As we progress further into the information age, governments across the world- especially India- have come to realize that data is not only the new oil but rather, the new soil, having irrigated itself into every facet of life. The advent of the Joint Parliamentary Committee’s (hereinafter ‘JPC’ or ‘the Committee’) report on the Personal Data Protection Bill, 2019 and the Draft Data Protection Bill, 2021 (hereinafter ‘Bill’), is on the horizon. The timing is material as data protection, privacy rights and fears about mass surveillance loom large in the current digital age. India has been struggling to come up with a robust policy for data protection like the European Union’s comprehensive General Data Protection Regulation (GDPR). This is India’s attempt to do so.
The bill asserts the following purposes for its promulgation: first, to provide for the protection of the digital privacy of individuals relating to their personal data; second, to specify the flow and usage of data; third, to create a relationship of trust between persons and entities processing the data; fourth, to protect the rights of individuals whose data are processed; fifth, to create a framework for organizational and technical measures in the processing of data; sixth, to lay down norms for social media platforms, cross-border transfer, accountability of entities processing data, remedies for unauthorized and harmful processing; seventh, to ensure the interest and security of the state; and lastly, to establish the Data Protection Authority of India.
The questions that arise from a preliminary glance are plenty- whether the flow of data and how it is specified is reasonable, whether the rights of protection of individuals are actually robust and actionable and not mere black letters on the draft, how will other data protection regimes such as the European Union’s GDPR interact with ours during cross-border transfer of data, are the penalties suggested effective, and whether the objective of ensuring the interest and security of the state takes precedence over individual data protection rights.
Under Section 12 of the Bill, sweeping exemptions are provided to both State and corporate interests, which is a major cause of concern. An important balance has to be struck between the data protection rights and the interest for state sovereignty and security. Similarly, the interests of a digital economy also need to be balanced with personal data protection rights. If consent is foregone on any grounds, only legitimate and proportionate aims must be secured.
In comparison to its 2019 counterpart, the Bill makes two major suggestions- first, the inclusion of non-personal data into the scope of the Bill; and second, raising the issue of data protection specifically for children. Perhaps the most glaring difference between the former and current bills is the change in name. The name of the bill has been changed from the ‘Personal Data Protection Bill’ to the ‘Data Protection Bill’, signifying its inclusion of non-personal data. This new addition has increased the scope and contributed to the Bill having a wider reach than before.
Personal data is information which relates to an individual who is identifiable. Non-personal data, on the other hand, is that which does not contain personally identifiable information- for instance, the registration number of a company. The JPC makes three main arguments to justify its inclusion of non-personal data in the Bill.
The first argument made by the Committee is that privacy is also affected by non-personal data. The Committee simply states this and fails to substantiate this argument. This argument can easily be refuted: since non-personal data is that which does not contain identifiable information, an individual’s data is not interfered with and thus, the individual’s privacy is not infringed. The second argument made was that it is difficult to distinguish between personal and non-personal data. The Committee justifies itself here by mentioning that distinguishing between the two types of data may lead to re-identification- something which Clause 82 of the Bill labels as a criminal offence. Therefore, while there are certain mechanisms that prevent re-identification of information, should these mechanisms fail, there is a possibility of a crime being committed. The third and most important argument made by the Committee is that there cannot be two different data authorities dealing with two different types of data, especially when differentiating between them is difficult.
The Bill includes within itself a separate chapter dedicated solely to the protection of personal data of children- a welcome addition but not without its faults. The Committee reiterates the importance of consent by suggesting that the child must be given an opportunity to re-validate their consent on attaining majority. Two troubling changes made are the deletion of the concept of guardian data fiduciaries and the elimination of the phrase ‘best interests of the child’.
