The number of user rights recognised under the Personal Data Protection Bill should increase, and it should be easier for users to exercise their rights, Dvara Research said in its submission to the Joint Parliamentary Committee on the Bill. Unlike submissions by industry bodies such as NASSCOM and BSA, Dvara Research’s submission focusses at length on preserving and strengthening users’ rights. It also argues that the definition of a child under the Bill should be revised, as the current definition could severely restrict children’s ability to access data-driven services. For older children, the age threshold, currently 18 years, and the related obligations need a graded approach, as is the case with the RBI, the EU’s GDPR, and the Office of the Australian Information Commissioner.
In addition, the Bill must offer time frames for when different provisions and aspects of the Bill will come into force, it proposes.
- Expand user rights to strengthen users’ position and give them greater recourse against non-complying data fiduciaries. These should include:
  - Right to clear, plain and understandable notice for data collection
  - Right to be asked for consent prior to data collection
  - Right to adequate data security
  - Right to privacy by design (including privacy by default)
  - Right to breach notification
  - Rights relating to automated decision-making
  - Right to informational privacy
  - Right against harm
- Allow users to approach courts directly for both criminal and civil offences under the Bill. Also allow individuals to approach the Appellate Tribunal to challenge orders for seizure of documents, as was the case in the 2018 Bill.
- Right to Data Portability should deal with all data, not just data processed through automated means as it otherwise exempts data analyses by human analysts using tools that are not automated.
- Remove barriers to exercising user rights:
  - Make the exercise of rights free or subject only to a nominal fee. Right now, the Bill has a provision that allows data fiduciaries to charge “such fee as may be specified by regulations”. Data fiduciaries should accept requests for the exercise of user rights through multiple channels including “online lodging [editor’s note: logging], toll-free calling lines, e-mail, letter, fax or in person”, not just in writing or through a consent manager.
  - Automatically refer a rejected user request to exercise a right to an internal grievance redressal procedure within the data fiduciary. If it is not satisfactorily resolved within 30 days, the data fiduciary must give the user full details of how a complaint can be made to the DPA.
  - Narrowly define when a data fiduciary can reject requests from a user. Harm to other users is too broad an exemption; the fiduciary must instead undertake a balancing test (considering public interest and the effect on other users), and execute the right of the requesting user “by masking or removing the information pertaining to others who may be impacted by this request to the best extent possible”.
- Rights and obligations should be fulfilled irrespective of whether or not harm occurred; they should not be determined by the harm caused. Harm should be more broadly defined. Dvara has suggested one such definition:

Suggested definition of “harm” by Dvara Research: “‘harm’ is actual or potential injury or loss to an individual, whether such injury or loss is economic or non-economic, quantifiable or non-quantifiable”
Processing without consent needs to be fettered
- Notify users if their personal data is processed without consent to avoid information asymmetry between the user and the data fiduciary.
- Withdrawal of consent should not place liability on the user for all legal consequences of such withdrawal. It should just mean termination of the contract.
- Prescribe clear criteria for the DPA to specify “reasonable purposes” for processing personal data without consent. Obligation to notify users of the use of their data should be waived only in emergency situations.
- Employers should generally take consent of employees before accessing their data. If they cannot, the DPA must issue regulations to restrict the employers’ discretion, and require them to file a justification with the DPA or their Data Protection Officer.
Make Data Protection Authority independent again
- Independent members must dominate the management board of the DPA. Ideally, 4 of the 7 members of the DPA should be independent members.
- Selection Committee should consist of a cabinet secretary, a Supreme Court judge, and an independent expert, as was the case in the 2018 Bill.
- Limit DPA’s discretionary powers. Any enforcement action authorised by the DPA must be proportional to the contravention, and specific factors (nature and seriousness of the contravention, etc.) should determine the choice of the enforcement tool by the DPA.
- Mandate publishing of results of inspections or inquiries conducted by the DPA, as was the case in the 2018 Bill. The DPA must also release monthly reports on complaints received and annual reports on enforcement actions and complaints acted upon.
- Maintain a register of all codes of practice in force to provide convenient access to stakeholders and to promote transparency. Also, data fiduciaries and processors should be allowed to demonstrate before the DPA if they have adopted an equivalent or higher standard of practices compared to the prescribed codes of practice.
- DPA, not the central government, should retain certain powers as “it will have a day-to-day understanding of data practices because of its proximity to the market and its regulatory peers”. At most, the DPA could work in consultation with the central government, but the powers should remain with the DPA. These include: notification of more categories of sensitive personal data, specifying age-verification mechanisms, classification of significant data fiduciaries (and social media intermediaries),
- Mandate regional and zonal offices of DPA to make it easier for the DPA to discharge its duties and to offer locally accessible points of grievance redress. The DPA should be able to determine the location of these offices independent of the central government.
- Allow DPA to levy civil penalties for negligence as was the case in the 2018 Bill.
Government exemptions need to be curtailed
- Restore Section 42(1) of the 2018 Bill that exempted government agencies as it offered “meaningful” data protection through judicial oversight mechanisms.
Section 42(1) of the 2018 Bill: “Processing of personal data in the interests of the security of the State shall not be permitted unless it is authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved.”
- Reinstate the obligation for “fair and reasonable” processing and security safeguards as an overarching non-derogable obligation of all data fiduciaries so that exemptions under Section 36 can be blunted, and user rights be preserved. This will also ensure that users are not made less secure through the research exemption.
Remove Non-Personal Data from the Bill
- Remove all mention of non-personal data from the Bill as the Bill is related to personal data, not non-personal data which is “separate and distinct” from personal data. The government has already set up a separate committee of experts to come up with a data governance framework for dealing with non-personal data. Also, the moment the data being processed becomes anonymised or non-personal data, then entities cease to be “data fiduciaries” or “data processors” under this Bill.
- Redefine anonymisation in terms of a standard of “identifiability” rather than as an “irreversible” process by which a user can no longer be identified, because absolute irreversibility is unachievable at present.
Data fiduciaries need to be held to a higher standard of accountability
- List “well-reasoned parameters and guidelines” ex-ante to determine the criteria for classification as significant data fiduciaries, including social media intermediaries.
- Mandate notification of personal data breaches to the DPA, but let notification of users remain a subjective call of the data fiduciaries.
- Mandate implementation of the Privacy by Design Policy, not just its preparation.
- Participation in innovation sandbox needs more clarity: Objectives and perimeter of the sandbox must be clarified to avoid regulatory arbitrage or over-regulation. Also, data fiduciaries that take part in the innovation sandbox must ensure users’ rights. Exempting such data fiduciaries is an “uncommon vacation of consumer protections”.
Read all the other submissions made to the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019, here.