The bill was referred to a joint select parliamentary committee. If the current PDP is anything to go by, there are several opportunity costs. The PDP allows for the processing of personal data for the provision of any ‘service’ or ‘benefit’ provided by the State.
By Vatsal Gaur
India continues to prove to the world that the State needs to act like a parent for her subjects (data). Good parenting is ideally a result of the parent having lived a life full of rich experience and an ability to master life trajectory. With the democracy still young, and dwindling economic parameters over the last three quarters, the locus standi seems weak. Any attempt to monopolise data, on the pretext of due functioning, is an unfounded approach to monetise the now overused ‘demographic dividend’ of young population.
The recent WhatsApp breach gave further succour to push for a Data State. This was done as the government introduced a draft of the Personal Data Protection Bill (PDP) in Parliament on December 11, 2019. The bill was referred to a joint select parliamentary committee. If the current PDP is anything to go by, there are several opportunity costs. The PDP allows for the processing of personal data for the provision of any ‘service’ or ‘benefit’ provided by the State. In contrast, another provision leaves room to define what constitutes ‘reasonable purposes’ for non-consensual processing of data.
PDP does not have a focus like GDPR, where there is at least onus on the data processor to establish how non-consensual data processing must outweigh the data subject’s fundamental right. Ordinary rules governing judicial review on State action will, therefore, become the default rule for enforcing privacy breaches. However, since the Data Protection Authority (DPA) isn’t under obligation to provide reasoned orders before processing data, the grounds of such judicial challenge will be limited. PDP shall, thus, dilute the Puttaswamy judgment on the right to privacy. A suggestion could be to adopt the GDPR framework to allow subjects to object against data processing by the state in certain situations. The current PDP only allows the right to erasure and call for factual incorrectness of data, but doesn’t provide an outright ability for citizens to object to non-consensual data sharing.
Interestingly, since the technology itself is not sacrosanct and is liable to be manipulated, in case of factually inaccurate data sharing, the State could potentially land in embarrassing situations unless an additional layer of legitimacy is in place. Thus, it is important to staff the DPA not just by appointing retired judges and bureaucrats but also seasoned technology veterans. An intensive boot camp for potential training of candidates is not a far-fetched idea. The Central Government reserves its right to issue binding instructions to the DPA severely compromises the independence, calling the need for an overarching ombudsman structure using established principles of administrative law.
The data localisation requirement under the PDP (although eased from the previous version of the bill) is still not challenge-free. For instance, sensitive personal data (SPD) and personal data would usually be stored as a mixed set, and de-identification may be an arduous exercise. Similarly, leaving the definition of ‘critical personal data’ open to the government, in the absence of legislative guidelines, seems like excessive delegation. Third-party transfers of SPD are required to be approved by the DPA, which could reduce agility in fast-paced innovation, especially blockchain and distributed ledger technology (DLT). An exception for real-time data transmission using DLT should be considered. Similarly, while the sandbox introduced in the PDP is laudable, one needs to take care of the selection criteria of companies. The chances of government owned enterprises competing with private players cannot be excluded. Therefore a ‘neutral’ and well-implemented selection procedure will be imperative.
The government retaining the right to seek anonymised data from data fiduciaries, although patently innocuous, leaves room for enough data sets to be generated which would otherwise not be available to the government. Deanonymisation of data is not entirely off-limits. Further, the blanket right to exclude the applicability of the PDP to State agencies in the interest of ‘sovereignty’, ‘integrity’ or ‘public order’ does place the State on a different footing as far as ownership and processing of data is concerned.
Does India want to be the Big Data State after all, and what is so peculiar about her data subjects that call for them being treated like wayward children? We can only read between the lines for now!
Author is Associate Partner at HSA Advocates. Views are personal