The Government of India. recently released the Justice Srikrishna Committee Report and The Personal Data Protection Bill, 2018.
The Government of India. recently released the Justice Srikrishna Committee Report and The Personal Data Protection Bill, 2018. Before proposing this draft bill, the said committee had issued a white paper on the subject as well. The draft bill is largely a copycat of the EU’s General Data Protection Regulation(“GDPR”). the personal data protection obligations contained in Chapter II of the Bill are very similar to those made in GDPR or the earlier OECD principles. Although the proposed legislation has introduced some new terminologies, I honestly do not understand the intent or purpose. For example, the terms “data fiduciary” and “data principal” respectively replace the by now well-known terms “data controller” and “data subject”.
The draft legislation propounds following guiding principles and makes the data fiduciary accountable for ensuring compliance:
1. Personal data shall be processed in a fair and reasonable manner that respects the privacy of the data principle.
2. Personal data shall be processed only for purposes that are clear, specific and lawful
3. Only those personal data be collected which is required for processing
4. The data fiduciary shall provide a detailed notice before collecting the personal data
5. The data fiduciary has the responsibility on ensuring quality of data
6. Data should not be retained for a longer duration than required.
The draft bill has not defined what is fair and reasonable, giving unfair opportunity for the data fiduciary to play with the data.
The draft Bill allows “Personal data” to be processed only on the “lawful processing” grounds mentioned in Chapter III of the Bill. Accordingly, personal data can be processed on the basis of the following:
a. the consent of the data principal
b. for the functions of the State
c. in compliance with law or any order of any court or any tribunal
d. necessary for prompt action like medical emergency, treatment, safety etc.
e. for purposes related to employment
f. any other reasonable purposes. (Note: this provision gives enough justification for data fiduciary to use the personal data even without consent of data principal)
Essentially, this draft bill proposes to create a legal regime for personal data use based on notice and consent of the data principal. This could well be a problem area because “Consent” as a mechanism has been grossly misused by digital companies. ISPs, internet websites, social media providers, web-based entertainment streaming companies, mobile apps etc. all already have elaborate privacy notices and purportedly, they have obtained consent from their subscribers. As the law mandates many things to be covered in the notice, such notices naturally become lengthy and elaborate.
If this proposed law is enacted, then digital companies and internet providers, web browsers can use the customer personal data on the basis of this privacy notice and alleged consent. Everybody is well aware that the consent so obtained has no meaning as the customer has no option not to give the consent if he wanted to use the said service. If consent is not given, the customer will not be able to use the service at all.
Many of the digital services have become essential services. Like internet browsing, maps, emails, data storage services, e commerce etc.. No one can imagine life without using google and other browsers, YouTube and other for video streaming services, WhatsApp or other messaging platforms, Facebook or other social media networking sites. Most of these services are now essential services where majority of citizen is regularly using it.
It will be difficult to live in this world without having most of these services. Hence, every user (popularly called data subject/ principal) has no option other than agree to the notice and give the so-called consent allowing these companies to use their personal data. He has no negotiating option or bargain. He is at the mercy of these digital service providers.
Instead of addressing concerns of data subject/ principal, the proposed law merely legitimizes this pernicious practice of at least some digital companies unscrupulously monetizing and otherwise commercially exploiting personal data of their users compromising their privacy, because they have received “consent”.
Notice and consent -based regulation is not an effective mechanism to prevent rampant mis-use of personal data and commercial exploitation of it. What we need is a strict law that guarantees some basic privacy rights and personality rights to consumers of digital services. A regulatory and redressal mechanism based on data protection officers, data protection authorities etc. will be highly ineffective in the Indian context.
What would have been more appropriate is to define more responsibilities and impose strict obligations on every personal data user. That set of responsibilities should be formulated on the basis of normal ethical behaviour expected from any citizen and based on moral and legal principles.
