Draft Data Protection Bill Is A Common Person's Delight; Still Throws Up More Confusing Questions
All must be familiar with the timeline leading up to the new draft Digital Personal Data Protection Bill, released last week for public comments. Its roots can be traced to the Supreme Court's Puttaswamy judgment, which called for a data protection law for the country in the light of the iteration of privacy as a fundamental right. Then there was the Srikrishna Committee Report, which came up with its own version of a data protection law, followed by another draft version in 2019. A Joint Parliamentary Committee (JPC), after undertaking consultations on this draft, suggested more than 80 amendments. Without any justification, the Central Government withdrew the draft, promising a more comprehensive draft in the near future taking into account all inputs received. A look at the JPC Report convinces us that proceeding with the draft would have produced an 'abstruse epic'. The challenge of this article is to examine whether the fresh draft lives up to the promise in form and content.
A New Dawn in Indian Legislative Drafting
The origin of the demands for simple language can be traced to the Plain Language Movement in England, which has a legacy of over fifty years. A school criticizing the movement believes that complex ideas are to be expressed in complex language. But the general public governed by laws needs to understand them, implying that the language employed has to be simple and not jargon-laden. We could mark three instances in India in recent history which acknowledge the value of simple legal language. First is a PIL entertained by the SC seeking use of plain language in laws, government orders, notifications etc., to make the law discernible to common people (Dr Subhash Vijayran vs UoI). Second is the SC's snub of a Himachal Pradesh High Court judgment for using 'incomprehensible language' and its call for employing plain English in judgments. Third is an attempt by former HC judge Dama Seshadri Naidu at beautifully re-drafting the complex section 65B of the Evidence Act. All these, along with the language employed in European data protection laws, would have encouraged the drafters to use simple and lucid language in the fresh draft, which has to be appreciated for being a smart baby step. Now it is the content of the draft which asks a few confusing questions. Addressing those aspects would reveal whether the fresh draft is to be proceeded with or not.
Exclusion of Non-personal Data
As the JPC Report says, large sections of non-personal data are derived from 'personal, sensitive and critical personal data' which has been anonymized or in some way converted to re-identifiable data. The Committee felt that 'it is impossible to distinguish between personal data and non-personal data' and hence both need to be covered in a data protection law. The present draft defines personal data as 'any data about an individual who is identifiable by or in relation to such data'. EU Regulation 2016/679 on protection of personal data while processing such data and Directive 2016/680 on protection of natural persons regarding processing of personal data connected with crimes or execution of penalties cover non-personal data. Techniques are available to de-anonymize anonymous data, and the exclusion of non-personal data puts data stored in India in a precarious condition. The draft needs to take care of reconverted data to do complete justice to individuals.
Bidding Farewell to Localisation and Atmanirbharata
The JPC Report strongly recommended localization of data as 'national security cannot be compromised on the ground of promotion of businesses'. This was also seen as useful for the national economy, creating more data-related jobs in the country. But industry has other ideas, promoting free international flow of data and thereby furthering free trade. As a compromise, the JPC Report suggested that 'mirror copy of sensitive and critical data be mandatorily brought back to India'. But the position of the industry stands vindicated in the new draft, in which section 4 speaks about extra-territorial application of the law and section 17 stipulates that a Data Fiduciary may transfer personal data to foreign countries and territories notified by the Central Government. The terms and conditions for the transfer will be specified in later regulations. Let us imagine that data is transferred to a European country where the EU regulation is applicable and a data breach occurs there. Though it is a question of private international law, according to section 4, Indian law is applicable in such a situation, denying Data Principals the benefits of a more favorable law. There should be a provision that the law which is more favorable to the Data Principal will be applied in such a situation.
Deemed Consent and Exemptions
Section 8 allows a Data Fiduciary to assume consent for any fair and reasonable purpose upon satisfaction of three conditions: 1) legitimate interests of the Data Fiduciary outweigh adverse effects on the rights of the Data Principal; 2) public interest; and 3) reasonable expectation of the Data Principal in the processing context. Thus, it is the call of the Data Fiduciary, which is deeply problematic in Indian conditions where the concept of consent itself is a myth. Section 18 of the draft exempts Data Fiduciaries in the following instances, thereby exempting them from almost all obligations under the law: 1) data related to legal process; 2) through notification, any instrumentality of state for specified objectives; and 3) data for research, archiving and statistical purposes. The Central Government may notify such Data Fiduciaries. The only binding obligation is section 9(4), which says a Data Fiduciary or Processor shall protect personal data by taking reasonable security safeguards. The Data Principal has no rights and financial penalties will not be imposed on the Data Fiduciary even if found at fault. This is the widest exemption in comparison to the EU law, which only exempts personal data for the purpose of national security. Section 18 may fail the tests of necessity and proportionality in determining the constitutionality of reasonable restrictions. Also, there is a requirement for a provision asking Data Fiduciaries to anonymize data if used for other purposes, as there could be international flow of data outside the framework set by section 17.
