Data protection: Does India want to be the Big Data State After All?
Context:
- India continues to prove to the world that the State needs to act like a parent for her subjects (data). The recent WhatsApp breach gave further succour to push for a Data State.
- This was done as the government introduced a draft of the Personal Data Protection Bill (PDP) in Parliament on December 11, 2019. The bill was referred to a joint select parliamentary committee. If the current PDP is anything to go by, there are several opportunity costs.
Background:
- The Personal Data Protection Bill, 2018, was prepared by a high-level expert group headed by former Supreme Court Judge N. Srikrishna.
- It is the first step in developing a privacy framework to preserve the sanctity of “consent” in data sharing and penalize those breaching privacy norms.
Some important features of Personal Data Protection Bill, 2019:
- Sensitive Personal Datacan only be processed with the explicit consent of the person and this consent need to be informed, clear and specific. This data can only be sent abroad with Data Protection Authority
- The bill also Specifies Penaltiesfor not following its provisions including a penalty of Rs. 5 crore or 2% of the turnover, whichever is higher, if no action is taken on a data leak.
- The government is entitled to direct a fiduciary (entity or individual who decides the means and purposes of processing data) to get access to non-personal data to provide better services to Citizens.
- In certain circumstances, processing of data may be permitted without the Consent of the Individual.
- In the interest of national security, certain government agencies can have access to personal data for any investigation pertaining to offences.
- There is also a provision for central Government to notify critical personal data,which will then be only processed in a server or data centre located in India.
Concerns regarding the proposed Personal Data Protection Bill:
1. The PDP allows for the processing of personal data for the provision of any ‘service’ or ‘benefit’ provided by the State.
2. PDP does not have a focus like GDPR (General Data Protection Rule),where there is at least onus on the data processor to establish how non-consensual data processing must outweigh the data subject’s fundamental right.
3. Ordinary rules governing judicial review on State action will, therefore, become the default rule for enforcing privacy breaches. PDP shall, thus, dilute the Puttaswamy judgment on the right to privacy
4. A suggestion could be to adopt the GDPR framework to allow subjects to object against data processing by the state in certain situations. The current PDP only allows the right to erasure and call for factualincorrectness of data, but doesn’t provide an outright ability for citizens to object to non-consensual data sharing.
5. The Central Government reserves its right to issue binding instructions to the DPA severely compromises the independence,calling the need for an overarching ombudsman structure using established principles of administrative law.
6. The data localisation requirement under the PDP is still not challenge-free like sensitive personal data (SPD) and personal data would usually be stored as a mixed set,and de-identification may be an arduous exercise.
7. Similarly, leaving the definition of ‘critical personal data’ open to the government,in the absence of legislative guidelines, seems like excessive delegation.
8. The government right to seek anonymised data from retaining the data fiduciaries,although patently innocuous, leaves room for enough data sets to be generated which would otherwise not be available to the government
9. Further, the blanket right to exclude the applicability of the PDP to State agencies in the interest of ‘sovereignty’, ‘integrity’ or ‘public order’does place the State on a different footing as far as ownership and processing of data is concerned.
Conclusion:
- The sweeping powers the Bill gives to the Government renders meaningless the gains from the landmark K.S. Puttaswamy case which culminated in the recognition that privacy is intrinsic to life and liberty and therefore a basic right. That idea of privacy is certainly not reflected in the Bill in its current form.