Surveillance power, diluting privacy: Why Modi govt’s data bill needs urgent modification

How should a legal framework for data protection balance the imperatives of protecting privacy and ensuring innovation and productivity growth? In December 2019, the Narendra Modi government introduced the Personal Data Protection Bill, 2019, in Parliament, which would create the first cross-sectoral legal framework for data protection in India.

The bill does not correctly address privacy-related harms in the data economy in India. Instead, it proposes a preventive framework that oversupplies government intervention and strengthens the state. This could lead to a significant increase in compliance costs for businesses across the economy and to a troubling dilution of privacy vis-à-vis the state.

The notion of informational privacy has become salient in the past decade but India has privacy jurisprudence going back several decades. Most of it focuses on privacy in the context of harms caused due to a violation of privacy. This jurisprudence changed in 2017, when the Supreme Court in Justice K.S. Puttaswamy vs Union of India held that the Indian Constitution included a fundamental right to privacy. While deciding the case, though the court listed a long line of jurisprudence, the central deficiency in the existing jurisprudence in the court’s opinion was the lack of a “doctrinal formulation” that could help decide whether privacy is constitutionally protected.

The jurisprudence on privacy therefore changed—from being valued as a right that protected other ends to being an end in itself. Along with holding that privacy is a fundamental right, the judgment also declared informational privacy to be a subset of the right to privacy. This shift is consistent with the approach taken in the bill, which aims to protect the informational privacy of individuals by creating a preventive framework that regulates how businesses collect and use personal data, as opposed to protecting informational privacy with a view to the consequent harms caused by the violation of such privacy. In doing so, it focuses primarily on regulating practices related to the use of data.

Not only is this problematic since the proposed framework is unlikely to protect privacy adequately, the bill also significantly strengthens the state’s role in the data economy, dilutes property rights in data, and increases state power to surveil without creating adequate checks and balances. This is likely to have deleterious consequences for innovation in the economy while leaving unfulfilled the stated objective of protecting informational privacy.

Also read: India has to toe a fine line in defining non-personal data — between public interest and IPR

Why the bill should be modified

First, the bill’s reliance on strengthening consent-based mechanisms for protecting personal data is not likely to be effective. Increased disclosure requirements to users about the use of their data is becoming ineffective in light of modern technological developments. A reliance on such mechanisms could be counterproductive and lead to individuals taking less responsibility while sharing their data.

Second, the preventive framework proposed in the bill could lead to significant compliance costs, which will be borne across small and big businesses except those that are specifically exempt. This is problematic since most businesses in India are small. Such compliance requirements would be especially onerous for them. This bill also allows the government to compel businesses to share non-personal data with it. This could have deleterious consequences for innovation and economic growth in the long run.

Third, the bill’s proposed design of the Data Protection Authority (DPA). This body will be tasked with regulating the provisions of the bill to frame regulations on issues such as mechanisms for taking consent, limitations on the use of data, and cross-border transfer of data. The supervisory mandate of the DPA is sweeping, given the fact that it has to regulate a wide array of preventive obligations, such as security safeguards and transparency requirements, that have to be implemented by businesses. It is likely that the DPA may not be able to either effectively implement the bill or effectively protect informational privacy. Given its cross-sectoral mandate, the DPA may struggle to build internal capacity, leading to either under-regulation or over-regulation. The former would defeat the intent of the bill while the latter would add unnecessary burdens for compliant businesses. Additionally, the bill does not provide adequate checks and balances to ensure that the central government and the DPA exercise their vast supervisory powers in a reasonable manner.

Lastly, the bill allows the government to exempt any of its agencies from the requirements of this legislation and also allows it to decide what safeguards would apply to their use of data. This, as the paper argues, potentially constitutes a new source of power for national security agencies to conduct surveillance—and, paradoxically, could dilute privacy instead of strengthening it.

