The Data Protection Bill, 2021: It’s no longer personal

Remember the time Sachin Tendulkar had to wait for over a year to score his 100th century? In that period of waiting, there were several false starts, raised expectations and recurring disappointments. When he finally did score those runs, it was one of his most underwhelming knocks–a workmanlike innings of 114 against an uninspired Bangladesh. 

The Joint Parliamentary Committee (JPC) released its much-awaited report on the Personal Data Protection Bill, 2019 last week. Two years is a long time—in that time, the basic structure of a bill can be altered, fundamental concepts changed, new enforcement mechanisms introduced. But the JPC report does none of that (with the exception of suggesting an expansion of the bill into the domain of non-personal data). It feels a bit like Sachin’s seemingly unending quest to score a century of centuries–something that took a long time to come and when it did come, everyone’s happy, but also relieved that it’s over and done with! 

To understand why I feel this way, let’s turn to the key features of the report: 

1.    Inclusion of non-personal data (Recommendation No. 2, p. 26): The most headline-worthy recommendation made by the Committee is to not limit the Personal Data Protection Bill to personal data but include non-personal data. For the uninitiated, personal data simply put, is data through which an individual can be identified. Eg. someone’s name or a photograph. All other data is non-personal data, that includes data that was personal to begin with but is now anonymised (like a blurred photograph that cannot be reasonably unblurred).

The Committee believes that such non-personal data should also be included within the ambit of this bill. It offers three justifications- first, non-personal data can also affect privacy; second, it is difficult to distinguish between personal and non-personal data and; third one cannot have two different data protection authorities to deal with two different kinds of data.

Its first argument, for which it offers no justification, is simply incorrect. Non-personal data cannot affect privacy because an individual cannot be identified through the data. If an individual cannot be identified, her privacy cannot be affected.

The only way in which the first argument could have some justification is if the protocols for anonymisation are not strong enough, thereby enabling re-identification (i.e. the second argument). It is precisely to offset this concern that the bill, in Clause 82, makes reidentification a criminal offence. It is crucial to note that this is the only criminal offence in the entire bill showing how seriously everyone takes this issue. This is a significant deterrent to any slipshod anonymisation being done.

Apart from this possibility that an individual is re-identified (for which there is a deterrent), there ought to be no difficulty in distinguishing personal data from its non-personal counterpart. In making its case that such distinction is difficult, the committee has missed the wide swathes of non-personal data that has nothing to do with individuals and no question of re-identification arises in the first place. Military data with our armed forces, corporate data with our companies, reams of multilingual training data sets to enable AI-based translation are all now conceptually part of the data protection bill as a consequence. If there is a definition of overkill, this is it.

Its third argument that we should not have different regulatory authorities for different kinds of data has some merit. Too many authorities will replicate a colonial licensing regime in data, something that needs to be avoided. At the same time, given the tremendous impact which data has on people’s lives, its careful regulation is imperative. This is a question of regulatory design that would have confronted those who were tasked with regulating non-personal data in the future. It cannot be a reason for making the personal data protection bill an omnibus legislation ahead of time. A single authority and a single legislation are two different matters and ought not to have been conflated.

2.    Children’s data (Recommendation No. 38, pp. 72-74): The Committee has been perceptive in raising this issue of privacy for children as one of the most critical issues in the Bill, giving it the importance it deserves. It has also made a valuable suggestion that on attaining majority, children should be given the opportunity to re-validate their consent and that should not be assumed.

Beyond that, more troublingly, the Committee has deleted the concept of guardian data fiduciaries. This now means that every data fiduciary (that could literally be anyone who processes data from Amazon to your local kirana store) is barred from profiling and tracking data that relates to children. This is laudable in theory. But how does the data fiduciary know that they are dealing with a child? The only way to know is by age-gating the whole of the internet, i.e. every individual, having to certify that they are an adult. This is an inelegant proposition.

The Srikrishna committee had sought to avoid this pitfall by dividing those who process personal data of children into two categories—first, those like YouTube Kids of Hot Wheels who have services primarily directed at children and second, others whose services may be incidentally utilised by children (eg. WhatsApp or TOI). The former would be recognised as a special category of significant data fiduciary called a guardian data fiduciary who cannot track or profile children in any way. In other words, it will be assumed that those who access their services are, ordinarily, children. For the rest, appropriate age verification and parental consent mechanisms would have to be devised depending on the level of harm such data might cause children. So the homepage of a travel website allows you to book tickets might not require age-gating, a news website that may feature some objectionable content might require a light-touch notice, a social media platform may require some more stringent parental consent mechanisms.

The JPC has undone this distinction, seemingly unwittingly. It states that the concept of a guardian data fiduciary does not add value. As shown above, this is a misunderstanding. Second, that it may lead to a dilution of the law. Here it has its heart in the right place in trying to prevent anyone from violating the right to privacy of a child. But actually what it has ended up doing is age-gating the entire internet, which is a remedy worse than the cure. It will not protect children, and it will infinitely worsen the user experience of the internet for everyone. Also, the JPC for some inexplicable reason, suggested a removal of the principle “best interests of the child” and replacing it with the language of rights. Again, the JPC seems to have its heart in the right place as it feels that best interests will allow data fiduciaries wiggle room leading to dilution of the law. But “best interests of the child” is a cardinal principle of law relating to children. It is enshrined in Article 3(1) of the Convention on the Rights of the Child to which India is a signatory. Doing away with this principle was unfortunate and it appears that the Committee was poorly advised in this regard.  

