Skip to main content

First Impressions: The Data Protection Bill

The Personal #DataProtection Bill appears to be an exercise in contouring human rights to serve capitalism. It clearly recognises privacy as a fundamental right at the outset itself but links the importance of data protection to the economy alone.

Considering the structure of the Data Protection Bill indicated at the outset, it's unsurprising that it makes many of the right noises in terms of recognising rights but, when it comes to ensuring that the ideal is achieved, it often falls short.

The first post-definitional line speaks of "Fair and reasonable processing", for example, and that sounds fab BUT it is a policy statement. Sans clear rules, it isn't enough.

(You know where else "fair" is used. Copyright law. Fair dealing. The result: piles of litigation about what constitutes fairness.)

Without specifics, expect litigation. Which, of course, few have the wherewithal to engage in.

Where there's been the opportunity to circumscribe what can be done with others' personal data, the opportunity has largely been squandered in a morass of provisions that are vague and often consent-centric, where consent is required at all. 

Even the requirement of consent, though it finds mention in the Data Protection Bill, may be inadequate. The definition of data processing is, for example, effectively all encompassing and the requirement that consent be "specific" for data to be processed is geared to specifying the aim of processing in the case of personal data. Although specificity additionally contemplates operational specificity in the case of sensitive personal data, given that the two categories of data are relatively fluid, it isn't obvious that the specificity requirement in relation to consent would be enough to protect individuals. 

There appears to be an emphasis on accountability which is arguably betrayed by the contemplation of "privacy by design" in the Bill. However, accountability mechanisms may not be appropriate or adequate simply because restorative justice isn't a certainty: if wrongful disclosure leaves one ostracised or dead (as is possible in a hierarchical, often-violent society) there's no undoing damage.

Privacy, by design or otherwise, may mean next to nothing without suitable pre-breach protection. Accountability mechanisms may be adequate if one's focus is the market and one limits oneself to addressing the annoyance caused by a pop-up. It is entirely inadequate in many other circumstances.

Compounding concerns is the fact that the #DataProtection Bill is consent-centric & there is also the worry that those who wrongfully disclose data could escape accountability on the technicality of having "consent" (if they do) which, of course, is easily obtained in the real world.

Consent centricity expects techno-legal savvy which most lack & is a concern. It isn't at all clear why a consent-centric model has been adopted instead of a rights-focused one in which what should ideally be inalienable rights cannot possibly be waived by contract. 

A rights-focused model would also have ameliorated concerns about data processing without consent. Not all data processing without consent is immediately bad (eg to enforce court orders) but, bereft of a viable rights-based approach (eg explicitly limiting processing to what's essential for the purpose), it's susceptible to misuse. And that is obviously problematic.

Even if the Data Protection Bill is passed sans amends, there remains the opportunity to refine & improve it via subordinate legislation. That's not an ideal solution but it's better than nothing.

That said, given the gravity of existing concerns, one can only hope that the Bill's revised.

(Edited & cross-posted from Twitter; updated on 29 July 2018.)