With the advancement in technology, devices connected to the internet can pick up a user’s data, sometimes even without the user’s consent. This has given rise to several concerns such as the right to privacy.
To deal with this, in 2019, MeitY introduced the Personal Data Protection Bill, 2019 (‘PDP Bill’) before the Parliament, which was referred to a Joint Parliamentary Committee, whose report has given rise to the Data Protection Bill 2021 (‘DP Bill’). The Bill deals with both personal and non-personal data.
The Bill has been heavily criticised since its introduction for being biased towards the data-collecting entity, and it might have major issues concerning a user’s rights. Globally, data privacy legislations have handed over most of the collection and consent rights to users, and rightfully so.
By arming a user with the required rights and power to decide when and how they wish to deal with their data, the laws equip the user to decide how and when their data can be collected, used, stored and shared.
The DP Bill, however, makes the exercise of the user’s rights difficult, even while it does expressly grant individuals certain rights and protections.
The DP Bill complicates a user’s right to withdraw their consent by stating that if the withdrawal of consent is without any ‘valid reason’, the data subject will have to bear the legal consequences of such withdrawal. This makes the exercise of the right to withdraw consent not only prohibitive but also unnecessarily taxing and cumbersome, and it negates the right of the individual to exercise it.
To add to this, even more ambiguity is created since the law does not lay down what constitutes a ‘valid reason’ or what the nature and extent of the legal consequences contemplated under the section are.
Furthermore, the law creates situations where it provides for the processing of data without the consent of the data principals. Since technology processes and products already have several layers and complications, laws providing for such grey areas only make matters worse for unsuspecting users.
Data of employees
Another concerning area of this Bill is the exemption given to employers to process data of employees without their consent for the recruitment or termination of employees, for delivering services to employees, for verifying the attendance of employees, or for the assessment of the performance of the employees.
A bare reading of these provisions makes clear that the Bill does not consider or respect the privacy of employees, or how their data is being handled by their employer, giving employers unnecessary leeway to misuse their rights and position of authority.
Also interesting is that the DP Bill is applicable to the processing of personal data, sensitive personal data, non-personal data and anonymised personal data. The Bill is now titled ‘Data Privacy Bill’, the term ‘personal’ being removed from its title, perhaps in order to clarify that the law caters to both types of data.
The Bill also grants the government the right to exempt government authorities from its applicability in the interest of sovereignty, public order, security, foreign relations, or for preventing cognisable offences, thereby giving the State the right to access each subject’s data and use it accordingly.
The Bill has been criticised for focusing more on the government’s interests than on data owners’ privacy. The phrase “to ensure the interest and security of the State” is inserted in the Bill’s preamble, thereby contextualising it in terms of protecting the State’s interest and security.
The exceptions in the Bill for processing users’ personal data without their consent offer relatively little protection where the data is processed by the State. This might lead to widespread monitoring under the guise of public order or State security.
Despite the fact that the DPA will regulate government entities, the DP Bill gives the government the authority to decide the members of the DPA, decreasing the DPA’s autonomy substantially.
The need for the DPA to confer with the Central government before granting any permissions or decisions on cross-border data transfers would also result in an exceedingly sluggish and inefficient decision-making process, undermining the DPA’s autonomy and efficiency.
Some have observed that the Bill violates the principles of the fundamental right to privacy established in the Puttaswamy decision by granting multiple exemptions to the government. Another notable point is that the notion of ‘guardian data fiduciaries’ has been eliminated in the Bill.
The data fiduciary is now prohibited from profiling and tracking data relating to children, and the only way to know that the data fiduciary is working with an adult and not a child is for each person to attest that they are of legal age, an important safeguard which can be easily circumvented. Additionally, the replacement of the concept of ‘best interests of the child’ is also extremely controversial.
The Bill recommends that the phrase ‘social media intermediary’ in the law should be replaced with the term ‘social media platform’. This change is crucial as the present law and regulations contain provisions relating to ‘intermediaries’ and not ‘platforms’.
This change alone could lead to several misinterpretations and loopholes, a major concern considering the massive number of transactions and businesses that intermediary platforms are involved in and the huge amount of data they collect through the transactions.
The Bill takes away the basic autonomy that the Data Protection Authority requires to function without any bias. Reducing the role of government and increasing the independence of the Data Protection Authority need to be given importance.
Furthermore, the provisions relating to non-personal data should be given enough attention and should be open to as much deliberation and as many suggestions from stakeholders as the provisions on personal data were given, because any hasty and reckless law regarding the same will lead to a regressive business environment.
It’s been two years since the PDP Bill was introduced. The present draft Bill shows that India still has a long way to go to have its own data protection regime.
The author is Managing Partner, Verum Legal