Personal Data Protection Bill: Loopholes pertaining to empowerment of children, consent and surveillance State

This two-part series attempts to bring before you six major dilemmas and requires your suggestions to resolve these dilemmas.

Editor's Note: This is Part II of a two-part series on the loopholes in the Personal Data Protection Bill. This two-part series attempts to bring before you six major dilemmas and requires your suggestions to resolve these dilemmas. The first part dealt with the loopholes pertaining to data ownership, Right to Information Act and more.

No means No!

Those who can exercise any kind of power over us — emotional, financial, physical — find it difficult to accept a 'No' because it empowers the weaker. Hence the importance of consent. It is at the very heart of any mutually-respecting relationship, be it between intimate partners, citizens and the state or business and its consumers. And since our data has become an important transactional tool in some of these relationships, the element of consent attaches itself to our data also.

But what happens when our laws permit consent to be bypassed?

Servers inside a Google data centre. Image: Google

Servers inside a Google data centre. Image: Google

First let’s remind ourselves that in August 2017, the Supreme Court held that Indians have always had a Fundamental Right to Privacy. In the judgment, the Supreme Court also outlined the importance of the ‘private realm’ — those aspects of an individual so integral to their being that privacy would be a hollow concept if an individual could not exercise choice over who can enter that realm. ‘Informational control’, a crucial element of this realm was considered important to ‘empower the individual to use privacy as a shield to retain personal control over information pertaining to the person’. Bottomline: We exercise control over who has access to our data and consent is the gatekeeper.

The Government has finally put in motion a process to operationalise this control over data. A Committee of Experts formed to suggest ways in which personal data can be protected, has submitted its report and a draft of Personal Data Protection Bill (PDP), 2018. The Government has opened the PDP Bill for comments, from citizens at large, till 30 September, 2018.

But the Bill is replete with dilemmas which must be resolved in favour of the citizens so that privacy can be achieved in its true import.

In part II of the series, we discuss the rest of the three loopholes.

Empowerment of Children vs. Inadequate protection of Children

The PDP Bill identifies a child as a person who is yet to attain the age of 18 years and provides for the collection and processing of their data with parental consent. It also casts an obligation on those collecting large volumes of personal data of children or those operating commercial websites directed to children to desist from tracking, profiling, targeting advertising at children etc. While prescribing these much needed higher-order responsibilities, it has been argued that the Bill misses out on a foundational obligation – to ensure that a child is informed in a ‘simple and explanatory manner, the need for care in handling date concerning herself’.

This is premised on the reality that many children are involved in online activities involving the exchange of data without the knowledge of their parents or guardians, with little or no awareness about digital security. Substituting their consent with parental consent, only in those rare instances when parents are aware of their child’s online activities, will not ensure adequate protection. The Bill also creates an obligation on those collecting data to put in place appropriate mechanisms for age verification.

But the absence of any need to educate and make children aware and relying solely on parental consent, may, on one hand provide a convenient escape and on the other reject the notion that children can also have agency.

Fixing of the age of consent with respect to sharing of data at 18 years is also considered problematic for the same reason. Much younger children are active on the internet and need to be made aware of the importance of data protection. For instance, the General Data Protection Regulation in EU provides that consent of children above 16 years of age is required to process their data, in UK, children above 13 years of age can provide consent. It can also be argued that while children are given special protection under the law, they must also enjoy similar rights over their data as adults. For instance, the PDP Bill doesn’t explicitly provide that an adult will have the right to opt-out or prevent further processing of data which was collected on the basis of consent given on her behalf by her parents / guardian when she was a child. This is imperative to ensure meaningful data protection for children.

Consent vs. No Consent

The PDP Bill provides that one of the grounds for processing is consent, i.e. you consent to the processing of your data for specified purposes. But it also provides that your data can be processed without your consent because in some cases it will either be impossible to seek consent or consent is not an appropriate ground. Some such problematic instances are discussed below.

