The joint parliamentary committee (JPC) studying the PDP bill may expand its ambit to include sensitive non-personal data as well, a recent Mint report said.
WhatsApp has been sharing user data with Facebook since 2016, but with the option to opt out of some of them. The policy update, which takes effect on 8 February, takes away that option to opt out. Now users have no choice but to allow WhatsApp to share the information with Facebook or they won’t be able to use the platform.
The final PDP bill should ensure protection against modification of terms in a detrimental fashion from the time when users have signed up, Nappinai said. “It takes one provision to be added to say that terms of contract cannot be modified thereafter," she said.
“The proposed PDP bill, which codifies the data protection principles of purpose and storage limitation, and proposes a relationship of trust between persons and entities collecting or transferring their data, may restrict sharing or transfer of data for reasons which do not directly relate to why it was collected," said Arun Prabhu, partner at Cyril Amarchand Mangaldas, a law firm.
One of the provisions of PDP bill 2019 states that provision of any goods or services or the quality thereof, or the performance of any contract, or the enjoyment of any legal right or claim, shall not be made conditional on the consent to the processing of any personal data not necessary for that purpose. Privacy advocates point out that existing laws are not entirely toothless.
“Right now, we cannot afford to wait for PDP. By the time it reaches the government, and they make changes and place it before the Parliament, a lot of water would have flown under the bridge," said Pavan Duggal, advocate and cyberlaw expert.
Existing laws have provisions to protect users in cases like this, Duggal pointed out.
“Section 87 of the IT Act 2000 gives the government the power to come up with distinctive rules and regulations specifically to prohibit this kind of arbitrary conduct by intermediaries," said Duggal.
Nappinai agreed that while laws are minimalistic, if they are enforced, they are powerful enough to protect the rights of users.
“Under 43A, IT rules have been formulated and they explicitly capture and set out data principles on consent, use, retention and transferring. If you apply the rules, we already have protection against any company trying to expand terms merely because a user has consented to earlier terms," Nappinai said.