The Digital Personal Data Protection Bill, 2002 is harbinger of a surveillance regime? In gross violation of the 2017 K.S. Puttaswamy judgement of the SC, the Bill limits the citizens’ rights over her data while weaponsing state control over it
24, Nov 2022 | Legal Researcher
For the past decade, India has been dealing with data without a comprehensive policy governing data and privacy. Justice K. S. Puttaswamy & Anr. vs Union Of India & Ors judgement, which, in 2017, declared the Right to Privacy to be a fundamental, right remains one of the few pillars available to guide policy formulations on privacy.
The central government introduced the Personal Data Protection Bill, 2019 and then changed its title to Data Protection Bill, 2019 after a report of the Joint Parliamentary Committee [JPC].
The government then withdrew the Data Protection Bill, 2021 in August and has now published a Digital Personal Data Protection Bill, 2022, inviting public comments. This can be read here and public comments can be made here, the deadline being December 17.
This article looks at the bill within the lens of the rights of users whose data would be in question and examines the accountability frameworks within the bill for data collectors like corporations and the state. Before we discuss this, it is important to understand a few definitions of the terms that are used in the bill for the purposes of fully understanding the argument.
Data Principal – The person whose data the bill seeks to protect. This is defined as
“The individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child;” [Section 3 (6)] of the proposed Bill)
Data Fiduciary – The person who collects and processes the data collected and determines the purposes for which it was collected. This entity is defined as below.
“Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.” [Section 3 (5)]
Personal Data is defined thus, “any data about an individual who is identifiable by or in relation to such data. [Section 3 (13)]”
Processing relation to personal data “means an automated operation or set of operations performed on digital personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;” [Section 3 (16) ]
The explanatory note to the bill states that the bill is based on seven principles which are listed out. Pertinently, there is absolutely no emphasis on consent of the data principal contained within these seven principles. Fundamentally, data privacy legislations have been based on the non-negotiable principle of consent – that the user should give explicit consent to the collection and processing of his/her data; purpose limitation – that the data collector and processor should only use the data for the purpose they are collecting it for and nothing else; data minimisation – that only specific and required amount of data should be collected for the purpose and nothing more.
However, consent does not seem to form the bedrock of the Digital Personal Data Protection Bill, 2022 at all. With the absence of consent of the data principle in this newly drafted legislation, an absence that is glaring and could mean rampant unnecessary collection of data and unbridled sharing for commercial, political and surveillance purposes, it is crucial to understand what this bill entails for all users and their rights.
The first section of this article lists the rights and duties of Data Principal and the Accountability framework that has been set up for data fiduciaries, by the bill. The second section deals with how these rights and duties affect individuals and their privacy.
- The Bill.
A. Rights of the Data Principal
a)The Data Principal can know if the data they gave to a data fiduciary is still under process (processing) or if (the entity) has processed the data; can get a summary of all the data of theirs, available with the data fiduciary and the processing activities undertaken on such data; identities of other data fiduciaries with whom the data has been shared; and any other information as may be prescribed.
An example for a part of this right could be how we can download the details of our account on social media platform Instagram and it would provide us the data it has on us.
b)The Data Principal can erase and remove data as according to laws and in the manner a may be prescribed.
c)The Data Principal also has the right to get their grievances redressed by the data fiduciary or by a Central Government set up Board if the Data Fiduciary does not reply within seven days or if they are not satisfied with Data Fiduciary’s response.
d)The Data Principal can also nominate another individual to exercise their rights in the event of death or incapacity.
The rights of a data principal are accompanied by Section 16 of the bill which deals with duties of the data principal. One of the duties mentioned is that the data principal shall not lodge a false or a frivolous complaint to either the Data Fiduciary or the Board that will be constituted by the Central Government. The bill also mandates that the data principal can, under no circumstances, furnish any false particulars or suppress any material information or impersonate another person.
- Accountability Frameworks.
The Accountability framework from the bill can be divided into two sections. One is the positive obligation and the second is the exemptions from such obligations.
