Protecting privacy of Individual or legalizing control by State? Decrypting the Data Protection Bill

The misuse of personal data has been the Achilles heel to many Indian nationals for quite some time now. With personal information easily available, owing to the marked absence of an established regulatory regime, everyone from spammers to hackers as well as individuals, have been having their field day in the way they use and secure other individual’s data. It is not so out of the ordinary anymore to learn from a fellow colleague or friend that they were duped off money from their bank accounts owing to the handiwork of petty hackers. Spam marketing calls have been riddling the minds of hapless individuals who access myriad websites for harmless purposes ranging from research to e-commerce. Illegal snooping is a common phenomenon and we are constantly subjected to it to some degree on social media which most of us have access to including adolescents, who owing to their impressionable age, are often the biggest victims. With a view to addressing most of these problems, the Government of India in December 2019, proposed a legislation on the lines of EU’s General Data Protection Regulation (GDPR) that endeavours to regulate the use and processing of personal data of individuals by the government and private entities both foreign as well as domestic. By examining some of its salient features, this article attempts to conclude whether or not the bill is a boon for individuals or an attempt at legitimizing control of ‘personal data’ by the Indian Government.

Conferring rights upon individuals:

The bill under Section 3(28) defines ‘personal data’ as any data of a natural person that can be identifiable with any characteristic, trait, attribute or any other feature of her/his identity or combination thereof, whether online or offline and including any inference drawn from such data for the purpose of profiling.[1]

Section 3(31) defines “processing” as the operation of collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction of personal data.

‘Consent’ under the DPB is a vital piece in the entire edifice of the proposed legislation, as it forms the quintessential basis for processing data. The bill under Sections 11, 12, 13 and 14 mandates obtaining free and informed ‘consent’ by a natural person who is defined under Section 3(14) as the ‘data principal’, prior to processing her/his personal data. When compared to the GDPR, this truly stands out, as the processing of data in the EU legislation can be done without ‘consent’ for reasons such as ‘legitimate interests’ whereas the Data Protection Bill necessitates processing purely on ‘consent’ of the data principal, at least in so far as private entities are concerned.

Moreover, unlike the GDPR which uses the more objective nomenclature of ‘controllers’ for the entities that decide the purpose and process of data processing, the bill under Section 3(15), by using the term ‘data fiduciary’, attempts to lay emphasis on the ‘duty of care’ to ensure the lawful processing of personal data in a manner that is ‘fair and reasonable’ as well to highlight the ‘fundamental expectation of trust’ between the data principals and fiduciary.[2] The introduction of a more normative concept in this regard has probably been done keeping in mind the overall object of giving primacy to the privacy concerns of data principals. Given that the onus to prove that ‘consent’ was freely given by the data principal vests with the Data Fiduciary, this certainly seems to a hypothesis that is quite convincing.

Another concept which has been introduced through the proviso to Section 23(5) is that of ‘consent managers’, who are a special category of Data Fiduciaries envisaged for the purpose of assisting data principals to manage their consent and exercise their rights such as that of access to their data, erasure, etc. These officials have been vested with the responsibility of managing the consent of data principals across multiple fiduciaries through the creation of an accessible, transparent and interoperable platform. A provision which fails to clarify who will appoint consent managers and how they are to operate, however despite this ambiguity, this can be advantageous for the Data Principal as it will ease management of consent and facilitate the exercise of their rights. However, it tends to be unfavourable for Companies who will be burdened with huge compliance measures, particularly in terms of integrating with multiple consent managers as well as the additional costs of hiring such personnel, in the event the legislation does include such a provision within its scope.

Some noteworthy features that should put smiles across the faces of most data principals are contained under Sections 9, 18, 19 and 20 which provide the right which mandates deletion of personal data beyond the period necessary for processing, right to erasure and correction, right of portability of personal data between Data Fiduciaries and the right to be forgotten, which is basically a right to restrict the use of their data beyond the period necessary respectively.

