What the JPC Report on the Data Protection Bill Gets Right and Wrong

Accountability of the state in protecting our privacy continues to elude us.  

After nearly two years of deliberations and a few changes in its composition, the Joint Parliamentary Committee on December 17, 2021, submitted its report on the Personal Data Protection Bill, 2019.

The report also contains a new version of the law, titled “The Data Protection Bill, 2021”.

Concerns regarding the wide power and almost blanket exemption given to the Union government under Clause 35, which allows it to exempt any government agency from the ambit of the bill, continue, and have been further cemented by the insertion of a non-obstante provision in Clause 35 which reads: “Notwithstanding anything contained in any law for the time being in force.”

The only amendment is the insertion of a caveat that the procedure should be just, fair and reasonable.

These concerns have also been highlighted in the dissent notes attached to the report. In this article, though, we highlight certain other areas of concern in the Bill.

Inclusion of non-personal data within the Bill

One of the first recommendations of the JPC is to change the name of the bill from ‘Personal Data Protection’ to ‘Data Protection’, as according to the JPC it is impossible to demarcate between personal and non-personal data, and it is therefore important to have a single legislation dealing with both datasets. The JPC report has recognised that real possibilities exist of identification and subsequent profiling of individuals from non-personal data and anonymised data.

However, unfortunately, it does not seem to recognise the power of the state when it comes to processing of non-personal data and re-identification of anonymised data sets. 
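The re-identification risk the JPC acknowledges does not require any special capability: an “anonymised” dataset that strips names but keeps date of birth, postal code and sex can be joined against any second dataset that shares those fields. The following is an added example, not code from the article or the JPC report, using a constructed health table and a constructed electoral roll; the names, PIN codes and diagnoses are invented. It also shows the check a practitioner would run before release (k-anonymity over the quasi-identifiers) and how coarsening those fields reduces linkability.

```python
"""Quasi-identifier linkage attack on an 'anonymised' dataset (added example).

The 'anonymised' table has direct identifiers removed but keeps date of
birth, PIN code and sex.  Any auxiliary table sharing those fields (here a
constructed electoral roll) is enough to re-attach names to diagnoses.
All records below are constructed; they describe no real person.
"""
from collections import Counter, defaultdict

# Constructed 'anonymised' release: names removed, quasi-identifiers kept.
ANONYMISED_HEALTH = [
    {"dob": "1984-03-12", "pin": "110001", "sex": "F", "diagnosis": "diabetes"},
    {"dob": "1984-09-01", "pin": "110005", "sex": "F", "diagnosis": "anaemia"},
    {"dob": "1975-07-30", "pin": "400001", "sex": "M", "diagnosis": "hypertension"},
    {"dob": "1975-02-14", "pin": "400012", "sex": "M", "diagnosis": "asthma"},
    {"dob": "1961-01-15", "pin": "700001", "sex": "F", "diagnosis": "arthritis"},
    {"dob": "1961-06-20", "pin": "700003", "sex": "F", "diagnosis": "migraine"},
]

# Constructed auxiliary dataset (an electoral roll) with the same fields.
PUBLIC_ROLL = [
    {"name": "Asha Verma",  "dob": "1984-03-12", "pin": "110001", "sex": "F"},
    {"name": "Kavita Rao",  "dob": "1984-09-01", "pin": "110005", "sex": "F"},
    {"name": "Rahul Mehta", "dob": "1975-07-30", "pin": "400001", "sex": "M"},
    {"name": "Vikram Shah", "dob": "1975-02-14", "pin": "400012", "sex": "M"},
    {"name": "Sunita Das",  "dob": "1961-01-15", "pin": "700001", "sex": "F"},
    {"name": "Meera Das",   "dob": "1961-01-15", "pin": "700001", "sex": "F"},
    {"name": "Leela Bose",  "dob": "1961-06-20", "pin": "700003", "sex": "F"},
]

QUASI_IDENTIFIERS = ("dob", "pin", "sex")


def qi_key(row, fields=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values used as the join key."""
    return tuple(row[f] for f in fields)


def link_records(anonymised, auxiliary, fields=QUASI_IDENTIFIERS):
    """Map each anonymised row index to the names in the auxiliary table
    that share its quasi-identifier tuple (empty matches are omitted)."""
    index = defaultdict(list)
    for aux in auxiliary:
        index[qi_key(aux, fields)].append(aux["name"])
    return {i: index[qi_key(row, fields)]
            for i, row in enumerate(anonymised) if index.get(qi_key(row, fields))}


def reidentified(anonymised, auxiliary, fields=QUASI_IDENTIFIERS):
    """Rows that link to exactly one person: the attack has succeeded."""
    return {i: names[0]
            for i, names in link_records(anonymised, auxiliary, fields).items()
            if len(names) == 1}


def k_anonymity(rows, fields=QUASI_IDENTIFIERS):
    """Smallest equivalence class over the quasi-identifiers.  k == 1 means
    some row is unique on those fields and is trivially linkable."""
    return min(Counter(qi_key(r, fields) for r in rows).values())


def generalise(row):
    """Coarsen the quasi-identifiers: birth year only, first three PIN digits."""
    out = dict(row)
    out["dob"] = row["dob"][:4]
    out["pin"] = row["pin"][:3]
    return out


def after_generalisation(anonymised, auxiliary):
    """Re-run the release check and the attack on the coarsened tables.
    Returns (k, uniquely re-identified rows)."""
    gen_anon = [generalise(r) for r in anonymised]
    gen_aux = [generalise(r) for r in auxiliary]
    return k_anonymity(gen_anon), reidentified(gen_anon, gen_aux)


if __name__ == "__main__":
    for i, name in reidentified(ANONYMISED_HEALTH, PUBLIC_ROLL).items():
        print(f"record {i}: {name} -> {ANONYMISED_HEALTH[i]['diagnosis']}")
    print("k before generalisation:", k_anonymity(ANONYMISED_HEALTH))
    k, hits = after_generalisation(ANONYMISED_HEALTH, PUBLIC_ROLL)
    print("k after generalisation:", k, "re-identified:", hits)
```

On the raw release five of the six rows link to exactly one voter, so the diagnosis is re-attached to a name; only the row matching the two voters who share a birth date and PIN code stays ambiguous. Coarsening the fields raises k to 2 and the join returns only candidate sets, never a single person. The point for the Bill is that the second table is the whole attack, and a government that already holds large sectoral datasets is the party best placed to supply it.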

On the contrary, an unrestricted power has been given to the Union government to frame policies for the digital economy. Clause 92(1) of the Bill states:

Nothing in this Act shall prevent the Central Government from framing (***) any policy for the digital economy, including measures for its growth, security, integrity, prevention of misuse,(***) and handling of non personal data including anonymised personal data.

On a plain reading of this provision, it appears that a carte blanche has been given to the Union government to empower its different departments to frame policies which could be contrary to the provisions of the data protection law. Considering that the Union government is the custodian of large non-personal data sets across sectors such as health and finance, it is concerning that such a wide, unrestricted power has been vested in it. Such clauses also go against the assertion made by the JPC in its report, and in the preamble of the Bill, that data protection must be privileged over data economy interests.

Non-consensual processing of personal data

The grounds for non-consensual processing of personal data remain as problematic as in the 2019 Bill.

As per Clause 12, the state does not need to conform to the consent principle if such processing of personal data is necessary for the state to provide: (a) any service or benefit; or (b) the issuance of any certificate, licence or permit.

It is problematic that the Bill continues to grant the state the power to bypass the consent principle to process personal data in order to provide any or all services and benefits. It is also pertinent that the report contains no discussion of the ambit of this clause (it is highlighted in a few of the dissenting notes).

It is further concerning that, instead of narrowing the provision by including the conditions of proportionality and legitimate state aim for non-consensual processing of personal data (as articulated by the Supreme Court in K.S. Puttaswamy v Union of India), the Bill has expanded the set of entities which can process personal data without consent. It now includes quasi-judicial authorities within such a framework.

The JPC has in its report highlighted the power asymmetry between an employer and an employee and observed: “as the employer collects all the data of all the employees, and there is a trust relation between them, which the Committee think should be respected. Therefore, there should be an equilibrium in processing of data of employee and its use/misuse of data by the employer…”

It is disappointing that this statement did not translate into any specific amendment or narrowing of Clause 13(2): the employer continues to have the right to process personal data (though not sensitive personal data) without the consent of the employee when consent is not appropriate, or when obtaining consent would involve disproportionate effort on the part of the employer.

The only amendment made to the provision is the addition of the words “and can reasonably be expected by the data principal” to the ground of non-consensual processing of personal data for the purpose of employment. The Bill continues to use the terms ‘employer’ and ‘employee’, yet, as the pandemic has shown us, there has been a great increase in the use of ‘gig workers’ by different organisations, and there have been several instances of such workers’ privacy being compromised.

Currently such workers do not fall within the ambit of the definition of employment, so the protection afforded to the data and privacy of such workers under the Bill remains unclear.


Dilution of the powers of the Data Protection Authority

An independent and robust data protection authority is the hallmark of a strong data protection regime; unfortunately, the Bill has through its various iterations continued to dilute the independence and powers of the Data Protection Authority (DPA).

As per the 2019 Bill, the selection committee for the appointment of the members of the DPA would comprise entirely members of the executive, raising concerns about the independence of such a selection body. Though the Bill appears to have addressed this concern in a limited manner, by including the Attorney General and an independent expert in the selection committee, the underlying concern regarding the independence of the DPA still remains.

The 2018 Bill had expressly stated that the salaries, allowances and other terms and conditions of service of the chairperson and other members of the DPA would not be varied to their disadvantage during their term. This provision was deleted in the 2019 Bill and is absent from this Bill as well, thereby giving the Union government the power to reduce the salary or amend the terms of appointment to the detriment of the members of the DPA.

Further, under the 2019 Bill, the DPA was bound by the orders of the Central Government on “questions of policy”, with the Central Government also having the power to decide whether a question is one of policy or not. Unfortunately, under the 2021 Bill the powers of the DPA have been diluted even further: under Clause 87(2) of the Bill, the DPA will now be bound by the directions of the Union government on all matters, and not just on questions of policy.

Considering the wide exemption given to the Union government to bypass the privacy and data protection mechanisms, such further dilution of the authority of the DPA is very concerning. 

The JPC and the Bill recognise the importance of privacy and the need to protect all facets of data; unfortunately, however, this applies only to private actors. The expansion of the scope for encroachment on privacy by government actors continues, and the accountability of the state in protecting our privacy continues to elude us.

Pallavi Bedi is a Senior Policy Officer at CIS, where she works on privacy and data protection.

India’s Privacy Bill Will Alter How it Regulates Social Media Platforms, Not all of it Good

The Bill gives the Centre the power to designate certain social media intermediaries as significant data fiduciaries.

The Personal Data Protection Bill was tabled in the Lok Sabha in December following much anticipation and debate.

The tabled Bill significantly differs from the one proposed by the Justice Srikrishna Committee, especially when it comes to provisions relating to governmental access to citizens’ data, with (retd) Justice Srikrishna going so far as to call it ‘dangerous’ and capable of creating ‘an Orwellian state’. 

What has perhaps gone under the radar amidst this are the implications of the ‘social media intermediary’ construct that the Bill introduces, and the proposal to require certain social media platforms to provide users the option to voluntarily verify their accounts.

Section 26 defines ‘social media intermediary’ as a service that facilitates online interaction between two or more ‘users’ and allows users to disseminate media. While e-commerce, internet service providers, search engines, and email services are explicitly excluded from the definition, this term is broad enough to cover messaging services like WhatsApp, Telegram and Signal.

The Bill further provides for certain social media intermediaries to be designated as ‘significant data fiduciaries.’


Apart from the generic obligations that the Bill proposes for significant data fiduciaries, Section 28(3) requires these designated entities to provide users with an account verification mechanism.

Scope and permissibility

Clearly, the intended effect of the provisions is outside the ambit of what we generally understand by ‘data protection.’ Perhaps the drafters also recognised this, and therefore awkwardly included ‘laying down norms for social media intermediaries’ in the preamble. 

The fundamental issue here is that the obligation conflicts with a core tenet of similar legislation globally, one that is emphasised in the Bill as well: data minimisation, i.e. the principle that organisations should not collect more information than is needed to fulfil their purpose. The verification requirement is essentially a State diktat coercing social media companies into collecting more information about their users than is necessary.

Another way to look at the provision is as a move to indirectly expand the amount of information available to the government. Interestingly, the intention behind Section 28(3) is not mentioned in the Bill or its Statement of Objects and Reasons. The legitimate aim required to justify privacy infringements by the State as laid down in Puttaswamy v. Union of India has not been sufficiently clarified in the case of this provision.


Therefore, this provision could very well flounder on being subjected to constitutional scrutiny.

Excessive delegation: Is the devil in the detail?

Another striking feature of the provisions is that several important decisions are left to the executive. The Bill gives the Centre the power to designate as ‘significant data fiduciaries’ those social media intermediaries that have more users than notified thresholds and whose ‘actions have, or are likely to have a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India’.

We can contrast this with the fact that the general power to classify entities as significant data fiduciaries lies with the Data Protection Authority (DPA). However, when it comes to social media intermediaries, the DPA is reduced to a paper tiger, with only consultation (and not even concurrence) being sought from the DPA. 

This concentration of power in the hands of the government should be viewed in conjunction with the obvious conflict of interest created by the Bill: the government would be incentivised to designate platforms which attract dissenting speech, thereby increasing their obligations and concomitant costs.

The classification criterion is also problematic as ‘significant impact on electoral democracy’ is a subjective standard. Such powers could be a case of excessive delegation to the executive, possibly having an arbitrary impact on all growing social media platforms. Given this ambiguity, social media platforms may be incentivised to err on the side of caution and to apply harsher content moderation practices to police dissenting speech. 

‘Voluntary’ verification of users

The Bill requires intermediaries to extend to users the option to verify their accounts, and verified accounts are to be given a mark that is visible to all users. The manner in which platforms are supposed to facilitate this verification is yet another critical matter that is left to delegated legislation. If the history of Aadhaar is any indication, such delegation may result in rules that compromise the stated ‘voluntary’ nature of the provision.


Even if left truly voluntary, this obligation may have an adverse impact on the exercise of freedom of expression online. Almost all leading social media platforms rely on user insights to drive personalised advertisement services that generate most of their revenue. These platforms have normalised private-actor surveillance of human behaviour, and seek to collect as much information as possible about users and non-users alike.

For instance, despite criticism, Facebook has a ‘real name’ policy, going as far as collecting information from users’ friends and third-parties to verify the ‘real’ identities of its users. Therefore, platforms like Facebook may incentivise the verification of accounts by increasing the visibility and reach of content created by ‘verified’ accounts, thereby eroding the legitimacy of pseudonymous expression.

The proposal is in sharp contrast with the EU’s General Data Protection Regulation, which has led to rulings in Germany that Facebook’s ‘real name’ policy violates the law. The primary motivation of data protection legislation is to limit the personal and social harms that arise out of such indiscriminate collection of information. Unfortunately, instead of mitigating these, the Bill may very well end up entrenching them.

Legitimising surveillance

It is also relevant to note that the intermediary guidelines proposed by the MeitY were criticised for placing onerous requirements on ‘intermediaries’, a term in the Information Technology (IT) Act that remains a Procrustean bed for almost all internet services. Since the IT Act does not provide a separate definition of ‘social media intermediary’ and only defines an ‘intermediary’, the inclusion of the provision in the Bill may be a more convenient, albeit misplaced, effort to classify intermediaries and subsequently carve out specific obligations.

However, as we point out, this classification is outside the scope of the PDP Bill and would be better suited to the IT Act. The proposed provisions lack a clear and legitimate aim for user account verification, and involve an excessive delegation of powers to the executive.

The provisions also need to be looked at in conjunction with Section 35 of the Bill, which empowers the Central government to exempt any government agency from obligations relating to processing of personal data in the interest of security of the State where necessary.

This provision marks a significant dilution of the Bill proposed by the Srikrishna Committee, which clearly incorporated the Supreme Court’s ruling in Puttaswamy v. Union of India: any invasion of privacy by the government must be authorised by law, be necessary for a legitimate state purpose and be proportional to the said goal. If the Bill is passed in its current form, exempted law enforcement and intelligence agencies would be able to demand data from social media intermediaries, including information on the ‘real identity’ of users, with few safeguards.

Unfortunately, it seems that several provisions of the Bill, including the schema relating to social media platforms, seek to legitimise disproportionate forms of state surveillance rather than curbing the power of the government to invade citizens’ privacy. 

Tanaya Rajwade and Gurshabad Grover are researchers at the Centre for Internet and Society (CIS). Views are the authors’ alone.

Disclosure: The CIS is a recipient of research grants from Facebook.

The Good, Bad and Ugly on India’s Template for How Your Data Will be Protected

While the draft bill lays the beginnings of a solid foundation, there are troubling landmines that must be defused and debated before it is sent to Parliament.

New Delhi: After nearly a month’s delay, the Justice Srikrishna committee on data protection submitted its report and a draft bill to the IT ministry on Friday.

The report is a sprawling, nearly 200-page document that highlights the committee’s thought process in drafting the data protection framework, the reasoning behind its decisions, the dilemmas that it struggled with and the academic and non-academic sources that it drew upon.

The draft bill – which lays down the rights of ‘data principals’ (Indian citizens), proposes the creation of a data authority to enforce the Act, and sets penalties for violations by ‘data fiduciaries’ (public and private sector entities that collect, process and store data) – is a template that could be modified depending on what further consultations or steps the Narendra Modi government intends on taking before introducing it in parliament.

At a press conference on Friday afternoon, IT and law minister Ravi Shankar Prasad indicated that it would go through inter-ministerial consultation before being sent for cabinet approval.

“There are more steps for further debate and stakeholder comments. The entire parliamentary process will be followed,” Prasad said, without giving details on whether it planned on introducing its draft bill by the winter session of parliament.

While the Justice Srikrishna committee has been criticised by activists and civil society stakeholders for its lack of transparency, on Friday the retired judge hit back, insisting that he was an “open, transparent man”.

“I’m an open, transparent man but that doesn’t mean I will keep the windows of my bathroom open while having a bath,” Srikrishna said.

To better understand the issues at stake, The Wire breaks down what’s significant, what’s weak and what’s potentially troubling.

Defining user data and user’s rights

The draft bill defines data in two different ways. The first is ‘personal data’, which is “data about or relating to a natural person…”. An all-encompassing tag of sorts.

It also carves out a second and separate category for “sensitive personal data” which goes in-depth and covers everything from passwords to financial data. This includes: health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief.

The consent that ‘data fiduciaries’ must obtain for the collection and processing of personal data must be ‘informed’, ‘specific’, ‘clear’ and ‘capable of being withdrawn’.

For sensitive personal data, the consent standards are higher and more detailed. For instance, the data fiduciary should make sure that the individual is “given the choice” of separately consenting to the “use of different categories of sensitive personal data relevant to processing” and that they should understand that the processing of this data “may have significant consequences” for them.

The bill also goes on to list a host of rights that individuals have with regard to their data. These include: the ‘right to confirmation’ (is a company or a government department using my data?), the ‘right to correction’ (correction, completion or updating of inaccurate personal data), the ‘right to portability’ (can I force Zomato to give me my order history data and then give it to Swiggy?) and the ‘right to be forgotten’ (can I ask Google to delete a search engine result that’s about me?).


What’s good and bad: The expanded definition of sensitive personal data to include health, financial and sex-related information is important and is a welcome step.

However, as a few privacy commentators have pointed out, the bill doesn’t lay down the golden principle of allowing individuals to be true owners of their own data. There is no right to erasure, only a limited right to be forgotten that is saddled with a bureaucratic process (more on this below). And at the moment, there appears to be a confusing clause where liability for withdrawal of consent is placed on the individual in question.

Putting restrictions on ‘data fiduciaries’

If the user part of the bill is a little lacking, the bill’s focus appears to be in fixing stronger accountability on data fiduciaries, or companies and government departments that collect and handle your data, and how they must act.

Broadly speaking, the rules that these entities now have to follow or comply with are broken down into three categories.

There are design safeguards: all data fiduciaries must design their systems with privacy in mind and ensure that appropriate security safeguards are in place. If it is found later that there was negligence at any step, the company can be punished.

There are also compliance requirements: all companies and government departments that handle data must notify the Data Protection Authority of India (DPA) of any breach of personal user data. As The Wire has pointed out, this has been sorely lacking within India’s digital ecosystem and is thus a welcome move. The DPA will decide whether the fiduciary is required to make the breach public and what the accompanying fines will be.

Additionally, all data fiduciaries will have to undertake annual data audits by an independent auditor. They will also have to appoint a ‘data protection officer’, who will be an employee within their own organisation, to ensure that all of their data processing activities are in compliance with the provisions of the bill.

Finally, there are data localisation requirements: the bill states that all data fiduciaries “shall ensure the storage, on a server or data centre located in India of at least one serving copy of personal data to which this Act applies”.

Put simply, private companies which deal with the personal data of Indian citizens will have to store a copy of that data in India. This will have significant consequences for Silicon Valley-based giants who store the data of their Indian users primarily in the United States, Europe or Singapore.

The bill goes on to note that the Centre will notify further categories of personal data, called “critical personal data”, which can only be stored in India.

What’s good: The bill is quite strict on how companies and government will be treated if they are found to have committed offences under the Act (the two primary ones being obtaining or selling data contrary to the Act, and the re-identification and processing of de-identified data).

While government departments and state governments have been let off lightly for leaking personal data in the past, the Srikrishna bill cracks the whip. It notes that if any offence is committed by a department of the central or a state government, the “head of the department or authority shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly”. This ensures that the blame isn’t passed off onto a lower-level government officer.

What’s ugly: The pro-state or pro-government argument for data localisation is that storing data within a country’s borders prevents it from being spied upon by foreign nations. However, the Justice Srikrishna committee hasn’t gone that far – all it asks is that companies store a copy of Indian citizen data within India. This means the data can still go back to US or China.

As some privacy experts have noted, this doesn’t appear to be aimed at protecting Indian data from foreign eyes. It looks more like an attempt at making sure the Indian government will be able to access the data of Indian citizens more easily, without having to wrestle Silicon Valley-based companies and the US government for it. When you combine this with the fact that there is nothing in the draft bill on reforming India’s mass surveillance apparatus, it becomes concerning.

Additionally, the bill also lays out that the data protection authority will decide if data breaches will be disclosed to the users that have been affected. As The Wire has reported, Indian companies and government agencies are more than happy to be quiet about their lax security standards. Affected users should have a legal right to know if their data has been compromised, as they have in the United States.

The Data Protection Authority of India

To enforce all of the above, the Centre, by way of a notification, will set up the Data Protection Authority of India, a body that will have meaningful power to monitor and enforce the provisions of the data protection bill. It will also fill some of the more meaningful gaps between the bill’s vision and actual regulation.

The authority will have a chairperson and six members, who will be appointed by the Centre on the recommendation of a panel headed by the Chief Justice of India.

It will, quite simply, have the power to issue directions, call for information, launch inquiries, levy penalties and, in extreme cases, even “temporarily suspend” or discontinue the business activity of a data fiduciary or data processor.

The penalties that can be levied are divided into two major categories:

1) If a data fiduciary doesn’t follow through on compliance requirements, it can be fined up to Rs 5 crore or 2% of its worldwide turnover, whichever is higher.

2) If it doesn’t comply with the standards for processing personal or sensitive personal data, it can be fined up to Rs 15 crore or 5% of its total worldwide turnover, whichever is higher.

Then there are a host of other penalties for more minor violations, such as refusing to comply with an individual’s request (Rs 5 lakh maximum).

The bad: As with most seemingly autonomous regulatory institutions, the fact is that the data protection authority could be captured by the government (central appointments with 5-year-terms). The bill calls for a separate appellate tribunal to be set up that will hear appeals made against DPA orders. The head and members of this tribunal, as is the norm, will be subject to rules of qualifications, term of office and renewal by the Centre.

On Aadhaar and state surveillance

On these two subjects, there has been a certain amount of trepidation from privacy activists and a section of civil society stakeholders.

For instance, Section 13 of the proposed data protection law clearly notes that personal data may be processed if needed for the “provision of any service or benefit to the data principal from the state”, which covers Aadhaar numbers. This essentially means that consent is not required in these cases.

Section 19 does the same for sensitive personal data which appears to cover Aadhaar authentication (biometric data processing).

Processing of sensitive personal data for certain functions of the State. —

Sensitive personal data may be processed if such processing is strictly necessary for:

(a) any function of Parliament or any State Legislature.

(b) the exercise of any function of the State authorised by law for the provision of any service or benefit to the data principal. (Section 19)

However, as at least one privacy expert pointed out, the European Union’s privacy regulations (the GDPR) also allow for derogation of national identification numbers.

It is unclear to what extent these consent exemption clauses protect the Aadhaar programme, which is currently under Supreme Court judicial review.

On the other hand, the report that the Srikrishna committee produced (the 200-page document) makes multiple observations on Aadhaar, the UIDAI ecosystem and its security problems. It acknowledges that the UIDAI has struggled to take enforcement action against “errant companies in the Aadhaar ecosystem”, but chalks this up to a lack of proper enforcement powers.

To this end, the committee suggests two proposed amendments to the Aadhaar Act, which, incidentally, don’t find a place in the draft bill. The first is to give more teeth to UIDAI by allowing it to “impose civil penalties on various entities” and “issue directions as well as cease and desist orders to state and private contractors”. These entities and contractors, as The Wire has reported, have significantly damaged the trust around the Aadhaar ecosystem.

Secondly, the Srikrishna committee recommends splitting the process of Aadhaar authentication into two: the first would still retain how it was meant to be done, but would be restricted only to entities that “perform a public function”. Other entities who still require some form of identification would use a new system of verifying the “identity of individuals offline”.

On mass surveillance

What has sparked some concern amongst privacy scholars and activists is the number of exemptions the proposed bill offers to processing of data without consent. Of particular concern are the exemptions offered to the state, which are allowed if authorised by a separate law enacted through Parliament.

While some of the consent exemptions are benign, such as those for “journalistic” or “research and archiving” purposes, others deal with what the committee believes are legitimate state needs, including “security of the state” and “prevention, detection, investigation and prosecution of contraventions of law”.

The Srikrishna committee report, however, is likely the toughest any government-backed document has been about state surveillance. It notes that the Centre must “carefully scrutinise the question of oversight of intelligence gathering” and “expeditiously bring in a law to this effect”.

“The design of the current legal framework in India is responsible for according a wide remit to intelligence and law enforcement agencies. At the same time, it lacks sufficient legal and procedural safeguards to protect individual civil liberties. Much intelligence-gathering does not happen under the remit of the law, there is little meaningful oversight that is outside the executive, and there is a vacuum in checks and balances to prevent the untrammeled rise of a surveillance society,” the report notes.