
Data Protection and the Bill of Unintended Consequences

      This write-up describes first impressions of the 2022 Indian bill dealing with data protection. It has not been edited, and considering that it's been drafted after close to 36 hours without sleep — some days are especially long — it will almost certainly be rethought and edited at some point.

It's difficult to miss the deficiencies of the 2022 Digital Personal Data Protection Bill: the proposed statute appears to be well-intentioned, and it does attempt to protect those whose data is collected, 'data principals' as the document refers to them, but its inability to set meaningful boundaries and to draft with a degree of specificity has resulted in its falling far short of its ostensible aims.

The bill does not go so far as to explicitly state that only such personal data as is essential to provide services or goods may be collected, and then retained for no longer than necessary or until the data principal withdraws consent for data retention. It does, however, attempt to limit the collection and processing of personal data through the Explanation to Section 5 and through Section 7(8). The latter provision reads: "The performance of any contract already concluded between a Data Fiduciary and a Data Principal shall not be made conditional on the consent to the processing of any personal data not necessary for that purpose". Unfortunately, as is obvious from Section 5, which only allows data processing for a 'lawful purpose', meaning any purpose 'not expressly forbidden by law', those who wish to deal with others' data have free rein provided they do not act in a manner inconsistent with the other provisions of the legislation.

Structural Issues

The evident desire to protect data principals is rather dampened by three factors. Firstly, the provisions intended to protect them are often clearly inadequate. For example, Section 9(5) contemplates having data principals informed of data breaches affecting them, but then fails to accord them meaningful protection by omitting from its text any mention of a time frame within which breaches must be communicated.

Secondly, not all the provisions of the bill appear to have been carefully thought through. For example, Section 18(1)(c) states that various provisions of the proposed statute shall not apply where 'personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law'. Even if the beneficiaries of the exemption were limited to law enforcement agencies, that would probably spark a valid debate on the propriety of the exemption. However, there is no such limitation, which presumably means that the exemption applies to absolutely anyone, whether a law enforcement agency or a private person wanting a shot at playing Sherlock Holmes in real life. It is hard to believe that this is the intention of the bill, despite its being what the text indicates.

And, thirdly, the bill is disjointed. Provisions relating to data fiduciaries acting in conjunction with others, to take just one example, are sprinkled throughout the proposed statute in Sections 2(5), 9(2)(b), 9(9), and 12(3). As a result, it is, unsurprisingly, remarkably difficult to read the bill as a coherent whole.

Definitional Issues

To compound the concerns springing from the bill's failure to explain, and potentially to realise, its underlying rationale, the 2022 Digital Personal Data Protection Bill seems to demonstrate that there are times when not even plain English can shield a document from manifest vagueness, whatever may recommend the use of plain English in legal drafting.

To begin with, the definitions in the bill are so unclear that it is difficult to determine what they are intended to apply to.

'Personal data', according to Section 2(13), 'means any data about an individual who is identifiable by or in relation to such data'. This does not seem to exclude anonymized personal data from the term 'personal data'; the definition is entirely agnostic to possible anonymization and de-anonymization. As long as an individual can be identified directly or obliquely through data, that data is personal data. This interpretation seems to be confirmed by Section 9(6), which shows that the bill is not oblivious to the possibility of anonymizing personal data. The problem with that interpretation of the definition, however, even leaving aside the fact that the relevant provisions are not exemplars of clarity, is that the proposed Section 2(12) entirely unhelpfully states:

“person” includes— (a) an individual; (b) a Hindu Undivided Family; (c) a company; (d) a firm; (e) an association of persons or a body of individuals, whether incorporated or not; (f) the State; and (g) every artificial juristic person, not falling within any of the preceding sub-clauses;

An individual presumably refers to a sentient being, likely a human, given that the proposed Section draws a clear distinction between it and the various other categories of persons envisaged by the bill. However, devoid of legislative clarification, one cannot be certain. To make matters even more confusing, the definition of 'personal data' in the bill refers only to individuals. Unless the word 'individual' (undefined in the bill, incidentally) is intended as a demonstration of synecdoche in action, it would appear that personal data does not go beyond the data of individuals, whoever they may be.

