By Radhika Roy, Tanmay Singh

The wait for Godot seems to have finally come to an end with news reports stating that the Union Cabinet has approved the Digital Personal Data Protection Bill, 2022 (DPDP Bill). The Bill, which has seen numerous changes since the recommendation of the Justice BN Srikrishna Committee on Data Protection in July 2018, is slated to be introduced in the Monsoon Session of the Parliament later this month.
Last year, the Data Protection Bill, 2021, was withdrawn by Union Minister for Communications and Information Technology Ashwini Vaishnav in the Lok Sabha. Thereafter, on November 18, 2022, the DPDP Bill was released for public consultation. While we are yet to see if any radical changes have been implemented, the DPDP Bill, as structured, reads more as a Data Processing Bill rather than a Data Protection Bill.
One aspect of the Bill that manages to take the cake is the provision pertaining to deemed consent. The vastness and vagueness surrounding the usage of deemed consent render the fundamentals of consent illusory. Simply speaking, by deeming consent for subsequent uses, your data may be used for purposes other than what it has been provided for and, as there is no provision for you to be informed of this through mandatory notice, you may never even come to know about it.
Moreover, what makes the provision glaringly outrageous is that its understanding of consent surrounding personal data is contrary to the right to informational privacy and the principle of specific informed consent, as established by the Supreme Court in the landmark case of KS Puttaswamy v. Union of India. With over 760 million active users, and a push for Digital India by digitising records and launching platforms such as DigiLocker, BHIM, Parivahan Sewa, etc., a citizen-oriented data protection regime is the need of the hour.
Clause 5 of the DPDP Bill states that the personal data of a Data Principal, i.e. the person to whom the personal data relates, may be processed for a lawful purpose for which the Data Principal has given either their consent or deemed consent. Clause 8 of the DPDP Bill illustrates when a Data Principal is deemed to have given consent. These illustrations range from responding to a medical emergency, involving the Data Principal or any other individual, to breakdown of public order.
The array of reasons for which consent is deemed to be given is extensive, and unlike consent under Clause 7(4) of the DPDP Bill, consent under Clause 8 cannot be withdrawn, though it is not expressly clear why deemed consent is not revocable. Clause 8(a) states that the Data Principal is deemed to have given consent for purposes for which it has not explicitly indicated that its data cannot be used. Accordingly, by employing a negative checklist and making the Data Principal categorically note purposes for which they do not want their data to be processed, the DPDP Bill places the burden on the Data Principal to ensure that they cover all grounds, failing which their personal data will be processed for purposes with which they may not agree.
What makes matters worse is that the situations for which an individual can be deemed to have given consent are vague and broad. Stretched to its logical conclusion, deemed consent can be interpreted as anything under the sun. What does public order entail? What is the exact extent of purposes of employment? All of these phrases have been left undefined and indeterminate. Such unestablished grounds will allow Data Fiduciaries, i.e. the entities authorised to collect and process personal data, to interpret this clause to their convenience and justify processing personal data for reasons that may not be palatable to the Data Principal, and even evade legal consequences for the same.
With burgeoning fast-paced technology, the right to privacy pertaining to the personal information of an individual, i.e. informational privacy, has assumed significance. While deciding the constitutional validity of Aadhaar, a biometrics-based ID made by the State, the Supreme Court held in K.S. Puttaswamy v. Union of India that the right to privacy included the right to informational privacy. It was further observed that in the age of information, dangers of violating this right did not just originate from the State, but also from non-state actors.
It was in this context that the Supreme Court had recommended to the Union Government to construct a robust data protection regime for which the committee chaired by Justice BN Srikrishna was constituted. While legitimate state interest in accessing personal data for processing was emphasised, the Supreme Court also noted that providing notice and seeking informed consent formed an intrinsic part of procuring this personal data. This observation was based on a report of a Group of Experts on Privacy (dated October 16, 2012), which had been constituted by the Union Government itself.
As per Clause 6(1), every request by the Data Fiduciary to a Data Principal for consent is to be accompanied or preceded by an itemised notice. This notice must contain a description of personal data sought to be collected as well as the purpose of processing such personal data. Clause 7 provides a clear and concise definition of consent, and carves out the responsibilities of a Data Fiduciary while processing personal data based on consent. Clause 7(4), as discussed before, stipulates that consent given by a Data Principal for processing personal data can be withdrawn at any time.
Giving the landmark judgment on right to privacy a complete go-by, none of the aforementioned safeguards have been included in the case of deemed consent, which is the antithesis of informed consent. Not only are you not notified before your personal data is processed or about the purpose for which it is being utilised, you are also left without the option to exercise withdrawal of consent. Additionally, the concept of purpose limitation is laid to waste as deemed consent extends to all purposes, barring those for which the Data Principal has indicated that they do not wish to give consent. The burden of covering all bases while giving consent is on the Data Principal.
Further, the fact that the DPDP Bill fails to differentiate between personal data and sensitive personal data such as name, bank details, and biometric data, invalidates the higher expectation of privacy attached to the latter. This becomes an issue as, even though Clause 9(5) delineates the obligation of a Data Fiduciary to ensure that personal data in its possession remains protected, security breaches are regular occurrences, and in 2017, India experienced 37% of the data breaches in the world.
In June 2023, it was reported that after a major privacy breach on the CoWIN app, a bot leaked personal details on Telegram of all individuals who had been vaccinated against COVID-19. In May 2023, an e-commerce retailer, Zivame, suffered a data breach, and the personal information of thousands of Indian women who had used Zivame was put up for sale. Just a week ago, 12,000 confidential records of State Bank of India employees, including screenshots of SBI passbook and Aadhaar card, were made public on Telegram. Such leaks, coupled with the lax approach to obtaining consent of vulnerable and unaware users, can leave its victims at the receiving end of identity thefts, extortion, etc.
The DPDP Bill creates an illusion of imposing obligations on a Data Fiduciary and strengthening a consent-centric statutory framework. However, in reality, instead of protecting the citizens, or Digital Nagriks, from function creep and data mining by State and non-state actors, the DPDP Bill legitimises the mal-intent of a Data Fiduciary and reduces the burden, both legal and penal. The Bill requires major reconfiguring and the judgment in K.S. Puttaswamy v. Union of India should be the guiding principle while devising the provisions. It seems that the State has forgotten that the Bill is for the protection of people, and not corporates and itself.
(Tanmay Singh is Senior Litigation Counsel and Radhika Roy is Associate Litigation Counsel at the Internet Freedom Foundation, Delhi)
(Views expressed in this opinion piece are those of the author.)