Comment: Personal Data Protection Bill 2019


The Personal Data Protection Bill 2019 (hereinafter PDP 2019) was introduced in Parliament (Lok Sabha) in December 2019. A first draft of the Personal Data Protection Bill had been released in 2018; the 2019 Bill revises that draft in several respects. A few provisions are progressive and further the goal of protecting the privacy of individuals; as a whole, however, the 2019 Bill is inadequate in upholding privacy rights, and under the banner of protecting privacy it legitimises mass surveillance of citizens and users in India. Though the proposed legislation is, overall, a huge disappointment, the right to erasure is one addition that is a step in the right direction for informational privacy. The PDP 2019 also relies heavily on the consent of the individual for any processing of personal data by the data fiduciary (essentially the organisation that collects your personal data and decides what is done with it); this consent mechanism has its own pros and cons. The major concerns are that the Bill gives a great deal of leeway to governmental authorities and does not treat privacy as the fundamental right that it is; the regulatory sandbox is an instance of the latter. I discuss a few features of the PDP 2019 below and then focus on the sandbox provision, tracing its origin and application.

Right to erasure

This is one of the most significant introductions in Indian privacy law. The PDP 2019 gives users (data principals) a right to erasure alongside the right to correction. These rights allow a user to demand that a data fiduciary delete personal data that is no longer necessary for the purpose for which it was processed, and correct data that has been stored inaccurately. The rights may be exercised directly or through consent managers registered with the Data Protection Authority (DPA). Users can also demand that data fiduciaries disclose what data they hold about the user and with whom it has been shared. Together, this should ensure that once a person has stopped using a particular service, their information is no longer retained by the fiduciary.

Consent of users

Apart from the right to erasure, the Bill also gives a great deal of weight to the consent of individuals. The proposed law leans heavily on consent from the data principal whose personal data is being processed. The Bill applies mainly to data fiduciaries, which are defined in section 3(13). It obliges data fiduciaries to obtain the consent of users before processing or sharing their personal data. That consent has to be informed: the user must be told what data is being collected, with whom it will be shared and for what purpose. The purpose has to be clear and specific, and if a user declines to consent to processing that is not necessary for a service, the fiduciary cannot make the provision of that service conditional on such consent. Sharing of personal data, likewise, is to be resorted to only when it is necessary to provide the service.

All of this seems consistent with privacy rights, and such a consent-heavy approach would ordinarily protect individuals; however, the exceptions to these obligations are so broad that they permit surveillance that would violate those very rights. This brings me to the defects the Bill suffers from.

Broad exceptions for government

This is the aspect of the Bill that most opens it to abuse. The Bill provides safeguards against third-party misuse, but does not recognise that protection is equally needed against state-sanctioned violations. The situations in which the exemptions can be invoked are extremely broad and fall short of the standards the law requires. Section 35 allows the Central Government, by order, to exempt any government agency from all or any provisions of the Bill in respect of its processing of personal data, leaving the DPA to police only what remains. This is problematic on two levels. First, the 2018 draft required a judicial member (the Chief Justice of India or a judge nominated by the CJI) on the committee that selects the members of the DPA; the 2019 Bill removes that requirement, so the DPA will be selected entirely by executive officers and will be composed accordingly. The effect is that a governmental body will be the one overseeing other governmental departments' use of personal information.

The second problem is that the discretion conferred is unguided: the only constraints are that reasons be recorded in writing and that the procedure and safeguards be prescribed later by rules. This is contrary not only to recognised principles of administrative law but also to the principles of necessity and proportionality recognised by the Supreme Court in the Aadhaar judgment, which held that any use of personal information by law-enforcement agencies must satisfy the necessity and proportionality tests. The exemption as drafted therefore fails to meet constitutional requirements. The 2018 draft had expressly required that processing in the interest of the security of the State be authorised by law and be necessary and proportionate; it is only the present Bill that drops those conditions. Hence it is evident that the motive of the Bill is not the protection of privacy so much as ensuring effective surveillance by the government.

Anonymised data

Section 91 further provides that the Central Government, in consultation with the DPA, may direct any data fiduciary or data processor to provide anonymised personal data or non-personal data. There is ample research showing that anonymised data can be re-identified: removing names is not enough when the remaining attributes (a postcode, a year of birth, a sex) are distinctive enough to be linked back to a person with the help of another dataset. The Bill's definition of anonymisation also does not address the situation where anonymised data is combined with other data to identify the data subject. All these "exceptions" are drafted such that they would legitimise governmental surveillance of citizens without any safeguards.
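The re-identification risk described above is easy to demonstrate. The following is an added illustration, not part of the original commentary and not drawn from any real dataset or from the Bill: it joins a constructed "anonymised" health release (names removed, postcode, year of birth and sex retained) with a constructed public record that carries names next to the same attributes, in the manner of a linkage attack. The names, postcodes and diagnoses are all invented for the example.

```python
"""Linkage attack on a constructed 'anonymised' release.

Illustration added to this commentary; not part of the original post, the
Bill or any real dataset.  Both tables below are constructed for the example.
"""
from collections import defaultdict

# Columns that are not names but, taken together, can single a person out.
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")

# Constructed "anonymised" release: names removed, quasi-identifiers kept
# "for analysis", and a sensitive attribute (diagnosis) kept as the payload.
ANONYMISED_RELEASE = [
    {"postcode": "110001", "birth_year": 1985, "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "110001", "birth_year": 1985, "sex": "F", "diagnosis": "healthy"},
    {"postcode": "110003", "birth_year": 1972, "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "400001", "birth_year": 1990, "sex": "M", "diagnosis": "asthma"},
    {"postcode": "400001", "birth_year": 1990, "sex": "M", "diagnosis": "asthma"},
    {"postcode": "400001", "birth_year": 1990, "sex": "M", "diagnosis": "asthma"},
]

# Constructed auxiliary table standing in for a public electoral roll or a
# leaked KYC dump: names alongside the same quasi-identifiers.
AUXILIARY_RECORDS = [
    {"name": "Asha",   "postcode": "110001", "birth_year": 1985, "sex": "F"},
    {"name": "Bina",   "postcode": "110001", "birth_year": 1985, "sex": "F"},
    {"name": "Ravi",   "postcode": "110003", "birth_year": 1972, "sex": "M"},
    {"name": "Dev",    "postcode": "400001", "birth_year": 1990, "sex": "M"},
    {"name": "Kabir",  "postcode": "400001", "birth_year": 1990, "sex": "M"},
    {"name": "Nikhil", "postcode": "400001", "birth_year": 1990, "sex": "M"},
]


def qi_key(record):
    """The quasi-identifier tuple used as the join key."""
    return tuple(record[col] for col in QUASI_IDENTIFIERS)


def k_anonymity(release):
    """Map each quasi-identifier combination to the number of release records
    sharing it.  A value of 1 means the combination is unique in the release."""
    counts = defaultdict(int)
    for record in release:
        counts[qi_key(record)] += 1
    return dict(counts)


def attack(release, auxiliary):
    """Infer the sensitive attribute of named individuals by joining the two
    tables on the quasi-identifiers.

    Two cases leak.  A combination unique in the release (k = 1) links
    straight to its single auxiliary match.  A combination shared by several
    records that all carry the same sensitive value (k > 1 but homogeneous)
    leaks that value for every match, even though no single row can be
    pinned to one person.  Mixed groups leak nothing definite and are
    skipped.  Assumes the auxiliary table covers everyone in each group, so
    that a matched person is known to be in the release at all.
    """
    groups = defaultdict(list)
    for record in release:
        groups[qi_key(record)].append(record["diagnosis"])
    aux_index = defaultdict(list)
    for person in auxiliary:
        aux_index[qi_key(person)].append(person["name"])

    inferred = {}
    for key, diagnoses in groups.items():
        names = aux_index.get(key, [])
        homogeneous = len(set(diagnoses)) == 1
        if homogeneous and len(names) == len(diagnoses):
            for name in names:
                inferred[name] = diagnoses[0]
    return inferred


if __name__ == "__main__":
    for key, k in k_anonymity(ANONYMISED_RELEASE).items():
        print(f"{key}: k={k}")
    for name, diagnosis in attack(ANONYMISED_RELEASE, AUXILIARY_RECORDS).items():
        print(f"{name} -> {diagnosis}")
```

Run as written, the release contains no names, yet Ravi is re-identified outright because his attribute combination is unique, and Dev, Kabir and Nikhil all have their diagnosis disclosed because every record in their group says the same thing. Only Asha and Bina are protected, and only because their group happens to contain different diagnoses. This is why a definition of "anonymised" that looks at a dataset in isolation, rather than at what it can be combined with, gives no real assurance.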

Voluntary verification

Section 26(4) of the Bill empowers the Central Government, in consultation with the DPA, to notify a social media intermediary as a significant data fiduciary; the user thresholds that trigger such notification are to be notified later and have not yet been disclosed. Section 28(3) requires every social media intermediary so notified to give its users in India an option to voluntarily verify their accounts, and section 28(4) requires verified accounts to carry a publicly visible mark of verification. In practice such verification is likely to be done against government-issued identity documents, which would mean the collection of personal information from those documents, profiling of individuals and an increased risk of data breach. This would also chill freedom of expression and whistleblowing, since a verified account can be traced back to the user.

Misguided priorities

The Personal Data Protection Bill 2019 places privacy rights and the needs of a digital economy for progress and innovation on the same footing. This is evident from a reading of the preamble and from provisions such as the sandbox in section 40 of the PDP 2019. I disagree with such an approach: the rights of the individual come first, and the flourishing of the digital economy is too low a standard to be accorded the same priority. Let us look at these aspects in detail.

Preamble

The preamble sets the general course of a legislation and is an important tool for its interpretation. It states that the objective of the Bill is to:

…Create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion and for matters connected therewith or incidental thereto.

A reading of this part of the preamble shows that while the Bill intends to protect the individual right to privacy, it also places equal importance on the digital economy. Such an approach to a fundamental right is flawed. Further, as mentioned earlier, the focus of the Bill remains on consent. But privacy is a fundamental right, and under the doctrine of waiver as applied to fundamental rights in India, a fundamental right cannot be waived by the consent of the individual. Merely obtaining consent is therefore not enough; a more comprehensive mechanism is needed to ensure that the right is not violated. As it stands, the Bill does not so much protect the right as let users know when it is being violated.

Sandbox

This provision is new and did not appear in the 2018 draft. It allows data fiduciaries whose privacy-by-design policy has been certified by the DPA to apply to be included in the sandbox. Data fiduciaries included in the sandbox are exempted from sections 4, 5, 6 and 9 of the Bill, which require a clear and specific purpose for processing personal data, limit processing to that purpose, limit collection to what is necessary, and restrict the retention of personal data. The exemption applies for a specified period and is extended only to data fiduciaries for the purpose of encouraging innovation in artificial intelligence, machine learning or any other emerging technology in the public interest. No such provision exists in the GDPR, on which the 2018 draft was largely modelled. In fact, the sandbox concept is not usually applied to data privacy at all; it originates in the regulation of financial technology.

The regulatory sandbox was first used by the U.K. Financial Conduct Authority (FCA), which launched one in 2016. A regulatory sandbox provides a platform on which firms can experiment with and test products, services and business models in the live market with real consumers, under the supervision of the regulator. The idea was to enhance collaboration between private firms and the regulator so that firms could better understand the legal requirements they would have to meet. The sandbox was thus never envisaged as an exception from the law; it was a way of ensuring compliance with the law, by giving a few businesses close attention and a protective setting in which they could operate properly. The PDP 2019 misunderstands the concept and applies it as an exemption, which was never the purpose of a sandbox. It should further be noted that the GDPR, the most comprehensive data protection legislation in force, does not directly provide any such sandbox exception. It instead requires every member state to establish a supervisory authority responsible for the compliance of platforms with the GDPR, and those authorities have to ensure that there is no violation of it.

In the UK, that authority is the Information Commissioner's Office (ICO). The ICO has devised a regulatory sandbox that helps selected organisations comply with data protection regulation. The ICO's criteria for selecting organisations are similar to the factors mentioned in section 40 of the PDP 2019, so it is evident that the section is modelled on the UK sandbox. However, the ICO only supports businesses in developing products that do not violate the GDPR; it does not exempt them from the rules, as the PDP 2019 proposes. Further, unlike the UK scheme, the Bill does not regulate or supervise the businesses included in the sandbox; they operate in the same environment as every other organisation, only without the rules that require the user to be informed. This makes it evident that the sandbox provision in the PDP 2019 has misunderstood the concept of a sandbox and has created an entirely new one.

Another important aspect is that, in the ICO sandbox, if an innovative system cannot be made compliant, it has to be stopped. When the ICO set up its regulatory sandbox, the model was that a selected organisation would work with an ICO team that helps develop the product so that it complies with data protection rules. The Bill makes no attempt to bring the innovative business into compliance; it simply provides a limited period in which the product can be developed without the consumer's knowledge. Apart from this, there is a conceptual concern about applying a sandbox to privacy rights at all. Some argue that a sandbox keeps regulators informed for future regulation, since working with businesses helps them understand the challenges and risks those businesses face, and that it aids economic growth. Those arguments make sense when weighed against the harm fintech businesses can cause, because that harm is financial loss, which can be properly compensated. In the case of privacy legislation, by contrast, any harm is to the rights of the individual, which stand on a much higher pedestal than finances. Moreover, a sandbox is an experimental platform in which innovative applications are tested on real users, so the likelihood of harm to users is higher. Applying the sandbox to privacy legislation is therefore problematic at a conceptual level, and the manner in which it has been included in the PDP 2019 makes matters worse.

Conclusion

The Personal Data Protection Bill 2019 is a long way from ensuring protection of the privacy rights of individuals. The legislators have to reconsider many aspects of the Bill, from the preamble to its provisions. There also has to be a shift in how privacy is understood, in who is recognised as capable of violating it, and in how far the growth of a digital economy may be pursued at the cost of individual rights. To ensure that the legislation does not violate the Constitution, any breach of the right must be subject to a necessity and proportionality requirement, and the Data Protection Authority must have some independence from the executive. Further, the regulatory sandbox is open to abuse, as it allows data fiduciaries to use personal information without adequate notice, undermining the very consent on which the Bill relies. In a Bill that rests largely on the consent of users as the tool for upholding their fundamental right to privacy, such uninformed consent cannot be justified. All in all, the proposed legislation cannot be passed in its present form: it conflicts with constitutional requirements in several respects and leaves huge scope for abuse.
