India's Data Protection Bill and Social Media Users: #PrivacyOfThePeople

Tl;dr

In our new weekly series  #PrivacyOfThePeople, we look at the impact of the Personal Data Protection Bill, 2019 on different sections of society. In the past, we’ve covered the effects of the Bill on worker surveillance and agricultural data. In this post, we discuss whether the Bill actually protects user data - specifically when it comes to social media platforms. We examine the need for stronger data protection regulation in a world where data generation is increasing exponentially. We also cover why protecting personal data alone achieves little.

Background

Last week, in the second post in our #PrivacyOfThePeople series, we looked at agricultural data and farmers’ rights under the Personal Data Protection Bill, 2019. Specifically, we also discussed the Consultation Paper on IDEA by the Department of Agriculture, Cooperation, and Family Welfare. In the lack of adequate consultation, consent, or representation, the proposed Agristack seemed to benefit the government and private corporations more than the farmers. Farmers who are direct stakeholders of their own data must have greater say and better protection.

This post continues to discuss how different groups of people are affected by the Personal Data Protection Bill, 2019, and so, for this week, we decided to look at social media users under the Bill. In the past, we have discussed user rights through our blog posts on user rights and voluntary social media verification. We have also detailed some essential features a rights-respecting data protection regulation must have. In this post, we will be taking a closer look at the extent to which the Personal Data Protection Bill protects user data in the content of social media platforms.

The issue

In today’s world, our increased dependence on technology has fuelled data creation exponentially. Google now processes 40,000 search queries every second. According to DOMO’s ‘Data Never Sleeps’, every minute of the day - WhatsApp users share over 41 million messages, Instagram users post 300,000 stories, and LinkedIn users apply for over 69,000 jobs. The fact of the matter is that there’s an enormously high amount of data being generated every second merely by engaging with such platforms. While most companies collect user data for the purposes of targeted advertising or website management, the amount of personal and non-personal data they collect varies. In the absence of any data protection regulation, your data may most likely end up with anyone from a researcher to an advertiser to a foreign intelligence agency.

The Personal Data Protection Bill, 2019 - soon to be India’s first data protection law is definitely a step in the right direction. The Bill intends to regulate the collection, usage, storage, and transmission of personal data of individuals (data principals) by the government and private companies (data fiduciaries). We’ve previously written about some of the essential features a rights-respecting data protection regulation must have.

In a data protection regime that claims to be rights-based, it is imperative that the users are given certain rights against the data fiduciaries. These rights are essential for the users to exercise control over their personal data. As detailed in our explainer on the Bill, Chapter V of the Bill grants users the Right to confirmation and access, the Right to correction and erasure, the Right to data portability, and the Right to be forgotten. Yet data fiduciaries can reject all of these requests if they choose to, and there are no mechanisms in place to contest their decision.

How well does the Bill really protect us when it comes to using social media platforms? Let us take a look at what the PDP Bill has to say about user data that is collected by data fiduciaries, who owns this data, and how it is shared.

The PDP Bill and Social Media

Under the PDP Bill, a data fiduciary (including social media intermediaries) is required to obtain consent for collecting data under Section 7, and consent for processing under Section 11. While seeking consent (by providing notice to a data principal at the time of collection of personal data) under Section 7, a data fiduciary must state the purposes for which the personal data is to be processed under Section 7(1)(a), and inform a data principal about the individuals or entities including other data fiduciaries or data processors with whom such personal data may be shared under Section 7(1)(g). In this context, under Section 11(3), explicit consent is required for processing any sensitive personal data. Furthermore, a data principal must be made aware of the sharing of any personal/sensitive personal data with a third party through a notice under Section 7(1)(g). Thus, the Bill does a fair job at protecting users’ personal data.

Yet, the Bill could be greatly improved in the following regards:

  1. Ownership not clearly defined: The Bill is extremely vague in the ownership of user data. A model example is Brazil’s General Data Protection Law, 2018, which explicitly states “every natural person is assured ownership of his/her personal data”. The ambiguity in our Bill, however, creates great potential for misuse. Even if you have “nothing to hide”, your data may end up in the wrong hands without your knowledge.
  2. Non-personal and anonymized data is ignored: While the Bill largely applies to personal data, non-personal and anonymous data are exempted from the provisions meant to protect user data. The Central government can use Section 91 of the Bill to direct entities to share anonymized and non-personal data with it. In today’s world, it is nearly impossible for everyday users of the internet to achieve true anonymity. One of the landmark cases in deanonymization is this report on a 2008 Netflix dataset of users and their movie ratings - with just 8 movie ratings, 99% of records were uniquely identified in the dataset.
  3. Government access to data: Section 91 provides a carve-out for the Central Government to access anonymized or non-personal data to frame policies in the interest of its digital economy. The government is exempted from providing an objective for data collection and processing. The state-authorized data should be addressed in a more transparent and accountable way so that the class of persons getting affected from such processing could be given a reason or justification for the need for processing. We believe that a data protection law should not be used as a legislative backdoor to commodify data.
  4. Inadequate user rights: Lastly, the current Bill creates impediments to exercise the rights that the users do have. Data fiduciaries can reject user requests for “correction, completion, updation, or erasure” if they disagree with your requests, even though it involves your data. Furthermore, there is no means in place to contest the decision made by data fiduciaries if they reject your requests.

Solution

To remedy the aforementioned issues, here are some of our recommendations:

  1. Renew User Rights: According to the first principle of the Indian Privacy Code, individual rights should be at the center of privacy and data protection. Therefore, the rights of users under the Bill have to be reviewed to ensure that the right to privacy of users gets primacy and the interests of data fiduciaries are addressed through limited exceptions.
  2. Inclusion and treatment of Social Media Intermediaries: The Bill requires social media platforms identified as “significant data fiduciaries” to set up infrastructure which allows users in India to voluntarily verify their accounts. This measure hampers online anonymity and thereby the right to privacy. Additionally, it will allow social media entities to access people's government-issued identity documents. This can lead to the aggregation of demographic information across companies and databases. This creates immense scope for companies to build granular user profiles and commercialise personal and sensitive personal data of individuals.
  3. Protect Non-Personal Data: Allow non-personal and anonymized data to be regulated by the Data Protection Authority. Doing so would shift the focus onto the protection of citizens’ digital rights and ensure robust regulatory mechanisms for non-personal data.
  4. Advocate for Data Minimisation: Data fiduciaries should not collect more data than they need. There needs to be a greater discussion on the kind of data companies require and their goals cannot compromise the basic privacy of people.

This is the third post in our #PrivacyOfThePeople series on how the Personal Data Protection Bill will impact different facets of our life; you can read part 1 on worker surveillance here and part 2 on the Agristack here. Join us next week as we look at the Bill in the context of Healthcare data.

Important Documents

  1. The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)
  2. IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019 (link)
  3. Previous blogpost dated January 18, 2021, titled “Unconstitutional draft report on non-personal data ignores concerns about privacy and data monopolies” (link)
  4. The SaveOurPrivacy Campaign (link)

This post was largely drafted by Tanvi Roy, who is an undergraduate student majoring in Computer Science at Ashoka University and currently interning at IFF.