Will The Personal Data Protection Bill Pass The Litmus Test Of Trust?

The Personal Data Protection Bill falls far short of the full range of user data rights available in most data protection regimes.

An employee is illuminated by the screen of an Apple laptop at an office in Mumbai. (Photographer: Dhiraj Singh/Bloomberg)

Our society operates on the basis of trust. We use this trust every day. To build friendships, to buy and sell things, to vote, to claim protection and benefits from the State when they are due. With the rise of the information society and the information state in India, this trust becomes more important than ever. We need to believe that systems that record our personal details and interactions and process them for insight will operate fairly and responsibly. That they will empower us and not harm us.

The introduction of the Personal Data Protection Bill in the Lok Sabha this week, and its referral to a select committee of parliamentarians, should have been a turning point in our efforts to build trust in India’s digital ecosystem. One would imagine that we, the citizens of the Republic of India, would soon be marching into a more secure and privacy-protecting digital world. A closer look at the draft Bill, however, reveals a weakening of provisions required to empower and protect individuals.

This is a grave concern as we move into the final stages of deliberations on the Bill.

To build genuine trust for this law and in our future society, the objective guiding these final deliberations should be the best interests and empowerment of Indian citizens, rather than those of corporations or the state.

Limiting User Rights And Grievance Redress

Data protection and privacy laws are already faced with a notoriously difficult task. They have to safeguard users’ privacy interests in a world where data-processing is ubiquitous and invisible, and harms from misuse of personal information may not immediately manifest. There are many ways to overcome this problem, but a basic, obvious and minimum requirement to do so is to empower users and allow them to complain if and when they are harmed or discover problems with their information.

First, it is important to give users a wider bouquet of rights and a strong complaint process that will ensure that entities meet the obligations required under the law. This Bill contains only four rights:

  • to access and confirm that your information is held by an entity,
  • to correct or erase it,
  • to require an entity to share your information with another entity (data portability), and
  • a right to be “forgotten” or restrict the sharing of old information about you.

This falls far short of the full range of user data rights available in most data protection regimes – such as the right to breach notification or rights when it comes to automated decisions.

More worrying is the fact that the Bill places barriers to the exercise of these rights. If you want to exercise your new data rights, you will have to make a written request (rather than verbal, through video or in-person) and could be charged a fee. This is problematic for a country like India, which may have areas with high digital awareness and use but low literacy or income levels.

Second, the Bill sets up a grievance process for individuals where they suspect contraventions of the regime. This is a bureaucratic process requiring the filing of complaints with a fiduciary, and then with the Authority – with a separate process to seek compensation directly to the individual harmed. A more modern approach in this law could have created a simple, more accessible process that uses screening and fast-tracking to triage and resolve complaints. Most worryingly, this Bill appears to vacate the right of citizens to directly approach courts when an offence under this Act has been committed. A similar provision in the Aadhaar Act was struck down by the Supreme Court on the basis that it violated citizens’ right to seek remedies. Why should we resurrect old ghosts?


No Fetters For Responsible Exercise Of Powers

Aside from these limitations on the rights of users, some broader shifts in the architecture of the Bill throw up deep concerns for user data protection.

The first among these is the design of the Data Protection Authority itself. Well-recognised accountability mechanisms in regulatory thinking are absent when it comes to the proposed governance structures of the future DPA. For instance, the selection committee that will decide the future chairman and members of the DPA is now comprised entirely of central government officials. The previous draft of the Bill required a judge of the Supreme Court and an external expert of repute to also be part of this selection committee.

Once established, the DPA will also have no independent members appointed to it, but only ‘whole-time’ member employees.

Independent members will be needed in such a fast-moving space, and to maintain the right incentives and accountability at the DPA.

Finally, the most striking changes in the law—debated by many in the last week—are the wide exemptions granted for the state’s use of data. Entire agencies of the state can be exempted from the requirements of this Bill to have a clear purpose for collecting data, to ensure fair processing and to delete personal data when no longer required.

These shifts undermine the Bill’s own framing, which aspires to create a country where the entities holding our personal information will be deemed our data fiduciaries. This dependency brings with it obligations to act in the utmost good faith and in the best interest of a person where the fiduciary is providing a service or interacting with others on the person’s behalf. The final report of the Srikrishna Committee extended this terminology for the first time into the digital sphere in India – to provide a new and inspiring framing from which to envision the digital world we want to build. The report recognised the “existing inequality in bargaining power between individuals and entities that process such personal data”. It also recognised that those of us who delight in the convenience and play of digital technology do so based on a fundamental expectation of trust.

In the coming months, we must recall that this Bill was forced into existence due to the privacy concerns that arise when the personal information of Indians is used negligently, unthinkingly or maliciously against them. If we march into a data-intensive world without offering people respect and transparency for themselves—their private lives, their personal information, their digital personas—we risk losing the trust required to build a more secure and trustworthy digital sphere. The design choices in this Bill will determine how our digital future plays out in this country. A Personal Data Protection Bill must live up to its name, and offer protections rather than exemptions to help safeguard India’s digital future.

Malavika Raghavan heads the Future of Finance Initiative at Dvara Research.

The views expressed here are those of the author and do not necessarily represent the views of BloombergQuint or its editorial team.
