[Ed Note: The following post, the third in a series of posts containing comments on the Report and Draft Bill, 2018 published on the MeitY website, has been authored and compiled by students of NALSAR University of Law. This post contains comments on the enforcement mechanism of the Draft Bill, 2018.
The first post in the series can be found here. Keep watching this space for more posts!]
At the outset, the Personal Data Protection Bill (hereinafter 'the Bill') makes clear whom its provisions affect. Section 2 of the Bill states that it applies to the processing of any personal data by the State, any Indian company, any Indian citizen, or any other person incorporated under Indian law[1].
The Bill therefore applies vertically, binding the State in its dealings with individuals.
Vertical Application of the Bill
Section 3 of the Bill defines 'data fiduciary' to include both the State and any person or company; 'State' carries the meaning given in Article 12 of the Constitution. Section 4 requires that data be processed in a 'fair and reasonable' manner that respects the privacy of the data principal[2]. Consent is naturally a central element of this, and Chapter III of the Bill elaborates on it: Section 12 lists the conditions that must be fulfilled for the consent of the data principal to be valid. However, the Bill exempts the State from the obligation to obtain the data principal's consent in certain situations, which are enumerated below.
Section 13 of the Bill states that personal data may be processed without consent if the processing is necessary for any function of Parliament or any State legislature, or for a function of the State that provides a service or benefit to the data principal, or that certifies, licenses or permits any action of the data principal[3]. Section 19 likewise exempts the processing of sensitive personal data from consent on the same grounds, using the phrase 'strictly necessary' rather than 'necessary'. Section 17 allows non-consensual processing for reasonable purposes, which the Bill ties to the 'public interest' and which include the 'prevention or detection of any unlawful activity'[4]. Section 42 covers processing in the interests of the security of the State: where such processing is necessary for, and proportionate to, the interests being achieved, it is exempt from several key parts of the Bill, including the consent of the data principal, the rights of data principals, and the transparency and accountability obligations[5]. The only caveat is that the processing must be authorised by a law and carried out under a procedure established by that law.
While it is welcome that the Bill spells out when the State may collect data from individuals without their consent, it does not do enough to define the situations in which the State may exercise that power, and the blanket exemption from consent raises a real possibility of misuse. The words 'necessary' and 'strictly necessary', as used in the Bill, offer little assurance as to when the State may bypass the conditions laid down in Section 12. First, neither term is defined, so it is unclear what kind of situation would permit the State to process personal data. Second, no clear distinction is drawn between 'necessary' and 'strictly necessary', which is untenable: the standard for processing sensitive personal data must be substantially higher than the standard for processing personal data that is not sensitive. Section 3 defines 'sensitive personal data' to include data relating to a data principal's passwords, sex life, genetic data, caste or tribe, religious beliefs, and so on[6]; such data merits a much higher standard of protection, and the situation must genuinely demand its processing for that processing to be legitimate. As a general principle, personal data should be processed only with the express consent of the individual. It is therefore imperative that the Bill offer at least a broad definition of what constitutes a 'necessary' situation, so that there is a clear framework governing when the State may take data. The current Bill lacks this: as the terms are now used, they are vague and permit the arbitrary exercise of authority. Commentators have observed that tighter provisions that do not dilute the rights of data principals would be a welcome addition to the Bill[7].
The test of necessity is not a new concept in data collection. It is an essential requirement with which any proposed measure of data collection must comply[8], and an essential factor in assessing the lawfulness of the processing of data[9]. Under Article 52 of the Charter of Fundamental Rights of the European Union, which sets out the conditions that any limitation on a Charter right, including the right to protection of personal data, must satisfy, the necessity of the limitation is a central factor. The European Data Protection Supervisor defines necessity as 'the need for a combined, fact based assessment of the effectiveness of the measure for the objective pursued and of whether it is less intrusive compared to other options for achieving the same goal'[10], while 'strict necessity' is the more demanding standard applied where a measure interferes with fundamental rights[11]. In that jurisdiction, the test itself is a four-step checklist that weighs the limitations a proposed measure places on rights against the objective the measure pursues. No such definition of necessity appears in the Data Protection Bill, and one should be incorporated to promote transparency in how the State collects data.
The State should collect data only for the performance of regulatory functions, or functions intrinsically linked to governance. A wide ambit for non-consensual collection would defeat the purpose of such a Bill and open the door to misuse of sensitive data by the State. The obvious instance of the State taking data from individuals is the Aadhaar scheme. Aadhaar is now tied to many of the benefits to which we as citizens are entitled: health care benefits, SIM cards, income tax returns and so on[12]. Paytm has even made the linking of Aadhaar to its databases mandatory for continued use of its service. The sections discussed above give the government a blanket exemption for the collection and processing of personal data, and in the absence of a clear definition of necessity the possibility of widespread collection of private data is apparent. The coexistence of the seemingly ever-expanding reach of Aadhaar with the requirement of 'fair and reasonable' processing[13] is something the Bill must reconcile, through amendments that ensure people know how their data can be used by the government.
The next post can be found here.
[1] Section 2, Personal Data Protection Bill, 2018.
[2] Section 4, Personal Data Protection Bill, 2018.
[3] Section 13, Personal Data Protection Bill, 2018.
[4] Section 17, Personal Data Protection Bill, 2018.
[5] Section 42, Personal Data Protection Bill, 2018.
[6] Section 3, Personal Data Protection Bill, 2018.
[7] Shaikh Zoaib Saleem, '3 things to know about the new draft law on data privacy', Livemint, https://www.livemint.com/Money/DiBBSl9e4ybGBI5Me0bWEI/3-things-to-know-about-the-new-draft-law-on-privacy.html
[8] European Data Protection Supervisor, Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A Toolkit (available at https://edps.europa.eu/sites/edp/files/publication/17-06-01_necessity_toolkit_final_en_0.pdf)
[9] Necessity & Proportionality, https://edps.europa.eu/data-protection/our-work/subjects/necessity-proportionality_en
[10] Ibid.
[11] Ibid.
[12] Praavita, 'Can the Aadhaar Act and a Data Protection Act Coexist?', The Wire, https://thewire.in/law/can-the-aadhaar-act-and-a-data-protection-act-coexist
[13] Section 4, Personal Data Protection Bill, 2018.