Observations/Recommendations on Personal Data Protection Bill, 2018

A historic military data sharing pact, COMCASA was inked yesterday by India-US at the 2+2 bilateral summit. As per the pact, high-end encrypted communication and satellite data would be shared giving Indian military access on platforms installed by the US. This is said to give us real-time information about the movements of other army troops and is said to be safer and more secure than the system India is currently using. The pact was signed amidst security concerns being raised for which a legal framework is put in place for the transfer or sharing of data. The US has also agreed that the data obtained by them through these systems agreeable through the pact would not be shared with a third party without consent. The Data Protection Bill which is under due consideration around the same time however gives the Government extensive freedom to process personal data for necessity and security reasons.

Around few months before the landmark judgment wherein the Hon’ble Supreme Court has asserted ‘Right to Privacy’ to be a fundamental right, the Government had announced demonetization, encouraging the country to be on the path of being a digital economy. Digitalization would involve a lot of data to be shared, escalating the risk of it being misused or manipulated. How are we supposed to digitize to connect globally and also safeguard our fundamental right of privacy the same time?Laws on ‘Data Protection’ have been long-awaited and requisite at this moment.

In July 2018, the TRAI chief RS Sharma had challenged the twitterati to show him that the government claimed secure Aadhar number could by misused by posting his 12 digit number on social media. This came with the statement that a person’s Aadhar details are safe and secure and there are no privacy concerns. However, in no time, the post that was heavily shared, his personal details were dug out and leaked by the ethical hackers who made the payment of 1 Re in his account via Aadhar enabled payment service only using apps like PayTM. The UIDAI contested that the personal details were in the public domain and were not obtained by misusing his Aadhar number. The Supreme Court is yet to decide on the constitutionality fate of the Aadhar that is under challenge through various petitions.

This was happening against the backdrop of the various consultations on the data privacy and protection that were being carried out by ‘The Expert Committee headed by Justice B.N. Srikrishna’. A report and a draft Bill were submitted to the Ministry of Electronics and Information Technology by the Expert Committee. After various consultations and studying the privacy laws globally for over a year, the draft bill, nonetheless, seems to be in line with the GDPR (General Data Protection Regulation) adopted by the European Union recently. The said Regulations itself are in their nascent stage and would be subject to a lot of modifications as per the current global technological and data privacy need. In such a scenario, the draft Bill which is quite similar to GDPR though positively drafted, there is little understanding of the technology, is quite ambiguous and unclear in certain areas. It would necessarily require a lot of fixations and revisions before the final draft can be cleared by the Ministry. Thus, further consultations and opinions of the general public, organizations, stakeholders, third parties or recipients of the data may be welcomed to have a fair understanding of the global technological advancements and the mass data shared before finalizing on the Bill.

Need of a data privacy law: Most of us would have noticed or felt our emails being read secretively by technological giants like Google. Say for example, if you plan a trip and intend to stay at some hotels with prior bookings online, you receive a mail confirming your itinerary. The technological advancement is so extensive that your very own google calendar reminds you of the date when you have to travel or check in.

It has been laid down by the Supreme Court in Puttaswamyv. UOI, that privacy is a fundamental right. By the country being in the path of becoming an absolute digital economy, the laws have to keep pace with the developing technology and thus it was imperative for a comprehensive data privacy and protection law to be passed.

The Bill is extra territorial and extends to any business, systematic activity or activity where the data fiduciaries or data processors are not present within the territory of India but the data processing and profiling is carried on within the territory of India. This is a welcome move where the scope of the forthcoming privacy Act would be extended.

Observations on the Draft Bill:

The current draft of the Bill is ambiguous and unclear in many areas and thus it would lead to a lot of confusions if the Bill is passed as it is without a much needed clarity.

a) Segregation of personal data & sensitive data: The draft Bill includes comprehensive definitions of personal data and sensitive data and separates these two. Personal data as per the said Bill means any data which can directly or indirectly identify the natural person whereas a list is being provided as being sensitive personal data which also includes intersex status, religious or political beliefs or affiliations.

The Bill doesn’t talk about how the already existing mass volume of data of the data principal (natural person to whom the data relates) be segregated into personal and sensitive data. This is an added burden on the data fiduciaries (the one who alone or in conjunction with others determines the purpose and means of processing of personal data) and data processors (the one who processes the personal data on behalf of data fiduciary but doesn’t include an employee of the data fiduciary).

