Opinion | The data protection bill is far from a finished product
The B.N. Srikrishna committee’s draft data protection bill gets some things right but fails to impose credible checks and balances on the state
The Justice Srikrishna Committee had an unenviable task before it. It had to lay the foundations of a data protection regime of considerable scope that would have far-reaching economic, sociopolitical and governance implications. And it had to do so while juggling the interests of individual citizens, the state and businesses. Given this, it was never going to satisfy everyone. The committee report and draft Personal Data Protection Bill, 2018, released on Friday bear this out. They get some things right, but contain a considerable number of loopholes as well. They should be taken as the starting point of a vigorous public and political debate.
Last week, in an interview in Mint, Nandan Nilekani had noted that any data privacy law should apply equally to the government and private actors. The committee report says the right things in this regard. It emphasizes the need for a regulatory framework that addresses the asymmetry in bargaining power between individuals and data processing entities. And while it acknowledges the transformative potential of the data economy, it rightly points out that “Despite the fact that the State is able to exercise substantial coercive power, and despite ambiguous claims to personal data that may not be necessary for its functions, the State remains largely unregulated on this account.” Unfortunately, in practice, the committee’s solicitude for individual rights falls short when it comes to the state.
In both the report and the draft data protection bill, the committee has placed user consent and specificity of purpose for data processing front and centre when it comes to businesses. The former is trickier than it seems. Consent as it exists now is largely ineffective—lengthy boilerplate forms full of legalese that users rarely bother to read, let alone understand. The committee has tried to address this by hedging both user consent and contracts between users and businesses—data principals and data fiduciaries—with caveats to ensure that the consent is informed, specific and limited to what is necessary. These are good guiding principles. Translating them into practice will be tricky, however. The bill makes provisions for data auditing of fiduciaries to ensure that data security and the terms of data use are being honoured; the report’s suggestion that blockchain be used for this purpose to ensure credibility and transparency is a good one, if currently technically iffy.
However, such regulation comes with a competitive and, potentially, an economic cost. The report blithely dismisses that cost. This is facile. Take the report’s equating of a consent contract for data collection and processing with product liability norms. This means that it is not sufficient that a user gave full consent for his data to be used; the fiduciary could still face some liability. Or there is the bill’s treatment of consent withdrawal. As a principle, this is well and good. But the report paints scenarios of implied consent—a user entering personal data with the knowledge that it will be used to complete a transaction even if he hasn’t explicitly agreed to it being used—where consent withdrawal could have high costs. E-commerce and financial service transactions are examples of this. The bill does stipulate that the data principal will bear the costs of withdrawing consent. But these liability and consent burdens create uncertainty that large companies with deep pockets will be able to weather much better than scrappy start-ups. That doesn’t bode well for competition.
It’s when it comes to checks upon state power that the bill truly takes its eye off the ball, rhetoric in the report notwithstanding. Section 13 (1) states, for instance, that “Personal data may be processed if such processing is necessary for any function of Parliament or any State Legislature.” Section 19 expands this logic to cover sensitive personal data—which can readily identify individuals and can contain critical information to do with, say, finances or health—as well. Section 42, meanwhile, exempts the state entirely from most provisions of the bill if the relevant data processing is in keeping with a law passed by Parliament.
There is a legitimate tension between data privacy rights and the imperatives of governance and security. Resolving this tension requires a careful balancing act. What the bill has done, instead, is given the state carte blanche. This is disappointing and dangerous. It becomes even more so in light of the fact that the bill steers clear of addressing state surveillance at all. Other provisions—such as on data localization—play into this, giving the government easy access to personal data collected by third parties.
The committee’s work highlights areas of future churn as well. Independent data auditors and third-party data fiduciaries that handle data collection and compliance burdens for companies—small companies in particular could benefit from this—could be big business going forward. Internationally, data treaties could become important to ensure interoperability of data privacy regimes and avoid jurisdictional hassles. And, perhaps most importantly, the Data Protection Authority that the committee has vested with immense powers to regulate the data ecosystem and create its rules will have a prominent public role no matter what shape it eventually takes. Ensuring its credibility, competence and independence will be critical.
The report and the bill that is built upon it lay down some sound principles. The committee’s work is not without merit. But it is far from a finished product.
Should there be more checks on the government’s power to collect and use citizens’ data? Tell us at firstname.lastname@example.org