Children and social media:

Additionally, the bill seeks to tighten the way personal data of children (under the age of 18 years) is handled by mandating consent of parents as well as prior verification of their age by a process prescribed by Regulations under Section 16. Going a step further, the bill under Section 16(4) introduces the concept of ‘Guardian Data Fiduciary’ who are entities that operate commercial websites or online services directed at children as well as process large volumes of personal data of children. This category of fiduciaries has been tasked with the ‘duty of care’ towards children.

Amongst other things, the bill also seeks to create an Authority by introducing the function of maintaining a public database under Section 49(2)(c) which will include names of significant data fiduciaries together with a ‘data trust score’ which is basically a kind of review standard for Fiduciaries. An added right has been granted to Data Principals according to which they can obtain all their personal data and their summaries from the Data Fiduciaries along with the right to access in a single place the identities of the data Fiduciaries with whom their Personal data has been shared.

The bill through its statement of objects and reasons seeks to tighten the noose around social media intermediaries by making provisions to notify them as significant data fiduciaries thereby subjecting them to the same rigours of Sections 11, 12, 13 and 14. Furthermore, large social media platforms under Section 28(3) shall be required to offer a mechanism whereby users can verify their accounts subsequent to which such intermediary shall under Section 28(4) provide the user with a demonstrable and visible mark of verification, which shall be visible to all users of the service, display such mark publicly. In the backdrop of the recent ban on 59 Chinese apps[3] as well as the launch of the first indigenous social media App called “elyments” by the Vice President,[4] the argument that the Government has identified social media as a definitive source of threat to personal data cannot be obliterated.

Finally, amongst other things, the bill under Section 28(1) provides for the audit of data processing policies and conduct by independent data auditors provided for under Section 29. Despite these rigours, the fact that data localization shall not apply to personal data does give some scope to breathe for social media enterprises that are below the prescribed threshold in terms of Section 26(4)(i). Whether or not social media houses are able to take benefit of this, is something only time can tell, however, given the tempest of cybersecurity risks[5] ranging from terrorism,[6] hacking, bank fraud to cyber bullying[7] and child porn amongst others that are thriving in the world of social media as well as in light of recent confessions by social media companies such as Facebook,[8] a stringent check on the personal data of users is a welcome initiative from the perspective of parents of underage persons and adults alike.

Companies:

The bill mandates that ownership of data remains in the hands of the data principal. While this is a significant step towards protecting individual privacy rights, the fact that it places stringent compliance requirements for the transfer of sensitive personal data outside India under Sections 33 and 34 is certain to have a considerable impact on the companies operating in and out of India, especially given the fact that personal data is considered to be one of the most crucial assets of most businesses in this digital age.

Under the bill, ‘sensitive personal data’ as defined in Section 3(36) which includes data such as financial, biometric, data pertaining to caste/tribes, etc. can only be transferred outside India for processing, pursuant to the data principal having explicitly consented to such transfer and subject to such data being stored locally in terms of Section 33(1). Furthermore, Section 34 (1)(a) places an additional embargo, which is that transfers can only be made pursuant to a contract or intra-group scheme approved by the Authority established under Section 41. There is a provision for ‘critical personal data’ as may be notified by the Central Government from time to time shall only be processed in India. Also, critical personal data may be processed only within India according to Section 33(2) the definition of which is the prerogative of the State, and this may well be a cause of concern for Companies owing to the uncertainty surrounding the inclusions.

What would come as a major shocker to Companies is contained in the penalties that are inspired by the GDPR. The 2019 bill provides for hefty penalties under Section 57 upon data fiduciaries ranging from the higher of INR 5 crores (USD 667,000) to a whopping INR 15 crore (USD 2 million) for non-compliance with cross-border transfer provisions and complicity with consent and grounds of processing.[9]

To make things worse, the law for ascertaining liability of consent managers if the event of failure of communication of consent, or for instances of data breach is unclear and given the huge penalties specified such ambiguity could prove to be deleterious for Companies and should be urgently addressed for the law to be able to strike a pragmatic balance, as many private companies perform essential functions such as marketing, data analytics, research, etc. on processing personal data of individuals which they have free and unrestricted access to up until now.