1) Obligations of the Data Fiduciaries.
a)The Data Fiduciary can only process data for a lawful purpose and such data has to have been collected with consent or deemed consent of the data principal; the data fiduciary has to give the data principal, on or before collecting the data, an itemised notice in clear and plain language containing a description of personal data sought to be collected by the Data Fiduciary and the purpose of processing of such personal data.
b)Data Fiduciaries are obligated to employ reasonable security safeguards to prevent personal data breach and should remove data from its possession once the purpose for which the data has been collected is fulfilled and it need not be retained for any business and legal purposes.
c)Data Fiduciaries should have a Data Protection Officer, whose contact details need to be mentioned on their website and should have procedures in place to redress grievances of data principals.
d)Additional Obligations for Data Fiduciaries arise regarding children’s data where any processing of data on children that might cause harm to them cannot be done and a verifiable consent of the parent or a legal guardian and they shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children.
e)The government will notify what constitutes a significant data fiduciary on the basis of the volume and sensitivity of personal data processed; risk of harm to the Data Principal; potential impact on the sovereignty and integrity of India; risk to electoral democracy; security of the State; public order; and such other factors as it may consider necessary.
f)These significant data fiduciaries will have to appoint a Data Protection Officer and will have to conduct periodic audits and Data Protection Periodic Assessment.
The bill proposes a vast number of scenarios in which an express consent from the Data Principal is not necessary and their consent would be deemed to have been given for the processing of their data. These scenarios include for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health; for taking measures to ensure safety of, or provide assistance or services to any individual during any disaster, or any breakdown of public order; for the purposes related to employment, including prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, recruitment, termination of employment, provision of any service or benefit sought by a Data Principal who is an employee, verification of attendance and assessment of performance.
The bill also deems that people have given consent for the processing of publicly available data among others in the wide scenario of public interest. Additionally, the consent is to have been deemed for any fair and reasonable purpose as may be prescribed after taking into consideration whether the legitimate interests of the Data Fiduciary in processing for that purpose outweigh any adverse effect on the rights of the Data Principal; any public interest in processing for that purpose; and the reasonable expectations of the Data Principal having regard to the context of the processing.
b)None of the obligations, except the obligation to keep the data secure with reasonable security practices, apply to the case when such non-compliance is done and personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law, among other reasons such as performance of judicial and quasi-judicial function.
c)The Central Government can also notify and exempt such any instrumentality of the State in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these from the provisions of the whole act.
d)The Central Government is also empowered to notify having regard to the volume and nature of personal data processed, notify certain Data Fiduciaries or class of Data Fiduciaries as Data Fiduciary from the obligation of purpose limitation, additional obligations of a significant data fiduciary and the additional obligations regarding processing of the data of the child.
e)The State and its instrumentalities are also exempted from purpose limitation i.e. the state and its instrumentalities can retain the data for indefinite periods.
f)And finally, there is a Data Protection Board of India which will determine the non-compliances with the bill and also pronounce decisions after giving a fair hearing; the appeals from the decisions of this board will lie to the High Court.
- The Impact of the Bill on Rights of People
- a)Potential tools for Surveillance State.
The state will now be legally allowed to retain the data for indefinite periods without any directive whatsoever could open doors for a big brother state which is ready to see and hear everything.
This exemption is not applicable just to the state’s core functions like the police, civil supplies etc, for whom the indefinite data storage exemption is problematic in itself, but also to the instrumentalities of the state which mean all government bodies including government hospitals, colleges, schools and any entity that constitutes the government. This means huge amounts of data could be stored with the government and its arms for indefinite periods of time despite the purpose for which the data was collected.
The definitions of instances in which the data principal is deemed to have given their consent are not only broad and vague, but also allow for even broader expansion by the state.
For example, the data principal is deemed to have given consent for processing of his data for the purpose of taking any measure to ensure safety of, or provide assistance or services to any individual during any disaster, or any breakdown of public order. After this, a special case is made for public interest, and then again the government was empowered to prescribe the instances in which the consent is deemed to be given. And the government is directed to take into consideration whether the legitimate interests of the data fiduciary outweigh the adverse effects on Data Principal and if the processing has been done in Public Interest and the reasonable expectations of the Data Principal in the context of that processing. This clearly indicates an alienation of the data from Data Principal and gives its ownership to the state and empowers it to decide what could be done with such data.
The deemed consent in the case of personal data processed for the purposes related to employment is a particularly concerning one, especially given how the employment modes have changed after the pandemic. There are multiple scenarios in which employee personal data that is collected by the employers could be processed in an unfair or prejudicial manner.
