Editor’s note: The Data Protection Bill series carefully examines the various sections of the draft Personal Data Protection Bill, 2018 as laid down by the Justice BN Srikrishna Commission and submitted to MEITY for approval. This is Part IV of the series.
Among the stated purposes of the Personal Data Protection Bill, 2018 as per the Report of the Justice Srikrishna Committee accompanying it, is to create a data protection law which protects personal data while facilitating the growth of the digital economy. To this end, it has replaced the traditional concepts of a data controller and data subject with a data fiduciary and data principal respectively.
To further this trust-based relationship, a series of obligations are imposed on the data fiduciaries and data processors, to ensure the protection of the people regardless of other factors such as consent. In achieving the balance sought by the Committee, however, the new fiduciary relationship has resulted in a dilution of the rights granted to the people, and thereby of the control they actually have over their own data.
Data fiduciary, data principal and data processor
The use of data involves three main characters: the person whose data is being collected; the person collecting or using the data; and any third person who performs any action on the data on behalf of the person collecting the data, such as collection, storage, alteration, etc. These, under a data protection law, are normally the data subject, the data controller and the data processor respectively.
The Personal Data Protection Bill, 2018, replaces these traditional concepts with that of a data principal and data fiduciary while retaining the concept of a data processor. A data fiduciary and a data processor include any person (natural/legal), including the State, a company or individual, as per Section 3.
Justifying the fiduciary relationship
The Report accompanying the Bill has provided the committee’s justifications for the introduction of this trust-based relationship. It describes the individual as the focal actor in the digital economy. Further, the relationship with the data fiduciary is based on the fundamental expectation of trust — to use the data fairly regardless of any contractual or other relationship that may exist between the two.
To further this trust, a series of obligations have been imposed on data fiduciaries and processors under Chapter II of the Bill. The fundamental obligation is to ensure processing in a fair and reasonable manner under Section 4. Further, the principles of purpose limitation, collection limitation, lawful processing, notice, data quality, data storage limitation and accountability are imposed.
Dilution of rights of the people
Despite these obligations, the requirement of trust, as opposed to law and rights, to define the relationship between the data fiduciary and the data principal has resulted in a dilution of the rights of the people.
The first place where a dilution of the rights is seen is in the requirement that the processing be lawful. The Report discusses this with respect to contracts, requiring processing to be fair and reasonable even if it is lawful. For instance, a contract signed between the two would make the processing lawful, but not necessarily fair and reasonable.
The issue then is with the forms of processing that have been legalised, and are thus lawful under the Bill. This includes non-consent based processing of data by the State, which can justify the processing under the Aadhaar Act; non-consent based processing for purposes such as employment, which could justify employee surveillance; and broad exemptions for processing such as that for the security of the State. Allowing such non-consensual processing takes away from the individual’s right to have a say in how his data is used.
Dilution of privacy principles
Secondly, the list of principles itself ticks off most of the data protection principles outlined in the GDPR, as well as the National Privacy Principles outlined in the Justice AP Shah Committee Report. Variations, however, can be found in the actual content of the principles in keeping with the Bill’s aims.
The purpose limitation principle under the Justice AP Shah Report, for instance, requires, firstly, that data collected be adequate and relevant (data minimisation); secondly, that it be processed only for purposes consented to by the individual on notice; and thirdly, that use for a new purpose be notified to the person. Lastly, once the processing for the specified purpose is achieved, the data is to be destroyed.
Differences in the Bill’s purpose limitation principle
Section 3 of the Bill, however, prescribes a different purpose limitation principle. It requires that the purposes be clear, specific and lawful. Further, processing is allowed either for the purposes specified or for compatible purposes. The compatible purposes may include any other purposes which the data principal can reasonably expect the data to be used for, having regard to the specified purposes and the context and circumstances in which the personal data was collected.
The first notable difference in the two is that the emphasis on notice and consent is missing in the purpose limitation principle under the Bill. Secondly, processing is allowed for compatible purposes, which is a broad and vague category of purposes. Third, ‘lawful’ purposes are allowed (as discussed above). Lastly, the requirement to delete the data once the purpose is achieved has been removed.
To be noted here is that the data minimisation seen in the Justice AP Shah Report’s principle, while not mentioned under Section 5, is prescribed under the collection limitation principle under Section 6. A limitation on storage can also be found under Section 10, but this allows the retention of data as reasonably necessary for the purpose for which it is being processed. Considering, however, that processing is allowed for any compatible purposes as well, this reduces the effectiveness of the storage limitation obligation imposed.
Report’s reasons for the difference
The Report has offered a justification for this differentiation in purpose limitation principles as well. It notes, firstly, the difficulty in identifying and specifying purposes. Terms and conditions in use today are evidence of this, which often have a set of general purposes listed out — such as ‘improving consumer experience’ or for ‘better services’. A full list of specified purposes, the Committee notes, might lead to long and unreadable consent forms. For this reason, the Bill justifies permitting the use of data for compatible purposes, without the specific requirement of notice and consent.
Purpose limitation in the context of Big Data
Next, the Report discusses purpose limitation and data minimisation in the context of Big Data. This is a relevant discussion given the driving role played by Big Data today. The Report takes note of both the benefits and harms of Big Data Analytics. This includes instances such as the tracking of student-related data, which helps prevent student dropouts, and also includes instances of discrimination in insurance rates against workers on night shifts, resulting from data analytics showing that people who drive infrequently at night are safer drivers.
These, as per the Report, pose two main challenges: first, that the purposes the data can be put to only become apparent over time, and second, that there is a possibility of re-identifying a person from even anonymised data sets.
To deal with these, the Report offers the following solutions: first, use anonymised data that later cannot be re-identified. Second, big data processing for improving the service reasonably expected by the data principal should be allowed to continue. Third, when using the data for a new purpose, personal data should not be used in a way which causes harm to the individual. Lastly, it should not be used to take a decision with respect to, or an action directed at, the individual. If it does take such a decision, then explicit consent must be taken.
The research exemption under the Bill
The provisions supporting Big Data analytics, in addition to the prescribed purpose limitation principle, can also be found under the research exemption under Section 45 in Chapter IX. This section exempts the use of personal data for research, archival or statistical purposes subject to the fulfilment of certain conditions.
First, the data should be de-identified; second, it should not be used in a manner that causes harm; and third, it should not be used to take a decision directed at the individual. This section, however, does not discuss allowing the data to be used in a way that takes a decision using explicit consent, as mentioned in the Report, indicating that for now, this is not allowed.
The missing right to deletion
While a research exemption is common in data protection laws, including the requirement of notice and consent before personal data is put to a new use would have better protected people’s interests. Further, the right to deletion is notable for its absence in the Bill. The data principal, for some reason, has not been given this basic right under the Bill to withdraw the data he has entrusted to a data fiduciary, upon the data fiduciary failing to uphold his trust.
In creating a trust-based relationship, the data principal has thus been required to place his trust in the organisation that it will protect his interests, as opposed to providing him with adequate rights and ultimate ownership over his own data.
The Justice Srikrishna Committee definitely had a difficult task in balancing the protection of the individual with encouraging the digital economy. However, in turning to a trust-based relationship to achieve these twin objectives, the result is a compromise with the traditional protections offered to an individual with regard to his data.
The next part of the series will deal with the lawful basis of processing under the Bill.
The author is a lawyer specialising in technology, privacy, and cyber laws. She is also a certified information privacy professional.