In an article published by Harvard Business Review1, authors termed data science as the sexiest job of the 21st century. If such an inference is to be drawn, then it is implicit that the raw data upon which data scientists run statistical modelling and analysis, thereby producing cleansed data for machine learning, is the new gold mine.
Being a former statistician, the term ‘data’ is very dear to me for I have spent countless days and nights analysing it. A layman may not be able to fully comprehend what can be drawn from the raw data, but as a student of both statistics and law, I am able to somewhat appreciate what data can provide upon analysis, how it can be used to increase the business manifold, and to violate a myriad of fundamental rights, that too without anyone knowing until it’s too late should that be the intention. Apart from these intended outcomes, there is a risk hovering over us if the security of data is breached and it falls into the hands of someone harbouring a not-so-noble intention, which will then necessarily be one of the worst nightmares.
Data is capable of comprehensively narrating your past and present; your choices; your general course of action; your decisions; and can even be used for projecting whom you may probably vote for in the coming elections, all at the same time. Be aware that predicting your purchase choices, which you very often see in the form of targeted marketing on various e-commerce applications and websites based on your past search history and browsing behaviour, is the least of its majesties and I dare say, one of the nobler ones.
A critical point which I would like you all to know before moving forward with this paper is: “Same data when analysed with different aims gives different results”. This is very crucial for understanding the possible impacts of analysing data for aims other than those to which the individual consents, and why data must only be analysed for the aim to which consent is given by the individual. Analysing data for anything other than the consented objective will have major ramifications and unimagined effects on your ‘privacy’.
In view of technology growing faster than ever, and data being collected more than ever, it becomes imperative to have a set of laws to govern data processing and analysis. As the need for such a law grew, so did the question: do we have a fundamental right to privacy? For any law to be enforceable, it needs to be free from any curb of fundamental rights. Therefore, this question of law became more important than ever to be settled, once and for all. The decision will have a direct impact on the constitutionality of laws passed for the regulation of data. The story of how this question came before the Supreme Court of India is narrated as you move forward in this paper.
Hon’ble Justice K. S. Puttaswamy (Retd.) of Karnataka High Court challenged the decision of the Union Government before the Hon’ble Supreme Court of India, over making Aadhaar mandatory. For those who may not be aware of Aadhaar, it is a database of biometric data of people residing in India and, apart from being considered one of the most acceptable proofs of identity and verification, it is required for compliance with many government directions, and to avail benefits of many government schemes. Justice K. S. Puttaswamy was aggrieved by the fact that the government had made it mandatory to register yourself in the Aadhaar database, and therefore he challenged it in the exercise of his right as enshrined in Article 32 in Part III of the Constitution of India. It was the understanding of many that mandated collection of biometric data by the government amounts to a violation of the fundamental right to privacy which is implicit in Article 21, which deals with Protection of Life and Personal Liberty.
The Supreme Court, while hearing this petition through a Bench of three learned Judges, noted that there were decisions of Benches which were contradictory to each other in the interpretation of the fundamental right to privacy. The learned Attorney General of India submitted before the Bench that in M P Sharma v Satish Chandra, District Magistrate, Delhi2 and in Kharak Singh v State of Uttar Pradesh3, there were observations that the right to privacy is not specifically protected in the Constitution; these were rendered by Benches of eight and six learned Judges respectively. The petitioners, in turn, submitted that both of the aforesaid judgments were given in the light of A K Gopalan v State of Madras4, which basically held that each provision in Part III (Fundamental Rights) of the Constitution enjoys a distinct protection. It was held not to be good law by an eleven-judge Bench in Rustom Cavasji Cooper v Union of India5. They also mentioned that the majority opinion of Kharak Singh (Supra) was specifically overruled in Maneka Gandhi v Union of India6. In light of these arguments, the Hon’ble three-judge Bench analysed the matter further and noted that there are some judgments which have held that the right to privacy is protected by the Constitution, namely Gobind v State of Madhya Pradesh7, R Rajagopal v State of Tamil Nadu8, and People’s Union for Civil Liberties v Union of India9. However, these judgments were rendered by Benches of smaller strength than those in M P Sharma (Supra) and Kharak Singh (Supra). Therefore, in view of the importance of this decision, the learned three-judge Bench ordered the question of law, “Is Right to Privacy a fundamental right under Constitution of India?”, to be listed before a Bench of appropriate strength. The same was then listed before a Constitution Bench presided over by the then Hon’ble Chief Justice of India, which considered it appropriate for the question to be decided by a nine-judge Bench.
