Light at the End of the Tunnel

An analysis of the JPC's draft of the data protection bill finds some welcome changes: the amendments to children's data and the introduction of Section 62, which allows complaints to be filed with the Data Protection Authority. It also finds some misguided changes, such as the insertion of NGOs into the definitions, and others that will have a significant impact, such as the amendments to Sections 35 and 36 on exemptions for law enforcement. Finally, the draft introduces some problematic new concepts, such as the requirement that data protection officers be senior officials of the company and the inclusion of non-personal data within the ambit of the law.

This article was first published in The Mint. You can read the original at this link.

Last Thursday, after just over two full years of deliberation, the Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill submitted its report along with a revised draft of the privacy law. With this, India has taken one more, albeit agonisingly slow, step in the direction of having a full-fledged privacy law. For those of us who have been waiting for a privacy law for over a decade, it finally feels like there might be light at the end of the tunnel.

Welcome Changes

Many of the amendments suggested by the JPC are welcome. The 2019 draft required children's personal data to be processed in a manner that was in the "best interests of the child". Given that decisions as to what constitutes the child's best interests are best left to parents and natural guardians, the new language, which states that the personal data of children should be processed in such a manner as would protect the rights of the child, is welcome.

Similarly, with the introduction of a new Section 62, data principals can now file a complaint with the Data Protection Authority if they are unsatisfied with how their grievance was redressed by the data fiduciary. This neatly ties up one of the last remaining loose ends in the grievance redressal mechanism set out under the draft law.

There are other recommendations that, while innocuous, are somewhat misguided. For instance, the new definitions of "data fiduciary" and "data processor" now include specific reference to non-governmental organisations even though the existing language, which covers "companies and any juristic entity", would have extended to them anyway.

Substantial Impact

Other changes, though seemingly insignificant, could have a substantial impact on data businesses once the law is implemented. While much of the public attention has been focused on Section 35, the effect of the amendments throughout the draft law on the exemptions under Section 36 is perhaps more insidious. The latest draft exempts processing for, among others, law enforcement purposes from Chapters II through VII in their entirety. While similar language has been part of the draft since 2018, these exemptions have always been qualified: in the 2018 draft by an obligation to process personal data in a fair and reasonable manner that respects the data principal's privacy, and in the 2019 draft by an obligation to process personal data only for specific, clear and lawful purposes. The current draft does away with all such qualifications on the processing of personal data.

Similarly, the scope of Section 12, which permitted personal data to be processed without consent for the performance of state functions on just two grounds, (i) the provision of services or benefits and (ii) the issuance of certifications, licences or permits, has been expanded innocuously through the insertion of the word "including", to now suggest that these two categories are only illustrative of the many other grounds on which the state could collect data without consent.

New Concepts

But what is perhaps of most significant concern are concepts that have been introduced in this draft for the very first time. Take, for instance, the recommendation that a framework be established for the monitoring, testing and certification of hardware devices, which has, in turn, translated into the Data Protection Authority being charged with ensuring the integrity and trustworthiness of hardware devices. To the best of my knowledge, this sort of provision is without precedent anywhere in the world. While we should be worried about the privacy risk posed by the proliferation of physical computational devices, are these concerns not already addressed more than adequately by the privacy principles that serve as the basis of the law?

Significant data fiduciaries have always had an obligation to appoint data protection officers, but the new draft clarifies that these officers must belong to the C-suite of the company. While the objective behind this stipulation seems to be to ensure that companies do not appoint a low-level functionary to meet their obligations, when applied in the context of global internet businesses providing services to customers in India, it seems to suggest that only the chief executive officer, chief financial officer, whole-time director and the like of the overseas company providing the service can be appointed as a data protection officer for India.

Non-Personal Data

But perhaps the most extraordinary change, by far, is the expansion of the scope of the law to also include non-personal data. The JPC has gone so far as to change the very title of the bill to reflect this thinking, from the Personal Data Protection Bill to simply the Data Protection Bill, replacing references to "personal data" in various sections with the term "data".

In my view these amendments are both unwarranted and misguided. Non-personal data has no bearing on privacy, unless some of that data becomes personally identifiable. However, since personal data, by its very definition, relates to directly or indirectly identifiable data about or relating to a natural person, the moment any non-personal data becomes identifiable, it will automatically be covered by the provisions of the law. This should sufficiently address any risk to privacy posed by non-personal data.

What is of greater concern to me is the fact that the proposed change could result in a re-alignment of incentives that could detrimentally affect data governance as a whole. I have long argued that data fiduciaries must be encouraged to anonymise and de-identify personal data. If they do this, then in the unfortunate event of a data breach, the resulting privacy harms to individual consumers can be greatly minimised. Both the 2018 and the 2019 drafts excluded non-personal data from the ambit of this law, thereby offering a subtle incentive for de-identification. Now that anonymised data has been included within the purview of the proposed law, this incentive no longer exists.

Finally, the objective of a personal data regulation is to ensure that no harm comes to an individual from the use of her data. Non-personal data regulation, on the other hand, is oriented towards unlocking the value inherent in that data. Inserting non-personal data into a personal data protection regime would force regulators to apply a protection mindset to data that ought to be set free.

The Light

That said, the draft law is largely aligned with international principles and, with the exception of a few points that could be improved, is the privacy law that we sorely need. Given the pace at which our data economy is growing, we are fast reaching the point where any further delay will only do more harm than good.