Remember the recent admission by Facebook that data of 87 million users, including 5 lakh Indian users, was shared with Cambridge Analytica? The lack of information about what the latter was doing with such volumes of data, and the very thought of personal information being used for unknown intentions, sent ripples across the globe. The controversy prompted many nations to consider the need for stricter laws to protect citizen data.
Result? India’s Personal Data Protection Bill, 2018.
On 27th July, the Justice BN Srikrishna committee submitted a draft Personal Data Protection Bill, 2018 that laid down data protection laws, prescribing how organisations should collect, process, and store citizens’ information.
The move came after the European Union’s successful release of the GDPR (General Data Protection Regulation) – a law that protects the data of all citizens in the EU and prevents its sale to institutions within and outside the EU. This law received so much support that weeks after it was launched, companies across the Union changed their data processing standards in line with the GDPR. Remember those multiple mails in your inbox about changing privacy policies by websites you don’t even remember subscribing to? That was the GDPR effect.
But even in its draft phase, the Indian bill doesn’t compare to its British counterpart. It’s flawed, unclear and shortsighted. It has received a lot of flak for lack of clarity on key issues and may need to go through a few rounds of review before it can be considered effective. Here are its problematic features.
Right to consent
The proposed bill essentially makes citizen consent central to data sharing. This literally means that companies have to, at any cost, take explicit consent from users to use their information. To meet this expectation, the bill requires any fiduciary to store the data on a local server in India.
There’s a major problem with this system. Experts believe this may become a big hurdle for existing companies to operate in India, and for new ones to set up shop. It will particularly impact foreign firms, which already have millions of users in India but store their data in their own country. And while bigger entities may manage to muster the resources to meet this new requirement, India will become extremely undesirable for smaller players. Mandating localisation of all personal data is likely to become a trade barrier.
So while the bill solves the short-term issues of data protection, it creates long-term economic issues. And this is just unnecessary. The GDPR, for example, has a similar localisation system but with more foresight. It only requires you to have a local representative or a subsidiary company. So if Facebook, for instance, breaks data privacy laws, you can arrest the representative and file cases against him, directly bringing losses to FB.
Right to withdraw consent
What if you realise that giving consent to a certain company in the past was a bad idea? Or what if you hit the “allow/consent” button by mistake without really approving of it?
Well, there’s no way out of it. At least not an easy one. The thing is, the draft has made “consent” so central to the law that it fails to recognise or elaborate other issues.
The bill confidently asserts the withdrawal of consent without offering any plausible explanation of how that is possible in a global market once data has been processed, transferred and profited from. Even the GDPR states outright that already processed data doesn’t come under the purview of withdrawal. But the Indian draft confidently says it can do so.
But that’s not even the primary matter. The bigger problem is the process of withdrawal. The bill doesn’t lay down any specific framework for it and has made withdrawal a very subjective matter. For example, if you decide to withdraw, you must first furnish a justification for your decision, backed by evidence that the company you’ve consented to is misusing your data. If you can’t get proof, then forget about it, because the law states that unless there is measurable damage the issue can’t be taken further. And if you do have proof, the process of getting it through is long-winded and fuzzy: lots of documentation, running about and legalities. At the end of it, the bill conveniently places the responsibility for all legal ramifications of the withdrawal on us.
So if the consented company decides to charge you with defamation or take you up in court for alleging their misuse of your data, you face the court alone.
Right to be forgotten
There is no such mandate in the bill.
You can give consent or go through a tardy process of withdrawal, but in no way can you demand that companies delete your information. Whatever you’ve submitted before (name, address, email ID) through autofill forms or personal choices is all stored forever!
This is a big flaw with the bill, because at a time when data is being largely used illegally and without consent, the bill banks on the honesty of data companies rather than taking away their very weapon of privacy breach. The GDPR, on the other hand, has allowed citizens to demand deletion of all their information, serving as a fresh start in the data world. Since then, Google is reported to have received 655,000 requests to delete 2.5 million personal data links from its search history alone. It was further asked to take down sites that hosted inaccurate data mentioned in the requests. The company has already complied with 40% of those requests and is working on more. This is the intensity of a robust data protection bill. India must understand that by bringing in the right to be forgotten in its bill, it will have the same power to pull down barrages of wrong and illegal information from the internet.
Of course, even the GDPR gives no explanation of how data shared with remote companies can be deleted and what happens in the event of lost data. These are road bumps, sure, but at least the mention of deletion in the bill can urge the government to take necessary steps or figure out ways in which processed data can be deleted. If the Indian bill doesn’t even mention the right to be forgotten, then there’s no incentive for the government to stop illegal use of data at all.
In conclusion, any data protection legislation must protect the people and not just data. But instead of recognising that mere consent is inadequate to protect rights, the report turns consent into “an end in itself”. As of now, the only action meant to stop data crime is the proposal to charge non-compliant companies a fine of Rs 5 crore ($727,450) or 2% of their turnover, whichever is higher. For one, this is way less than the GDPR’s, which is 4% of the total turnover. And second, with a complicated withdrawal process and non-existent deletion, how will the government pin down non-compliance at all?
The bill also gives the Central government excessive powers under Section 98. Under this, the Centre can set up a Data Protection Authority to look into matters of privacy breach, and can also issue directions to the authority and ask it questions about its investigations. This mandate leaves more room for corruption to seep in and make the bill more ineffective.