Data Bill: Endless riddle of right to privacy entangled with consent

The PDP Bill does not make an effort to comprehend the nuances behind obtaining consent
Last Updated 05 December 2022, 03:09 IST

Since the introduction of the new data protection draft, its features and characteristics have been under debate, and the primary purposes of the privacy policy need to encompass these discussions. The new Digital Personal Data Protection Bill (PDP Bill) has brought substantial changes and delights.

The new PDP Bill is written in plain language, moving away from the norm of drafting legislation in the ‘incomprehensible’ language of the law. It has dropped stringent requirements such as data localisation, certification, and portability, among others.

However, past learning and delights are clouded due to the contractual arrangement of a consent framework to protect personal data and the implied limitation on data transfer. The PDP Bill was meant to strengthen individual rights to privacy and enable the easy use of data for business, but it has undermined the individual’s ability to assert control over information and also placed implied restrictions on the free flow of data in the electronic market.

The PDP Bill provides a contractual framework of notice -- consent to collect and process the personal data of individuals. Consent has to be freely given and specific with explicit affirmative action, and ‘notice’ specifies the intended collection and use of data.

The PDP Bill neither makes an effort to comprehend the nuances behind obtaining consent, nor prescribe measures to prevent the coercive and deceptive nature of contractual clauses to obtain consent. In practice, privacy notices are daunting for ordinary people to understand and dissect because they encourage the disclosure of personal information. These notices include contractual clauses that propagate more extensive uses of personal data and carefully de-emphasise privacy options, such as opt-outs that are buried inside the text.

Research has shown that ‘bounded rationality’ limits an individual’s ability to process information while making privacy choices. Individuals may value their privacy highly but tend to freely exchange it for services and other conveniences without contemplating its long-term consequences.

The bill introduced ‘deemed consent’, under which consent and notices are not mandatory. The data principal voluntarily providing personal information and being reasonably expected to do so is one of the grounds for assuming deemed consent.

The need for collecting personal data is often pre-conceived based on already-formulated design concepts by the system developer or data fiduciary. Data minimisation is the core tenet of the privacy framework. The ‘collection limitation’ is an early principle of privacy published by the Organisation for Economic Cooperation and Development (OECD), suggesting refraining from collecting personal data, if there are alternative means to achieve the intended purpose.

Besides, the PDP Bill puts the burden on the individual to bear the consequences of their refusal to give consent. Data fiduciaries may use this to discriminate against and de-incentivise individuals who assert their privacy rights by refusing to provide personal data if it is not necessary to complete a transaction. Unfortunately, the PDP Bill does not stipulate any safeguards against such selective discrimination.

Privacy is not just an individual’s ability to grant or deny access to their data. It is also the individual’s ability to control the information available to others.

There needs to be clarity around a few major aspects of the PDP Bill, primarily the need for classification of personal data, which is essential to applying different levels of security measures. Also, no time period is specified for data retention, and the time to report a breach and response procedures for a breach are yet to be specified. Additionally, the power to establish the Data Protection Board (DPB) and rule-making is vested with the central government, with no requirement of any consultative process.

Besides, the PDP Bill exempts government and state agencies from its application. It allows agencies unhindered access to process personal information on grounds such as India’s sovereignty, and the security of the State. Though the exemption is necessary, it needs to be layered with reasonable procedures, audit logs and the requirement of conducting Privacy Impact Assessments (PIAs). In the global context, E-Government Act 2002, FTC, Secretariat’s Directive of Canada, mandates PIAs, and NIST SP 800-53 provides a catalog of controls for agencies to mitigate information processing violations.

Unlike EU law, GDPR and Working Party (WP 29), which provides binding corporate rules (BCR) and standard contract clauses to facilitate cross-border data transfer, the PDP Bill confines the cross-border transfer of data to the countries and territories that the central government specifies. This will make data transfer more reliant on geopolitics instead of economic activity.

The reason behind this restraint appears to be to protect citizen privacy and cyber security, but this may also enable government agencies to access data stored outside India with bilateral arrangements instead of complying with statutory requirements, if any, that exist in the global arena.

Engineering privacy into design

The PDP Bill has omitted its earlier reference to “privacy by design.” This principle recommends data-oriented privacy techniques such as separation, minimisation, hiding, and abstraction without losing the informational utility of the data. The system applications are the centre of data collection and processing. Research indicates that the ‘privacy friendliness of the system’ depends upon the ‘degree of identifiability and centricity’. The sole objective of business entities to ‘maximise information utility’ may conflict with the ‘minimise privacy risk’ objective. The default design of system application development should be privacy-preserving.

In conclusion, consenting for convenience or voluntarily providing information that intrudes on personal privacy or tranquility may lead individuals to lose trust in technology and business entities.

With our growing dependency on technology, the contractual framework is no longer enough to protect personal data. Informational privacy is an intrinsic part of the right to privacy. Observable and measurable harms exist when individual privacy is violated. The policy approach should empower individuals with more control to evaluate risks and also enable them to claim damages for violations. It should protect the individual from selective discrimination for their choice of non-disclosure of data. Similarly, in an increasingly complex electronic business environment, simplifying rules and fostering the free flow of data are essential for trade. Restriction obstructs data’s true potential and may lead to the “splinternet.” Complying with the policy alone will not be sufficient to mitigate privacy risks unless system applications embed appropriate security safeguards.

(The writer is a lawyer and privacy technologist.)

(Published 04 December 2022, 17:30 IST)

Follow us on