Subsequently, the question of law was settled by the nine-judge Bench in favour of the right to privacy, and, inter alia, the following was held: “The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.”
This landmark judgment10 set the status of the right to privacy as a fundamental right in stone, and acts as the light under which all future legislation on data protection or processing is to be based.
In that judgment dated 24th August 2017, Hon'ble Justice D.Y. Chandrachud held that right to privacy is an intrinsic element of the right to life and personal liberty under Article 21. He also made it clear that as the right to life and personal liberty is not absolute, in a similar fashion right to privacy shall not be absolute. The limitations which operate on right to life and personal liberty shall also operate on right to privacy. The backing of law for any curtailment of this right will be required, and the procedure established by law to do so must be fair, just and reasonable. The said law shall also be subject to constitutional safeguards.
Justice D.Y. Chandrachud also stated the conditions which are required to be satisfied before a restriction can be applied on this right. Three conditions need to be satisfied: first, there is a legitimate state interest in restricting the right; second, that the restriction is necessary and proportionate to achieve the interest; third, that the restriction is by law. This test lays down a finely crafted sphere of judicial protection of personal data of an individual.
As a side note, for the knowledge of the reader, Aadhaar Act11 was later on held to be constitutionally valid by the majority opinion12 of Constitution Bench. With due respect to the majority opinion, I most humbly concur with minority opinion of Justice D.Y. Chandrachud as far as it concludes that the bill which was introduced in parliament to give legislative standing to Aadhaar should not have been allowed as a money bill and it was completely erroneous on the part of the then Speaker of Lok Sabha to allow such introduction.
Further, the sphere of privacy includes a right to protect one’s identity. This right recognises the fact that all information about a person is fundamentally her own, and she is free to communicate or retain it for herself.13 This makes it clear that the right to decide whether the data should be used for analysis, or machine learning, or in any way be processed with an aim to draw some conclusion(s), always rests with the person, who may decide either way. This right is of paramount importance, and as an effect of this right, any analysis of data without explicit consent is done at the peril of whosoever does so.
This right to privacy is, of course, subject to reasonable and fair restrictions, as are many other fundamental rights. But there is a minute difference between this and other fundamental rights, which is that a violation of this right may occur without the knowledge of the person whose data is used, and he may not be able to sue the violating entity/person. This makes a point here: the balance of scales must be tilted in favour of the person whose data remains at risk of unlawful exploitation, while the person or entity who is involved in such unlawful activity suffers no harm unless and until their act is caught; even after that, there is a process of law which does take considerable time. Therefore, at every juncture, wherever a lacuna may occur, the rights of the person whose data is analysed should be given the highest order of precedence against any and every profit-making business or even government, for India till date is not a police state but rather a welfare state.
The union government, in the course of the hearing, placed on record that they were constituting a committee under the chairmanship of Hon’ble Justice B.N. Srikrishna, a former judge of the Supreme Court, to examine the data protection laws and suggest a framework for the protection of the right to privacy. It was on the suggestion of this committee that the government introduced The Personal Data Protection Bill, 2019 in Lok Sabha on 11th December 2019, but not without bringing certain changes in the suggested framework. The same was pointed out by Justice Srikrishna in a webinar14. Now I shall go on to discuss relevant provisions of this bill along with some important definitions and distinctions.
