This is a new series on the Personal Data Protection Bill, 2019 to deal exclusively with the issues and pathways for reform under the Bill. Will the bill serve ordinary Indians, or the government and large corporations is a big issue dominating our minds. To clear this up we need the law, to have clear objectives that record what is a priority. People, or profit. Unfortunately the Preamble of the Personal Data Protection Bill, 2019 engages in some hand waving and tries an awkward balancing exercise that is inconsistent with principles of data protection.
Over the course of the last few weeks, we had provided a series of explainers on various facets of the Personal Data Protection Bill, 2019. In part 1, we gave an introduction to the Bill and provided some historical context to data protection in India; in part 2, we explained the key definitions and clauses of the Bill; in part 3, we briefly touched upon the various issues with the Bill; and in part 4, we looked at alternative paradigms of data protection legislation.
In this new series #DataProtectionTop10, we wish to discuss the concerns surrounding the Personal Data Protection BIll, 2019. Unlike part 3 of our #StartFromScratch series, which was more of a sneak peak, this series aims at pulling out important issues related to the Bill and dissecting each one in detail. As the issues with the Bill start right from its beginning, this post will delve into the concerns around the Preamble of the Bill.
The issue: Lack of clarity on the objectives
Behind every law, there is a purpose. This purpose constitutes the objectives of a statute (a statute is basically an act of parliament). They are set out at the very beginning of a statute in its preamble. These ultimate objectives anchor the interpretation of the statute and hold together the various provisions in it. The preamble along with the objectives of a statute will tell you what the lawmakers are trying to achieve through that particular legislation.
At the end of the day, a strong data protection regime has to be clear on what it is trying to achieve. Determining the objective of a data protection legislation is no easy task, mainly due to the unique nature of the data and the interests of the State involved in the regulation of the data. Data has long since been seen as what belongs to you or what information you generate, and is now a valuable commodity in the market. The commodification of data in this highly technology driven world has presented two conflicting choices before policy makers: protection of information privacy of the citizens, and fostering the data economy of the country.
The founding document of the Personal Data Protection Bill; the Sri Krishna Committee report throws light on what the considerations should be in formulating a legal framework on data protection which would work as a template for the developing world. The report states that the protection of personal data holds the key to empowerment, progress, and innovation. It also notes that any such legal framework on data protection should be not only for India, but for Indians. Such a framework should also understand from the ground up the particular concerns and aspirations pertaining to personal data shared by Indians, their fears and hopes. However this draft bill and the report by the Sri Krishna Committee was also disappointing for it brought into priority issues of promotion of data side businesses along with data protection. A good way to think about this is to pose a question. Will legislation or law for, let’s say, protection of the environment (like the Air Act) also in its preamble mark an equal priority for the promotion of industries?
The Data (Privacy and Protection) Bill, 2017
Now that we have the second draft of the Bill, in the form of the Personal Data Protection Bill, 2019, it is pertinent to analyse whether these were the considerations that influenced the drafters of the Bill, or if they were influenced by some other objectives. From the preamble of the Bill we can discern that the primary objective of the Bill is to create a collective culture which promotes a free and fair digital economy, progress and innovation, while respecting informational privacy. This essentially means that the PDP Bill aims to promote digital economy of India through data protection legislation. This leads us to the obvious question: how does protection of information privacy fit in this matrix?
Rather than prioritising the informational privacy of individuals over economic benefits of data, the PDP Bill 2019 places these two competing and contradicting goals on the same footing. The natural consequence that flows from this is that the informational privacy of Indians, which should have been the primary objective of the PDP Bill gets sidetracked. In addition to this, because of the ambiguity in the primary objective of the data protection law, the balancing of competing interests also gets messy.
The preamble also appears to have failed to mention the need for protecting the right to privacy of individuals from one of the powerful and biggest processors of personal data: the State. The right to privacy, being a fundamental right, is essentially a right that is available to us against the State. The State has a duty to not intrude into the personal lives of individuals, and to protect the privacy of individuals. Furthermore, in these times, where State sponsored mass surveillance runs rife, it is important to state in clear terms in the preamble of a data protection law that it is applicable to the State - the primary focus of the Bill should be on protecting the data and informational privacy of individuals from both the State as well as private actors.
Solutions : Clearer objectives to secure your digital rights
The problems with the objectives of the PDP Bill, 2019 become more glaring when we compare it with the GDPR, which sets the standard for comprehensive data protection laws, or the two private member Bills which we discussed in Part 4 of the #StartfromScratch series : the Data Privacy and Protection Bill, 2017 and The Personal Data and Information Privacy Code, 2019.
The objectives of GDPR are enshrined in the recitals. The recitals set the context and objectives of the GDPR, and supplements the articles. Recital 4 of the GDPR starts by stating that the processing of personal data should be designed to serve mankind. The recitals acknowledge that individuals should have the control of their own personal data. The need for development of the digital economy is also addressed by the GDPR. The recitals note that a strong and coherent data protection framework is required, for this would foster the trust that is essential for the development of the digital economy.
Economic benefits of data and development of the data economy find no place in the objectives of the Data Privacy and Protection Bill, 2017 and The Personal Data and Information Privacy Code, 2019. These Bills place the protection of informational privacy of the individuals from private actors as well as the State at the heart of the data protection framework and based on these objectives devise an individual centric rights based data protection regime.
Fostering the digital economy is indeed a legitimate interest of the State, but it should not become a playground for the trade off of informational privacy for innovation and economic growth. In our comments submitted to the Sri Krishna Committee, we had highlighted this very fact; that a data protection law must place individuals at its centre, and their interest should be paramount, especially when weighed against state expectations or commercial interests.
The first out of the 7 privacy principles states that the protection of the right to privacy of the individuals promotes innovation in a sustainable way. This essentially means that right to privacy of the individuals should be the means to promote innovation. The efficient use of data and adherence to the principles of data protection will help businesses in gaining and retaining the trust of customers, and loyal customers equals the good growth of businesses.
The other related concerns regarding innovation etc. can be addressed through suitable compliant norms, once a data protection law and its modalities are in place. Thus, the objective of the Personal Data Protection Bill must be restated in unambiguous terms, affirming that the overriding objective of the Bill is the protection of data and informational privacy of the individuals from both private as well as State actors. Doing so would ensure that data protection regimes in India remain focused on the user and provide us, the citizens of India, with control over our own data!
This is the last blogpost in our series of explainers on the Data Protection Bill; read part 1 here, part 2 here, and part 3 here. In the coming weeks, as promised, we will be discussing the various issues with the Personal Data Protection Bill, 2019 in greater detail, so stay tuned!
- The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)
- The Personal Data and Information Privacy Code Bill, 2019 as introduced by MP Dr. D. Ravikumar (link)
- The Data (Privacy and Protection) Bill, 2017 as introduced by MP Dr. Shashi Tharoor (link)
- Essential Features of a Rights Respecting Data Protection Law dated February 28, 2020 (link)
- IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019 (link)
- The SaveOurPrivacy Campaign (link)
- IFF's #StartfromScratch series on the Personal Data Protection Bill, 2019 (Part 1, Part 2, Part 3, & Part 4)
This post was drafted by Fathima V N, who is a 2020 graduate of the National University of Advanced Legal Studies and is currently a Daksha Fellow.