The Ambiguities In India’s Attempt At Data Protection – Analysis
On 18 November, the Ministry of Electronics & Information Technology (MeitY) launched the draft Digital Personal Data Protection Bill 2022 (DPDPB 2022). Condensed dramatically from over 90 clauses in its previous iteration, DPDPB 2022, with 30 clauses more concise than its predecessors, loses out on a few definitions and outlines, thus, relying on assisted policies and future guidelines to cover these gaps.
Data fiduciaries over data principals
One such aspect is the ambiguity of consent and deemed consent. In the Bill, consent is required by the data principal—the entity offering personal data, in most cases, the individual user or consumer. However, the “informed” submission of consent is vague. In this Chapter 2, (7): Consent, there is a clause that discusses data fiduciaries—data hosting organisation—authority to stop offering services if the data principal withdraws personal information. However, this clause does not align with the crucial concept of wilful and informed consent, indicating a person’s ability to access services without wanting their data shared. The lack of wilful consent often corners consumers into sharing data for lack of alternative services.
Further, in the next section, Chapter 2, (8): Deemed Consent, lines are further blurred. This section talks about how even if explicit consent is not received from the data principal, there is scope for personal data to be maintained on the data fiduciaries databases. The example given here is of keeping biometric data of employees who sign in and out of work using biometric systems. However, this becomes an area to discuss intensely because of the clauses in the following segment, Chapter 2, (9): General Obligations of The Data Fiduciary, mentioning data fiduciaries who may maintain data records if it is necessary for “legal or business” proceedings. In cases of biometric data submission, even with private parties, and submission of other personal data to the government, that may require intermediaries to collect this data, the data principal is assumed to have given consent not only to the data fiduciary they are dealing with directly, but also any other data hosting organisations, which are not held accountable under this Bill and not required to delete said information as it is “necessary” for business proceedings. This example, provided in the Bill, and many others aligned need to spark discussions of the necessity of explicit submission third-party and removal of deemed consent, especially when third-party fiduciaries are involved.
The area of deemed consent also discusses the non-removal of “publicly available personal data”. However, there are no definitions or outlines of what is considered safe to be publicly available or not. In cases like these, an email id’s availability can vary in importance from person to person. Thus, the idea of what is safe if publicly available needs to be defined and explicit consent needs to be taken for anything that lies on the outskirts of these outlines. In such cases, it would be wiser to begin from the point of public protection, asking for explicit consent for data availability (especially in cases of public figures, apps that identify numbers and emails etc.). Once explicit permission has been acquired, the publicly available information will not counter ethical access issues.
This segment also discusses a vague clause of “legitimate reasons of the Data Fiduciary” that permit the use of personal data with deemed consent. As companies and their business models and interactions with other companies may differ significantly, legitimate reasons need to be defined explicitly. While data fiduciaries may consider legal proceedings and financial requirements, the vagueness of this clause may enable the selling of personal data to third parties, which counters the entire foundation of any privacy act.
Chapter 2, (9): General Obligations of The Data Fiduciary also discusses having general safeguards to prevent data leakages. However, these are still within the Bill. The risk of ambiguity here means different data fiduciaries will create securities that are not standardised and burden the data principal on where their data is submitted or maintained, more than holding data fiduciaries accountable. Such ambiguity also creates loopholes for data fiduciaries to share data with other data fiduciaries outside the already permissive concepts of “deemed consent” and lack of definitions around third-party sharing. One space in this issue of concern is in the financial and health sectors. The BIS standard API’s on Data Sharing may provide a starting point to encourage such guidelines and norms.
In the following section, Chapter 2, (11): Additional Obligations of Significant Data Fiduciary While a Data Protection Impact assessment is required, the minimum acceptable score or standardising needs to be elaborated.
Data protection board
As per the draft, the government will set up a Data Protection Board (DPB), which will have the authority to impose a penalty of up to ₹500 crores if non-compliance by a data fiduciary is found to be significant and liability for data principals if their complaint is found to be frivolous.
In the Bill, Chapter 5, focusing on the compliance framework, lays out the requirements of a Data Protection Board, its responsibilities and constituents, and the conditions of appointments and services. One of the clauses under this chapter (Clause 19(2)) defines the placements of the chairpersons and other members to be overlooked by the Union government at consecutive stages of rolling out this regulation. Further, the following clause also discusses appointing the chief executive of the board to be appointed by the Union government. The Bill, in its current version, already outsources a fair share of responsibility onto the data principal and power to the data fiduciaries, allowing the Union government to make more significant decisions at the Protection Board-level thus creating a reliance on the DPB on the government and limiting it from functioning as an independent party, and reinforcing the power imbalance between data principal and data fiduciary.
With these penalties that even data principals are accountable to, depending on the case and the appointment of the Board requiring the approval of the Union Government, the DPB does not act as an independent body and, thus, does not protect the data principals’ interest as an individual.
Data protection laws in other geographies
The DPDPB 2022 has much to learn from other privacy policies in the global context. While the European Union’s General Data Protection Regulation (GDPR) remains the most popular and comprehensive privacy policy, mainly because it focuses on the individual’s right over data, it is also augmented to protect market factors. The pair of legislation—the Digital Services Act (DSA) and the Digital Markets Act (DMA) balances to ensure individuals are not held accountable in cases of market forces requiring protection; instead, these regulations see market forces as individual agents.
The Indian DPDPB 2022 should focus on personal protection rather than attempting to do what multiple regulations are meant to accomplish.
In the United States, combining different data privacy policies focuses on liberty protection, protecting the individual user. Even with the recent CLOUD Act has two main objectives; the first is to create an environment for data providers to comply with their obligations around the maintenance and sharing of data, and the second is to allow the US government to form executive agreements with foreign governments for reciprocal expedited access to electronic information held by providers based abroad. China’s Personal Information Protection Law focuses on business data, which is expected to be categorised by levels of importance and adds restrictions on cross-border data transfers.
In these other comparative economies, the focus is on protecting the individual and ensuring data remains available to the jurisdictional government. With the DPDPB 2022, this trend needs to be followed.
In an explanatory note accompanying the proposed legislation, the government argued that “national and public interest is at times greater than the interest of an individual” while justifying the need for such exemptions.
The current Bill allows many exemptions to the Centre and other government agencies. As mentioned earlier, it has fewer safeguards for the citizens than their responsibilities, emphasising the onus of responsibility on the data principal. While MeitY does defend the Bill, stating it is built on a “prism of trust”, it is essential to remember that a prism displays different colours than what it absorbs.
Conclusion
While the new DPDPB 2022 is a more comprehensive bill, the underlined aim is to protect the economy and the organisations in it rather than to protect users from exploitation. This is explicitly clear in the different clauses, how the DPDPB compares to other global regulations, rules the lack of protections provided to users regarding international and third-party data sharing. Regulation must look at user protection as a primary concern. To ensure this Bill is a holistic and impactful effort in the right direction, the DPDPB 2022 needs to reconsider some of its concepts that enhance the vulnerability of the users under already empowered structures like governments and organisations.