This Bill15, as per its aims, strives to provide protection for an individual’s privacy, and create a sense of trust between the persons and entities processing their personal data. A watchdog for data protection is also intended to be established by the provisions of this Act, which is to be known as the Data Protection Authority of India, and shall regulate the data analysis. It will also carry the obligation of ensuring the availability of remedies to the aggrieved individuals, hearing their grievances and providing a lawful remedy if their concerns and prayers are bona fide.
This Bill is branched into 14 chapters and a schedule; which contains, inter alia, definitions in section 3 of chapter I; obligations of data fiduciary enlisted in chapter II; grounds for processing personal data without consent in chapter IV; rights of data principal in chapter V; exceptions in chapter VIII; establishment and scope of Data Protection Authority of India in chapter IX; penalties and compensation in chapter X; and establishment and scope of Appellate Tribunal in chapter XI.
It is important to mention at the very outset of critique of this bill, that it does not apply to the processing of anonymised data (as per section 2(B) of this Act), except when dealing with anonymised data under section 91. The term ‘anonymised data’ means the data which has gone through the process of ‘anonymisation’ as defined in section 3(2), which means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Data Protection Authority of India (hereinafter also referred as Authority). Section 91 mainly deals with the right of the Central Government, in consultation with Authority, to enquire about any data fiduciary or data processor to provide any personal data anonymised or other non-personal data so as to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government.
‘Data Principal’ is defined in section 3(14); it means the natural person to whom the personal data relates. Further, ‘Data Fiduciary’ is defined in section 3(13); it means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of the processing of personal data.
A relation between data principal and data fiduciary is implied to be a relation of trust, and there exists an expectation that data fiduciary will ensure that the personal data collected will not be used for any purposes which aren’t consented by data principal. When such a trust is breached, data principal should have every right to pursue legal action against the responsible data fiduciary including the right to be erased from the database of such data fiduciary.
Often the data fiduciary may not process the data themselves but may outsource this to another person or entity. Such a person or entity who undertakes the processing of the personal data on behalf of the data fiduciary is called a ‘data processor’, and will be liable for legal action, should any harm be caused to the data principal due to any breach of such data or violation of rights for which such data processor has been found to be responsible.
It is also noteworthy that as per section 31(1), a data fiduciary shall not engage, appoint, use or involve a data processor to process personal data on its behalf without a contract entered into by the data fiduciary and such data processor. In extension of this, section 31(2) states that the data processor referred to in section 31(1) cannot engage, appoint, use or involve another data processor in the processing on its behalf, except with the authorisation of the data fiduciary and unless permitted in the contract referred to in section 31(1). These form a necessary safeguard against the engagement of an unauthorised entity in such processing, as it may increase the risk exposure of the personal data if such unauthorised entities are provided access to such data.
The relevant section, i.e. 3(20) is quoted below for the quick reference:
The definition of what may constitute as ‘harm’ under this bill is listed in section 3(20), and is very inclusive. In this context, I will particularly appreciate clause (x) of this section to include any observation or surveillance that is not reasonably expected by the data principal. This clause will give the necessary free space for judicial interpretation should the need arise, and can act as a protective shield for data principal.
A distinction has been introduced vide section 26(1) of this bill, as it creates a class of data fiduciary which is to be known as ‘significant data fiduciary’ on the basis of certain criteria as given in this bill. Section 26(1) enumerates conditions under which a data fiduciary or a class of data fiduciary can be notified as a significant data fiduciary by the Authority. Sections 27 to 30 provide the obligations and duties of a significant data fiduciary, which are intended to be a bulwark of sensitive personal data.
There exists a non-obstante clause in section 26(3), which gives the Authority a right to apply all or any of the obligations specified in sections 27 to 30 to any data fiduciary or class of data fiduciary when the Authority believes that any processing by such data fiduciary or class of fiduciary carries a risk of significant harm to any data principal. Such a provision will take care of a situation which is non-existent today, but may arise in future and carry a risk of significant harm to the data principal. The bill does not explicitly declare such a data fiduciary as a significant data fiduciary, though all the obligations and duties of the latter are made applicable to the former as well. Thus, they become de facto significant data fiduciaries.
