Essential Features of a Rights Respecting Data Protection Law #SaveOurPrivacy

Tl;dr

IFF has responded to the call for public comments and suggestions by the Joint Committee on the Personal Data Protection (PDP) Bill, 2019 and sent across a submission on behalf of the #SaveOurPrivacy campaign. In it we have provided substantive inputs on essential privacy principles and a thematic analysis of major issues with the Bill. We have also appended a public brief containing a high-level clause by clause analysis of the Bill. Additionally, we have appended two issue specific briefs on (a) workplace surveillance and (b) the relationship between the PDP Bill and the National Population Register.

Essential First Principles

As a first step we apprised the Committee that since the right to privacy as recognised by the Supreme Court also includes informational privacy this should be the primary lens through which the eventual law should be framed. In this regard, we also mentioned that the Supreme Court in the right to privacy judgement (KS Puttaswamy v Union of India) made the observation that the right to privacy subsists in public spaces as well. In this regard, we highlighted that a lot of users’ experiences online occur in certain corners of the internet which are public/semi-public in nature. Therefore, India’s data protection law must respect that and therefore accord adequate privacy protections in these domains

In addition, we noted that the Joint Committee could shape India’s data protection law to incorporate the seven privacy principles of the Indian Privacy Code, 2018 which was developed by the #SaveOurPrivacy campaign. These principles are based on the Hon’ble Supreme Court’s decision in KS Puttaswamy v Union of India and global examples like the European Union’s (EU’s) General Data Protection Regulation. The seven privacy principles emphasise that individual rights should be at the center of privacy and data protection and that the government should respect user privacy. They also address the need for the creation of a strong supervisory authority; and for surveillance reform.

Major Concerns that should be addressed by the Committee

Subsequently we have done a thematic analysis of our top substantive concerns with the PDP Bill. This includes but is not limited to themes such as:

1.    Inclusion and treatment of social media intermediaries in the Bill

The Bill requires social media platforms identified as “significant data fiduciaries” to set up infrastructure which allows users in India to voluntarily verify their accounts. This measure hampers online anonymity and thereby the right to privacy. Additionally, it will allow social media entities to access people's government issued identity documents. This can lead to aggregation of demographic information across different social media companies and databases. This creates immense scope for companies to build granular user profiles and commercialise personal and sensitive personal data of individuals. We therefore ask the Committee to remove this provision from the PDP Bill.

2.   Need for a chapter on surveillance reform

Presently, India does not have sufficient privacy safeguards in place when it comes to surveillance carried out by the government. The frameworks currently in place (under India’s Information Technology Act and the Telegraph Act) are geared towards national security and fail to adequately protect privacy. In particular there is a lack of sufficient institutional or legislative oversight. Thus, we have proposed that there is a need for a separate chapter on surveillance reform in the Bill along the lines of the Indian Privacy Code, 2018.

3.   Exceptions for central government to access non-personal data

A provision in the PDP Bill (Clause 91) provides a carve-out for the Central Government to access anonymised or non-personal data to frame policies in the interest of its digital economy. Such provisions show that the proposed law is far more interested in treating data as a resource. We believe that a data protection law should not be used as a legislative backdoor to commodify data.

4.   Issues with proposed structure of the Data Protection Authority (DPA) and the accompanying appellate structure

  • The selection committee consists of secretary-level officials. Two issues that arise here are of: i) accountability (these are neither democratically elected nor judicial members), and ii) diversity (it doesn’t reflect executive, judicial and external expertise). Thus, we have proposed having an open call for applications and for the selection committee to have be inclusive in terms of representation.
  • We have noted that the Bill impairs the independence of the DPA by allowing the Government to frame policies which will be binding on them.
  • To ensure quicker and localised decision making, we have proposed having state and regional DPA benches.
  • We think that as things stand, the Appellate Tribunal would lack transparency. To that end, we have proposed that it must publish all its decisions.

5.   The “reasonable purposes” exemption which allows personal data to be processed without consent for reasonable purposes under Clause 14 of the Bill.

The exemptions granted under this clause are fairly wide. It classifies publicly available personal data as under the “reasonable purposes” category. We think that this is a backdoor towards profiling and allow collation of demographic/individual sentiments on issues. We also think this would allow the government (and other powerful data fiduciaries) to aggregate social networking activities without the need for individual consent. The right to privacy is applicable in public spaces. Therefore, we proposed that this provision be removed from the reasonable purposes exception since it is an excessive encroachment on people’s privacy in public spaces.

In addition to these themes, there are also other major issues with the Bill that we have discussed at length in our submission. The #SaveOurPrivacy collective has also authored briefs and explainers on different areas of the PDP Bill. We are sharing them with the JPC, the public and other relevant stakeholders in the hope that our analysis can inform future outcomes.

Important Documents

  1. Covering Letter of the #SaveOurPrivacy Submission to the Joint Parliamentary Committee. (link)
  2. Public Brief and Analysis of the Personal Data Protection Bill, 2019.(link)
  3. Public Brief on Impact of the Personal Data Protection Bill 2019 on Workplace Surveillance (link)
  4. Public Brief on Impact of Personal Data Protection Bill 2019 on NPR (link)

Tick Tock on the Clock…. Time is running out on privacy. Help IFF #SaveOurPrivacy by becoming a member today!