Data Protection Bill: Can it ensure your privacy online?

Following WhatsApp's proposed changes to its privacy policy, all eyes are now on the Bill that will be tabled in Parliament in February. But is the Bill robust enough?

Divya J Shekhar
Published: Jan 19, 2021 04:23:30 PM IST
Updated: Jan 19, 2021 06:06:10 PM IST

Image: Shutterstock

The internet, in a post-Covid-19 world, has brought us together in a way that it had not in the past. We are doing our jobs online, meeting people online, buying and selling online, and spending more of our lives online.

The State of Mobile 2021 report by App Annie, a mobile analytics firm, shows that Indians spent more than 650 million hours using mobile applications in 2020. During that time, consumer spending through apps hit $500 million (Rs 3,652 crore). There were over 24 billion mobile app downloads, and people spent the most time on WhatsApp. Every Indian spent more than 21 hours a month on the app, followed by 17 hours on its parent company Facebook, and 9.8 hours on Instagram, also owned by Facebook.

Earlier in January, WhatsApp—it has 400 million users in India—announced policy updates, in which a closer integration with Facebook would result in sharing of private user chat data with advertisers. This has made the need for a legislative framework to empower users against the misuse of personal information more crucial than ever.

Although WhatsApp has subsequently postponed the rollout of its new privacy policy to May 15 to give users time to review and accept the new terms, all eyes are on the Budget session of Parliament in February, where a Joint Parliamentary Committee is expected to table its report on the draft Personal Data Protection (PDP) Bill, 2019. The Bill is a result of the Supreme Court declaring privacy a Fundamental Right in 2017, and it not only has provisions for individual consent and control over private online data, but also outlines strong obligations for companies that use and process this data.

“Had there been a data regulator during the WhatsApp privacy policy debate, it would have assessed if the policy meets data minimisation and purpose limitation requirements, and would have come out with a review immediately,” says Kazim Rizvi, founder of The Dialogue, a technology public policy think-tank. According to him, given that Indians are sharing more personal data online, transacting more through digital platforms, and depending more on internet service providers to go about their daily life than ever before, there need to be checks and balances around data collection and processing practices, in which both technology companies and the state are held accountable.

The PDP Bill, for instance, mandates the setting up of a Data Protection Authority (DPA), an independent body comprising legislators and senior experts to take up matters relating to privacy, and also redress consumer grievances. “Data should be collected only for a clearly defined purpose and not beyond that. If the purpose or scope of data collection is evolving, like in the case of the WhatsApp privacy policy, it has to be identified, outlined and reviewed by the DPA to see if it meets the tenet of data minimisation or not,” says Rizvi.

At present, in the absence of a dedicated data protection regulation, the usage and transfer of personal data of users is regulated by the Information Technology (IT) Rules, 2011, under the IT Act, 2000. However, given the growing pace of the digital economy, the Act has shortcomings with respect to how personal and sensitive data is defined, and provisions that can be easily overridden by companies using a contract. “Further, the IT Act applies only to companies, not to the government,” says a note about the PDP Bill, 2019 on PRS Legislative Research.

Provisions That Will Make a Difference

Experts believe that the functioning of the DPA and the legislation itself must be dynamic in order to keep pace with the evolving role of technology and the internet in our lives. Sanjoy Ghose, a senior advocate practising in the Delhi High Court, explains that when the Constitution was being written in the late 1940s, the focus was on the protection of citizens against the state. Over the years, however, there has been privatisation of state functions. “Both the government and the private companies collect and process a huge amount of citizen data today. So the context of this law must be set accordingly and it must be dynamic.”

Implementation of meaningful, not forced, consent should be at the core of the PDP Bill, apart from data minimisation and purpose limitation, says Mishi Choudhary, tech lawyer and legal director of the Software Freedom Law Center. “The law should prohibit companies offering targeted advertising services from operating consumer-facing messaging systems [such as Gmail, WhatsApp and WeChat], and require technical protection for metadata as well as message content,” she explains.

According to Choudhary, instead of prescribing jail terms as punitive measures, the law should impose large fines as a percentage of global revenue to ensure swift enforcement. The Bill states that processing or transferring personal data in violation of its provisions will be punishable with a fine of Rs 15 crore or 4 percent of the annual turnover of the fiduciary (a person or a business that controls the means and purpose of processing personal data).