There was an infamous scandal of Facebook-Cambridge Analytica, where data of around 87 million Facebook users was harvested by Cambridge Analytica. A questionnaire was used for the data breach; the first step was to grant access to the user’s Facebook profile. Once that was done, the app made its way into their profile and harvested not only their data but also that of their Facebook friends. It was an assumption of many that it was a general quiz on Facebook, but that wasn’t true; in fact, it was a lengthy psychology questionnaire hosted by Qualtrics.16 The data which was harvested sans consent was used for targeted political advertisement.17
It is my belief that it became the catalyst for the inclusion of section 26(4), which provides for the inclusion of any social media intermediary as a significant data fiduciary. Any such data processing entity cannot be left at large when they have a potential to directly or indirectly affect elections, as fair elections are the very basis of any democratic setup. Also, section 5(b) mandates that personal data may only be analysed for the purposes which are consented to by the data principal. It effectively prohibits analysis of personal data for election purposes, unless expressly agreed by the data principal.
Data retention after such data has served the objective to which the data principal had given consent is now prohibited under section 9. An obligation has been created upon the data fiduciary to conduct periodic reviews to determine whether it is necessary to retain personal data in its possession.
An essential feature of the right to privacy is the right to withdraw your consent. When consent is given to analyse or process your personal data, it has to be a consent with the nature of continuous qualification i.e. continuous consent of the data principal until the same is withdrawn, and as soon as it stands withdrawn, every processing of his personal data must immediately be stopped. This unique nature of consent relating to the processing of personal data is recognised and protected under section 11(2)(e). I can’t help but praise the inclusion of such a right to withdraw consent for it is most important to the effective enforcement of the right to privacy.
Right to be forgotten is materialised in section 20 of this bill, however, it may be enforced only on an order of the Adjudicating Officer made on an application filed by the data principal. I believe that such an application should not be made necessary, and the right should have been made enforceable upon the receipt of first such request of data principal made to data fiduciary, save for the provisions of section 12 of the bill. Section 12 takes care of the scenarios where a need to retain personal data for public good overrides the right of data principal to be forgotten. The provision of application should be made less troublesome for individuals by allowing them to file an application online, and speedy enforcement of the same must be ensured without creating unnecessary impediments.
Section 24 mandates the data fiduciary and data processor to implement safeguards for the security of data, which include encryption, de-identification, and the prevention of misuse of and unauthorised access to personal data. This section remains an important part of the directions to the data fiduciary and data processor.
Section 25, at its face value, may look like a positive step in ensuring that the data breach does not go unreported but a perusal of its sub-sections shows that it may not be as noble as it appears. There are two points which I would underline and explain in relation to this.
Firstly, every data fiduciary is duty-bound by section 25(1) to report to the Authority any breach of personal data processed by such data fiduciary where the breach is likely to cause harm to any data principal. The problem which lies here is the way the term ‘likely to cause harm to any data principal’ has been used; this undoubtedly leaves the decision of whether the breach may harm the data principal or not to the data fiduciary, who has an interest in hiding such a breach. They should not be allowed to make this decision and every breach, whether or not it is likely to harm the data principal, should be reported to the Authority.
Secondly, section 25(5) states that upon the receipt of the notice, the Authority shall determine whether such breach should be reported by the data fiduciary to the data principal, taking into account the severity of the harm that may be caused to such data principal or whether some action is required on the part of the data principal to mitigate such harm. The problem with this section is that the Authority has been given the right to decide whether such breach should be reported to data principal; this discretionary right amounts to gross violation of right to privacy and right to withdraw the consent. Every breach, no matter how small or large, should be informed to every data principal whose data has been affected or may have been affected for this may be the basis on which he may choose to withdraw his consent. Even if the harm is minimal or no harm has been caused or data principal is not capable of doing anything to mitigate the damage, then also hiding of such crucial information is tantamount to alienating the data principal of his right to make an informed decision as to whether he would like to withdraw his consent and/or pursue legal recourse. Thus, upon receipt of notice of such breach, Authority should be duty-bound to report it to every data principal whose data had been affected or may have been affected.