To give just one example, in a service centre of the multinational clothing brand H&M, large amounts of employee data was collected including their illnesses, vacation times, family issues, religious beliefs and other facets of employees’ life. In addition to a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment. The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights. Since there is no consent that is being given, explicitly, by the employee-the company would be able to use the data collected any way without the employee ever having a clue. Therefore, effectively, via the deemed consent, the act empowers some sections of data fiduciaries to bypass the provisions of the act.
c)Excessive Delegation and Delegation without Direction
For the exemption of significant data fiduciaries from additional obligations and notification of significant data fiduciaries in the first place, the central government is empowered.
The legislation does not give any directions to the government for it to follow while laying down the rules. For example, the bill mandates that the data fiduciary take consent, a verifiable one, from the parents or legal guardian before collecting the data of a child and it also mandates that the data fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children. However, a bypass of these two mandates is available to the data fiduciary as prescribed by the government, as per its whims and fancies and without any directions.
Another example is that the bill gives a right to the data principal for correction and erasure of the data, but according to the laws and in the manner prescribed. Here, the government is given the power to curb the right of the data principal to erase their information completely. At least, such power has not been recorded in the bill. These excesses of delegation give arbitrary powers to the administration on crucial legislation.
d)The Bill also imposes a penalty of up to ten thousand rupees in case of a data principal not complying with the duties as specified among which one is to not file a false or frivolous complaint. There are two issues with this provision – one is that there is no indication whatsoever as to what can be considered as false and frivolous and what cannot be. And on another level, to impose a penalty on data principals goes counterproductive to the legislation that aims to protect the digital personal data since it would discourage people from lodging complaints.
e)The Board, which the bill proposes to constitute, has members appointed by the government and such members only. This is concerning on two levels. One is that if they are appointed by the government, an inherent conflict of interest arises when deciding the issues concerning the state itself. Secondly, no other information about the board including the qualification of the members has not been provided by the bill. It empowers the executive to make the rules.
Despite more than six years of intense, public discourse on privacy legislation, backed by jurisprudence from the highest court, the government has yet again come up with a bill that completely undermines the rights of people more than the previous bills did. People are a reflection of the memories they accumulate and the actions they then perform, also become their memories. To store records of such actions and to be able to analyse them is a process that commands huge power. Through this Bill, not only does the state divest unto itself the power unilaterally, but it also empowers itself to extend such power to any other entity. To amend and better this bill too would be a facile act, given that the bar is set so low. Again, the Modi 2.0 government is weaponising the state with a law that specifically annuls a citizen’s right to privacy and control over personal data, a hard earned right, finally only articulated in 2017 in the Puttaswamy judgement.
(The author is a legal researcher currently giving his post graduate examinations)
Image Courtesy: livelaw.in
Electoral Bonds: A Democracy’s Trojan horse
Collegium System of Judicial Appointment: A critique
Digital Personal Data Protection Bill seeks to amend RTI Act to bar disclosure of personal information
New data protection law comprehensive but full of exemptions
Why Centre withdrew Data Protection Bill 2019 and what is in the offing
 Section 3(6), Digital Personal Data Protection Bill, 2022
 Section 3(5), Digital Personal Data Protection Bill, 2022
 Section 3(13), Digital Personal Data Protection Bill, 2022
 Section 3(16), Digital Personal Data Protection Bill, 2022
 Section 12, Digital Personal Data Protection Bill, 2022
 Section 13, Digital Personal Data Protection Bill, 2022
 Section 14, Digital Personal Data Protection Bill, 2022
 Section 15, Digital Personal Data Protection Bill, 2022
 Section 16, Digital Personal Data Protection Bill, 2022.
 Chapter 3, Digital Personal Data Protection Bill, 2022.
 Chapter 4, Digital Personal Data Protection Bill, 2022
 Section 8, Digital Personal Data Protection Bill, 2022
 Section 18, Digital Personal Data Protection Bill, 2022
 Section 18(3), Digital Personal Data Protection Bill, 2022
 Section 18(2), Digital Personal Data Protection Bill, 2022
 Section 22(2), Digital Personal Data Protection Bill, 2022