For any function of State authorised by law • State provides many welfare services to citizens and citizens are in no position to deny or choose any other service provider. Hence validity of such a consent is questionable.
• State performs regulatory functions like giving building permissions. If citizen refuses to share necessary information, permission can not be given. Hence, consent is a formality.

In other words, this can be looked at as a quid-pro-quo arrangement: Citizens provide data, State provides services. But unlike other commercial services, state services, in most cases are entitlements guaranteed by law, like ration. It has been argued that it is a duty of State to provide welfare services and citizens cannot be forced to ‘surrender their privacy’ for availing these services. This logic of the Expert Committee is faulty also because, as argued, it is based on an incorrect framing — it first places the State ‘as a facilitator of human progress’, and then considers individual fundamental rights as the bulwark to keep the State under check. As per the Constitution, fundamental rights take precedence over functions of a welfare State.

The report, in anticipation of criticism of such sweeping permission to the State to process data without consent, attempts to provide some checks. It says that any such collection must be limited to necessary data only and any such processing must be fair and reasonable. The implication of this is that though consent may not be taken, other obligations will continue to apply. For instance, the State may provide you with a 'Notice' that your data has been collected without consent, but the fact of the matter is that even then you will not be in a position to object if you don’t agree with the purpose or the manner of processing stated in the Notice.

The report also argues that any such function of the State must necessarily be a public function. The Bill, however, doesn’t use this term. Instead, it says ‘any function’ authorised by a law.

What are the implications of this? Let’s look at Aadhaar as an example. Aadhaar Act provides that state can insist on Aadhaar for providing welfare services — a quid-pro-quo public function authorised by law. The Act also provides that State or a body corporate or any person can use Aadhaar number for establishing your identity for any purpose — not necessarily a public function but authorised by law. Remember when you were forced to either link your Aadhaar with your mobile number or risk deactivation of your number. It has been argued that this quid-pro-quo approach is what makes Aadhaar so problematic, by which people have been made to either enrol for the program or are under threat of denial of services. It seriously undermines an individual’s freedom and autonomy.

For purposes related to employment
• Recruitment
• Termination
• Providing any service or benefit
• Verifying the attendance
This will apply only when seeking consent is not appropriate or will require disproportionate effort.
• Employees are dependent on employer and seldom in a position to freely give consent, refuse or revoke it.
• Some processing activities may require seeking consent multiple times or on a regular basis. Will require disproportionate effort from employer and cause consent-fatigue in employee.

The line of argument then seems to be — employee will have no choice but to give consent and it will require disproportionate efforts by the employer. It has been argued that employer-employee relationship doesn’t lead to cessation of fundamental rights of the employee. This provision uses a broad brush to include all the employment-related activities. Why should recruitment be covered, a function often outsourced and at which stage the employer-employee relationship hasn’t even come into existence? Why data of an employee cannot be collected with her consent for providing any benefit or for performance assessment?

It must be remembered that consent requirement corrects the imbalance in the relationship between a citizen and the State, a consumer and a business, an employee and an employer and so on. In all these cases, the collector and processor of data are in a more powerful position. Thus, consent increases the bargaining power of the individual who has to part with data.

Further, diluting consent are those provisions which allow ‘reasonable purposes’ and ‘further grounds’ to be added in the future, to permit processing of personal, and even sensitive personal data without taking consent.

For reasonable purposes like-
• Prevention and detection of unlawful activity
• Whistleblowing
• Merger and acquisition
• Credit scoring etc.
Some conditions are prescribed for proposing such purposes, first of which is - interest of person collecting the data and fourth in the list is - effect on rights of individual.
• A residuary ground is needed in order to provide flexibility to those collecting data.
• It may not be possible to take consent in all such situations
• Relying on consent will hinder evolution of new technologies relying on data analytics.

There are two problems here. First, there are no criteria to identify the reasonable purposes. The illustrative examples range from fraud prevention (involves societal interests) to mergers and acquisitions (commercial activity). Second, the power to identify these reasonable purposes in the future is given to the regulator established in the Act — the Data Protection Authority of India, which can lay down Regulations in this regard. It is possible to envision a scenario, where regulations made under a law, which go through very limited consultations and negligible parliamentary oversight, may have more grounds and purposes than the actual law.

