indians’, headed by Justice BN Srikrishna, which worked under a mandate to study various data protection issues in India and to make specific suggestions for a data protection framework and a draft bill.
The Bill aims to fill the void in the law on protection of the personal data and personal information of individuals, in particular by creating an obligation upon the state to protect the privacy rights of the people from whom it collects personal data. The extant legal framework under the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) does not impose any duties upon the sovereign state machinery and is restricted to private companies.
Devised on the lines of Europe’s General Data Protection Regulation, the Bill has as its objective to protect the privacy of individuals in relation to their personal data and to specify the flow and usage of personal data. Asserting that the right to privacy is a fundamental right, it holds that it is necessary to protect personal data as an essential facet of informational privacy.
The Bill introduces the concepts of ‘Data Fiduciary’ and ‘Data Principal’ and places greater reliance on ‘Obligations of Data Fiduciary’ and ‘Consent of the Data Principal’. A Data Fiduciary is defined as any person, including the State, a company, any juristic entity or any individual, who alone or in conjunction with others determines the purpose and means of processing of personal data. A Data Principal is the natural person to whom the personal data relates.
As per Section 4, personal data is to be processed only for a specific, clear and lawful purpose and in a manner which ensures privacy of the Data Principal. The Data Principal is to be given notice of the purpose for which the personal data is to be processed and several other details regarding withdrawal of consent.
Section 11 of the Bill emphasises the consent of the Data Principal, which is a prerequisite for processing any personal data. Consent is required to be free, informed, specific, clear and, in an important addition, capable of being withdrawn. As per Section 11(3), the consent of the Data Principal in respect of processing of any sensitive personal data should be obtained explicitly:
a) After informing them about the purpose of, or operation in, processing which is likely to cause significant harm to the Data Principal;
b) In clear terms without recourse to inference from conduct in a context; and
c) After giving them the choice of separately consenting to the purposes of, operations in, and the use of different categories of sensitive personal data relevant to processing.
The Authority under the Bill is obligated and empowered to ensure protection of data from misuse and compromise. Processing by the data fiduciary of biometric data, which is classified as ‘Sensitive Personal Data’, mandates additional safeguards. The Bill also provides for de-identification, encryption and other steps necessary to protect the integrity of personal data and to prevent misuse of, unauthorised access to, and modification, disclosure or destruction of personal data.
The data fiduciary is required to immediately notify the Authority of any personal data breach relating to any personal data processed by the data fiduciary where such breach is likely to cause harm to any data principal. The Bill also incorporates a provision for grievance redressal.
Limitations of the Bill in Protecting Data Privacy
The first shortfall of the Bill lies with the conceptualisation of consent and the manner in which consent is to be procured for the purpose of processing the data. As per S. 11(2) of the Bill, consent is valid if it is free, informed, specific, clear and capable of being withdrawn. However, there are numerous practical and procedural difficulties in this process which have been ignored in the Bill.
As discussed by Padmini Ray Murray and Paul Anthony in their article ‘Designing for Democracy: Does the Personal Data Protection Bill 2019 Champion Citizen Rights?’, any consent framework must both be relevant to people and take into consideration Indian realities, so that citizens are able to differentiate between manufactured and informed consent. However, the ‘choice’ mentioned in the Bill is fictional and merely pays lip service to the notion of ‘consensual use of personal data’. For instance, when personal data is demanded for a process like citizenship verification, people do not have any actual choice about whether to give their data or not. They are, in fact, under strict obligation to provide all the personal data to the authorities, or else they fear the consequences of withholding information.
For instance, if we look at the collection of data under the citizenship verification exercise in the state of Assam, the residents can either give their consent and participate in the process of verification, or not give consent and face the risk of being rendered stateless by the state. This means that the Data Principal’s consent is assumed for all purposes and there is no real choice presented to them.
Exemptions absolving State’s responsibilities under the Bill
The second limitation is the fact that the Bill creates several exceptions and exemptions for processing of data by the State (under Chapter VIII), where personal data can be processed without the consent of the Data Principal. Such situations include national security, prevention of crime, allocation of resources for human development, protection of revenue, etc. It has been asserted by the Committee that these exceptions had been envisaged in the Puttaswamy judgement as legitimate interests of the state.
However, the exceptions are so vast and expansive that any situation could be brought under these provisions through interpretation. Moreover, there is nothing which could prevent the personal data from being transferred to private parties. There is vast scope for misuse of these exceptional grounds, and there is nothing in the Bill which protects the data from being used for purposes other than those for which it was collected. People are left utterly disempowered, with no insight into how their data is being used.
Profiling of data made easier
Thirdly, collection of such a huge amount of personal data makes the process of data profiling extremely simple. As defined under the Bill, profiling is any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a Data Principal. Data can be used for ‘profiling’ to discriminate against people, as the collection of data in this manner increases their visibility and thus their vulnerability.
Though the Bill bars profiling in the case of data belonging to children, it does not explicitly bar the process of profiling itself. It merely requires data fiduciaries to undertake a data protection impact assessment before commencing the process of profiling. The huge repertoire of data collected by the government for varied purposes can thus very easily be used for allied purposes to satiate ulterior motives of the state.
Limited Access to Justice
Lastly, no court is empowered to take cognizance of any offence under this Act, save on a complaint made by the Data Protection Authority of India which has been established under the Bill. Thus, the data principal has no locus to approach any Court in case of infringement of any of his/her rights envisaged under the Bill.
Thus, even though the Bill claims to remove all the roadblocks to a complete data protection regime in the country, it has introduced novel and complex hurdles to data privacy. The Bill has left glaring gaps and it miserably fails to realise the fundamental right to privacy of the citizenry as envisaged under the Right to Privacy judgement. The void which the Bill aimed to fill by devising a data protection regime still remains unfilled, leaving us sans any law.
The writer is a lawyer and barrister, Supreme Court of India