Social Implications

Even more worrying is the fact that the provisions of the bill do not apply to 'personal data processed by an individual for any personal or domestic purpose' according to Section 4(3)(c). Assuming that 'individual' means a 'human being', this potentially legalises such acts as a parent using personal data to track down their adult child who has chosen to leave their familial fold for whatever reason — when an additional factor such as a marriage not approved by the adult's natal family is at play… Well, we've all heard far too many chilling stories to know how and what 'data processing' could lead to.

Further, under Section 4(3)(d), 'personal data about an individual that is contained in a record that has been in existence for at least 100 years' is excluded from the scope of the bill — since this exclusion clearly cannot apply to most human beings who are alive in their own capacity, if it is to apply to them at all, it must apply to them in relation to their ancestors.

In a society where social standing is often determined by birth and in a state where citizenship is usually determined by blood, it is not at all difficult to visualise how excluding the scope of legacy data from the ambit of the bill could be weaponized to target the vulnerable and the marginalised.

Legacy data that is a century old was not digitised from inception, and, lo and behold, Section 4(3)(b) explicitly excludes offline personal data from the scope of the proposed statute. That provision is complemented by Section 4(1), which states that, if passed, the act shall 'apply to the processing of digital personal data within the territory of India where: (a) such personal data is collected from Data Principals online; and (b) such personal data collected offline, is digitized', without a word on how offline data should be treated prior to digitisation.

The extent to which the bill, with its apparent focus on data processing in the corporate sphere, appears to be oblivious to the possible social implications of its text is truly breathtaking.

Conceptual Concerns

Section 4(3)(a) of the bill specifies that data processing must be automated for the proposed act to apply to it — the bill does not contemplate hybrid processing with the active involvement of a human being. So, presumably, to escape having the proposed act apply, if the bill is passed in its current form, all that would need to be done is to ensure that data processing was not entirely automated.

The most startling feature of the bill, however, appears in Section 3, which states that 'unless the context otherwise requires, a reference to “provisions of this Act” shall be read as including a reference to Rules made under this Act'. Much of the detail which would be required to turn the bill into an implementable statute has been left to subordinate legislation, and this Section could potentially, though one hopes improbably, do away with the traditional hierarchy which requires subordinate legislation to conform to the letter of its parent statute in order to be valid. It appears to treat the two at par, without a single word about how inconsistencies between the rules and the statute are to be addressed, or about why it has been deemed necessary to effectively place subordinate legislation, which for all practical purposes can come into being by bureaucratic fiat, at par with legislation that wends its way through parliament via consultation and debate.

A Domino Effect

Unsurprisingly, the issues in the bill go far beyond its resting on a shaky foundation: they seep into other areas of law too. For example, personal data is a subset of data, which Section 2(4) defines to mean 'a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means'.

Section 8(7) states: 'A Data Principal is deemed to have given consent to the processing of her personal data if such processing is necessary … for the purposes related to employment, including prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, recruitment, termination of employment, provision of any service or benefit sought by a Data Principal who is an employee, verification of attendance and assessment of performance.'

Read in the context of the scheme of the proposed statute, it could be argued that the provisions defining data, personal data, and deemed consent could effectively allow the data mining of works protected by copyright, thereby establishing, against the scheme of the 1957 Indian Copyright Act, a parallel statutory mechanism which flirts with copyright concerns. Somehow, it doesn't appear that the Digital Personal Data Protection Bill was drafted with the intention of achieving such an outcome.

Deemed consent itself is a concept that, as it currently stands in the bill, is challenging to justify. For example, 'public interest' as contemplated by Section 8(8), which deals with deemed consent, read with the definition of the term in Section 2(18), somehow suggests that mergers, amongst other overwhelmingly corporate acts, are tied to the public interest. The bill does not explain why or how this is the case.

If there was ever a bill crying out for a line edit, this is it. One can only hope, for all our sakes, that the 2022 Digital Personal Data Protection Bill receives careful consideration: its heart appears to be in the right place. Much of the remainder of its content, sadly, seems to be misplaced at the moment.

This post is by Nandita Saikia and was first published at IN Content Law