As the Joint Parliamentary Committee considers the Personal Data Protection Bill, 2019, MediaNama will publish a series of articles from legal experts focussing on the key aspects of the Bill and how they will affect users and companies. This is the twelfth article in the series.

By Kriti Trehan

As I sat to pen down this piece, my phone buzzed thrice in rapid succession. Distracted, as we oft are wont to be with alerts on our devices, I hastened to read the messages I had received. They were from family friends, following up on leads for a matrimonial alliance for their sibling. No, this is not my job; I just happen to know folks who know folks who are trying to get them married. Yet curiously, I received a plethora of information on the prospective party, including age, religious affiliation, employment details and a picture.

So without asking for it, I now had with me some incredibly private information about this person (which, needless to say, I purged from my device immediately). I had also, in the process, been entrusted to help find a match for this person. This meant that I would need to use this pool of information and compare it with another person’s, and handling different individuals’ personal information was just not an endeavour I was going to take on lightly. It was at this point that the sheer gravity of the responsibility upon matrimonial websites’ proverbial shoulders dawned upon me. And things are about to get significantly more onerous (with good reason) under the proposed Personal Data Protection Bill, 2019 (the Bill).

Will the Bill cover matrimonial websites?

When I visited the websites of three of India’s most prominent online matrimonial platforms, I noticed the wealth of information sought from a potential user at the stage of registration. Most of these sites required potential users to share a wide range of data: name, gender, date of birth, contact information, religion and mother tongue. Once registered, even more personal data is required to build the person’s profile. For two of the three websites, employment and health information are mandatory requirements. Under the presently applicable Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), all these categories of information qualify as personal information, with only gender and health crossing the threshold to “sensitive personal information”.

However, the PDP Bill extends the definition of sensitive personal data to include religious affiliation, caste or tribe, and an expanded notion of financial information. Under the Bill, personal data may be processed subject to valid consent, which means consent that is free, informed, specific, clear and capable of being withdrawn. In addition, processing sensitive personal data requires explicit consent, which means the consent obtained must (i) inform the data subject about the purpose of processing which may cause significant harm, (ii) be direct and not inferred, and (iii) be separate for different purposes and categories of sensitive personal data. Sensitive personal data can be processed without consent for state function, when required by law, to comply with judicial diktat, in cases of medical emergencies, and for ensuring safety and assistance in case of disasters or breakdown of public order.

Therefore, typically, to process some of the aforementioned categories of information, most of which are sensitive personal data, matrimonial websites will need valid and explicit consent. A quick check of privacy policies of these matrimonial websites disturbingly revealed that:

  • Two of the three platforms, in their privacy policies, do not expressly state that the users’ information is published or shared with other users on their service. While one may argue that this would be an obvious use case for information shared with a matrimonial website and therefore consent may be inferred, under the Bill, such a policy would fail to meet the compliance threshold.
  • Two out of three websites don’t have a consent mechanism built into the privacy policy to make the users’ profile or snapshot thereof visible to non-registered users. In some platforms, the snapshot of the profile, which is visible to non-registered users, includes caste, religion and income related details. One platform shows user photos while two blur or remove them.
  • Unlike data confidentiality which is typically protected by contractual arrangements, data privacy is protected by law. This means that data privacy has to be protected irrespective of whether or not it is contractually mandated. In this case, all three platforms contractually commit to data confidentiality but don’t appear to fully carry it out.

Under the Bill, matrimonial websites will be well-served to reassess their privacy policies, make them clearer and more robust, and establish back-end processes in line with valid and explicit consent requirements.

Are matrimonial websites discriminatory?

News reports [editor’s note: available here] from the United Kingdom earlier this month indicated that a leading matrimonial website had been hauled up for engaging in caste bias. The website has reportedly pushed back, of course, but this once again brings to the fore the question of whether or not matrimonial websites are inherently discriminatory as they allow for search parameters on religious and caste basis. My personal views on caste-based marriages aside, there are certain nuances that are relevant from a legal/policy perspective.