3.    Data regulation sans privacy (Recommendation Nos. 8, 14, p. 37, pp. 46-47)

If Parliament represents the voice of the people, then the JPC’s recommendations that data is critical for governments and companies to provide beneficial services, goes to show how little data protection and privacy matter to the people just yet. This is a sobering thought.

The JPC is categorical in stating that ‘data is the fuel for the new economy’ and ‘a significant enabler towards achieving the vision of an “AatmaNirbhar Bharat”’. In fact its entire introduction is devoted primarily to the power of data to drive the economy, with only a hat-tip towards data protection as a “global concern”. Even here, its focus is primarily on data breaches and localisation rather than a holistic understanding of data protection itself. Now ordinarily this wouldn’t have been worthy of comment, since data is critical for any nation to flourish in the digital age. But for a committee whose mandate is to provide recommendations to the government on the proposed personal data protection bill, framing it as an issue that primarily relates to economic growth and national prosperity is an odd choice.

In fact, it is precisely this framing that has led the Committee to change the long title of the Bill to include the words “to ensure the security and interest of the state” as one of the key objectives of the bill. Now undoubtedly data is needed to ensure the security of the state. But putting it in the long title gives the impression that this is a segue into the data protection bill becoming a general bill governing the use and misuse of data in the economy generally.

Other suggestions appear to be in the same direction. A recommendation to set up an alternative payment system to SWIFT because of some data security issues SWIFT had in 2014, the recommendation to include non-personal data, as well as the inordinate importance paid to social media platforms all suggest that the committee interpreted its ambit quite widely. This, in my view, is a mistaken approach. Just like it would be senseless to have the Economy Act, 2022 to govern all aspects of the economy from banking to natural resources, it would be similarly meaningless to have the Data Act, 2022 to govern the entire digital economy. Undoubtedly the vision underlying all regulation should be to ensure a steady growth of the digital economy to ease living, ease doing business and ease access to services, but all of it cannot happen in one legislation. 

4.    Surveillance (Recommendation No 56, pp. 119-121)

On surveillance, the issue where the maximum dissent notes have been filed by members of the opposition, the committee largely goes along with the formulation of the Central Government that any agency that processes personal data in the interest of sovereignty, security, public order or for preventing a crime that may impact these interests, can be exempted by the Central Government from all or any provisions of this Act. It introduces one important safeguard that while exempting the agency, the government must lay down a procedure for oversight which must be just, fair, reasonable and proportionate. This is an important recommendation since it will mean that agencies, if they want to act in accordance with the law, cannot simply process anyone’s personal data at will but must do so on the basis of some reason. Despite this, the JPC does not go anywhere near far enough on this question. From the tenor of the report itself this isn’t surprising given the wide berth given to the Central Government as a matter of ideological faith.

Such an ideological view is however one thing. It is entirely another thing when it leads to confused thinking. Sure- the Central Government can be given wide powers to gather intelligence in the interest of the security of the state; but does this mean the Central Government does not have to maintain appropriate cyber security standards? Does it mean that it should have no obligations if there is a breach from Central Government servers? Ideological fixity should not come in the way of plain common sense.

Second, what has been provided for is that the procedure for processing such data, including its oversight and safeguards be just, fair, reasonable and proportionate. But what about the decision of the Central Government to authorise such surveillance? If the names that surfaced in Pegasus were surveilled by following a procedure that is fair, would that make it all right? It is critical that the committee itself should have laid down the guardrails of this procedure to authorise such requests by the Central Government in the law. The hard work has been left to the government itself.  

Though this is a definite improvement over the draft introduced in Parliament but it is still short of where it ought to have been.  

The Committee has made several other suggestions in its report. A subsequent blog will discuss each of these changes and what impact it has. But on an overall analysis, for a bill with such global significance, the report of the JPC is disappointing. This is not because I disagree with its recommendations; in fact, except for the points I’ve discussed, I do agree with many of its recommendations.

It’s rather that its treatment of the issues demonstrates a lack of a clear vision both of the role of data protection of citizens in India’s digital economy and how to ease the growth of digital business. If it believed data protection is critical, as it has said in a number of places, then that criticality does not come through in its recommendations. In fact, in its tenor it appears to soften the compliance blow of data protection. If indeed the Committee believed that data protection is not always beneficial but can also be a hindrance to the data sharing that is necessary in the digital economy, it could have been upfront about this view. It wasn’t.

It also fails to walk its own talk on making the digital economy seamless for business. Though it makes some symbolic gestures to promote start-ups and reduce compliance, if there is a fundamental principle to be discerned from the committee’s report on what the Indian digital economy will look like, it certainly looks like the Government of India will be at its centre.

The government is certainly going to be an important player and perhaps the most significant data fiduciary in the country. This ought to have entailed significant obligations. But instead the Committee has gone further and given government a range of powers over private players— to approve group contracts (within a group company) for transferring data abroad, laying down qualification of personnel within a company on who can be a data protection officer, lay down rules to regulate journalists who can claim exemption from consent requirements before filing stories. Once again, the point is not about whether governments form such a major focus of the bill. It’s rather that one should not talk about ease of doing business in India and still insert governmental approval into a range of private activities where no regulation is needed. The JPC ought to have consistently practiced what it preached. 

Two years was plenty of time for the Committee to reflect on the data protection bill and its foundations. It has now given the country the fruits of their reflections. It is now time for the bill, with whichever amendments the government chooses to accept, to be finally debated and passed by Parliament. 

Let’s remember that even Sachin Tendulkar made it to Parliament after his 100th 100! 

Arghya Sengupta is Research Director, Vidhi Centre for Legal Policy. He was a member of the Committee of Experts headed by Justice BN Srikrishna which drafted the Personal Data Protection Bill, 2018. Views are personal.