Also, how such segregation would serve the purpose of privacy or protection from unrequited surveillance. Sensitive data, say for example religious beliefs, biometrics, political affiliations or health data can also be collected through google searches or a combinations of various other factors.

As reported in New York Times, a man walked into a Target company store demanding the reason of a mail with coupons for baby clothes and cribs being sent to his teen daughter. The manager was baffled and had no explanation. Conversely, it later came out to be that the man’s daughter was in fact pregnant. The digital world knew way before her father could have an inkling of it. How eerily accurate Target was in data mining their shopping details and sending exact coupons to people knowing what they need and would make them happy. Such sensitive information is reached at through various other details. 

b) Ownership of data: There have been a lot of debates as to who would be the owner or custodian of the data that is being collected, shared and processed in such a high volume. The draft Bill is silent on this issue. This is in stark contrast to the TRAI recommendations that find the users as the primary owners of the data and the rest being mere custodians.

c) Anonymisation: As per the Bill, personal data may be irreversibly processed converting it into a form in which the data principal cannot be identified. The Act doesn’t apply to the processing of anonymised data and thus the provisions of the Act need not be complied with in case of anonymised data. The companies dealing with analytics or research where data mining takes places of huge volumes of data can process and analyze their anonymised data without fear of any repercussions. However the Bill clearly states that anonymisation has to meet the standards set by the Authority. How far it can remain anonymised where the source data is not deleted is a food for thought as the source data can be used to identify the anonymised data. The Bill doesn’t talk about regular audits or reviews to check whether standards have been met for the data to be anonymised or whether the source still contains the personal data of the data principal.

d) Data Deletion: Sec 10 of the Bill states that the personal data which is no longer required for the purpose for which it was collected, must be deleted in a manner as may be specified unless such retention is explicitly mandated or necessary under law. Such data if not deleted regularly, would be at a huge risk of being misused. There’s always a higher chance for the data to be not deleted and used for purposes for which the data principal hasn’t given his consent. The Bill doesn’t put a larger emphasis on this vital aspect involved in data protection.

e) Consent: It is specifically stated in the Bill that the data of a data principal cannot be processed without his consent given no later than at the commencement of the processing. Such consent has to be free, informed, specific, clear and capable of withdrawn. Also, once the data principal wishes to withdraw his consent, the Bill hasn’t specified about what needs to be done with data that was collected prior for processing.

 Children’s data if collected has to have a parental consent after age verification as per the Bill. However, this has to be looked at as most of the social media sites have profiles of children created by them. The Bill is also silent about any retrospective action in such cases.

f) Data Auditors: The Bill gives the freedom to the data fiduciaries to have their own policies and conducts of their audits for compliance. The data auditor will evaluate the compliance. But, at the same time, the Bill also lays down that where the Authority is of the view that data processing is carried out by any data fiduciary in a way that it could cause harm to the data principal, order can be passed to conduct an audit by appointing an Auditor. As the new data privacy and protection regime plays out, timely planning/action will help organizations continue their business as usual and enhance their business reputation-NASSCOM. How mandatory the auditing process is, under what conditions do the companies need to get it done suo-moto, periodicity thereof, and what all would be checked/evaluated as part of the auditing process is not clearly laid out which we hope the final Act would. 

g) Collection limitation and Purpose limitation: The data collected should be limited as per the requirement and used only for the purpose for which it was required. The data fiduciary is under an obligation as per the Bill to state the purposes for which the data is being collected. However, this is never the scene. Even if the companies do mention the purpose, the same is very high level and can include multiple actions, part of which may be allowed by the data principal and other may not be. Therefore, it should be mandated that the data fiduciary has to give in specific purpose for which the data would be used. Albeit, the Bill talks about periodical review of the data it is silent about the usage of data that would be considered to be redundant.

h) Privacy by Design: 29 talks about privacy by design and expects the data fiduciary to design their business, technical systems, innovations that it can anticipate, identify and avoid harm to the data principal. This is something which cannot be done as the data fiduciaries cannot be expected to bring about a change in their overall design and structure their business model once again. 

i) Transparency: Sec 30 of the draft Bill discusses about transparency being an important requirement in the processing of the personal data. The Aadhar Act which lays down the laws relating to the biggest data repository in the country is required to be amended, as per the submitted Report by the committee. The Bill does not seem to mention its findings about the same. Transparency in data processing is one of the major provisions of the draft Bill, where Aadhar itself may fall short of. No one knows where the data collected through Aadhar has been processed or stored or where the servers are. However, by providing such exemptions to the State for its functions and for welfare in the Bill, Aadhar may escape from the clutches of the other provisions of the Data Protection Act.

