Personal Data Protection Bill

You only need to text your friend about how you would love to own red boots once in order to see advertisements for red boots every time you open your phone. You only need to allow Google Maps access to your location once for it to be able to recommend the best restaurants each time you go to a new place. The ‘internet’ knows you. Sometimes better than you know yourself. It knows what movies you like, what your family looks like, and where you are at any moment in time. But what can it, and the corporations moulding it, do with this infinite knowledge of you?  

Personal data includes any information about an individual stored online. This includes transactions, social media posts, messages, internet histories, etc. Data of this nature has become a currency of its own, one priced at a very high value. To quote ‘The Social Dilemma’, “If you aren’t paying for the product, then you are the product”. When you use the internet and its free resources, the product being monetised is your attention and your personal information. 

This process of commodifying your digital presence creates incentives for those that control your information to misuse it. They want you to continue to engage with their platform even if it destroys your mental health and interpersonal relationships. They want to continue to monetise you even if this means they trade and use your data without your consent. 

A corporation’s primary motive is not to protect its consumers, but to make money. Which is why the government needs to establish and enforce protections to safeguard an individual’s online privacy. These protections are what the Personal Data Protection (PDP) Bill aims to provide. 

(The Bill will also have effects on corporations, international regulations, etc. This article does not examine those, but only what a reader as an individual can expect the government to do to safeguard their data.)

Rights Awarded to an Individual under PDP 

(What control do you have over your information?)

Data privacy broadly refers to an individual’s ability to determine for themselves when, how, and to what extent their personal information is conveyed or shared with others. This ‘personal information’ includes online and real-world behaviour.

The bill seeks to safeguard Personal Data, which is data tied to the identity of a person, that is, data that could be used to identify them. The PDP further defines Sensitive Personal Data  which includes information such as financial data, biometric data, caste, religious, or political beliefs, etc. Under the PDP, an individual can :

  1. Access their personal data and confirm whether it has been processed.
  2. Correct inaccurate, un-updated or incomplete data.
  3. Request for their personal data — and any analysis done using it — to be transferred to another company.
  4. Withdraw their consent to share their data. This right is referred to as “The Right To Be Forgotten”. Under it, you can have your data erased from all online platforms.

The Bill also outlines a Data Protection Authority, a committee that an individual can approach if they believe any of their rights under the PDP have been violated.

Duties of Data Fiduciaries

(What can a company do with your data?)

The PDP sets out regulations for data fiduciaries. Data fiduciaries are individuals or organisations that decide what data is processed and for what purpose. An internet service (such as Google) that collects your information and decides what to do with it, would classify as a data fiduciary. Similarly, so would all social media sites — Instagram, Facebook, Twitter —  and e-commerce sites such as Amazon, Flipkart, Myntra. 

Data Fiduciaries mine data, a process that searches for patterns in large amounts of data. They use algorithms to analyse this data and build effective marketing campaigns which allow advertisers to directly target their customer base. It has also been used for governance and political purposes. 

Under the PDP these companies must :

  1. Only collect data that is necessary for a clear and lawful process.
  2. Inform the individual when their data is collected or processed. 
  3. Obtain consent before the data is processed.
  4. Delete personal data after it has been processed.

The bill describes punishments for corporations that violate data privacy. These  include hefty fines — up to ₹150 million or 4% of the firm’s global turnover in the preceding financial year —  and jail time. 

PDP and the Government 

The PDP bill has received severe criticism for the exemptions it makes for the Central Government. Under the bill, the Central Government has been given the ability to process an individual’s data without needing their consent. This exemption is available to the government in situations it deems “necessary and expedient”. Activists, researchers and policy experts have criticised the phrasing for being overly broad and easily manipulatable. 

Additionally, the Data Protection Authority, the committee outlined by the Bill to protect individual’s rights, will be composed exclusively of senior Civil Servants. The committee will have no independent members, calling its autonomy into question. The government’s ability to appoint and remove members allows it to influence decisions made by the DPA. 

The bill also allows the Centre to command firms to share non-personal data that they have collected with the government. The bill does not outline how this data will be used or whether it can be shared with other private businesses. This could potentially allow the government to use this data as a surveillance tool. B N Srikrishna, the chair of the committee that drafted the original bill, has warned that these exemptions risk creating an “Orwellian state”.

These criticisms are relevant especially in the wake of the government’s employment of surveillance technology. Post the anti-CAA protests and the Delhi riots, Amit Shah claimed that the police had identified 1100 people through facial recognition technology. Both the Aadhar Card initiative and the Aarogya Setu app have also been questioned for the lack of data protection.

Nuances Necessary to the Bill
(TW : Mentions of Sexual Assault)

A woman’s naked photographs are leaked by her ex boyfriend after they break up. Her face is clearly visible. They are circulated with her name and information attached. In another city, a man has multiple allegations of sexual assault made against him. Again, these allegations are attached to his name, picture and video proof. How does an Act protect the first individual’s right to control her data while not protecting the sexual assaulter’s? 

Revenge porn sparked India’s first conversations around the need for users to be able to control their digital data. These were extremely intimate moments being put online without the survivor’s consent, in order to hurt them. This personal, vulnerable content would exist and follow the individual around for the rest of their lives — available to every friend, family member and employer. 

Yet, the same law that protects the survivor could also protect the abuser. Sexual assaulters could have their allegations deleted and erased. Individuals could have racist, homophbic, or casteist content they have created no longer linked to them. How do you quantify the difference between “All queers should be killed” and “All Nazis should be killed”. How does an Act differentiate between someone who makes derogatory comments about women and someone who makes derogatory comments about sexist people.

Digital memory is permanent. Laws relating to erasing or updating it will fundamentally change how the internet functions. Therefore, it is necessary for them to be clear, well-defined and comprehensive.

Conclusion

Increasing amounts of our lives are online, especially since the advent of the pandemic. Considering the long life of digital data and the incentives that exist to misuse this data, it becomes necessary to do a cost-benefit analysis everytime you send a message or enter a virtual meeting. 

The Personal Data Protection Bill is, in some ways, a step in the right direction. An individual’s digital presence directly ties into their identity and self image. They deserve to be able to control this image, editing and updating it to make it accurate. Controlling who we are online should be our right. Additionally, corporations that have access to personal and intimate details need to be kept in check to protect their consumers.

Apps that scan faces to add filters are used by government surveillance. Elections are manipulated remotely through Facebook. Should you record that work meeting? Should you make that Instagram post criticising the government? Should you upload a picture of your child on Facebook?  How does the Personal Data Protection Bill, with all its safeguards and exceptions, affect what your answer to the above questions might be.

In order to sufficiently protect individuals, the Bill requires regulations for the government. Independent checks need to be kept on its right to access and process data. Corporations and the State each have significant power which they wield largely in their own interests. The PDP Bill’s interests should lie solely with the individuals it aims to protect, not with any external fiduciaries.

Wynnona Fernandes is a third year political science major at Ashoka University.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s