The Ministry of Electronics and Information Technology (MeitY) has published the fourth iteration of India’s data protection legislation. Dubbed the ‘Digital Personal Data Protection Bill’ (the Bill), it appears to be a remarkably reductive regime compared to its earlier iterations.
Any personal data protection legislation must safeguard people’s right to privacy, which the Supreme Court enshrined as a fundamental right in 2017. The Bill, far from serving this objective, calls for a reminder: why do we need a Personal Data Protection Bill?
The rationale for a Personal Data Protection Bill
A data protection legislation is needed for three reasons:
First, to prevent unwarranted revelation of our identity. In the digital economy, where we express ourselves online, our personal data is an extension of ourselves. As a result, providers can deconstruct deeply personal parts of our identity using our personal data. For instance, in 2012, a major retail shopping brand in the US gleaned that one of its teenage customers was pregnant based on their purchases. They revealed the customer’s pregnancy to her parents in the process.
Similarly, studies suggest that data processing technologies allow providers to glean a person’s political orientation, race, relationship status, alcohol and drug usage, sexual orientation, and personal preferences from seemingly ordinary data like their photos, music preferences or basic social media activity. In the absence of fetters on data processing, this can violate our right to privacy.
Second, to correct the power imbalance between users and providers. Personal data is an indispensable input for both government and private providers while delivering services. While providers have complete visibility of how the data is processed, stored and shared, the same is not true for citizens.
A data protection legislation helps users to wield power over providers and hold them to account. In its absence, there wouldn’t be any check-dams on how providers collect and process personal data – creating risks for our privacy and safety.
Third, to protect users against data-related harms. We are vulnerable to different kinds of harms when our data is breached, misused, or badly processed. However, we may be powerless to protect ourselves from them. For instance, if breached, our fingerprint may be used for a range of purposes, from fabricating documents and fraudulently authenticating transactions to taking over our mobile phones. In the large network of data flows in the digital economy, we may rarely realise when our fingerprint is breached, by whom, or how it might have been or may get misused. Consequently, we will not know how to protect ourselves or seek redress.
A good Data Protection Bill is needed to secure users’ right to privacy.
But, what does a good data protection Bill look like?
First, the Bill must reflect the framework stipulated by the Supreme Court in the Privacy Judgment. The court ruled that government agencies cannot process personal data unless the processing satisfies three preconditions: lawfulness, i.e., it must be specifically authorised by a law; legitimacy of purpose; and necessity, i.e., processing must be necessary and proportionate to fulfilling that purpose.
Similar principles also apply in the private sector, allowing providers to process only that data which is necessary and proportionate to the purpose of processing.
Second, the Bill must have clearly defined provider obligations, directing how providers can process personal data. These include limitations on the purposes for which providers process our data, the amount of data they process, how long they process it, and the manner in which they process it, with narrowly defined, reasonable exemptions. Additionally, users must have a strong suite of data rights that can help express their autonomy over how personal data is processed.
Third, the Bill must provide for a robust and independent regulator. Regulating data processing activities is an enormous task. The regulator must have the tools, processes and personnel necessary to monitor and enforce compliance with the law and so operationalise it effectively. Further, the regulator must be independent of the sway of the government and the industry in its composition and in its function so that it can perform its role fairly without undue influence.
Policymakers could look at these attributes as we actively shape India’s data protection legislation.
Srikara Prasad is Research Associate & Beni Chugh is Research Manager-Future of Finance Initiative, at Dvara Research
The article is part of our series of financial explainers in partnership with Dvara Research.
Views are personal.