Let’s begin with the obvious one — instances where users of matrimonial websites opt to search for partners based on religion or caste, or where matrimonial websites establish microsites to cater to specific religions and castes appear to be in violation of fundamental rights under the Indian Constitution (on equality and rights against discrimination). However, there are two points to bear in mind in this context: first, fundamental rights under Part III of the Constitution of India are enforceable against the State, and not directly against private entities/persons; second, even if one were to proceed against the State for failing to uphold fundamental rights to equality and against discrimination, historically, by and large, courts have not been known to have meddled significantly with personal laws, especially since Part III itself enshrines the freedom to practice one’s religion, freedom of speech and expression, and the right to life and personal liberty. Therefore, the likelihood of matrimonial websites being considered discriminatory in India seems low.

The other nuance, albeit semantic in nature, is no less important: where does the bias that leads to what is arguably discrimination actually come from — the algorithm of the website, or the users and their preferences? Matrimonial websites create a platform where users have the ability to define their preferences, including on the basis of religion and caste. This is a double-edged sword. Websites, arguably, make these features available because of such a demand in society. The question is whether the platform is creating such discrimination, actively propagating it, or passively letting discrimination happen. I would think the website is a passive participant at best. Matrimonial websites create the ability for their users to choose, and so long as the platforms ensure the privacy and security of the data they handle, their operations are above board. Users can always choose not to give their preferences for religion and caste, or reveal it themselves. If, however, the bias emanates from the proverbial “ghosts in the machine” — the coding of the platform itself — it is a completely different ballgame. Where a matrimonial website, without seeking user preferences, shows only like-religion/like-caste matches, the risk (both actual and perceived) would likely increase exponentially.

With this background, an algorithm that makes caste/religion-based suggestions according to user preferences should not be found responsible for discriminatory harm. In this instance, I would find the platform upholding choice, which is the user’s sacrosanct right under the consent, rights and transparency regime of the Bill. This right empowers the user to not share their data with the data fiduciary if it is not essential to the provision of services. However, at the same time, in line with the data minimisation principle, I would argue that asking for this caste-based information at the time of registration (irrespective of its usage to find matches) is excessive, and serves no tangible purpose for the user. At the very least, providing caste-based information should be at the option of the user and not mandatory.

Does the Bill have any provisions for algorithmic accountability?

The European General Data Protection Regulation (GDPR) separately addressed automated/algorithmic decision-making. Data subjects have rights like notification, access and objection if subjected to pureplay automated decisions. The Indian Bill, however, does not draw such a distinction – data under the Bill definitionally includes that which is processed by automated means. The Bill includes general accountability and transparency provisions such as those around categories of personal data collected, manner of collection, purpose of processing, data principal rights and process of exercise of rights, right to complain against platform to the relevant authority, trust scores, and information on cross border transfers. However, most of the operative processes around this will emerge under delegated legislation.

Data portability is the only provision where a data subject has an expressly stated right in respect of automated processing – data subjects have the right to receive (and have transferred to any other data fiduciary/platform) their personal data in a structured, commonly used and machine-readable format where processing is conducted through automated means. This includes personal data that users provided to the platform, as well as any other information generated about them, or which forms part of their profiles.

While there is no GDPR-esque algorithmic accountability under the Bill (around the facets of decision-making, etc.), slivers of hope emanate from provisions on privacy by design, transparency requirements and accountability provisions generally applicable regardless of the means of processing. Much like data protection impact assessments, it would be helpful if subsequently created regulations under the Bill also create a framework for algorithmic impact assessments, as are being envisaged pursuant to the right to an explanation in the regime in the EU.

Conclusion

The majority of the profiles on matrimonial websites appear to be operated by family members of the person seeking to get married. While some of these platforms obliquely make the registrant responsible for obtaining the requisite consents from the relevant person, I’d be curious to find out how many actually take permission appropriately. In a lighter vein, and now that I’ve completed writing this, perhaps I’ll direct my family friends to these matrimonial websites — I’m sure they’ll receive far better assistance in the matter of the match than I could ever provide!

*

Kriti Trehan is a Partner at the Law Offices of Panag & Babu. She leads the technology laws and policy advisory practice. She works across a wide range of issues in the technology sector, where regulatory frameworks are still evolving. She counsels innovators on strategy and compliance on offerings untested by Indian law. In recent times, Kriti has engaged closely with industry and regulatory stakeholders on privacy, data protection, platform immunity, localisation, next generation networks, access, net neutrality and sectoral regulation for tech services. She tweets at @krititrehan

Edited by Aditi Agrawal