In this post, the third in our series on the Data Protection Bill, we explain the various issues with the Personal Data Protection Bill, 2019. There is, of course, a lot to write about, so think of this as a list of the key issues with the Bill: the dilution of users’ rights, non-consensual processing of data, ambiguities in the definitions, the threat of large-scale surveillance, a lack of independence of the Data Protection Authority, and the stifling of social media.
What we’ve already learnt
Part 1 of our series dealt with the need for a data protection bill, and illustrated emerging threats to our modern digital life. We also provided some historical context for the Bill, and gave some updates on what the future holds with respect to the report of the Joint Parliamentary Committee on the Bill.
Then came Part 2, in which we dug into the nitty gritties and explained the various provisions of the Bill. We began with an explanation of all the definitions and jargon, and then showed how the Bill:
- provides users with certain Rights;
- lays down a consent mechanism for the processing of personal data;
- imposes obligations on data collectors and processors;
- lays down transparency and accountability measures to be followed;
- provides the government with certain exemptions.
We also provided an update on the Bill: the Joint Parliamentary Committee on the Personal Data Protection Bill will now be releasing its report in the first week of the monsoon session. As we said, this gives us time to ensure that we, the citizens of India, understand and analyse the Bill so that India can implement a robust data protection framework that protects the rights of users.
In this post, we want to highlight the key issues with the Bill that we feel require the most scrutiny. Our analysis here draws heavily from our earlier work under the SaveOurPrivacy campaign, through which we have been writing about privacy regulations vociferously over the last 2-3 years. However, while we do go into some detail in this post, our aim is to provide a sampler of issues for the reader to engage with. A more detailed and in-depth dive into these very concerns shall be forthcoming.
Dilution of users’ rights
Whilst the Personal Data Protection Bill does grant individuals certain rights and protections, it also makes the exercise of these rights difficult. For example, data principals can withdraw their consent for the processing of personal data; however, it is not as easy to exercise this right as it sounds. The Bill states that if the withdrawal of consent is without any ‘valid reason’, the data subject will have to bear the legal consequences of such withdrawal. Here, the burden to prove that the reason for withdrawal was valid is on the data principal. This is against the principle of consent under the Bill, which requires that consent should be as easy to give as it is easy to withdraw. Further, it is not clear what constitutes a 'valid reason', or what the nature and extent of the legal consequences contemplated under the section are. The threat of legal consequences would deter data subjects from exercising their right to withdraw consent to data processing, which calls into question whether the consent is freely given.
The Bill creates a further impediment to the exercise of the rights of data principals by allowing data fiduciaries to charge data principals a fee for processing their requests. Such a provision does not take into account prevailing socio-economic conditions in India, and the fact that in India technology is used by the rich and the poor alike. Hence, a fee requirement would create a gap in the exercise of the rights under the Bill, where certain rights would become the prerogative of the rich.
Processing of data without consent
Chapter III of the Bill provides for certain grounds for the processing of data without the consent of the data principals. While some of the non-consensual grounds for processing data seem to be standard clauses, there are certain provisions that raise concerns. One such provision is that personal data can be processed by the State without consent for delivering services or benefits and for the issuance of any certification, license or permit to the data principal. This is very broad and it needs to be balanced by giving some limited rights to the data principals.
The most worrisome clause under the non-consensual grounds for processing data is the exemption given to employers. Employers can process the data of employees without their consent for the recruitment or termination of employees, for delivering services to employees, for verifying the attendance of employees, or for the assessment of the performance of the employees. These purposes are very broad and do not respect the privacy of the employees. The blanket exemption given to employers from the consent requirement would allow them to engage in various monitoring activities under the guise of assessing the performance of employees. Indeed, such practices are already taking place: for instance, the PSU Broadcast Engineering Consultants India Limited (BECIL) had put out a tender last year to procure employee tracking smartwatches.
The reasonable purposes clause is another exemption that allows data fiduciaries to process data without the consent of the principals. The Bill also enumerates some grounds which count as reasonable purposes. One such ground is the processing of publicly available personal data. This exemption is untenable as it ignores the fact that informational privacy makes no distinction for publicly available personal data. This is a very dangerous exemption as it allows both the State and private actors to process publicly available data of individuals for various purposes such as discriminating against individuals based on their political and religious views, political advertisements, profiling, etc.
Social media intermediaries
The voluntary verification of users of social media intermediaries raises concerns of violation of privacy and profiling of users. The Bill classifies certain significant data fiduciaries as social media intermediaries and requires them to provide mechanisms to enable their users to voluntarily verify their accounts. Such verified users are given visible marks of verification. User verification and visible marks impede online anonymity, which is an important feature of the internet. Anonymity is very important in online spaces as it creates a safe space for users to express their views without any fear. And it goes without saying that an attack on anonymity is an attack on privacy. Moreover, it is not proven that anonymity fuels fake news, hate speech and online abuse on social media.
Another danger inherent in the voluntary verification of users is that the social media entities get access to official identifiers of individuals such as ID cards, Aadhaar, etc. Identification documents are sensitive personal data and hence the sharing of these documents requires utmost caution and care. These measures give social media entities easy access to sensitive data which can be used for creating user profiles and engaging in more advanced targeting.
The Personal Data Protection Bill, 2019 gives the government unabated access to personal data without adequate checks and balances against surveillance. The various provisions under the Bill are in fact enablers of State surveillance. The exemptions granted to the State under the Bill empower the Central Government to exempt ‘any agency’ of the government from the provisions of the Bill, and to prescribe the procedure, safeguards and oversight mechanism to be followed by such agencies. This is quite alarming as it enables intelligence and law enforcement agencies to process the data of individuals without being subject to the provisions of the Bill and to engage in mass surveillance. With the government having the power to lay down the boundaries within which the surveillance has to take place, the Bill makes the government the arbiter of its own actions. The broad exemptions granted to the State can render the rights and protections granted to individuals under the data protection Bill meaningless.
Independence of Data Protection Authority
An independent Data Protection Authority (DPA) is one of the core principles of data protection laws. The DPA has a significant role in determining the rights of individuals under the Bill and hence, for the effective protection of those rights, it is pertinent that the DPA is an independent authority. However, the independence of the DPA has been called into question by various sections of the Bill. Firstly, the Bill does not mandate the requirement of a judicial member in the composition of the DPA. This would lead to executive dominance of the DPA, impairing its independence and accountability. Secondly, the DPA is bound by the directions of the Central Government, which only adds to concerns about the DPA essentially becoming beholden to the Centre.
Government access to non-personal data
The data protection Bill is a special legislation dealing with the protection of personal data of natural persons, and the application part of the Bill makes it clear that it does not apply to anonymised data, with section 91 as an exception. Section 91 empowers the Central Government to access non-personal data held by any data fiduciary or data processor for framing policies for the digital economy. This section seems to be a misfit in the Bill as the objectives behind the section are not in consonance with the objectives sought to be achieved by a personal data protection regime. Moreover, the extant literature doubts the existence of anonymised personal data, as anonymisation can be reversed. We have voiced similar concerns about the draft framework for the governance of non-personal data, which is thoroughly unconstitutional and ignores concerns about privacy and data monopolies.
This is the third blogpost in our series on the Data Protection Bill; read part 1 here and part 2 here. Join us next week in part 4, where we delve into alternative models of data protection legislation that address the concerns listed here.
- The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)
- Essential Features of a Rights Respecting Data Protection Law dated February 28, 2020 (link)
- IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019 (link)
- The SaveOurPrivacy Campaign (link)