Also read: How India’s data bill falls short of offering solutions for regulating digital competition

What needs to be done

Since the bill treats privacy as an end, the proposed framework is preventive, all-encompassing, and highly regulated. In doing so, it significantly strengthens the power of the state to regulate entities that collect data and gives the state additional levers to conduct surveillance. Instead, the framework should narrowly and precisely focus on problems that can be meaningfully addressed through regulation. The following points enumerate the possible components of such a framework:

1. Data should not be collected and processed without consent. Businesses that violate this principle would also violate Indian constitutional norms of informational privacy, as well as the property interests of users. At the same time, consenting individuals must be allowed to take responsibility for their choices. Regulation in other consumer-oriented sectors usually takes the form of determining whether certain contractual clauses and practices are unfair, deceptive, or misleading for consumers. The bill should reorient its focus from imposing preventive obligations to identifying and regulating such practices, as well as clauses in data sharing agreements. The bill should also focus on preventing injury to individuals and society that emanate from a breach of data privacy —such as discrimination on constitutionally protected grounds, identity manipulation, financial theft, fraud, and threats to sovereignty and national integrity. This focus on injury prevention must also be used to reformulate the provisions on harms. Data fiduciaries should be held accountable and should not be required to implement preventive measures against all potential misuse of data. Regulation should narrowly address market failures. Reorienting to a narrowly tailored approach would require a shift away from obligations such as privacy by design and appointment of data protection officers.
2. The remaining preventive regulatory obligations should be layered, based on an assessment of their costs and benefits. Obligations for firms that do not process data intensively or that do not handle sensitive personal data should be reduced in a manner commensurate to the risks from their activities. One such reduction may be to remove the condition that businesses have to manually process data in order to avail of the exemptions.
3. Regulatory uncertainty must be reduced. Ambiguities in the bill must be minimised to improve business certainty. Currently, there are three major issues in the bill that could lead to significant regulatory uncertainty. First, it lacks a sufficiently clear definition of critical personal data. Second, it does not specify criteria for approving cross-border transfers of data. Third, it gives the government the power to mandate sharing of non-personal data without any limitation on the use of this power or details regarding the payment of compensation.
4. The power given to the government to exempt any government agency from the requirements of the bill should be balanced with adequate safeguards enumerated in the bill itself. The government should not be given the power to decide which agencies are exempt and the power to decide what safeguards would apply to such agencies.
5. The mandate given to the DPA should be cognisant of state capacity constraints in India. The nature of the data economy will make it close to impossible to regulate data processing effectively. The other proposals outlined here can rationalise the scope of the DPA’s mandate. For example, the authority would no longer have the mandate to regulate the right to access, the right to be forgotten, and others. In addition, it would not have the mandate to decide how obligations such as purpose limitations are to be implemented. Further, the removal of the ambiguities listed above would provide greater clarity to the DPA on how to implement important provisions of the bill. Finally, raising the threshold—below which firms would be exempt—would significantly reduce the number of businesses subject to the DPA’s jurisdiction and enable it to focus on data-intensive businesses.

Also read: More power & data access to govt — all about personal data protection bill

The DPA and the government should follow a highly consultative process for decision-making. This is considerably more important in this case than for other regulators because of the cross-sectoral applicability of regulations under the bill. The bill should accordingly be modified to require the government and the DPA to follow a detailed consultative process for all rules, regulations, and codes of practice they formulate. The bill requires the DPA to follow a consultative process. However, this requirement applies only for formulating codes of practice and entrusts the government to prescribe the details of the consultative process. There is a direct link between the thoroughness of the consultative process Indian regulators follow and the specific details of such consultative mechanisms enshrined in the relevant law. The bill should therefore be modified to ensure that the DPA follows best practices in regulation-making for framing regulations and codes of practice.

Lastly, since the functioning of the DPA has an important bearing on the market, its composition should enable it to avail of independent inputs in an institutional manner. The DPA should have a combination of full-time members and part-time, independent members. Independent members should not be involved in the everyday functioning of the agency. This would allow for independent inputs and a mechanism for external oversight of the agency.

This revised design could enable a more specific and pragmatic framework for protecting the personal data of individuals, while allowing the Indian economy to benefit from innovations in the processing of personal data. The regulatory framework proposed for protecting the privacy of citizens has to be suitably tailored for the realities of the Indian economy and its regulatory landscape. This can only be done through a pragmatic assessment of the costs and benefits of data protection for India.

Anirudh Burman is an associate fellow at Carnegie India. Views are personal.

This article is an edited excerpt of the author’s paper ‘Will India’s Proposed Data Protection Law Protect Privacy and Promote Growth?’, first published by Carnegie India. Read the full paper here.