The eighth edition of Spotlight looks at the Personal Data Protection Bill, 2019.
Personal Data Protection Bill 2019 tabled in Lok Sabha
Following the Supreme Court judgment in K.S. Puttaswamy vs. Union of India, enshrining privacy as a fundamental right under Article 21 of the Indian Constitution, the Government of India tabled the Personal Data Protection Bill, 2019 on December 11, 2019. The bill is currently under consideration by the Joint Parliamentary Committee, which will present its report in the budget session of the Parliament this year.
Definitional Ambiguity: The definition of SPD excludes passwords. For consumers in India, passwords are a primary data protection tool and consumers may perceive them to be sensitive. Also, the government has been empowered to notify more kinds of data as sensitive personal data in due course, whereas the definition of CPD is open-ended, thus causing ambiguity for data fiduciaries.
Exemptions to the Central Government from the bill: The Central Government has the power to declare any agency of the government exempt from the purview of the bill to maintain sovereignty, security and to prevent the commission of cognizable offences. However, the bill does not enumerate the legal test of ‘necessity and proportionality’ in exercising such discretion by the government, which may be in violation of the Puttaswamy judgment.
Non-personal Data: The bill provides for the use of non-personal data by the government in anonymised form for evidence-based policymaking, although there is no evaluation criterion for these policies. A governmental committee led by Kris Gopalakrishnan is formulating guidelines for the use of non-personal data and hence these parameters are outside the scope of this bill. Non-personal data could possibly include critical business information that could be used for profiling. Also, anonymisation of data is not a foolproof technique and hence poses a risk of breach of privacy.
Data Protection Authority (DPA): Appointment of the chairman and members of the DPA exclusively by government representatives would affect the functioning, independence, and accountability of the institution. Also, further clarity may be required regarding the engagement of the DPA with other independent cross-sectoral regulators, such as the Competition Commission of India (CCI).
Consent: The bill provides for consent managers, through which data fiduciaries may manage their consent. However, its implementation remains questionable. Also, considering the under-capacity of the general Indian populace in providing informed consent, the government may consider using privacy labels to facilitate an effective notice and consent mechanism, while avoiding the risk of notice and consent fatigue.
Social Media Intermediaries and Voluntary Verification: The bill has introduced a new category of social media intermediaries (SMI) within the classification of significant data fiduciaries. They are also required to create a mechanism for users to voluntarily verify their accounts, a move that not only threatens freedom of speech but also seemingly tries to address an issue beyond the scope of the bill.
Data Localisation: While the requirement of data localisation has been diluted barring SPD and CPD, there are still concerns regarding the effect of the DL requirement on multiple stakeholders, as well as the Indian economy. SPD and CPD may constitute a significant portion of personal data, especially considering the ambiguous contours of their classification.
While the data protection bill is a significant step in the right direction, certain provisions of the bill need analysis and reconsideration. Based on the select challenges listed above, there is a need to undertake a closer look into the provisions of the bill, so as to:
- evaluate the need and mode for generating consumers’ awareness and building their capacity to enforce the many rights given to them under the bill;
- devise an effective notice and consent mechanism, especially for vulnerable consumers and those due to start participating in a digital economy, while curbing the risk of notice and consent fatigue;
- advocate for the need for institutionalising various tools of undertaking Cost-Benefit Analysis (CBA), such as Regulatory and Competition Impact Assessments, within the framework of the DPA. Measures to ensure the independence of the DPA may also be deliberated upon; and
- explore alternatives to data localisation, as it has the potential to expose India’s gross domestic product and consumer welfare to many risks. It is imperative for the government to provide an enabling environment for the country’s data-driven digital economy to thrive.