LAST WEEK, THE UNION CABINET gave the green light to the Digital Personal Data Protection Bill. The Bill is likely to be tabled in Parliament in the Monsoon Session. The Bill provides a charter of rights and obligations for individuals and data processors as well as a hefty schedule of penalties ranging up to ` 250 crore in case of certain violations.
The Bill has been in the works for a long time and was first outlined in 2018. Last August, the government withdrew the Bill and promised to come back with comprehensive legislation. In November last year, it released a draft Bill for debate and discussion. While the Bill cleared by the Cabinet has not been released, it is expected that the broad contours of the Bill will be along the lines of the draft released last year.
As can be expected for any legislation of such magnitude, criticism has begun mounting just before the Bill is to be presented in Parliament. Much of the criticism has come from privacy activists and civil society members who claim the Bill is heavily loaded in favour of the government. Some of it is unwarranted.
For many privacy activists, the deemed consent clause of the Bill (Section 8) is unusually loaded in favour of the government and other data processors/fiduciaries. According to these activists, the deemed consent clause is far-reaching and gives insufficient protection to individuals. But a close reading of Section 8 shows that requirements for deemed consent are essential for both running a modern, information-based economy as well as the functioning of government. The section does include a sub-section that introduces a novel concept of public interest. This is wide-ranging and includes network and information security, operation of search engines for processing publicly available personal data, recovery of debt and prevention of fraud, among other matters.
A further sub-section weighs between the interests of data fiduciaries and individuals—data principals in the Bill’s parlance—as well as the “reasonable expectations” of data principals. All these sections are likely to witness intense debate within and outside Parliament.
On paper, it seems that taking consent of individuals is just a matter of a click for any company or private enterprise. But in reality, there are additional compliance costs associated with such steps. When these ‘benefits’ are read along with the duties of a data fiduciary, the balance sheet is more or less even.
The ire of activists is directed at the exemptions for state agencies in storing data. The reality is that many of these exemptions are necessary for legal purposes as well as processing of data for investigations
Share this on
The one area where the dice is loaded in favour of the government is on public order, national security, and the interests of the state. This was to be expected in this Bill and it is unlikely that there will be any major change on this score in the text of the Bill that will be presented in Parliament.
In this context, there has been a hot debate on the exemptions outlined in Section 18 of the Bill. These are indeed wide-ranging and include a near-blanket exemption for government agencies as and when notified by the government. Activists contend that this can be done on the basis of a ‘mere’ notification. They say this lowers the bar on privacy when compared to the Supreme Court’s judgment in the privacy rights case (Puttaswamy). Many of these activists worry that Section 18(4) of the Bill exempts any government agency from deletion of an individual’s data after use and allows the retention of such data for a possibly long and unspecified period. Privacy activist Apar Gupta claims this violates the “principle of purpose limitation”.
The reality is different. When it comes to the private sector, the danger emerges from the use of large aggregates of data to predict individual behaviour through data mining and artificial intelligence (AI) techniques. This is an emerging area where the effects of such modelling and prediction at the individual and social levels are yet to be fully understood. In this context, it is essential that data retention—if needed—is tightly regulated. It would be best if such data is automatically erased, especially when in the hands of private corporations. Here, the Bill is weak and instead of an automatic erasure of data, it prescribes that a data principal can approach a data fiduciary to erase his/her data. This is weak medicine against powerful corporations that can store such data with the individual having no means to verify if the data has indeed been erased. These are genuine and worrying trends as observers of developments in the use of information by large corporations can testify.
In contrast, the ire of these activists is directed at the government and the exemptions for its agencies in storing data and other provisions of the Bill. The fear expressed is that this could lead to largescale surveillance and that other parts of the state—like the legislature—would exercise insufficient scrutiny of the government. The reality is that many of these exemptions for government agencies are necessary for legal purposes, such as judicial proceedings, law and order matters, as well as processing of data for investigations. The one exemption for national security purposes is outlined in Section 18 Part 2(a). This states: “The Central Government may, by notification, exempt from the application of provisions of this Act, the processing of personal data: (a) by any instrumentality of the State in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these.”
The wording of this section is identical with the “reasonable restrictions” to Article 19 of the Constitution that deals with “fundamental freedoms”. As such, there is nothing out of place in this section: it transposes to the digital domain what is otherwise available elsewhere.
This is where the hollowness of the activist approach to privacy becomes obvious. If left to civil society, NGOs and others, there would be a blanket ban on government when it came to processing and retaining any kind of data. The reasons are not hard to discern. Many of these activists and NGOs are closely involved in political activities while they profess neutrality. Many of India’s restive regions with a history of violence and separatism require careful handling and in these regions the government is well within its rights to keep a close eye on so-called activists. A law-abiding citizen has hardly any reason to fear these provisions as he is not in the zone where he puts others in danger.
India’s digital economy is estimated to range between $150 and $200 billion in 2023. It is expected to jump to $1 trillion by 2030. It has taken a long time to even formulate a bill for data management. There is no point trying to get a ‘perfect’ law in an area that is still evolving
Share this on
One interesting case where activists have opposed a portion of the Bill is Section 16, Part 4. This section reads: “A Data Principal shall furnish only such information as is verifiably authentic while exercising the right to correction or erasure under the provisions of this Act.” This is a harmless, good-faith, provision. But the ire against it reflects something else. Imagine you are running an anonymous social media account that vents freely on all subjects. Suppose you delete your account and you want all information deleted. In that case you will have to provide authentic personal information while making the request. But what this will do is make anonymity difficult. This anonymity has been linked to the “right to dissent” by activists. The politics of this right is quite obvious.
The same activist mindset informs criticisms against the compliance framework of the Bill. The Bill provides for a Data Protection Board of India. The board will be tasked with receiving complaints and grievances and hearing these and finding solutions. The board, including its chairperson, will be appointed by the government. This has not gone down well with activists who think the board will not be ‘independent’. If left to these activists, NGOs and civil society members, the board should have an independent appointing authority just as in the case of leading institutions. Government, in this view, is best left with a peripheral role. This is again part of the drive where key institutions are by design sought to be distanced from the executive while turning the government into a series of checks and balances. It is another matter that in a country like India this is a recipe for governmental paralysis where each institution does what it pleases, all in the name of autonomous functioning.
Whenever the Bill gets passed, it will make a beginning towards establishing a system of rights and obligations in the digital arena. India’s digital economy is variously estimated to range anywhere from $150 to $200 billion in 2023. It is expected to jump to $1 trillion by 2030. For an area growing by leaps and bounds it is incongruous that it lacks a charter of digital rights and obligations. India’s digital economy began its slow march at the turn of the 21st century and has grown fast in the last five to seven years. It is strange that it has taken nearly a quarter century for enabling legislation in the area. For sure, there are laws like the Information Technology Act, 2000. But that law deals with regulation and not the management of data and information and privacy safeguards. India has taken a long time to even formulate a Bill for this purpose. There is no point trying to get a ‘perfect’ law in an area that is still emerging and one where technological changes are bound to outpace any legal framework that can be devised. There will be later occasions when the law can be amended after seeing how it works. In the interim, courts and watchful citizens can always keep an eye on how the law evolves.
More Columns
Beware the Digital Arrest Madhavankutty Pillai
The Music of Our Lives Kaveree Bamzai
Love and Longing Nandini Nair