j) Security Safeguards: The data fiduciary and the data processor shall have to implement security safeguards like encryption, de-identification or the steps to protect personal data they are processing. End-to end encryption is one of the strong ways to avoid data breach and for risk management in companies where the data at the source gets encoded with a key. This data when transferred to the destination can be decoded only with its correct/decryption key. De-identification, which is stated as another security safeguard, may not be as effective as encryption. One of the widely used social application, Whatsapp now claims end-to-end encryption which means no one in between can read the messages when transferred to the person we are communicating with, not even Whatsapp.

The Guardian and The New York Times had reported in March 2018, that 50 million facebook profiles were harvested for Cambridge Analytic a in what could be one of the biggest data scandals. It is alleged that such huge volume of data was collected through an app, this is your digital life, and of the friends in the facebook list of those who have signed up for the app. Facebook doesn’t have an end-to-end encryption as the data of the users are being read and processed by its servers for data analysis. This is the reason why you see relevant ads or any of your recent searches appearing on your facebook.

k) Data Localizing/Mirroring: As per the Bill, personal data to which the Act applies also has to be stored on a server or data centre in India. An obligation has been laid down on the Central Government to notify certain categories data as critical personal data which can only be processed and stored in a server or data centre in India. Thus, there is still confusion as to which categories of data would fall under this clause. If location of a data principal is considered to be a critical personal data, then companies like Uber, Ola would probably not be able to operate in India or the data stays only in their servers or data centres in India.

Data mirroring is an added responsibility and would lead to extra expense and doubling-up the volume of data to be stored by the data fiduciaries. These data which is stored in servers or data centresin India along with the places out would have to be regularly backed up in tapes to prevent its safety and storage in India. The Report of the Committee tries to provide its reasons as to why at least one serving copy has to be stored in India. This is at variance with the global character of digitalization and connecting globally through technology.

One reason that attracts attention is data mirroring being required for the development of artificial intelligence (AI) which again would raise wide concerns over data privacy.

l) Offences: Industry perspectives may need to be looked into while finalizing the Bill. Currently, as we understand, all offences have been attached with a blanket criminality by making them cognizable and non-bailable. This may be a risky proposition as it can damage the reputation of a data fiduciary if the complaint is found to be false and frivolous, and may be a concerning obstacle to carry out business and for individuals. It may eventually create a lot of hullabaloo in the time to come if not reviewed and modified.

m) Government bodies exempted: The Bill seems to be in favor of the State and the Central Government. Wide exceptions are being given to them in terms of data collection, storage and processing. Though it has held the Government also accountable being one of the biggest stakeholders, the vast exemption frees them from their liability at the same time. The Bill lays down that the Government can process any personal data for any functions of the Government and can notify certain categories of personal data for which no data mirroring is required purely on the grounds of necessity and strategic interests of the State.

n) Accountability: The Bill as per Sec. 11 holds only the data fiduciary accountable for complying with all its obligations and be able to demonstrate that all of its data processing is in accordance, whereas not much accountability has been put on the data processors who would be equally or more involved in the process of handling mass data volume of the data principal.

o) RTI: The Report said that neither the right to privacy, nor the right to information is absolute and the two will have to be balanced against each other in certain circumstances.  The Second Schedule in the draft Bill talks about the amendment to Section 8(j) of the RTI Act, 2005. With this amendment, no disclosure of personal data under RTI shall be made if the same is said to cause harm to the concerned individual. This amendment was not warranted as the RTI Act has properly evenhanded the privacy rights of the public servants and the public interest in disclosure of such an information. The amendment has increased the scope of rejection in disclosing personal information.

The aforesaid are some of the initial observations or concerns that have been raised with respect to the draft Bill. A detailed study has to be done also taking into consideration the industry perspectives so that these loopholes can be fixed. The Privacy Act or the Data Protection Act would always be subject to amendments as it has to keep pace with the ever changing and advancing technological expansion.

Author: Anuja Nair, Senior Associate-Media & Entertainment, Litigation,  at  Khurana & Khurana, Advocates and IP Attorneys. In case of any queries please contact/write back to us at anuja@khuranaandkhurana.com.

Leave a Reply

Your email address will not be published. Required fields are marked *