Therefore, I vehemently register my dissent for the following sub-sections of section 25:
Section 27 is an important section regulating the significant data fiduciary who intends to undertake any processing involving new technologies or large-scale profiling or use of sensitive personal data such as genetic data or biometric data, or any other processing which carries a risk of significant harm to data principals. Such processing is not allowed to be commenced unless the data fiduciary has undertaken a data protection impact assessment in accordance with the provisions of this section. This assessment needs to be submitted to the Authority, which, on receipt of it, if it has reason to believe that the processing is likely to cause harm to the data principals, may direct the data fiduciary to cease such processing or direct that such processing shall be subject to such conditions as the Authority may deem fit. This forms a crucial piece of this bill which will deter the processing of sensitive personal data which is not in accordance with the law, or may be used for unlawful purposes.
The most important part of this critique comes here: there exists a section 35 which may be considered a little controversial as it gives an unfettered discretionary right to the Central Government to exempt any agency of government from the application of this bill. It may be questioned on grounds of necessity as section 12 already exists for such purposes; and to lawfully restrict a fundamental right, legitimate necessity should be proved before it is given a backing of legislation.
The question arises when personal data may be processed, if necessary, under the following sections:
In view of the above, there appears to be no need of inclusion of section 35 where a discretionary power is granted to the Central Government to unilaterally infringe the fundamental right to privacy in the name of sovereignty and security.
It is my belief that Justice Srikrishna referred to this section when he condemned the revised PDP Bill for watering down an important provision which was protecting the right to privacy and said “Hopefully, the wise 32 men in Delhi will ensure that this right is not infringed” in his webinar (referenced above in this paper).
I am very much motivated to comment upon the constitutionality of this section as well; however, I will refrain from it. I will, however, go on to mention that I too, like Justice Srikrishna, will rest my faith upon those 32 learned men and women sitting in Delhi, for they have thwarted such unholy attempts innumerable times.
This paper started with discussing various capabilities of data and equating it to one of the most important resources of this digital age. Then we went on to look into how the Supreme Court granted the right to privacy a constitutional validation of a fundamental right under Article 21. In order to regulate data processing, so that it does not violate the right to privacy, the Central Government constituted a committee chaired by Justice B.N. Srikrishna to examine the data protection laws, and suggest a framework for the protection of the right to privacy.
Upon receiving the recommendations of this committee, the Central Government introduced The Personal Data Protection Bill, 2019 on 11th December 2019, and it was referred to the standing committee on the same day. The bill is, therefore, pending before Lok Sabha. It has not yet made its way to Rajya Sabha. Thus, this is the appropriate time to write a critique of this bill, in the hope that this will be heard by the Parliament.
Data principal and data fiduciary have a special kind of relationship where the former entrusts the latter with his personal data. This equation entirely rests upon the trust which the data principal has in the data fiduciary, and it should be kept in the highest degree by the data fiduciary. Ensuring the security of the personal data is the sole responsibility of the data fiduciary and/or data processor, as the case may be. In case of a breach of such data, the trust which the data principal had also comes into question. Therefore, any breach of data should be followed by a review of their consent by each data principal with respect to that data fiduciary under whose nose such breach has occurred.
The relevant provisions of the bill have been commented upon in detail. So, to avoid the repetition of the information and for the sake of brevity of this paper, I’ll only enlist the provisions which, in my humble opinion, require a review:
With this, I hereby rest my pen with a hope that data analysis and fundamental rights can work hand in hand, respecting the moral boundaries which ought not to be crossed in a democracy.