The Supreme court of India has declared Privacy to be a fundamental right. Fundamental Rights are basic inalienable rights granted to citizens under the charter of rights contained in Part III of the Constitution of India. Fundamental rights cannot be waived or legally be taken away by anybody on the basis of a “notice” and “consent”. The State has a responsibility to ensure that those fundamental rights are guaranteed. As such, personal data elements that have privacy implications should necessarily be kept private and their commercial exploitation by breaching privacy should not be permitted. Notice and consent cannot legitimate commercial use of personal data compromising privacy.
In my view, the draft law should cover the following broad issues:
a) Stipulate a strict data use code for every digital company as well as digital users and provide inalienable fundamental privacy rights to citizen.
b) Set standards on personal data acquisition, use, sharing and processing that must be mandatorily followed.
c) There must be a definition for “Essential digital services”. Providers of these essential digital services should be asked to comply with higher standards in terms of do’s and don’ts. and same to be statutorily prescribed keeping in mind that these are essential digital services
d) Any company/app/ internet service provider/browser that provides essential digital services cannot use their subscriber data for any other purposes.
e) The concept of “personality right” to be introduced and granted to all citizens and a set of rules mandating everybody to respect the persona of the person. Any personal data use that compromises, personality rights of the citizen should be regulated.
f) Relook at what constitutes “sensitive personal data” in the context of India’s culture, because certain data currently listed may in fact not be that sensitive for most Indian citizens, adding more and more items to the list will not make the life of data principal better, as “Explicit consent” mechanism suggested for use of such sensitive personal data will also be ineffective.
g) Section 46 of the proposed Bill exempts personal data users from most of the provisions of the proposed law, if the processing of personal data is for personal or domestic purposes. Unfortunately, what constitutes “personal” or “domestic” purposes is not defined. Most of the data shared on social media platforms can arguably come under this definition. If the same is excluded, it takes away almost all digital activities from the purview of this legislation. The draft legislation does not make any effort to bring some code of ethics for social media companies. Of course Section 97 (6) of the proposed bill requires data protection authority to notify a code of practice in relation to data processing. However, as long as ‘consent’ legitimizes personal data use, and exemptions like Section 46 exists, code of practice that may be notified later will not give any better rights to data principal.
h) Section47 of the proposed legislation exempts personal data user from most of the provisions of the Bill, if processing of personal data is for journalistic purposes. But in today’s digital world, every citizen is a journalist. And thanks to platforms like Whatsapp, Instagram and Facebook, millions of people are publishing, posting, tweeting, retweeting, forwarding, liking, commenting on pretty much every possible subject. this exemption is very wide and it may nullify the purpose of the entire legislation. Providers of these publishing platforms like Whatsapp, Instagram and Facebook are merely intermediaries, or they are data fiduciaries is not defined in the Act. It is likely that these companies will get away from the privacy responsibilities stating that they merely intermediaries and platform providers. Whereas users of these facilities can get away from all privacy responsibilities stating that it is the journalistic activity or personal or domestic purposes.
i) The code of ethics of Press Council of India or any self-media regulatory organization is not a binding law. It can be changed any time by the respective bodies, with neither the government nor citizens having any control over it. It is therefore surprising that the proposed law gives statutory recognition to such private self-regulation efforts. If this is not changed, I expect a lot of complications in the future. Instead of relying on such third-party self-regulation, the Parliament should enact a code of conduct for citizen journalists and social commentators.
j) The proposed legislation has not addressed the technological improvements like IOT where there is no one data fiduciary and no single collection point. It is a set of connected devices where all are collecting and sharing each other different personal data elements resulting intelligent outputs. The definition of data fiduciary in the proposed legislation is not addressing this technology architecture.
Notice and consent is not an effective mechanism to regulate the use of personal data. The technology has moved far ahead and machines are intelligently and automatically collecting and processing personal data, where it is impractical to give notice and get meaningful consent. The State has a far greater responsibility to guarantee to its citizens their inalienable fundamental right to privacy by enacting appropriate prescriptions in law.
By: Rajesh Vellakkat, Partner, Fox Mandal & Associates
(Views expressed above are the authors own)