Editor’s note: The Personal Data Protection Bill, 2018, was released by the Justice BN Srikrishna panel on 27 July. In light of that, we are running a multi-part series explaining the finer nuances of the data protection bill. This is Part VI of the series.
The Personal Data Protection Bill, 2018 prescribes a number of provisions legalising the non-consensual processing of data, by both State and non-State actors. Laws often contain provisions which provide certain exemptions for State-related activities. These stem from an assumption that the State acts in the best interests of the people, and is founded on trust.
This equation between the citizen and the State, however, has taken a turn for the worse, in particular since Edward Snowden’s revelations of mass surveillance in the US. Closer to home, several activities of the State are provoking similar concerns — be it with the Aadhaar system and the State Resident Data Hubs, the Central Monitoring System, or the proposed and now withdrawn Social Media Communications Hub. The clearest evidence of this mistrust is the uproar seen on 3 August on the discovery of the UIDAI helpline on people’s smartphones, which instantly raised fears of surveillance and unauthorised access by the government.
The nature of these activities raises major concerns with the extent of access and uses of data that can be legalised by the State. A privacy law, then, would play a key role in alleviating these concerns. Under the Personal Data Protection Bill, these concerns are alleviated only to a limited extent.
The application of the Bill to State and non-State actors means that the protections under the law, including the rights granted against data fiduciaries and the penalties, apply equally to both. However, the Bill also creates specific exceptions for State-related processing, allowing non-consent based processing as well as exempting certain activities from the Bill altogether. These undermine the protections given to the people.
Non-consent based processing for State functions
Firstly, Section 13 allows the processing of personal data without consent for any function of the Parliament or State legislature. Next, it allows processing without consent when necessary for a function of the State, which is authorised by a law, and is required for:
- The provision of any service or benefit to the data principal from the State; or
- The issuance of any certification, license, etc. for any action/activity of the data principal by the State.
Section 19 also allows the processing of sensitive personal data for any function of the Parliament/legislature, or for the provision of any benefit or service.
While the actual interplay between the Aadhaar Act and the data protection law is still to be decided, the processing of data under Aadhaar would be completely legal under this section. The only protection, then, would be a finding that the law itself is illegal. However, the case against Aadhaar has been pending for several years, and in the meantime most of the Indian population has been brought into the Aadhaar ecosystem on a mandatory basis. Thus, even if the Supreme Court finds Aadhaar to be invasive of privacy, the invasion has already been committed.
This delay in the Aadhaar case makes it clear that the requirement of a law alone will not serve as a guarantee against State violations. The mandatory collection of biometric data and its use as an authentication mechanism, given its unreliability and the risks involved, for instance, is a place where the people would actually like a choice. This choice could have been provided through the requirement of consent, but this has been denied to them through these provisions.
Security of State exemption
The permission for State-related processing has further been supported by an exemption under Section 42 for activities for the security of the state. This exemption continues to be subject to certain requirements, including that there must be a law, there must be procedures established and it must be necessary and proportionate to the interests sought to be achieved.
Exemption related to prevention, detection, etc. of offences
Other exemptions for State-related processing include an exemption for activities in relation to the prevention, detection, investigation and prosecution of contraventions of the law. This applies to non-State actors as well. However, it is subject to the same requirements as the security of the State exemption. This will apply to, say, the interception and monitoring requirements laid down under laws like the Telegraph Act and the IT (Interception, Monitoring and Decryption) Rules, 2009.
Retention of this data has not been permitted except where necessary for the maintenance of records or a database. This is likely to allow the retention of most of the data processed in this respect. The collection of DNA and its storage in a DNA databank, for instance, as proposed under the DNA Bill, will be valid under this.
Other grounds for non-consensual processing of data
Processing for employment
Other grounds for the non-consensual processing of data are also prescribed for State and non-State actors. A broad exception for employment-related processing has been drawn under Section 16. Personal data can be processed on this basis when consent would not be appropriate or would require a disproportionate effort. Under this, such processing may be done on a non-consensual basis for the recruitment/termination of employment, the provision of a benefit/service to the employee, verifying attendance, or any other activity relating to the assessment of the performance of the employee.
