By Bharat Manwani. The author is a student at Gujarat National Law University.
Introduction
Data, often regarded as the oil of the 21st Century, is more valuable than ever in the present-day reality of digital economies. The largest democracy of the world houses over 658 million active internet users, and this statistic is expected to only double in the upcoming years. Personal data in particular, lies at the core of our digital economy, facilitating several business models and algorithms that enhance user experiences in the digital world. In this background, it is extremely essential that there exist effective legislation around which companies could build frameworks governing the use of personal data. On 18th November 2022, the Government of India seeking consultation from various stakeholders, released a draft version of The Digital Personal Data Protection Bill, 2022 (hereinafter referred to as “the Bill”). The following article highlights certain promising features along with some worrying concerns that arise out of this draft Bill.
Promising features of the proposed Bill
The Digital Personal Data Protection Bill, 2022 has proposed several forward-looking laws that are expected to be instrumental in protecting and safeguarding personal data. In a first, the Bill makes use of the pronouns ‘her’ and ‘she’, to refer to individuals regardless of anyone’s gender. It has been stated that the implementation of such a novel drafting practice is in furtherance of the government’s philosophy of women empowerment. Section 6 of the Bill mandates a Data Fiduciary to produce an ‘itemised’ description of the personal data sought to be collected, which, more importantly, has to be enunciated in ‘clear and plain language’.
Most digital platforms obtain informed consent through standard form contracts encumbered with legal jargon that consequently resulted in individuals not fully comprehending how their personal data will be processed. The Bill seeks to eliminate the occurrence of such situations by enabling data principals to better understand and fairly assess what kinds of personal data they have consented to provide and how such data will be processed. Additionally, the Bill provides for such consent notices to be presented in English or any other language part of the 8th Schedule of the Constitution that may be requested by the data principal. The drafters of this Bill have rightly considered the pertinent linguistic demographics, enabling data principals to better understand terms relating to the use of their personal data.
Moreover, Section 7 (8) of the Bill expressly states that data principals would not be forced to provide personal data that is not absolutely necessary for rendering services by the fiduciary. For example, you would not be mandated to provide your phone number for the use of a social media platform as the furnishing of such information would not be absolutely necessary for the use of that service. This was incorporated in view of the principle of data minimisation in our digital economy, that has been regarded as an essential practice for framing provisions under this Bill. The additional obligations imposed upon ‘significant’ data fiduciaries have been remarked as another salient feature of this Bill. Section 11 prescribes the additional procedures and safeguards that significant data fiduciaries (as notified) are mandated to follow. The determination of what is a ‘significant’ data fiduciary depends on a host of factors including the ‘the volume and sensitivity of personal data processed’ along with their associated ‘risk to electoral democracy’. The reports of Russian influence on the presidential elections of the United States of America that first arose in 2016, have only underscored the need to prevent the misuse of personal data in such instances. Section 11 attempts to protect the interests of data principals in a functioning democracy, and enables a greater scrutiny on the management of personal data by fiduciaries.
Most digital platforms obtain informed consent through standard form contracts encumbered with legal jargon that consequently resulted in individuals not fully comprehending how their personal data will be processed. The Bill seeks to eliminate the occurrence of such situations by enabling data principals to better understand and fairly assess what kinds of personal data they have consented to provide and how such data will be processed. Additionally, the Bill provides for such consent notices to be presented in English or any other language part of the 8th Schedule of the Constitution that may be requested by the data principal. The drafters of this Bill have rightly considered the pertinent linguistic demographics, enabling data principals to better understand terms relating to the use of their personal data.
Moreover, Section 7 (8) of the Bill expressly states that data principals would not be forced to provide personal data that is not absolutely necessary for rendering services by the fiduciary. For example, you would not be mandated to provide your phone number for the use of a social media platform as the furnishing of such information would not be absolutely necessary for the use of that service. This was incorporated in view of the principle of data minimisation in our digital economy, that has been regarded as an essential practice for framing provisions under this Bill. The additional obligations imposed upon ‘significant’ data fiduciaries have been remarked as another salient feature of this Bill. Section 11 prescribes the additional procedures and safeguards that significant data fiduciaries (as notified) are mandated to follow. The determination of what is a ‘significant’ data fiduciary depends on a host of factors including the ‘the volume and sensitivity of personal data processed’ along with their associated ‘risk to electoral democracy’. The reports of Russian influence on the presidential elections of the United States of America that first arose in 2016, have only underscored the need to prevent the misuse of personal data in such instances. Section 11 attempts to protect the interests of data principals in a functioning democracy, and enables a greater scrutiny on the management of personal data by fiduciaries.
