Data Protection Bill, an unfinished piece of work

Shashi Tharoor has a strong case when he says that the personal data protection Bill should have come to the information technology standing committee. It does set a precedent when issues as important as the bill do not go through proper channels of debate. Because of the nature of the Bill, there is a tremendous amount of scope for discourse and disagreement.

Let us begin with the most debated aspect of this legislation, the Data Protection Authority (DPA). Because the mandate of the Bill is so large, it can only go on to set guidelines and give direction on where the data protection space should go. The heavy lifting of enforcement, monitoring, and evaluation has to fall on the shoulders of a different (and ideally independent) body. In this case, it is the DPA that has the duty to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the act, and promote awareness about data protection. The body needs to enforce the Bill down to auditing and compliance, maintaining a database on the website that has a list of significant data fiduciaries along with a ranking that reflects the level of compliance these fiduciaries are achieving, and act as a form of check and balance to the government.

However, the DPA may end up not being the force of objective balance that it has often been made out in the Bill. Here is why. The body will have a total of 7 members (a chairperson with 6 others). All of them will be appointed by the government, based on the recommendations of the cabinet secretary, secretary to the Government of India in the ministry (or department) dealing with legal affairs, and the secretary to the ministry (or department) of electronics and information technology. All of this falls under the mandate of the executive and has no involvement required from the judiciary or for that matter the legislative. Also, the current version of the Bill does not specify who (or which department) these recommendations will go to in the central government. Is it MeitY? NITI Aayog? PMO? There is no clarity.

One cannot help but notice a pattern here. The Bill itself is going to go to a committee dominated by members of the ruling party and the enforcer is going to be wholly constituted by the executive.

Where is the feedback loop? Or the chance for scrutiny? You could at this point begin questioning how independent the DPA is going to be in its values and actions.

That is not to say that the Bill is all bad. Specifically, it does a good job of laying out the rights of the personal and sensitive personal data of children. And that is not often talked about a lot. The Bill here has a unique approach where it classifies companies that deal with children’s data as guardian data fiduciaries. That is crucial because children may be less aware of the risks, consequences and safeguards concerns and their rights in relation to the processing of personal data. Here the Bill clearly requires these guardian data fiduciaries to demand age verification and consent from guardians for data processing. Also, fiduciaries are not allowed to profile, track, monitor or target ads at individuals under 18.

This is a loss for Facebook. The minimum age to be on the social media platform is 13. And Facebook’s business model is to profile, track, monitor, and micro-target its users. One of two things will happen here. Facebook will either have to change the bar for entry onto the platform to 18 as per the Bill. Or, it will need to ensure that its algorithms and products do not apply to users who are below 13. Either way, expect pushback from Facebook on this, which may or may not result in the section being modified.

The other thing the Bill should add on children’s rights is the requirement to simplify privacy and permissions for children to be consistent with global standards. For instance, the GDPR mandates asking for consent form children in clear and plain language. There is value in making consent consumable for children and for adults. So provisions in this regard should apply not just for children but also for adults, mandating a design template on how and when consent should be asked for.

In sum, the Bill is an unfinished product in so many ways. It has good parts, such as the section on the personal and personal sensitive data of children. However, it needs debate and scrutiny from multiple stakeholders to guide the DPA to be the best version of itself and it is in the government’s hands to make that happen.