In this blog post, we share our comments on the draft Personal Data Protection Bill 2018 (hereafter “the draft Bill”) in response to the call for comments from the public by MEITy (Ministry of Electronics and Information Technology, 2018). Our response, accessible here, presents a set of overarching comments and section-by-section feedback and proposals on particular provisions of the draft Bill. Our response builds on our past work on the principles and design required for an effective, consumer-friendly data protection framework that takes into account the unique exigencies of the Indian context.[1]
Though we welcome the draft Bill’s attempt to erect a much-needed data protection law for India, we urge further development of the draft Bill to arrive at a truly user-protecting framework. We are deeply concerned that the draft Bill, in its current form, fails to provide adequate user protection. Despite speaking in the language of empowerment and fiduciary responsibility, the draft Bill fails to give users a wide set of rights or incentivise effective, user-focussed grievance redress by data fiduciaries.
In this post, we summarise eleven significant concerns with the draft Bill. These are grouped into (i) foundational concerns, (ii) user protection concerns and (iii) transparency and accountability concerns.
Foundational concerns:
1) The aspiration for a “data fiduciary” paradigm falls short in application: Although the draft Bill uses the language of fiduciary responsibility, by identifying individuals as “data principals” and the entities that process their data as “data fiduciaries”, the substantive provisions fail to articulate the higher protections and standards of conduct central to a fiduciary relationship. Obligations in Chapter II (Data Protection Obligations) and Chapter VII (Transparency and Accountability Measures) do not require a consideration of the interests of data principals prior to processing.
We submit that the draft Bill must raise the data protection obligations to a fiduciary standard.
2) The definition and usage of “harm” in the draft Bill limits user protections and rights: “Harm” as currently defined sets out a wide variety of unrelated consumer injuries that may not always be a consequence of a misuse of personal data. The absence of a conceptual definition of harm leads to a lack of clarity on how to interpret the list-based definition and creates the risk of excluding unforeseeable data harms. This is problematic because significant provisions of the draft Bill are predicated on establishing the occurrence or likelihood of harm or significant harm.
We therefore propose that (1) the draft Bill should include a broader definition of “harm” in a way that allows future jurisprudence and data practice to develop, and (2) avoid using “harm” as a threshold or trigger for any substantive obligations or entitlements under the draft Bill, (3) contain a broad “right against harm” which imposes a reasonable obligation on data fiduciaries to avoid causing harm to the data principal.
3) The potential to create a clear, non-derogable standard for “fair and reasonable” processing needs to be fulfilled: The draft Bill creates an obligation on all data fiduciaries to process personal data in a “fair and reasonable manner” that respects the privacy of the data principal. We welcome this overarching, non-derogable obligation. However, the draft Bill does not articulate any clear criteria for determining “fair and reasonable”. This precludes the ability of the proposed Data Protection Authority (henceforth referred to as “DPA”) to effectively enforce the provision and the ability of data fiduciaries to comply with the requirement.
We propose that this obligation should require data fiduciaries to balance their interests in processing the personal data with its impact on the interests and rights of the data principal. Support for such balancing is available in the draft Bill itself, albeit in a different context in section 17 (Processing of data for reasonable processes).
User protection concerns
4) All user data should have the same standard of protection: We question the utility of distinguishing between “sensitive personal data” and “personal data” considering first, the sensitivity of personal data is heavily contextual. Second, modern data aggregation technologies can reveal sensitive information by processing personal data. Third, technological advances can create newer data types, requiring a future regulator to constantly update the list of “sensitive personal data”.
Therefore, we reiterate that all personally identifiable data should receive the same standard of protection.
5) The draft Bill disincentivises and penalises withdrawal of consent: Despite an emphasis on making the withdrawal of consent as easy as giving it, section 12(5) of the draft Bill, states that the data principal would bear all legal consequences for the withdrawal of their consent. This threat of legal consequences would disincentivise data principals from withdrawing their consent, even leading to situations where their personal data is retained under duress.
We propose that withdrawal of consent should only result in a termination of contract (and the related contract for service) to the relevant data principal and not potential liability for the data principal.
6) Data principals are afforded a limited set of rights: The draft Bill affords only four narrowly defined rights to data principals. Our primary research on data principals’ experiences with the digital economy reveals that they are ill-equipped to exert their autonomy and protect themselves from misuse of their personal data (CGAP, Dalberg & Dvara Research, 2017).
