Data Protection Bill 
Columns

The Great Data Protection Debate: India’s new Data Protection Bill

Should the Data Protection Bill pass, India would have taken an encouraging step toward better data regulation, but not without pitfalls.

Rohin Dubey

Enthusiastic linguists have long argued over whether ‘data’ should be considered singular or plural. A far more pressing concern has emerged in recent history: Is data public goods like sunlight, or private goods like oil? Much like sunlight, data can be widely shared for the benefit of society and the prosperity of its people. Think knowledge on the internet. Conversely, like oil, data must be refined over time to have any use. Think targeted advertising.

The inherent malleability of data has prompted larger questions about ownership, regulation and sovereignty. Thus far, India has declined to engage with these questions. India’s fractured privacy law is seldom heard and rarely applied. In the face of mounting criticism, on December 11, 2019, the Government of India introduced the Personal Data Protection Bill to address emerging data concerns. What does this law seek to achieve?

Take ownership first. Defining data property rights is thorny because the creation of information can never be attributed to one person. Who, for example, owns the fact that a dating app matched two people resulting in their union? The service provider? The couple? The advertisers who pay for the service that make its use free to users?

India’s Data Protection Bill recommends that the person to whom the data relates be given rights over its control. Such data may only be processed “on the consent given by the data principle” [Section 11(1)]. Given the ease with which we consent to give away our data in exchange for free apps, marginal discounts, and online games, the law fails to address the core problem. Indian courts may ultimately be called upon to intervene and balance the unequal bargaining power embedded in these data transactions.

Nevertheless, the benefits of ownership may be overstated. Revealingly, no one has ever considered paying users for the data they routinely generate. Data economics put pressures on pricing too. Social media companies no longer need to offer free services in exchange for user data. With millions of data points being generated on a daily basis across a variety of online platforms, these firms can make frighteningly accurate predication about our behaviour by crunching data from other users. How do we structure a law to defend against that?

Modi Operandi

The Data Protection Bill suggests that personal data should include data “…relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity… or any combination of such features, or any combination of such features with any other information…” [Section 3(28)]. Verbiage apart, the Bill essentially says that any data that identifies you in connection with any other information is your personal data. Naturally, this creates a recipe for competing claims. What if ‘any other information’ were to include somebody else’s personal data?

All these complications have led data experts to argue that citizens should hold control over their data collectively, rather than individually. These ‘data-co-operatives’ would act as trade unions within conventional markets. Among others, they may negotiate rates for data, ensure quality digital output, invoice organizations that benefit from the output, and distribute the profits.

Global data trusts may not be far away. In January, Microsoft’s CEO, Satya Nadella, at the World Economic Forum called for greater respect for “data dignity” - meaning individuals should have greater control over their data and a larger share in the value it creates.

All that said, how does India propose to regulate all this information? Borrowing heavily from the European Union’s General Data Protection Regulation, the Bill obligates organizations to (a) act transparently in its processing of data, (b) implement appropriate security measures, and (c) promptly notify the authority about any data breaches. Additional obligations include yearly audits and accurate record keeping.

In turn, individuals have the right to (a) determine what personal information is being processed in the organization’s possession, (b) request correction of any inaccurate information, and (c) have the data portable to any other organization rendering the same service. Chillingly, the proposed law does not grant a person the right to secure deletion of all his data in another’s possession, only to prevent its continuing disclosure. Soon, data entrustment maybe a lifetime commitment greater than marriage.

Global Trotting

Online giants have always assumed that data will be a global affair, unshackled by borders. Data freedom, however, is increasingly under assault by governments looking to protect their people, economy and ultimately, sovereignty. The Data Protection Bill is no different. Virtual borders are erected so that data may not freely enter and leave the country. The Indian government has already blocked the usage of certain mobile applications on three different occasions in 2020; other restrictions may not be far behind. Conditionally, certain cross-border transfers may be deemed permissible provided firms create digital centres to give data local residence.

This will doubtless have a larger economic impact. The free flow of information makes the world, if not a better place, certainly a more efficient one. Industry experts are raising larger geopolitical concerns about digital protectionism resulting in AI nationalism.

Given data’s infinite duplicability, naturally one wonders how these laws may be effectively applied and enforced? The Bill proposes that it apply to (1) organizations that collect or process data in India, or (2) foreign companies profiling the data of individuals within India. Thus, an American company profiling the data of a German who is taking a holiday in India will, for the time of his sojourn, have to comply with India’s data protection law!

To contend with enforcement intricacies, the Data Protection Bill establishes an authority to oversee the implementation of the law and prevent misuse of data. This authority will act as judge, jury and executioner with the ability to issue directions, call for information, conduct inquiries, and undertake search and seizures. Penalties include fines of up to Rs. 5 crore or two per cent of the offending party’s worldwide turnover, whichever is higher.

The Data Protection Bill is currently being analysed by a Joint Parliamentary Committee in consultation with experts and stakeholders. Should it pass, India would have taken an encouraging step toward better data regulation, but not without pitfalls.

Back in the 19th century, the Industrial Revolution resulted in a massive increase in production, along with dismal social and working conditions for individuals at the factories. It took over 100 years for some societies to adapt, while others never did. In the emerging world of data, it will take time to develop proper institutions and appropriate mechanisms to face mounting complications. Societies that do not act now, risk losing not only their oil, but their sunlight too.

The author is a practicing lawyer at the Gurgaon based law firm N South, Advocates.

Principle of estoppel does not apply when error by court needs to be corrected: Kerala High Court

Bombay High Court quashes Judicial Officer's FIR against in-laws

India was born out of love, not hate: Supreme Court Justice Sudhanshu Dhulia

Don't get carried away by "WhatsApp University" messages: Supreme Court Justice KV Viswanathan

Plea before Delhi High Court alleges misuse of UAPA against journalists

SCROLL FOR NEXT