Questions on practicality and effectiveness
However, the proposed Bill is not short of certain doubts and concerns regarding the practicality and effectiveness of such provisions. A ‘Data Fiduciary’ is defined as an individual or a group that determines the purpose and means by which personal data will be processed. The inclusion of the conjunctive ‘and’ in the definition raises doubts on whether an entity would be considered as a fiduciary, even if it doesn’t determine the means of processing data. The Bill also widely defines ‘public interest’ in Section 2(18) which includes preventing incitement to the commission of any cognizable offence and dissemination of false statements of fact.
On the surface of it, the provision appears to be utterly beneficial. This however necessitates careful observation as to whether this definition could be exploited inter alia for political purposes such as during elections. Under Section 8 of the Bill, any fiduciary could assume consent for processing personal data in public interest. Having such a broad definition could only increase the scope of exploitation of personal data, ironically working against the interest of the public. A similar instance has already occurred back in 2019, when the Delhi Police admittedly extended the use of confidential personal data using automated facial recognition systems. The personal details of the Anti-CAA protestors were stored on a database using the facial recognition systems, even though they were only permitted to use such systems to find missing children.
Section 9 of the proposed Bill provides the general obligations of data fiduciaries managing personal data. Every data fiduciary and data processor are obliged to protect the personal data in their possession or control by taking ‘reasonable security safeguards’. It is noteworthy to mention that the proposed Bill fails to list down the objective technical standards that data fiduciaries are compelled to follow under the EU’s General Data Protection Regulation. Merely instructing to employ ‘reasonable’ safeguards, would again leave a wide scope for interpretation, consequently jeopardizing the personal data of citizens.
As stated earlier, certain provisions of this proposed Bill lack clarity on how they would be practically enforced. Section 10 of the Bill provides for additional obligations in processing personal data of children, wherein 10(1) mandates data fiduciaries to obtain ‘verifiable parental consent’ before processing a child’s personal data. It is not quite clear as to how data fiduciaries would obtain parental consent or confirm the veracity of such consent. Take into example social media platforms like Instagram, that deal with large volumes of personal data of millions of teenagers. The provision raises the perplexing question of how such fiduciaries would obtain ‘verifiable parental consent’ in such a scenario.
The impact of the proposed Bill seems even more bewildering as it prohibits data fiduciaries to track or monitor any sort of personal data relating to children under Section 10(3). An individual’s preferences relating to the content they enjoy, would fall well within the ambit of personal data. The success of major social media platforms such as Instagram or YouTube relies solely on algorithms that process preferences and accordingly recommend content. The business models of these major platforms are entirely at risk now that the proposed Bill forbids recording personal data of children.
The Bill also contemplates the establishment of a ‘Data Protection Board of India’, for the purpose of determining non-compliance with the Bill, imposing penalties, issuing directions, and performing other such functions as the Central Government may prescribe. The Board aims to act as an independent regulator on a case to case basis. It will be vested with the power to conduct inquiries, summon witnesses, inspect evidence, conduct proceedings relating to complaints, and impose penalties. Thus, it is important that its composition has a right balance, so that it can function independently of the different wings of the State. However, the Bill is silent on the above aspect. It empowers the Central Government to stipulate the Board’s strength, composition, process of member selection and terms and conditions of appointment and removal. This is a departure from the approach that was contemplated under earlier Bills. In the absence of any insights on how the said board will be constituted, there is speculation that the Data Protection Board of India may not be truly independent the discharge of its functions.
The Data Protection Board may, if it concludes that there has been a significant non-compliance by any entity to which the Bill applies, impose harsh financial penalties upon them. Broadly, these penalties will be determined based on a set criterion and the nature of the offense. While the Data Protection Board is empowered to impose financial penalties for up to INR 500 crores, the penalties prescribed for non-compliances under the current version of the Bill do not exceed INR 250 crores.
Conclusion
As provided in the preamble of the Bill, its purpose is to recognize the right of individuals to protect their personal data along with the need to process personal data for lawful purposes. In the author’s opinion, while considering the several obligations placed on data fiduciaries, the Bill tips the balance in favour of the rights of individuals to protect their personal data. The several doubts mentioned above now requisite reconsideration by the legislative bodies on certain provisions. Setting aside loopholes that need to be addressed, the proposed Bill is a step in the right direction for safeguarding citizens’ personal data. The government through the proposed Bill has tackled an essential need in time for our growing digital economy. However, the effectiveness of this law can only be gauged by the test of time.