Last Thursday, after just over two full years of deliberation, the Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill submitted its report along with a revised draft. With this, India has taken one more, albeit agonizingly slow, step in the direction of having a full-fledged privacy law.
Many of the amendments suggested by the JPC are welcome. The 2019 draft required children’s personal data to be processed in a manner that was in the “best interests of the child”. Given that decisions as to what constitutes the child’s best interests are best left to parents and natural guardians, the new language proposed by the JPC which states that the personal data of children should be processed in such a manner as would protect the rights of the child, is welcome. Similarly, the introduction of a new Section 62, under which data principals can file a complaint with the Data Protection Authority if they are not satisfied with how their grievance was redressed by the data fiduciary, neatly ties up one of the last remaining loose ends in the grievance redressal mechanism of the draft law.
Other recommendations are somewhat innocuous, if a bit misguided. For instance, the new definitions of “data fiduciary” and “data processor” now specifically include a reference to non-governmental organizations in the definition even though the existing language, which includes “companies and any juristic entity”, would have extended to them anyway.
Other changes, though seemingly insignificant, could have a substantial impact on how the law is implemented. While much public attention has been focused on Section 35, the effect of the amendments throughout the draft law on exemptions under Section 36 is perhaps more insidious. The latest draft exempts in its entirety the applicability of Chapters II through VII for, among others, law enforcement purposes. While similar language has been part of the draft since 2018, these exemptions have always been qualified—in the 2018 draft by an obligation to process personal data in a fair and reasonable manner that respects the data principal’s privacy and in the 2019 draft by an obligation to process personal data only for specific, clear and lawful purposes. The current draft does away with all such qualifications on the processing of personal data.
Similarly, the scope of Section 12, which permitted personal data to be processed without consent for the performance of state functions on just two grounds—(i) the provision of services or benefits and (ii) the issuance of certifications, licences or permits—has been expanded innocuously through the insertion of the word “including”, to now suggest that these two categories are only illustrative of the many other grounds on which the state could collect data without consent.
But what is perhaps of most significant concern are concepts that have been introduced in this draft for the very first time. Take, for instance, the recommendation that a framework needs to be established for the monitoring, testing and certification of hardware devices. To the best of my knowledge, this sort of a provision is without precedent anywhere in the world, and while it makes sense to worry about the privacy risk posed by the proliferation of hardware devices, are these concerns not already addressed more than adequately in the privacy principles that serve as the basis of the law?
The obligation to appoint data protection officers has always been cast upon significant data fiduciaries, but the new draft clarifies that these officers must belong to the C-suite of the company. While the objective behind this stipulation seems to be to ensure that companies do not appoint a low-level functionary to meet their obligations, when applied in the context of global internet businesses providing services to customers in India, it seems to suggest that only the chief executive officer, chief financial officer or a whole-time director of the overseas company providing the service can be appointed as a data protection officer for India.
But perhaps the most extraordinary change, by far, is its expansion of the scope of the law to also include non-personal data. The JPC has gone so far as to change the very title of the bill to reflect this thinking from the Personal Data Protection Bill to simply Data Protection Bill, replacing references to “personal data” in various sections with the term “data”. In my view these amendments are both unwarranted and misguided. Non-personal data has no bearing on privacy, unless some of that data becomes personally identifiable. Personal data, by its very definition, means directly or indirectly identifiable data about or relating to a natural person, suggesting that the moment any non-personal data becomes identifiable, it will automatically be covered by the law’s provisions. This should sufficiently address any risk to privacy posed by non-personal data.
I have long argued that data fiduciaries must be encouraged to anonymize and de-identify personal data, so that in the unfortunate event of a data breach, the resulting privacy harms are minimized. One way to do that would be to exclude non-personal data from the ambit of this law. Now that anonymized data is included within the purview of the proposed law, this powerful incentive will no longer exist.
Non-personal data regulation should be oriented towards unlocking the value inherent in data. Including it in a data protection regime will have the opposite effect.
Rahul Matthan is a partner at Trilegal and also has a podcast by the name Ex Machina. His Twitter handle is @matthan