This article is written by Arpita Mohapatra & Sanika Kapse, students of Modern Law College, Pune
“Our own information is being weaponized against us with military efficiency. Every day, billions of dollars change hands and countless decisions are made on the basis of our likes and dislikes, our friends and families, our relationships and conversations, our wishes and fears, our hopes and dreams. These scraps of data, each one harmless enough on its own, are carefully assembled, synthesised, traded and sold.” – Tim Cook
Data Protection Bill vis-à-vis EU’s General Data Protection Regulation
Consider Chaayos, a popular teahouse chain, which uses facial recognition technology at a number of its stores in Delhi and Bangalore to create profiles of its customers. These profiles are used to “remember” customers on subsequent visits, enabling repeat orders and efficient payment. In the terms of this Bill, Chaayos is the ‘data fiduciary’ and the customer is the ‘data principal’.
Determining the objectives of any data protection legislation is always surrounded by the conflicting interests of the privacy of the data principal, state regulation and data commodification. The objectives of the EU’s General Data Protection Regulation (hereinafter, the GDPR) are data-principal-centric, whereas the Personal Data Protection Bill, 2019 (hereinafter, the Bill), which uses the GDPR as a template, treats data as a ‘national asset’. Therefore, to examine the scope of the Bill, a comparative analysis with the GDPR is necessary.
The right to be forgotten (RTBF), as given in the Bill, has been made unnecessarily difficult to exercise. This right cannot be exercised by directly or indirectly requesting the data fiduciary; the data principal instead needs to obtain an order from the Adjudicating Authority, which can exercise its discretion based on wide considerations. This is in contrast to the Supreme Court’s decision in K.S. Puttaswamy, which recognised the right to have control over personal data, including the right to control its existence on the internet. Similarly, the Delhi High Court and Orissa High Court have held that the RTBF is an inherent part of the right to privacy under Article 21 of the Constitution. Conversely, the GDPR incorporates a more extensive right to be forgotten and imposes a requirement on the data controller to erase any data on request.
Similarly, in the case of a breach of personal data, the GDPR states that the data controller is to follow a two-step process: firstly, to inform the supervisory authority where there is a low risk to the rights and freedoms of natural persons, and secondly, to inform the data subjects in case of a high risk to their rights and freedoms. Under the Bill, by contrast, the data fiduciary is to inform the Authority about the data breach, and the discretion is vested in that Authority to determine whether the breach should be reported to the data principal. This, at the outset, contradicts the “fiduciary” relationship which the Bill seeks to establish.
Further, the word ‘consent’ in the GDPR has been used liberally in favour of the data subject. The European data protection authorities have made it clear “that if a controller chooses to rely on consent for any part of the processing, they must be prepared to respect that choice and stop that part of the processing if an individual withdraws consent.” Contrarily, the Bill contains an entire chapter which authorises the processing of personal data without consent, by the State and by companies. The Executive is allowed to process personal data for the provision of “any” service or benefit to the data principal, the issuance of any certification, licence or permit for “any” action or activity of the data principal, or compliance under any law. This directly contravenes the consent provision in the Bill, which mandates informing the data principal of the “purpose” for which their data is to be processed. Evidently, sweeping powers rest with the government to control citizens’ personal data without consent. The Bill also allows processing of personal data necessary for purposes related to employment without the consent of the data principal. With this power the employer can retrieve and process data available on employees’ computers and mobiles. Another proposed ‘reasonable purpose’ exemption relates to “mergers and acquisitions”. During the transactional stage of any merger or acquisition, dozens of lawyers, financial advisors and other organisations are given access to the data stored by the companies involved in the transaction. If merger and acquisition proceedings are treated as a blanket exemption from the requirement of consent for processing, this could act against the privacy-by-design structure of the proposed law.
Defective definitions in the Bill
The Bill makes a deceptive distinction between ‘personal data’ and ‘sensitive personal data’, which is absurd, as personal data is also dangerously vulnerable to profiling. For example, online identifiers (such as devices, applications, IP addresses, cookie identifiers, etc.) leave traces which, when combined with unique identifiers or other information received by servers, can be used to create profiles of data subjects.
The requisites of “consent” in the Bill are watered down by the chapter on exemptions in processing of personal data and the chapter on processing of personal data without consent, which gives autonomy to the companies and the government to an extent where it negates the whole purpose of the Bill to protect personal data.
It is pertinent to note that the distinction between ‘processing’ and ‘profiling’ under the Bill is not watertight, and that the term ‘processing’ covers a broad range of activities which may inevitably lead to profiling. The Bill not only allows ‘manual processing’ of data by small entities, which will leave the data even more prone to profiling; it also attempts to grant data fiduciaries a blanket exemption from accountability and puts a rider on the rights of data principals.
Under the Bill, the Central government can obtain anonymised personal data and non-personal data for the delivery of services and policy formulation. Such anonymised personal data can nonetheless be de-anonymised; for example, an anonymised Netflix dataset of film ratings was de-anonymised by comparing the ratings with public scores on the IMDb film website in 2014. Such de-anonymisation of personal data by the government can lead to its arbitrary use.
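The Netflix example above works because a handful of ratings, each with a film, a score and a date, is enough to single out one person even after the user identifier has been replaced by a pseudonym. The following is an added illustration, not code from the article, of the check a data fiduciary should run before treating a dataset as “anonymised”: it measures the k-anonymity of every small combination of ratings (how many users share that exact combination), and shows that generalising dates and suppressing rarely rated films raises k. The rating records are constructed sample data; the function names are the example’s own. Note the caveat a privacy engineer would attach: k-anonymity is a weak guarantee, and published research on the real Netflix release showed re-identification despite perturbation, so this check demonstrates the risk rather than a sufficient mitigation.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample of an "anonymised" ratings release: the user identity has
# been replaced by an opaque pseudonym, but each rating is kept verbatim.
# Tuple layout: (pseudonym, film, score, date of rating).
ANON_RATINGS = [
    ("u1", "Film A", 4, "2005-03-01"),
    ("u1", "Film B", 5, "2005-03-09"),
    ("u1", "Film C", 2, "2005-04-02"),
    ("u2", "Film A", 4, "2005-03-01"),
    ("u2", "Film B", 5, "2005-03-09"),
    ("u2", "Film D", 3, "2005-05-20"),
    ("u3", "Film A", 4, "2005-03-01"),
    ("u3", "Film E", 1, "2005-06-15"),
]


def ratings_by_user(records):
    """Group the (film, score, date) triples by pseudonym."""
    by_user = defaultdict(set)
    for user, film, score, day in records:
        by_user[user].add((film, score, day))
    return by_user


def k_anonymity_of_combos(records, combo_size):
    """For every combination of `combo_size` ratings made by some user, count
    how many users share that exact combination. Returns (k_min, singled_out):
    k_min is the smallest such count (the k of k-anonymity; None if no user
    has `combo_size` ratings) and singled_out is the set of pseudonyms that
    at least one combination identifies uniquely (k == 1). A user in that set
    can be re-identified by anyone who knows those few ratings from another
    source, such as public reviews."""
    owners = defaultdict(set)
    for user, ratings in ratings_by_user(records).items():
        for combo in combinations(sorted(ratings), combo_size):
            owners[combo].add(user)
    k_min = None
    singled_out = set()
    for users in owners.values():
        k = len(users)
        k_min = k if k_min is None else min(k_min, k)
        if k == 1:
            singled_out |= users
    return k_min, singled_out


def coarsen(records, min_users_per_film):
    """Toy mitigation: generalise the rating date to year-month and suppress
    ratings of films rated by fewer than `min_users_per_film` distinct users,
    since a rarely rated film acts as a near-unique identifier on its own."""
    users_per_film = defaultdict(set)
    for user, film, _score, _day in records:
        users_per_film[film].add(user)
    return [
        (user, film, score, day[:7])  # "YYYY-MM-DD" -> "YYYY-MM"
        for user, film, score, day in records
        if len(users_per_film[film]) >= min_users_per_film
    ]


if __name__ == "__main__":
    # Raw release: a single rating of a rarely rated film already singles out
    # every user in the sample (k_min == 1).
    print("raw release, single ratings:", k_anonymity_of_combos(ANON_RATINGS, 1))
    # After generalisation and suppression no combination of one or two
    # ratings is unique any more (k_min == 2), at the cost of dropped data.
    safer = coarsen(ANON_RATINGS, min_users_per_film=2)
    print("coarsened, single ratings:", k_anonymity_of_combos(safer, 1))
    print("coarsened, pairs of ratings:", k_anonymity_of_combos(safer, 2))
```

The same measurement generalises to any sparse, high-dimensional release (purchase histories, location pings, search logs): run it over combinations of two or three attributes, and if k_min is 1 for a large share of records, the pseudonymisation is cosmetic and the data should be treated as personal data under whichever regime applies.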
Arbitrary control of government in every sphere of data regulation regime
Every social media intermediary which is notified as a ‘significant data fiduciary’ is to enable users to voluntarily verify their accounts in such manner as may be prescribed by the Central government. This power given to the State is evidence of its arbitrary interference in a role which should unquestionably be exercised by the significant data fiduciaries themselves. Additionally, provisions such as data protection impact assessment, maintenance of records, auditing of policies and conduct of processing, etc., apply only to significant data fiduciaries. Data fiduciaries that do not come under the ambit of significant data fiduciaries can violate the objectives of the Bill if left unchecked.
The Bill empowers the Central government to exempt any governmental agency from its provisions in order to process personal data in the interest of the sovereignty and integrity of India, the security of the State, the preservation of public order, or the prevention of incitement to the commission of any cognizable offence relating to the sovereignty and integrity of India. The terms used in these sections are vague and autocratic and warrant the violation of privacy by the government. Further, the establishment of the Data Protection Authority (DPAI), which will be at the helm of affairs for the implementation of the Bill, is marred with prejudice. The selection committee for the constitution of the DPAI will be composed of the Cabinet Secretary as chairperson, the Secretary, Department of Legal Affairs, and the Secretary, Ministry of Electronics and Information Technology. Compared with the former draft Bill of 2018, the committee lacks legal and subject experts. Therefore, the Data Protection Authority will be executive-oriented rather than an independent regulator.
Impact of Data Localisation
According to the Bill, all sensitive and critical personal data must be stored on servers located in India. Sensitive data may be processed outside the country but must be brought back to India for storage. Critical data cannot be taken out of the country at all. There are no restrictions on general data. Digital companies currently store and process their data wherever it is economically most efficient. The locational divide proposed by the Bill would impose additional costs on digital companies, leading to sub-economic storage and processing capacities, and might result in a “splinternet”, the fragmentation of global digital supply chains. The impact of data localisation on the protection of users’ personal data is contingent upon robust infrastructural and technical capacity to protect such data within the borders. Unless these conditions are fulfilled, storage of personal data within or outside the country would make no difference to the data principal, who in either case will be exposed to the risk of a data breach.
The Bill provides a mere skeleton, the intricacies of which will take shape only after the Data Protection Authority is constituted and begins work. The Bill uses the term ‘data fiduciary’ rather than ‘data controller’ to emphasise the ‘duty of care’ on the part of the data fiduciary to lawfully process personal data. This ‘duty of care’ cannot be reasonably exercised by data fiduciaries towards data principals if they are under the constant scrutiny of the government. The data principal is at the losing end whether control over data lies with the government or with data fiduciaries. There is also a hue and cry over the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 (IT Rules), which bring social media platforms under the ambit of government supervision. These regulations mandate that social media platforms give details of the origin of messages on demand by the government. Coupled with the new IT Rules, the Personal Data Protection Bill will further increase surveillance over significant data fiduciaries, which are mostly social media intermediaries, making this framework a tool to build an Orwellian State.