Data Protection Bill is vague and intrusive
The Personal Data Protection (PDP) Bill, 2019 introduces significant new requirements and challenges for legal and compliance functions. This entails changes to the ways in which technologies are designed and managed, including a focus on search, storage and security of data. The PDP framework needs to stand the test of time in the era of artificial intelligence, machine learning, robotic process automation (RPA), Big Data and the Internet of Things, as well as gadgets like Alexa and the Google Assistant, which are evolving at ever higher speed and posing many challenges for data protection and privacy.
The Joint Select Committee of Parliament, which is examining the PDP Bill, faces a complex and multifaceted challenge. A number of changes are at the core of the current digital transformation: the blurring of the distinction between reality and the virtual world, and of the distinction between human, machine and nature; the issue of information abundance; a shift from standalone IT assets to networked assets; and a shift of data and information processing from centralised hardware architecture to distributed, software-designed architectures. The size of data in 2022 is projected to be about 40 times that of 2020.
The PDP Bill, therefore, needs to be considered against the backdrop of such transformations, along with key objectives such as promotion of the digital economy, innovation, and protection of citizen and consumer interests (with a focus on data privacy) and of state and public interests.
The interests of the tech and commercial entities need to be balanced with those of the public and the state, given the reliance of the latter on such entities.
The current PDP Bill must meet such objectives for at least the next five years. The Bill, however, creates a ‘monopoly’, wherein all of the data, personal and non-personal, will be under the purview of the state and its agencies. The Bill does propose to provide checks and balances, albeit in only one or two cases, through rules and regulations. Nevertheless, it is important not only to provide robust checks and balances for accessing the data, but also for lawmakers and citizens to know the principles behind them while formulating the law. The lawmakers, at least, would need to be satisfied by the proposals.
Defining personal data
Intense discussions have been taking place in the country on expanding the scope of the PDP Bill; in particular, the definitions of ‘personal data’ and ‘non-personal data’. Many such discussions are critical to the broadening of the concept of personal data, and the inclusion of non-personal data. Given the technological advancements and the large amount of data available for analysis, absolute and irreversible anonymity may no longer be possible. All data in the near future will either be or will contain personal data, leading to the application of ‘data privacy and protection’ to just about everything. Data-analysis technology is rapidly moving towards perfect identification. Any information is likely to relate to a person.
A more principle-based holistic approach may thus be needed with regard to personal and non-personal data, because of the difficulties in distinguishing between the two.
The concept of personal data as defined in the PDP Bill is also likely to raise considerable legal uncertainty. According to Clause 3(28), this concept covers data about or relating to a ‘natural person’, who can be identified either directly or indirectly. The problem here is that identifiability may only result from additional information or data available to and from the data fiduciary. This, as such, prevents anonymisation.
It will thus be necessary, in light of technological innovation, to consider applying the law uniformly to all kinds of personal and non-personal data. The other solution would be a clear separation of personal and non-personal data. In fact, the latter could be limited to machine-generated data, and be aimed at implementing an efficient market-oriented non-personal data law.
The pros and cons of Clause 91 of the Bill have also not been debated before its inclusion. It basically allows the government to ask companies for non-personal and anonymised personal data.
There are certain provisions relating to social media as well. Such provisions should be included in the Information Technology Act, rather than the PDP Bill. In this hyper-connected world, can data localisation be possible, particularly where data is hosted, posted, updated and accessed using public networks in a decentralised environment? Only data that is hosted, posted and accessed on a captive private network can be localised.
It would be necessary to study the European Union’s GDPR (with which the PDP Bill bears many similarities) and other international frameworks, and align the provisions relating to cross-border flow of data while addressing the Indian environment, culture and the sovereignty of the country. Ultimately, the country has to get its data protection and privacy framework recognised by other jurisdictions in the world, keeping in mind the larger interest of commerce, trade and manufacturing. The pitfalls of the GDPR also need to be taken into account.
The PDP Bill is expected to reshape the hierarchical structure of both public and private sectors, which would include the state, too. The state must have assessed this and may be ready to address the implications of such reshaping, including standards for anonymisation, de-identification and filtering of non-personal data from the composite data set.
It must be noted that while creating and saving the numerous documents and data which may help in the compliance and verification needs of the PDP framework, “Big Data” and AI/ML will be present and applied. The very concept of Big Data, however, clashes with that of data minimisation, an underlying concept in the PDP Bill.
It is, therefore, important to lay out a proper system of modern law for the digital economy that also integrates the perspective of privacy-based data protection, which may drive efficient market regulations. At the same time, all the stakeholders should be made accountable and responsible while recognising their roles and functions.
The framework thus needs to be more modular, and may be expanded as we learn from experience and technological innovations. Care needs to be taken that the PDP Bill does not become “the law of everything”.
Taneja is a lawyer with Karanjawala & Co. Rai is former National Cyber Security Coordinator, Government of India.