The law also dilutes consent by permitting collection of your data from sources other than you, about which you will be notified within a ‘reasonably practicable’ time period — no guideline is provided to define what is reasonably practicable.

Reforming a surveilling State vs. Strengthening a surveilling State

Do you also think that surveillance is alright because you have nothing to hide? That is what we are made to believe – that surveillance is being carried out for the common good, that only suspicious information will be acted upon and it does not affect your rights. But surveillance, carried out by the State as well as private actors has become pervasive. This has made us constantly look over our shoulders, and alter our behaviour because what may not be considered suspicious today, like criticising policies of the government, may be considered suspicious in the future. And that is why surveillance reform is urgently required.

At the outset, it must be noted that the Expert Committee in its report takes a note of the lack of effective oversight over current practices of surveillance and interception (phone tapping), which border on opaqueness. It also acknowledges that the current systems in place are inadequate. For instance, the report notes that a recent RTI revealed that Central Government passes 7,500-9,000 orders for interception every month. Every interception request from police or other law enforcement agencies is authorised by the Home Secretary, which means that on an average,the Home Secretary may need to approve or deny 250-300 orders every day. If you were the Home Secretary, with tons of other responsibilities, would you be in a position to carefully apply your mind to each such request within a short period of time?

Representational image.

Representational image.

There is a review mechanism also through a Review Committee headed by Cabinet Secretary, which meets only twice a month, and reviews the orders approved. The Committee, in its report, notes that the Review Committee has an unrealistic task of reviewing 15,000-18,000 orders in every meeting. Noting these shortcomings, the Committee recommends procedural safeguards like judicial approval and parliamentary oversight on the process of intelligence gathering through surveillance and interception.

If the Expert Committee had translated its recommendation into actual provisions in the Bill, it has been argued, it would have been a ‘death knell’ for any mass surveillance program. But it did not do so. Instead, it exempts collection and processing of data for the purpose of ‘security of the State’ from any rights, obligations and transparency requirement, except ‘fair and reasonable processing’, a phrase which will always be open to interpretation, with ‘security safeguards’ in place. This exemption is available to any law which will be made in future to govern such functions if they are necessary and proportionate. It has been argued that an opportunity to reform surveillance practices has been lost and instead the Committee chose to defer this task to a future law.

It has also been argued that these exceptions have been specifically designed to protect Aadhaar and to continue strengthening the surveillance State. And because of wide exemptions, as and when such a law is formulated, many other crucial obligations will not apply. For instance, there will be no obligation to limit storage of data for a limited period of time, which means data gathered through interception and surveillance can be retained forever and if breached, there will be no notification also.


And when checks and balances are discounted in the name of ‘Security of State’, immense possibilities of abuse arise. For instance, consider the recent incident of the arrest of some activists where it was reported that they and their family members were forced to reveal their email and social media account passwords, without so much so as a warrant in that regard. Forceful search and confiscation of material from the home of a family member of another activist, again without a no proper search warrant, has also been argued to be a blatant disregard of their privacy.

The Government needs your suggestions to resolve these dilemmas. Please fill in this Questionnaire prepared by Maadhyam and let us know your thoughts [Deadline - 26 September, 2018]. All suggestions will be collated and submitted to the Ministry of Electronics and Information Technology.

You can share your views directly with the Ministry also (Link) [Deadline - 30 September, 2018]

Maadhyam is a participatory policy-making platform enabling citizen engagement in policy-making. Maansi Verma, the founder of Maadhyam, is a lawyer and public policy enthusiast. Citizens can also engage with Maadhyam on Facebook and Twitter.

Infographics Courtesy: Civis, a platform that demystifies laws and policies, and enables greater civic engagement.

Find latest and upcoming tech gadgets online on Tech2 Gadgets. Get technology news, gadgets reviews & ratings. Popular gadgets including laptop, tablet and mobile specifications, features, prices, comparison.