In a digital world, in a smart city or smart home environment, human life is revolving around data, and law ideally should permit and facilitate every kind of data processing for the growth of digital driven economy.
By Rajesh Vellakkat
Strong measures to prevent harmful use of personal data to the detriment of the data subject are highly desirable. Privacy and human rights activists have been complaining that India inadequately protects privacy rights, despite privacy being a fundamental right. An enactment for the protection of data privacy would be a welcome step. Jurists have been debating a data privacy law for many years, and humongous efforts were made, especially in the last two to three years, to formulate legislation that is appropriate for us. Now it is almost certain that the Personal Data Protection Bill (PDP Bill) will be tabled in Parliament for consideration in the ongoing budget session. The framework of the PDP Bill is similar to the European General Data Protection Regulation (GDPR). Informed consent of the data subject, minimum collection, specified use and destruction of data after use are essential requirements under this law. Both the GDPR and the PDP Bill mandate that no processing of personal data is legal unless the processing comes within one of the permitted grounds. This law regulates data collection, recording, use, re-use, adaptation, alteration, indexing, transmission, sharing and storage (collectively referred to as processing). It is not a data protection law but rather a law regulating all kinds of data processing. In a digital world, in a smart city or smart home environment, human life revolves around data, and law ideally should permit and facilitate every kind of data processing for the growth of a digitally driven economy. The concern of this article is that the PDP Bill may disproportionately impair the digital economy of the country.
“Personal Data” Defined
The definitions of personal data in the GDPR and in the PDP Bill are very similar. Any directly or indirectly identifiable information about a natural person is considered personal data. This definition has been interpreted by the European Court of Justice and by national courts of different countries to be all-encompassing. Every data set, in one form or another, is capable of directly or indirectly identifying a natural person and is thus personal data. For instance, it was ruled that an evaluated answer sheet of a student is personal data of the student as well as of the evaluator, because it could be used to identify both. Similarly, IP addresses, both static and dynamic, are considered personal data of the owner of the computer. Further, a Google search result is considered personal data of the individuals shown in the search result. An electric meter reading, telephone logs, internet access records, or any data from a smart device is thus personal data of one or many people. Even data that is manifestly made public by a person would qualify as personal data, and the law would apply to its processing, with some limited exceptions. The scope of the legislation thus expands beyond the privacy of individuals and covers every data collection, access, use and storage activity. Such a wide definition of personal data deviates from the core proclaimed purpose of the legislation, which is protecting the privacy of individuals.
Impact on Digital Technology Driven Activities
Digital business is currently one of the major sources of employment in India. All tech companies are setting up offices in India, and Indian talent in this area is highly recognized the world over. A recent study suggests that the Indian analytics, data science and big data industry is estimated at $2.71 billion in revenues and is growing at a healthy compound annual growth rate of 33.5 percent. Apart from that, internet-based services, e-commerce companies and social-media-based businesses are growing rapidly. Moreover, India is an established hub for data analytics, artificial intelligence (AI), machine learning and related technology creation, development and services. Millions are employed in these sectors, and many startups and new services are mushrooming all around. The technological capabilities of our energetic young population have been acclaimed all over. Data-driven services have helped to improve our living conditions. Hence, any legislation in this regard should be carefully made so that the economy is not impacted disproportionately to the cause.
Curtailing the expansion of digital technology driven activities on the false pretext of privacy could lead to a decline in the growth trajectory. Therefore, the law should restrict and regulate only that data which bothers individuals, or creates or is likely to create harm to them or to their privacy. There is no legitimate need to regulate the creation and use of every data set or every processing of data.
Purpose, Collection and Data Storage Limitation
The PDP Bill imposes a purpose limitation on the processing of personal data. However, for most new technologies like the internet of things (IoT) and AI, data is not always collected for a specified purpose; rather, intelligent uses of the data are derived at a later stage. Predetermining the purpose at the stage of collection is an unnecessary restriction and is practically impossible to achieve in most cases. The purpose limitation rule will retard development in these sectors.
Similarly, the collection limitation imposed by Clause VI of the Bill would also be detrimental to innovation, especially for sensor-based data collection and IoT technologies. For instance, sensors in wearable devices, automobiles, mobile telephones, traffic junctions, smart meters or any device that connects to the internet keep collecting data automatically, and such collected data, apart from serving the specific purposes known at the beginning, could be used for many other purposes. Further, in a world of ubiquitous data processing using technologies like IoT, cloud and AI, considering every data set as personal data and, on that pretext, regulating all these technologies would be disproportionate to the cause.
Furthermore, the data storage limitation allows personal data to be stored as may be reasonably necessary to satisfy the purpose for which it is processed. In the digital world data is the new oil which has immense value and high utility. It helps people get intelligence and facilitates economic and technological activity. Data science is an emerging field, where knowledge and insights are extracted from these unstructured, old and seemingly useless data. Restricting data storage is thus of no use.
The draft Bill insists on giving notice to the data subject about the collection of data and on getting consent. This has already proved impractical in Europe: it ended up in consent fatigue, and many have observed that it did not serve the purpose at all. Voice, image and other data capturing devices prevalent now automatically collect the personal data of many people. Giving notice to everyone is, firstly, not possible and, secondly, does not ensure better rights for data subjects.
Data Protection Impact Assessment
Both the GDPR and the draft PDP Bill try to regulate the profiling of individuals. This may be due to an eagerness to control the ever-existing evils of economic disparity, racial profiling and gender discrimination, which are so intrinsically ingrained the world over. Ensuring equality and equal opportunity is paramount, and presumably the GDPR is premised on the view that profiling may perpetuate the evils mentioned above. Hence, profiling was highly restricted where automated decision making was applied, and it was made mandatory to provide information to the data subject on the logic involved in the processing. In line with this, the PDP Bill mandates a data protection impact assessment in case of profiling.
It is true that we have all grown up in a biased and exceedingly discriminatory world, and machines should not be allowed to perpetuate this bias. However, to conclude that all automated processing is against the interest of individuals would be fallacious. Discriminatory and harmful profiling should be regulated, not profiling per se. Predictive policing and other automated decision making have considerably helped in reducing crime. Big data and IoT give greater observational powers, which result in meaningful inferences. Instead of preventing bad inferences or incorrect observations that result in bias and discrimination, preventing profiling per se would be detrimental to society.
We should learn from the experience of the last one year of the GDPR's enforcement. The PDP Bill should not blindly imitate all those impractical clauses merely to match the Europeans. This legislation should not be made a tool for controlling the entire digital economy. It should not hamper technological growth in data processing or data analysis, which employs a huge mass of the working population of India. Law should not be a roadblock for growth in IoT, machine learning and AI. The PDP Bill should only regulate harmful use of private data. The economic impact of this legislation should be deeply examined and reconciled before moving ahead with it.
Rajesh Vellakkat is a Partner at Fox Mandal & Associates. (Views are the author's own.)