Personal Data Bill: Here are four significant ways it affects your rights

Under the new Data Bill, your personal data has been left completely unprotected if you made it public or if it was made public under a law.

After years of work going into the development of a data privacy law, there is now every indication that the government intends to get the Digital Personal Data Protection Bill passed in Parliament this session. There is a sense of urgency now that the legislation should at least get the basics right to ensure smooth development of this new area of law in future. While the most recent iterations of the Bill have attempted to simplify it and address worries regarding data localisation, many old issues remain and a number of fresh concerns have emerged.

Some of the gravest issues such as the failure to reform surveillance, exemptions to the government, the independence of the data protection regulator, the power to block webpages, and amendments to the right to information law have been touched upon elsewhere, so only four of the less obvious (but equally significant) ones are discussed below:

Consent

With a data protection law, there should be clarity about when your personal data must be used only with your consent and when it can be used even without your consent. It should also be clear what counts as consent and what doesn’t.

The new Bill, however, has two overlapping provisions. There is one provision which says that data can be processed if consent for this processing is given through a clear affirmative action after receiving adequate information. On the other hand, there is another provision which says that your data can be processed if you have “voluntarily provided” it and have not actively refused consent.

This failure to refuse or withdraw consent is treated as permission to process the data. This second provision makes the first redundant. If your data can be processed under the second provision without you clearly agreeing to it through some positive action and without you having to be informed about what you are agreeing to, then what is the point of requiring those things in the first provision?

This is likely to lead to confusion about the correct legal standard for consent under data protection.

Necessity, Notice, Non-Consensual Processing

When should your personal data be used without asking for your permission? Previous drafts of the Bill had clarified that this could be done if it was “necessary” for governmental functions, legal obligations, emergency situations etc. The person taking your data has to show they really need it and don’t have viable alternatives.

This requirement is a critical part of how privacy is prioritised and is also part of the test for privacy laid down by the Supreme Court in 2017. If your identity can be verified in more ways than one or if your job application can be assessed without asking for your political views or health status, then you shouldn’t be forced to give up such extra information, even if it helps the verification or assessment process in some loose or speculative sense.

Part of what makes this work is that the purpose for usage has to be fixed and specified in a notice sent to you. Under the new Bill, for a range of non-consensual purposes, there is no need for notice and the word “necessary” has been removed. Thus, your data can be processed in unnecessary ways and without informing you.

Publicly Available Data

Under previous versions of the Bill, publicly available personal data was treated as a special category that required special treatment. In early versions, specific safeguards for the use of public data were supposed to be laid down by the government in more detailed rules.

In the 2022 version, the requirement for safeguards were removed, but usage of such data was still subject to various duties such as maintaining accuracy, deletion after certain periods of time, and accepting requests from persons who wanted to correct inaccurate data, for example.

Under the new Bill, your personal data has been left completely unprotected if you made it public or if it was made public under a law. But the idea that personal data loses all claim to privacy once it is made public is inaccurate.

Consider how someone can morph a public photograph of yours or take your phone number from a webpage to put you on a marketing list. This kind of usage can and does happen, and you should have the right to prevent it.

Journalism

Journalists use and publish vast quantities of personal data without the consent of the persons involved. In fact, when news is about public figures and authorities, asking for the consent of the person involved is entirely counter to the idea that journalists have to keep the public informed and hold officials accountable, even if they err on the side of caution at times.

Out of respect for this critical function and the role of the free press, data protection laws across the world exempt journalists. The latest iterations of the Bill fail to do so, leaving a huge question mark on how journalists can carry out their functions effectively if they are subjected to a wide range of data protection duties and can’t even process data without consent.

While some of the other issues with the new Bill continue to be discussed more prominently, the four concerns mentioned above warrant greater public attention as well.

Lalit Panda is Senior Resident Fellow (Charkha) at Vidhi Centre for Legal Policy. Views are personal, and do not represent the stand of this publication