The bill at Section 22 introduces the concept of a “privacy by design” policy which is basically a public disclosure of things such as business practices employed, a declaration of obligations, technology used in processing data amongst other things. The bill provides that data fiduciaries ‘may’ chose to have this certified, albeit the lack of clarity on whether or not the same is mandatory, this can certainly serve as a very important facet in the upcoming legislation to secure the primary objects of the law. Nonetheless, mandating compliance with these provisions might prove to be burdensome as well as expensive for Companies.

However, given that most companies around the world are subjected to such laws,[10] and the fact that the current bill is based on the GDPR which contains similar provisions, Companies ought to consider putting up their systems in place instead of waiting for that last-minute whistle.

Enforcement of rights & obligations:

Unlike the GDPR where the right to be forgotten is more or less automatic, the bill under Section 20 provides for the same at the discretion of an Adjudicating Officer. All other rights can be asserted either directly before the Data Fiduciary by a process of grievance redressal that the latter is mandated to put in place under Section 32 or through consent managers appointed in terms of Section 24(5) of the bill.

The bill also envisages under Section 32 for the escalation of grievance in the event of a failure on the part of the fiduciary, to the Authority provided for under Section 41 called the ‘Data Protection Authority of India’ which has the same powers as are vested in a civil court under the Code of Civil Procedure, 1908 and by virtue of which sweeping powers upon fiduciaries including the power of inquiry, search and seizure as well as punishment. The bill also provides for a system of appeal before an Appellate Tribunal under Section 72 and also provides that orders of these bodies shall have the same force as those of local civil courts. Interestingly, the fact that the Authority is not bound by the Rules of Code of Civil Procedure, 1908 as stated under Section 73, the breather here is that matters taken up can be expected to be speedily resolved compared to suits. All these mean that the bill does indeed provide for an exhaustive and robust mechanism for the fulfilling the objects and purposes that it speaks of.

The speculated trade-off between the rights of individuals vis-à-vis the Government and its instrumentalities: Privacy of individual vs national security?

The most controversial provision which has attracted huge attention of multiple stakeholders is that of the exemption given to governmental agencies for processing of data. Citing national security reasons, the government can secure for itself, any personal data and this is being perceived of by many as being detrimental to the interest of the individuals as well as Companies in the role as data fiduciaries.

Another feature that has attracted controversy is the requirement to share anonymized and non-personal data with the Government. It has been argued that this power to the Government to access data and verify social media users can pose a new and significant threat to an individuals’ right to privacy, this issue, however, is debatable given the Indian Supreme Court’s verdict in the landmark Justice K.S. Puttaswamy Case.[11]

Since the submission of the first draft of Justice Sai Krishna Committee Report[12] which suggested mandatory consent of the ‘data principal’, the bill proposes to exempt the need for the data principal’s consent in favour of the Government under Section 35 and 36 in matters of sovereignty, integrity of the state and national security. While the inclusion of this has invited a fair amount of criticism, when compared with the GDPR, one will find similar exceptions contained under Articles 1 and 23. Also, some of the provisions of the Indian Penal Code[13] as well as the Constitution of India[14] itself, contains similar powers conferred to State and its instrumentalities in offences of similar instances which places fetters on the individual’s rights in favour of the State. It is common nowadays that Governments such as UK and USA seek access to personal data every now and then, in the interest of national security,[15] therefore as long as done with fetters and in line with the confines of Sections 35 and 36, these arguments are premature and predominantly presumptive. With the heightened risk of online security breaches being perpetrated all over the world, in jumping to conclude that the bill is arbitrary and may not stand the test of Constitutional legitimacy by the Courts, one must first consider that their presumption will always favor legislation and hence, while the concerns are genuine, any exclusion should be made upon careful consideration of any subsequent facts or instances of actual privacy breach by the Sovereign in the backdrop of the whether or not such action was outside the confines of national interests, and if found to be so, should be a genuine reason to be struck down. However, till such time these debates are anachronistic and will unnecessarily delay in providing the much-needed blanket of protection for an individual’s personal data.