We propose that the draft Bill should include the full bundle of rights comprising (i) right to clear, plain and understandable privacy notice; (ii) right to be asked for consent prior to data collection; (iii) right to adequate data security; (iv) rights to privacy by design (including privacy by default); (v) right to breach notification; (vi) rights relating to automated decision-making; (vii) right to informational privacy; (viii) right against harm (as defined in the Dvara Bill).
7) The draft Bill creates high barriers to exercise the rights by data principals: To exercise their rights (except the right to be forgotten), the draft Bill requires data principals (1) make written applications to the data fiduciaries; and (2) pay a fee determined by the data fiduciary. These design choices are unsuitable for the Indian context because they presuppose the data principal to be a literate, educated and empowered individual with the time and money needed to exercise their own rights.
We propose that data fiduciaries should be mandated to make themselves easily accessible to data principals through diverse media including toll-free numbers, postal mails and personal visits; fees if any should be nominal and establishing identity should not be onerous.
8) The grievance redress framework is burdensome and limited for users: Seeking grievance redress is excessively burdensome on the data principals because to raise grievance they are required to (1) identify a violation of the draft Bill and (2) establish a harm (or potential harm). We note that this also precludes the ability of data principal to seek recourse where (1) a violation of the draft Bill has occurred without a manifested harm, or (2) where the data principals may have suffered harm due to misuse of their data, despite an apparent compliance with the provisions of the Act by the data fiduciaries.
Transparency and Accountability concerns
9) Data breach notifications are not mandatory but based on data fiduciaries’ determination of “harm”: Currently, the draft Bill requires data fiduciaries to notify the DPA of those data breaches which are likely to cause harm, based on the data fiduciaries’ subjective assessment. Further, the DPA determines which breaches should be notified to data principals. This is problematic because first, the lack of clarity on the definition of “harm” makes it a poor trigger for such an obligation. Second, incentives of data fiduciaries may not be aligned in disclosing breaches to the DPA. Third, it creates a bottleneck at the DPA, potentially delaying the breach notification to data principals.
We propose that the data fiduciaries should report all data breaches to the DPA and have the freedom to reach out to data principals where direct actions are required to protect themselves.
10) Accountability mechanisms of the proposed Data Protection Authority must be strengthened: The draft Bill empowers the DPA to undertake a range of enforcement actions, including launching investigations, levying of civil penalties and criminal punishment. However, the design of the DPA fails to incorporate the core accountability features required to ensure these powers are used proportionately. We reiterate our call for a wide set of enforcement tools, predicated on a “responsive regulation” requires a measured and transparent escalation of regulatory sanctions from softer enforcement tools to harder actions for entities that infringe a data protection regime (Dvara Research, 2018c).
We reiterate that the DPA should be a board-governed body. Its enforcement actions must be based on clear feedback loops and guided by criteria for the exercise of supervisory judgment. It should contain mechanisms including clear monthly and annual reports on enforcement to a Management Board (Dvara Research, 2018c).
11) Inconsistency in delegation of powers: We humbly submit that there appear to be some inconsistencies in the level of detail and delegation in the primary legislation in some aspects of the draft Bill, that would benefit from further refinement. In accordance with the principles of constitutional and administrative law, the delegation of powers should conform with two grounds, “(i) whether it delegates essential legislative functions or powers, and (ii) whether the legislature has enunciated its policy and principle for the guidance of the delegate (Shukla, 2003)[2]. Some provisions of the draft Bill do appear to raise concerns regarding whether they set out enough detail and guidance for delegated legislation. Likewise, the overlap between the DPA’s and Central Government’s mandate and powers in the draft Bill would benefit from clarification.
In conclusion, we note that the draft Personal Data Protection Bill 2018 is an ambitious document charting out a framework for India’s future law. To ensure it fulfils its ambitions to be a “fourth way” in data protection, it however needs to address certain important concerns and inconsistencies, also set out in detail in our response here.
We welcome engagement or further questions on any of these responses.
—
[1] See further, Dvara Research’s response to the Committee of Experts on Data Protection (Dvara Research, 2018a) and the accompanying draft legislative document produced to support the submissions titled the Data Protection Bill, 2018 (hereafter “the Dvara Bill”) (Dvara Research, 2018b). See also a working paper on the Effective Enforcement of a Data Protection Regime (Dvara Research, 2018c)
[2] Shukla, V. (2003). Constitution of India. New Delhi: Eastern Book Company.
