Editor's Note: This is Part I of a two-part series on the loopholes in the Personal Data Protection Bill. This two-part series attempts to bring before you six major dilemmas and requires your suggestions to resolve these dilemmas.
DuckDuckGo! This is where you go if you want to protect yourself from the snooping eyes of search engines like Google which track your online activity to target advertisements at you. That is one of the ways they make money and cannot be expected to let go of their profits for something as intangible as privacy. Therefore, as hapless consumers, we are forced to look for privacy-respecting options. This places the burden of protecting our rights on us and our existing laws do little to empower us.
But something changed in August 2017, when the Supreme Court held that Indians have always had a Fundamental Right to Privacy. The principles laid down in the judgment were recently used by the Supreme Court to uphold the ‘Right to love’ and read down Section 377 of IPC by considering one’s choice of partner as an inherently private choice. These principles may soon be extended to our data and what we choose to do with it. A Committee of Experts formed to suggest ways in which personal data can be protected has submitted its report and a draft of Personal Data Protection Bill (PDP Bill), 2018. The Government has now opened the PDP Bill for comments, from citizens at large, till 30th September, 2018.
But the Bill is replete with dilemmas which must be resolved in favour of the citizens so that privacy can be achieved in its true import. This two-part series attempts to bring before you six major dilemmas and requires your suggestions to resolve these dilemmas.
In this first part of the series, three dilemmas are discussed in detail.
Right to Privacy vs. Digital Economy
The Report submitted by the Expert Committee is titled ‘A free and fair Digital Economy, Protecting Privacy, Empowering Indians’. The priority becomes evident from the title. The Committee and its report has been criticized for ‘exceeding its brief’ - the Committee was tasked with suggesting ways in which personal data can be protected, not how the digital economy can be advanced. One may ask if the two are mutually exclusive and cannot co-exist. The Expert Committee report also argues that both ‘economic growth’ and ‘data protection’ are needed to uphold constitutional values, but the question is - how to bring them together. The answer to this dilemma lies not in diluting right to privacy but in encouraging businesses to adopt privacy-respecting and data protecting business practices.
As a recent survey shows, consumers do not trust businesses to handle their data well and are even sceptical that given the opportunity, businesses will sell their data. In fact, as a PWC report claims, businesses routinely collect more data than required, monetize the data collected and do not adequately invest in data-security. It has also been argued that given the potential of misuse of data in the wake of the Cambridge Analytica scandal, businesses themselves have been asking for more regulations to preserve ‘democracy and individual rights’. And closer home, it is increasingly becoming difficult to understand, whether Aadhaar was designed to provide welfare benefits to people or to create profitable business models.
Ownership over data vs. Rights over data
The PDP Bill doesn’t recognize an individual as an owner of the data which pertains to her. It considers an individual as a ‘Data Principal’ with certain rights available against a person collecting and processing that data called ‘Data Fiduciary’. The Bill has been criticized for not upholding an individual’s ownership of her data which flows from the understanding that ‘one’s data is an extension of oneself’ and one can choose who to entrust it to. Ownership creates not just rights but a sense of control as well, which empowers an individual. However, a member of the Expert Committee has tried to justify this omission by arguing that if an individual is considered owner of her data, then data is reduced to a ‘property’ which can be traded, bought, sold and in some cases, even forcefully acquired (like acquisition of land by government for development programs).
There seems to be an effort to create a false dichotomy between owning data and having rights over it. On the contrary, not owning one’s data can seriously hinder practising the rights provided under this Bill, as will be explained in the discussion on the next dilemma. It must also be noted that just before the Expert Committee’s report, the Telecom Authority of India came out with its report on the protection of data privacy of telecom subscribers, in which it categorically held that each user owns her data and has primary rights over it. Every person who collects the data is a custodian bound by certain obligations. And when we take stock of the many provisions in the Bill in which the State is provided with untrammelled powers to collect and process data without consent, it seems that the argument of the Expert Committee against ownership of data is borne out of convenience because it can give more bargaining power to an individual against vested business interests and state excess.
Comprehensive Rights and Protections vs. Exceptions and Loopholes
The PDP Bill starts to make the right noises with respect to the rights of ‘Data Principals’, but just stops short of going the full distance.
The following table lists down some of the Rights provided in the Bill and how they have been severely limited in operation:
It is also to be noticed that several other complementary and required rights have not been provided for. For instance, you ask your telecom operator to transfer all your data as you have decided to switch service, but they still retain a copy, which later gets leaked. The Bill could have remedied this situation by providing an explicit right to erasure and to demand deletion of data which the service provider no longer needs. Such a right has been provided for in the Indian Privacy Code, 2018 prepared by the Save Our Privacy Collective [to which this author also contributed].
And in the world of algorithms and big data, where automated decision making designed to reduce bias may actually perpetuate it, the right to not be subjected to automated decision making is extremely important. Reports have shown that machines may actually carry the bias of their coders and may unfairly target certain communities without any transparency and accountability. For instance, you can complain against a public official refusing to process your entitlement because you belong to a certain minority group, but will you be able to do the same where you are rejected by a machine designed to look suspiciously at members of certain religious groups?
And the Bill is completely silent on data collected prior to this law, most of which would have been collected without consent or even knowledge. For instance, an App may have been tracking your movements through the maps you use, for any further tracking they will require consent, but what happens to the profile they have already created on you. The Indian Privacy Code, 2018 provides that such data, collected prior to the law coming into force, can be retained only if the individual has not asked for it to be deleted.
Another onslaught of rights is two-fold – incomplete transparency and accountability mechanisms and weakening of the Right to Information. The Bill provides several mechanisms to increase transparency and accountability – building security safeguards, making public information regarding different categories of data collected, purpose for which data will be collected etc., undertaking data audits and data protection impact assessment etc.
The following table provides how these mechanisms can be undermined:
The PDP Bill also seeks to amend the Right to Information (RTI) Act, and as argued, in violation of a ‘sound legal principle’ that right to information cannot be diluted by ‘abusing’ right to privacy. RTI Act in Section 8(1)(j) provides that personal information which has no relationship to any public activity or interest, may not be disclosed if it causes unwarranted invasion of privacy unless any of the public information authorities under the Act is satisfied that a larger public interest requires the disclosure.
The PDP Bill suggests that this provision be amended to say that information related to personal data which is likely to cause harm, where such harm outweighs public interest, may not be disclosed. Who decides the likely harm and whether it outweighs public interest is not provided. It also removes the qualifying words for the personal information - ‘which has no relationship to any public activity or interest’. For instance, the Chief Information Commission, which is quite upset with this weakening of RTI argues that if an RTI is filed to find out if a public servant was promoted despite disciplinary actions, this information could be denied as ‘personal data’. It has been argued that the already the privacy exception under RTI Act is prone to misuse, but diluting it even further means denial of fundamental rights and undermining of democratic values and constitutional freedoms.
Part Two of the series will look at three other dilemmas. Till then, the Government needs your suggestions to resolve these dilemmas. Please fill in this Questionnaire prepared by Maadhyam, and let us know your thoughts [Deadline - 24 September, 2018] All suggestions will be collated and submitted to the Ministry of Electronics and Information Technology. You can share your views directly with the Ministry also (Link) [Deadline - 30 September, 2018]
Maadhyam is a participatory policy-making platform enabling citizen engagement in policy-making. Maansi Verma, the founder of Maadhyam, is a lawyer and public policy enthusiast. Citizens can also engage with Maadhyam on Facebook and Twitter.
Infographics Courtesy: Civis, a platform that demystifies laws and policies, and enables greater civic engagement.