Hindustan Times (Chandigarh)

The draft personal data protection bill is flawed

It will increase compliance costs for industry, stifle innovation, weaken privacy, and strengthen State power

- ANIRUDH BURMAN

The recent debate on privacy that started with Aadhaar is at a curious inflection point with the introduction of The Personal Data Protection Bill, 2019 in Parliament. The bill introduces significant compliance requirements, dilutes property rights in data, and strengthens State power — without actually protecting privacy. The fight for privacy has led us into a situation in which we could potentially lose privacy as well as stifle innovation.

The bill provides a preventive framework for the collection and use of personal data. No entity can collect a person’s data without their consent, and higher requirements apply for processing “sensitive personal data”. Unless the user consents, personal data cannot be stored and processed except for the purpose it was collected for. Businesses that collect data have to comply with a number of requirements, including security and transparency, segregation of different types of data, and conducting data audits. Additionally, certain user rights must be provided — access to data, correction of data, the ability to port data from one business to another, and the right to be forgotten.

The primary issue is that it relies on the idea of user consent and disclosure about data practices by businesses. This approach has been criticised as inadequate since the 1990s. Today, data is collected by taking consent through contracts users do not read or take the time to understand. This framework has been critiqued as requiring too much consent, causing user fatigue and desensitisation. The Justice Srikrishna Committee that drafted the first version of the bill itself acknowledged that “consent is broken”.

The bill also places reliance on the concept of “harm”. It proposes that regulatory requirements take into account the harm that may be caused from the use of personal data. For example, the risk of harm is a consideration in deciding what kind of security safeguards and privacy by design policies businesses will have to incorporate. Critically, penalties will be imposed based on whether harm has been caused. However, the definition of harm is extremely problematic and includes many legitimate activities that all businesses have to engage in. The bill’s conception of “harm” may impose serious constraints on business activities without protecting privacy.

One of the components of harm is “any discrimination” caused by the use of data. However, businesses necessarily have to discriminate in many cases when conducting business. For example, businesses have to discriminate on the basis of age while deciding whether to serve alcohol to underage individuals. The Indian Constitution precludes discrimination on certain specific grounds such as religion, race, caste only with regard to employment and access to public spaces. In doing so, the Constitution itself recognises that only certain forms of discrimination are problematic. This bill does not do so.

Another example of imprecise wording within the definition of harm is: “any loss or withdrawal of benefit based on an evaluation of the user”. This also does not balance the legitimate interests of a business against that of a user. The reliance on this problematic definition of harm, and the preventive framework that the bill creates, are likely to increase compliance costs for the economy significantly. Other than small businesses that manually process data, the bill will regulate all other businesses across the economy.

Other jurisdictions like the European Union that have recently revamped their data protection laws already had pre-existing versions of data protection laws. This is not the case in India. Other than some sectors like banking and telecommunications, businesses in India do not have pre-existing privacy requirements. The magnitude of increase in compliance is therefore likely to be significant.

Lastly, the bill gives the government the power to mandate any business to share anonymised non-personal data with the government. It states that this will be used for ostensibly noble purposes such as increasing the efficiency of service delivery, but is silent on whether this data will be shared publicly (with business competitors, for example), or whether the government will compensate businesses for expropriating their data. This is likely to have a deleterious impact on long-term incentives for innovation and growth.

The problem with schemes like this is that the benefits accrue in the short-term while the costs are paid over the long-term.

When one combines the power to mandate handing over non-personal data with the creation of a regulator that will oversee this large regulatory framework (which may not actually protect privacy), and adds the power given to the government to exempt its agencies from the requirements of this bill, one is left with the disturbing conclusion that this bill doesn’t only increase compliance costs to the detriment of innovation, it dilutes privacy more than it strengthens it.

Image caption (Shutterstock): Its idea of user consent is inadequate. Its definition of harm is imprecise
