The Personal Data Protection Bill, 2018 (referred to as the Draft Bill) marks a definitive step in establishing a data privacy regime in India. However, three major aspects are missing from the Bill.
The Personal Data Protection Bill, 2018 (referred to as the Draft Bill) marks a definitive step in establishing a data privacy regime in India, intending to define boundaries for processing of personal data of individuals or data principals (owners), however, three major aspects are missing from the bill.
Considering that it is in its initial stages, the Draft Bill does cover some of the key tenets which form the basis of any data privacy framework. These include:
- use of personal data should not be unchecked (i.e, it should be regulated)
- personal data should be processed only for the purpose for which it was collected
- data should be processed on the basis of consent from the data principals (data owners)
Aspects not covered by the Draft Bill:
The Draft Bill completely steers clear from mentioning or acknowledging as to who owns such data. The recent recommendations on data privacy issued by the Telecom Regulatory Authority of India (TRAI) and published on July 16, 2018, specifically proposed that the ownership of the data should lie with the individuals with whom the data relates to. Even though the recommendations were not accepted, the Department of Telecommunications (DoT) did refer the same to the committee headed by Justice BN Srikrishna. It was perhaps expected that such a stipulation would be present in the Draft Bill.
Perhaps one of the most critiqued miss from the Draft Bill, non-attribution of the ownership raises questions in relation to the effectivity of the Draft Bill. As a result of its absence, it is not clear to what extent the obligations prescribed by the Draft Bill may be effectively implemented in order to ensure data privacy to a data principal who demands so.
A liberal reading of this provision does convey that data fiduciaries have more expansive control over personal data available with them to use for purposes neither of which were initially intended nor for which any consent is required from the related data principal. Such an enhanced control, along with Section 27 may unwantedly give an impression that at least the individual is neither in absolute control of the personal data.
Right to be forgotten
At a glance, one may conclude from the title of section 27 that the Draft Bill, similar to the GDPR, provide data principals (owners) with the right to have their personal data deleted. Although the Draft Bill does empower data principals (owners) the right to restrict the continuing disclosure of personal data based on the request by the related individual, it does not provide an unfettered right to the individual to have such data deleted in its entirety from the repositories of the data fiduciary, if they so desire so.
The Draft Bill mandates under the Data Storage Limitation provided in Section 10 that data fiduciaries firstly, are to retain data only as long as it may be reasonably necessary. Secondly, when retention of such data is no longer necessary, then data fiduciaries are required to delete such personal data. Considering these provisions, it is aptly clear that the intention of the Committee had been to only allow retention of personal data to the extent it is reasonably necessary, and that such data should be deleted if it is no longer so.
Despite such obligations being mandatory in nature for data fiduciaries, similar privileges (i.e., right to seek deletion of data when no longer required) have not been imparted upon data owners. This aspect, along with the non-acknowledgement of ownership of personal data may have inadvertently widened a gap between data owners and their personal data, and perhaps have given a far more greater control to data fiduciaries.
Furthermore, the right to impose restrictions on processing of personal data is to be determined by an Adjudicating Office (AO). The AO, perhaps, is intended to strike a balance between the underlying conditions based on which such restrictions may be sought and fundamental rights of other citizens. The report has offered some justification by citing examples involving individuals, who willingly share their locations for availing location-based services.
The report exemplifies that in such cases personal data such as the location of other accompanying individuals, who may have not have provided their consent, inadvertently does end up getting recorded. This hypothesis cites the importance of such Community Data and also acknowledges the need for protecting such data. However, such a hypothesis may have perhaps ignored the notice requirements prescribed by the Draft Bill. With these requirements, and with the right to have the personal data deleted, could have effectively secured such other individuals’ personal data.
Impact on Technology Development
Data fiduciaries have been defined as entities, which may also determine the means through which such personal data may be processed. However, such means are not anywhere referenced throughout the Draft Bill. Of all the data that is available, a large proportion is digital and has been collected through personal digital devices. These services define the digital environment which has become a part of our daily lives.
The Draft Bill does not test the framework it proposes against the rapid changes in this digital environment. Rapid advances in the field of information technology and Internet-of-Things (IoT) will result in huge volumes of personal data being collected and processed for providing a wide variety of services. The provisions of the Draft Bill are quite broad, but at the same time may not be sufficient to address issues with more recent technologies.
The Draft Bill is most certainly in the right direction and does provide a decent foundation over which the data privacy legal framework for India may be built upon. The Committee is likely to review the comments and suggested changes which will only supplement the effectivity of the proposed draft. Such revisions would most likely address many of the issues which are being presently discussed.
Prashant Phillips is a Partner at Lakshmikumaran & Sridharan Attorneys. Views expressed are the author’s own.