Duties of the Data Principal
Going along with the present-day rhetoric on the prominence of duties in the realization of rights, section 16 spells out the duties of the Data Principal. Thanks to the drafters, the rights and duties of the Data Principal and Fiduciary respectively are unaffected by a failure of the Data Principal to observe duties. The section appears to be expansive in demanding compliance with the provisions of 'all applicable law' while exercising rights under the act. This needs clarification as to whether there could be failures which are curable. A duty is cast to avoid false or frivolous grievances and to ensure accuracy of particulars provided. Poor Indians will be fined up to Rs 10,000 for duty failures.
Obliterating the Idea of Compensation
The earlier draft had a provision on compensation for data breaches in line with the European law and section 43A of the Information Technology Act (proposed to be omitted by the draft), which makes a body corporate liable for breaches of sensitive personal data or information due to its failure to adhere to security safeguards and if any person suffers wrongful loss or gain. Not even a diluted obligation can be found in the new draft. The purpose of the prescribed financial penalty is just an addition to the public exchequer and not compensatory justice to Data Principals who suffered damage. Principles and mechanisms to dispense compensatory justice are badly needed in the scheme of the law. This will act as a protection to Data Principals whose data is transferred to a notified country and encourage other countries to notify India as a data storage destination. There should be a provision in the draft for representative litigation to give voice to voiceless Data Principals who are victims of mass data breaches. The scope of section 15, which allows a Data Principal with incapacity to nominate any individual to represent her, is vague at this point.
Clarity on Genetic Information
The definition of data and personal data in the draft covers information related to DNA profiling and processing. A marriage of genetics with information technology made possible automated collection and processing of genetic information. The Sensitive Personal Information Regulations under the Information Technology Act cover biometric data, but the draft is conspicuously silent on that aspect. Legislation in the making is the DNA Technology (Use and Application) Regulation Bill introduced in the Lok Sabha. The Bill at several places refers to confidentiality of information and ethical human rights issues associated with genetic testing. The National DNA Data Bank, Regional Data Banks (a Parliamentary Standing Committee recommended doing away with these) and accredited laboratories, along with the agencies and individuals accessing the data banks, are the bodies which have obligations in relation to genetic information. According to section 31, the National Data Bank shall remove the DNA profile of persons who are neither offenders nor suspects nor undertrials upon the written request of such persons and intimate them about the removal. Article 32 mandates the Board to ensure the security and confidentiality of information stored in the data bank. Article 38 prohibits use of a DNA profile for purposes other than those for which it has been collected. The Bill prescribes punishment (imprisonment and fine) for unauthorized disclosure, unauthorized access and using unlawful access to information. Thus there is a clear overlap between the draft of the data protection bill and the DNA Technology Regulation Bill. Possibly there could be contradictions between the exemption clause in the draft and some obligations of the DNA Technology Regulation Bill. The non-obstante clause in the draft needs to be remembered in this context. The draft needs cross references to the DNA Technology Regulation Bill or clarifications as to the status of genetic information vis-à-vis the draft.
This is of utmost importance considering the individually and socially sensitive nature of genetic information and the fact that more private players are set to handle such information as gene therapy is set to conquer the health sector.
The Fuss about the Act-Regulations Approach
It is quite true that the draft leaves a lot of details to rules to be made in future. Experts like Apar Gupta and Adv N.S. Nappinai were quick to note this and denounced the draft as vague and incomplete, leaving a number of important aspects to the sweet will of subordinate legislation. It seems a prudent decision not to overburden the body of the draft with too many details. The Act-regulations approach is more suitable to address rapid technological advancements, the resultant social consequences and legal responses. Technology-related details in the draft would make it look archaic within years of becoming law. Subordinate legislation cannot be a free pass to go beyond the parent act. Otherwise rules will be struck down as ultra vires. A careful perusal of article 26 of the draft reveals that Parliament can accept, reject or modify rules laid before it. Then there is the possibility of rules going against the purpose of the act. For example, details on the constitution of the Data Protection Board have the potential to affect its independence. So a provision is needed in the draft for strengthening the purpose of the act even when rules are intra vires. The draft is criticized in many respects. But by being simple it acts as a perfect new starting point for further deliberations.
Views are personal.