Conclusion:

The data protection bill of 2019 attempts to bring about a unique mix of data privacy rights and obligations, most importantly, seeks to provide the much-needed protection for individuals from most actors by keeping free ‘consent’ as the mandatory standard for securing the personal data of individuals. Despite mirroring the many exemptions of the GDPR in favour of State, the bill does in fact dish out an array of much-needed rights and obligations together with the exhaustive grievance redressal and enforcement mechanism, and given the many security threats to individuals and State alike the bill certainly attempts at the creation of a balanced comprehensive regime for regulating the way ‘personal data’ is processed.

Moreover, the bill, if it culminates to legislation, will have severe ramifications for corporations as well as social media houses, particularly owing to the costs of setting up the infrastructure to secure the processing and use of personal data as well as owing to the heavy burden of penalties imposed by it. However, given that they are subject to such legislation in multiple jurisdictions across the planet, this should not be a huge cause for concern.

Also, in wake of the heightened risks to which the individual’s personal data is exposed to in the necessary digital world, any legislation which attempts to secure access to personal data in favour of the Sovereign, especially in the larger interest of national security, is a necessary trade-off provided the use is fair and reasonable and within a well-defined architecture with limits on usage. On this score, the bill does well by highlighting the ‘fundamental expectation of trust’ between data principals and fiduciaries who have a ‘duty of care’ to process personal data in a ‘fair and reasonable’ manner. When read together with fetters on State’s right of access to personal data of individuals in cases relating to matters of sovereignty, integrity of the state and national security, the proposed legislation does indeed appear to have been objectively drafted to balance the needs of individuals and the State. However, to able to better protect the interest of corporations the ambiguities in provisions relating to consent managers and privacy by design policies amongst others, will need further introspection since the bill is fairly harsh on them.

[1] Text of the Personal Data Protection Bill, 2019 accessed at https://www.prsindia.org/billtrack/personal-data-protection-bill-2019 on August 28, 2020

[2] A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, Committee of Experts under the Chairmanship of Justice BN Srikrishna, at p7-10 (2018)

[3] https://www.businessinsider.in/tech/apps/news/checkout-the-name-of-the-chinese-banned-apps-in-india/articleshow/76696132.cms accessed on August, 2020

[4] https://indianexpress.com/article/india/atmanirbhar-call-to-galvanise-growth-innovate-venkaiah-naidu-6491865/ accessed on August 30, 2020

[5] https://ciso.economictimes.indiatimes.com/news/37-increase-in-cyberattacks-in-india-in-q1-2020-report/75962696 accessed on August 22, 2020

[6] https://www.washingtonpost.com/opinions/2019/03/16/why-social-media-terrorism-make-perfect-fit/ accessed on August 22, 2020; https://www.gatestoneinstitute.org/12041/facebook-social-media-terrorism accessed on August 22, 2020; https://www.npr.org/2019/04/24/716712161/global-effort-begins-to-stop-social-media-from-spreading-terrorism accessed on August 22, 2020

[7] https://www.thehindu.com/news/national/andhra-pradesh/cyber-bullying-new-menace-haunting-kids-experts/article32320331.ece#! accessed on August 22, 2020

[8] https://www.news18.com/news/india/facebook-india-head-appears-before-parliamentary-panel-on-whatsapp-snooping-issue-2423755.html accessed on August 22, 2020

[9] https://www.dqindia.com/personal-data-protection-bill-2019-mean-tech-industry/

[10] https://www.cmswire.com/customer-experience/when-customers-control-their-data/ accessed on August 22, 2020

[11] Justice K.S.Puttaswamy (Retired). vs Union of India And Ors. (2017) 10 SCC 1

[12] First Draft of Justice Sai Krishna Committee Report July 2019

[13] Chapters 6 to 8 of the Indian Penal Code 1860, http://legislative.gov.in/actsofparliamentfromtheyear/indian-penal-code

[14] Article 19, The Constitution of India, http://legislative.gov.in/constitution-of-india