There is much that can be and has been said about the data protection Bill, which was just passed in the Lok Sabha with a voice vote. Like the fact that the Bill removes rather than establishes boundaries around what the government can do with people’s personal data by, for example, proposing a Data Protection Board lacking independence, or by being silent on surveillance. Or how, in a reflection of the growing trend of the state going after those seeking justice, the proposed law also allows for the Data Protection Board to penalise “frivolous” grievances or complaints, thereby going after the very people it is supposed to protect.
But this article is not about any of this.
Data protection is not an end in itself. It is the means to protect the people to whom the data pertains. If a data protection law protects only the person’s data but not the person, then it is not serving its purpose. Globally, most data protection legislation is rightly built on the principle of consent. But the way that consent is usually operationalised in law gives people very little control to protect their data, including the approach that has been adopted in the present Bill.
Most digital consent frameworks merely allow for a yes or no answer. More sophisticated consent managers allow for more granular sharing of data, allowing people to respond to which data they want to share and select which purposes they want to provide consent for. A wider framework which creates space for discussion and allows people to suggest rather than respond to what digital services can do with their data is yet to be properly conceived.
Also read: Why the Personal Data Protection Bill Won’t Stop Data Proliferation in Digital India
For example, I have little meaningful choice to not use WhatsApp to be in touch with my friends and family as well as for work. Refusing consent to WhatsApp’s terms of service practically means staying less in touch with those I love and work with – not a choice most people will make. Similarly, taxi drivers and other gig workers can’t really opt out of terms and conditions of ride-sharing and delivery apps and say no to them, since they have EMIs to pay and are financially locked in. Likewise, current shopping habits make it increasingly hard for retail businesspersons to not be on popular e-commerce websites, often on conditions unfavourable to the sellers. Therefore, meaningful data protection frameworks should allow people to decide how digital services can operate rather than the other way round. This is because even while consent is obtained in theory, often the real world allows for little choice in practice.
Apart from the surveillance state, data needs protection from those with commercial interests who abuse it against the financial interests of people. Data protection has a privacy component for ensuring the political rights of people as well as a commercial component for ascertaining economic rights. By looking at only privacy without safeguarding people’s financial interests, legislation will only be taking a half-hearted approach to data protection. For gig workers, those selling on online platforms and even people on the internet who receive spookily accurate targeted ads, current data protection regimes will merely assuage symptoms and not address the root cause – the fact that people have very little control on how their data is used beyond a yes or no consent. For genuine people protection, we must create laws that enable participatory governance of the digital services they use so that people can ensure that their data is protected from being used against their interests.
Lastly but gravely, this Bill is an example of how one right is used to compromise another right and, in the process, deny people both rights. While not adequately ensuring people’s right to privacy, this Bill is used as an occasion to also disastrously undermine the Right to Information (RTI) Act. This Bill seeks to break the harmony the RTI sought to create between the people’s right to information and their right to privacy, by comprehensively amending the Section 8(1)j in the RTI Act that sought to create this balance by defining the right to privacy in the context of the RTI. The framers of this legislation, while dismantling this balance, have failed to provide an alternative harmony.
The present approach to data protection is not the be-all and end-all of people’s protection online. People’s protection should be the end, and a more well thought out approach to data protection legislation the means.
Nachiket Udupa is a member of the Mazdoor Kisan Shakti Sangathan (MKSS).