The Bill empowers users to seek correction of inaccurate, incomplete or out-of-date personal data, and even to have their data erased completely, if they want to do so. Processing of data that has been de-identified, without the individual's consent, is also punishable with imprisonment of up to three years, or a fine, or both.

Needs More Work

The Bill in its present form is the result of several changes from the initial 2018 draft, and needs further examination and correction, say experts, in order to ensure that people receive the empowerment they need to safeguard their personal data.

While the provisions for companies are quite stringent, a particular cause for concern is the expanded scope of exemptions for the government, and control vested in the Centre, among other things. A December 2019 blog post about the PDP Bill written by public policy experts Jochai Ben-Avie and Udbhav Tiwari for Mozilla states that the new legislation “reduces the powers and independence of the DPA by significantly weakening the commission that will appoint the chairperson and members.”

The blog post says that while the 2018 draft said appointments to the DPA will be made by a diverse committee with executive, judicial and external expertise, the new Bill limits this committee to members of the executive. “As with the last Bill, Adjudicating Officers are also appointed by the government. Together, this will make it much harder for the DPA to be empowered and effective as the entire governing structure will be appointed exclusively by the government,” the blog says. Also, there is ambiguity about how the legislation will be implemented, with decisions being at the discretion of the Centre.

While Rizvi believes that gender diversity is a must for the DPA, particularly to protect sensitive health and other data about women, Devdutta Mukhopadhyay, litigation counsel for the Internet Freedom Foundation, says there must be a bar on persons with “vested political or business interests” being appointed to the DPA. According to her, “surveillance reform is a glaring blind spot in the PDP Bill”. She points out that the Bill exempts activities carried out to protect national security and conduct criminal investigations “without creating a parallel structure that provides independent judicial oversight for such activities”.

The Bill also includes provisions where the government can direct entities or companies to provide it with non-personal data for policy-planning purposes. According to Mukhopadhyay, this will blur the demarcations between personal and non-personal data, and anonymised data can be re-identified in many cases. Mozilla’s blog post gives an example of the consequences of transferring non-personal data: Sales location data from ecommerce platforms, for example, can be used to draw inferences or patterns based on caste, religion or sexuality.

The Bill also has a provision for social media verification, under which companies give users the option to voluntarily verify their identities on social media. Experts believe that this provision could also incentivise the collection of personal data from the government IDs submitted for verification, which can again be used to profile users.

Choudhary believes that neither should government agencies have unlimited access to data “in the name of national security”, nor should private companies have access to government data without clear safeguards. Rizvi suggests that all exemptions provided to the government or state agencies must not lose sight of the landmark 2017 Puttaswamy judgement that recognises privacy as a Fundamental Right. “Everything should be done within the tenets of the judgement—proportionality, legality and necessity should be specified while collecting and processing data. That is important,” he says.

A positive change in the current Bill compared to the 2018 draft is the comparatively relaxed norms for cross-border transfer of data. The 2019 Bill provides for transfer of critical personal data outside the country for health or emergency reasons, or to any country approved by the central government. If passed in its current form, experts say, it will be the first-of-its-kind privacy legislation in the world with data localisation obligations and provision of vast exemptions to the state. The Bill states that while sensitive and critical data can be processed outside the country, it must be stored in India. “Data localisation requirements fail to appreciate the global nature of the internet, which does not recognise traditional nation-state boundaries,” Mukhopadhyay says. “In the absence of surveillance reform, data localisation also makes it easier for the Indian government to spy on its citizens.”

Rizvi agrees that the data legislation needs to be progressive and dynamic. “It should protect user privacy and also be an enabler of digital India where tech becomes more mainstream,” he says. “It should help and enable startups grow in terms of being compliance-friendly, allow free flow of data and have interoperability with global progressive privacy laws like the General Data Protection Regulation (GDPR) of the European Union.”

Experts also agree that the last leg of implementation of a robust data protection law should involve building a strong culture of cyber hygiene among people, where both the government and the civil society take the lead in making people aware of sensitive data leakages, possible ways in which it can be abused, and how they can take charge of protecting it.

Graphics: Pradeep Belhe