Post Your Comment
Data Protection Bill: Can it ensure your privacy online?
Following WhatsApp's proposed changes to its privacy policy, all eyes are now on the Bill that will be tabled in Parliament in February. But is the Bill robust enough?
Image: Shutterstock
Earlier in January, WhatsApp—it has 400 million users in India—announced policy updates, in which a closer integration with Facebook would result in sharing of private user chat data with advertisers. This has made the need for a legislative framework to empower users against the misuse of personal information more crucial than ever.
Although WhatsApp has subsequently postponed the rollout of its new privacy policy to May 15 for users to review and accept the new terms, all eyes are on the Budget session of the Parliament in February, where a Joint Parliamentary Committee is expected to table its report on the draft Personal Data Protection (PDP) Bill, 2019. The Bill is a result of the Supreme Court declaring privacy as a Fundamental Right in 2017, and it not only has provisions for individual consent and control over private online data, but also outlines strong obligations for companies that use and process this data.
“Had there been a data regulator during the WhatsApp privacy policy debate, it would have assessed if the policy meets data minimisation and purpose limitation requirements, and would have come out with a review immediately,” says Kazim Rizvi, founder of The Dialogue, a technology public policy think-tank. According to him, given that Indians are sharing more personal data online, transacting more through digital platforms, and depending more on internet service providers to go about their daily life than ever before, there need to be checks and balances around data collection and processing practices, in which both technology companies and the state are held accountable.
The PDP Bill, for instance, mandates the setting up of a Data Protection Authority (DPA), an independent body comprising legislators and senior experts to take up matters relating to privacy, and also redress consumer grievances. “Data should be collected only for a clearly defined purpose and not beyond that. If the purpose or scope of data collection is evolving, like in the case of the WhatsApp privacy policy, it has to be identified, outlined and reviewed by the DPA to see if it meets the tenet of data minimisation or not,” says Rizvi.
At present, in the absence of a dedicated data protection regulation, the usage and transfer of personal data of users is regulated by the Information Technology (IT) Rules, 2011, under the IT Act, 2000. However, given the growing pace of the digital economy, the Act has shortcomings with respect to how personal and sensitive data is defined, and provisions that can be easily overridden by companies using a contract. “Further, the IT Act applies only to companies, not to the government,” says a note about the PDP Bill, 2019 on PRS Legislative Research.
Provisions That Will Make a Difference
Experts believe that the functioning of the DPA and the legislation itself must be dynamic in order to keep pace with the evolving role of technology and the internet in our lives. Sanjoy Ghose, a senior advocate practicing in the Delhi High Court, explains that when the Constitution was being written in the late 1940s, the focus was on the protection of citizens against the state. Over the years, however, there has been privatisation of state functions. “Both the government and the private companies collect and process a huge amount of citizen data today. So the context of this law must be set accordingly and it must be dynamic.”
Implementation of meaningful, not forced, consent should be at the core of the PDP Bill, apart from data minimisation and purpose limitation, says Mishi Choudhary, tech lawyer and legal director of the Software Freedom Law Center. “The law should prohibit companies offering targeted advertising services from operating consumer-facing messaging systems [such as Gmail, WhatsApp and WeChat], and require technical protection for meta data as well as message content,” she explains.
According to Choudhary, instead of prescribing jail terms as punitive measures, the law should impose large fines as a percentage of global revenue to ensure swift enforcement. The Bill states that processing or transferring personal data in violation of provisions will be punishable with a fine of Rs15 crore or 4 percent of the annual turnover of the fiduciary (a person or a business that controls the means and purpose of processing personal data).
The Bill empowers users to seek correction of inaccurate, incomplete or out-of-date personal data, and even completely erase their data, if they want to do so. Processing of data that has been de-identified by individuals without their consent is also punishable with imprisonment of up to three years, or a fine, or both.
Needs More Work
The Bill in its present form is the result of several changes from the initial 2018 draft, and needs further examinations and corrections, say experts, in order to ensure that people receive the empowerment they need to safeguard their personal data.
While the provisions for companies are quite stringent, a particular cause for concern is the expanded scope of exemptions for the government, and control vested in the Centre, among other things. A December 2019 blog post about the PDP Bill written by public policy experts Jochai Ben-Avie and Udbhav Tiwari for Mozilla states that the new legislation “reduces the powers and independence of the DPA by significantly weakening the commission that will appoint the chairperson and members.”
The blog post says that while the 2018 draft said appointments to the DPA will be made by a diverse committee with executive, judicial and external expertise, the new Bill limits this committee to members of the executive. “As with the last Bill, Adjudicating Officers are also appointed by the government. Together, this will make it much harder for the DPA to be empowered and effective as the entire governing structure will be appointed exclusively by the government,” the blog says. Also, there is ambiguity about how the legislation will be implemented, with decisions being at the discretion of the Centre.
While Rizvi believes that gender diversity is a must for the DPA to particularly protect sensitive health and other data about women, Devdutta Mukhopadhyay, litigation counsel for the Internet Freedom Foundation, says there must be a bar on persons with “vested political or business interests” to be appointed to the DPA. According to her, “surveillance reform is a glaring blind spot in the PDP Bill”. She points out that the Bill exempts activities carried out to protect national security and conduct criminal investigations “without creating a parallel structure that provides independent judicial oversight for such activities”.
The Bill also includes provisions where the government can direct entities or companies to provide it with non-personal data for policy-planning purposes. According to Mukhopadhyay, this will blur the demarcations between personal and non-personal data, and anonymised data can be re-identified in many cases. Mozilla’s blog post gives an example of the consequences of transferring non-personal data: Sales location data from ecommerce platforms, for example, can be used to draw inferences or patterns based on caste, religion or sexuality.
The Bill also has a provision for social media verification, where companies provide users the option to voluntarily verify their identities on social media. Experts believe that this provision could also incentivise collection of personal data from the government IDs that are submitted for verification, which can again be used to profile users.