The 2019 edition of the Bill defines guardian data fiduciaries as entities that operate commercial websites or online services directed at children; or process large volumes of personal data of children. Therefore, a data fiduciary- who is not a guardian data fiduciary- is barred from tracking and profiling the personal data of children. Since the JPC has deleted the concept of a guardian data fiduciary, there is no practical mechanism that will allow a data fiduciary to know that they are dealing with the data of a child nor is there an increase in the scope of the data fiduciary’s functions so as to include this. In Section 16 Clause 2, it is stated that ‘a data fiduciary shall, before processing any personal data of a child, verify his age and obtain the consent of his parent or guardian’. This is troubling because the only way by which a data fiduciary may now know that they are dealing with a child is through verifying the age i.e. basically age-rating the entire internet. Doing this would mean that each person- adult or child- will have to certify and verify their ages each time they use the internet. This is both impractical and unfeasible.
Next, the Committee has suggested the elimination of the phrase ‘best interests of the child’ and replacing it with ‘rights’. While they have not specified a reason for the same, it is something whose reversal must be considered. Article 3(1) of the United Nations Convention on the Rights of the Child states that the ‘best interests of the child’ is a cardinal principle. India, being a ratified signatory to this Convention, must adhere to its Articles. Therefore, while the heart of the JPC was in the right place by placing the protection of children’s data on a priority note, they have gone about its execution in an incorrect manner.
Additionally, conspicuous in its absence is any regulation on state surveillance or wide-ranging surveillance in general. The Justice A.P. Shah Committee points out the need for a regulation: “With the initiation of national programmes like Unique Identification number, NATGRID, CCTNS, RSYB, DNA profiling, Reproductive Rights of Women, Privileged communications and brain mapping, most of which will be implemented through ICT platforms, and increased collection of citizen information by the government, concerns have emerged on their impact on the privacy of persons.” The Bill fails to mention surveillance regulations. Surveillance regulations are an important tenet of personal data protection and need to be addressed more pertinently as concerns arise from sweeping exemptions provided to the state under Section 12 and elsewhere.
Moreover, another crucial element conspicuously absent is the idea and implications of measures taken that deprive individual data protection of being ‘reasonable and proportionate’. Sometimes, sweeping exemptions are provided in favour of state or corporate interests but no qualification is added in the form of ensuring their reasonableness or proportionality. In Maneka Gandhi v. Union of India[i], it was held that the procedure that deprives individuals of their personal liberty and privacy must be fair and just, a qualification again not explicitly codified. Perhaps the intention of the drafters is in alignment with similar elements but it not being explicitly applied or promulgated or recognized in any form causes reasonable concern in a country that has seen countless privacy violations in the past decade; concerningly, even by the state.
Substantial powers are assigned to data fiduciaries and the Data Authority. Most critically, the standards of irreversibility in the process of anonymisation of personal data shall be specified by the Data Authority. This is an incredibly important juncture for confidentiality and privacy rights; therefore the authority exercising this power must be lawfully appointed and there must be inbuilt accountability mechanisms to ensure that authority with such powers is acting in the best interests of individuals in regards to personal data protection rights and measures to ensure so. Another important position is the Consent Manager: a data fiduciary which enables a data principal to give, withdraw, review and manage his consent through an accessible, transparent and interoperable platform. The Bill does not talk enough about it and leaves questions unanswered.
Worries loom large about the balance between individual data protection rights and corporate interests for the promotion of a digital economy. The same concerns are extended to the balance between individual data rights and protection and state interests of sovereignty and order. Both the corporate and state interests are provided with substantial exemptions that render the balance ultimately in their favour to an extent. It is important to ensure that while making provisions that are necessary to protect legitimate state and corporate interests, the overarching and critical goal of personal data protection rights is not waylaid or straitjacketed to fit something that is, in essence, contrary to what it aims to accomplish. However, on an optimistic note, the JPC has gained cognizance of the main goals in sight: increasing the scope of the law to include crucial aspects such as non-personal data and children’s data in addition to personal data protection. While there still is a long way to go, this Bill is a step forward in the right direction.
Authored By: Parul Anand & Samiksha Lohia, a student at National Law University, Jodhpur