These are very broad categories, covering several employer activities such as, say, processing financial data for paying salaries. However, it also allows more invasive activities, including employee monitoring and surveillance, which necessitate more safeguards. It is to be noted here that the processing of sensitive personal data has not been authorised under this head. As a result, the use of biometrics for verifying attendance will have to be done on the basis of explicit consent only.
Processing for reasonable purposes
Next, the Bill under Section 17 permits the Data Protection Authority of India to allow processing for ‘reasonable purposes’. These cover a wide range of activities, including whistleblowing, mergers and acquisitions, credit scoring, debt recovery and the processing of publicly available data. While the data protection authority (DPA) is required to lay down safeguards, it can also determine whether or not notice is required.
The Report gives some examples of this — such as fraud prevention activities by an insurance company, where obtaining consent would defeat the purpose. The issue with this provision, however, is that the term ‘reasonable purposes’ is very vague, and is without any restriction or boundary as to the activities it can cover. This could possibly legalise a wide range of activities.
It is also to be noted here that the Bill does not directly permit the processing of publicly available data. However, the extent of the safeguards determined for the processing of such data will have to be watched.
Exemption for research or archival purposes
In addition to the Social Media Communications Hub, several suggestions have been made for the large-scale use of data. These include similar social media monitoring proposed by the UIDAI, the suggestion of a data sandbox, and the proposal for a National AI Marketplace. The Report accompanying the Bill also talks of ‘community data’, which is data sourced from multiple individuals and will be akin to a ‘natural resource’. An activity like Google Maps would constitute an example of community data. These suggestions clearly indicate that the government envisages massive collection and use of data. This exemption has been discussed in detail in Part IV of this series.
Processing for compliance with law/court order
Another ground is the processing of personal or sensitive personal data for compliance with a Court order, or where explicitly mandated by an Indian law. The Report confirms that this will not include foreign laws and international treaties. Normally, an exception for such processing is required, taking into account, say, account or record-keeping obligations prescribed under the law, which ensure the legal running of a business or assist in fraud prevention. However, these same exceptions also authorise the processing of data by various actors under the Aadhaar Act or under the proposed DNA Bill, without bringing in the concept of consent.
An exemption has also been drawn for the processing of data in relation to legal proceedings, such as the establishment of a legal right or claim.
Processing for prompt action
Another ground for non-consensual processing is processing needed for a medical emergency, for the provision of health services during an epidemic, or for any measure taken during a disaster. Such an exemption is commonly found in many data protection laws. Certain categories of sensitive personal data may also be processed on this ground; these include passwords, financial data, health data, official identifiers, genetic data and biometric data.
Other exemptions under the Bill include one for personal or domestic purposes, which will not apply if the processing involves disclosure to the public or is undertaken in connection with a professional or commercial activity. Processing for journalistic activities has also been exempted. This, however, will be subject to the processing being in accordance with a code of ethics issued by the Press Council of India or any other media self-regulatory organisation.
Exemption for manual processing by small entities
Lastly, the Bill also exempts manual processing by small entities from certain provisions, including the need to provide notice, the data quality requirements and the data storage limitation provisions. A small entity under the Bill is one with a turnover of less than twenty lakhs, which does not process the data of more than 100 persons in a single day, and does not collect personal data for the purpose of disclosure to others.
For most of the exemptions under the Bill, the following provisions will continue to apply despite the exemption — the requirement for fair and reasonable processing under Section 4, and the requirement for security safeguards under Section 31. The offences and penalties, to the extent applicable, will continue to apply to such exempted activities as well. For instance, a failure to process in a fair and reasonable manner will still attract the prescribed penalty, which is either Rs 15 crores or 4 percent of the annual global turnover. This does provide some safeguard against violations.
The next part of the series will deal with the rights granted to data principals. You can read the previous parts as follows:
The author is a lawyer specialising in technology, privacy, and cyber laws. She is also a certified information privacy professional.