Opinion | The Personal Data Protection Bill is inadequate in the age of big data

Arunender Singhh 

The term big data has become a buzzword, used frequently, in both the private and public sector as well as in the online media world. According to a recent worldwide study conducted by IBM about 2.5 exabytes (1 exabyte = 1 million terabytes) of data are generated every day. Big data refers not just to the total amount of data generated and stored electronically but also to specific datasets that are large both in size and complexity.

It requires new algorithmic techniques in order to extract useful information from them. Data in all its forms has the potential to provide a wealth of useful information only if ways are developed to extract it.

Big data has the potential to have a huge positive effect by promoting efficiency, justice, customer service, and security, but it might also result in discrimination, privacy violations, and other chilling effects.

Need for Data Protection Law

Governments around the world are grappling with the challenge of protecting the personal data of their citizens. The Supreme Court of India while delivering a landmark decision in August 2017 held right to privacy as a fundamental right recognised under the Constitution. The decision came in the wake of a constitutional challenge to the Aadhaar programme that included the collection of biometric data of the citizens. It firmly laid down the concept of ‘informational privacy’ within the constitutional framework.

Nonetheless, in the second verdict (September 2018) the court upheld the constitutional validity of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act 2016, but with some important caveats. It goaded the government to come up with a law on data protection. After much deliberations and public consultations, the committee of experts under the chairmanship of Justice BN Srikrishna submitted its report and the draft Personal Data Protection Bill.

Towards Information self-determination 

The Bill puts into place the individual right over personal data heralding ‘information self-determination’. It grants right to access to data, the famous ‘right to be forgotten’ as well as data portability. It finds an echo with the European General Data Protection Regulation (GDPR). It defines personal data related to only a natural person that could be directly or indirectly be identified, for instance, name, online identifiers (IP addresses, cookies), etc. On the other hand, ‘sensitive personal data’ includes those possessing a degree of sensitivity like sexual orientation, finance, health, political belief, etc., processed subject to more stringent control. The heart of the Bill lies in the enumeration of eight data protection principles – fair and lawful use, purpose limitation, collection limitation, notice, data quality, data retention and accountability. The approach is similar to OECD privacy guidelines as well as the Council of Europe (Convention 108).

The key factors include data fiduciary (determines purpose and means of processing), data principal (individual whose data is to be processed) and the data processor (processes on behalf of data fiduciary). The building block of the law is the notice and consent framework underlying contours of free consent as well as grounds of lawful processing of personal data. The obligation of notifying data breach rests on data fiduciary and is made to the Data Protection Authority, a dedicated agency ready and able to act to secure interests of individuals.

Countering ‘Data Localisation’

The Bill attempts to tighten up the cross-border flow of personal data. It is based on ‘adequacy’ standard, i.e. data can only be transferred outside India if it is adequately protected in the country of reception — a call that will be taken by the Centre. The provisions underlie the spurt in data localisation that runs against the spirit of ungoverned cyberspace. As observed by noted American cyber-libertarian political activist John Perry Barlow that “[the Internet] is inherently extra‑national, inherently anti‑sovereign and your [states’] sovereignty cannot apply to us. We’ve got to figure things out ourselves”.

In the emerging scenario, countries are expected to embark upon harnessing their cyber prowess to gather strategic intelligence from a remote location. In 2004, the UN Group of Government Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) was established to develop a common approach to how governments should behave in cyberspace. Its 2015 report provided the foundation for an internationally recognised governmental cyber code of conduct. The concerted norm-setting processes currently underway would need to swiftly crystallise in the form of a legally-binding multilateral treaty as an institutionalised global response.

Countries have become more vulnerable and susceptible to data breaches accentuating the need for a robust legal regime for data protection. The emergence of ‘big data society’ and its predictive regime of truth based on obscure processes seem to be inadequately regulated by the existing data protection law.

The Bill is a modest attempt to put in place a legal framework. As said earlier, many of its provisions are a cut and paste job from the European model. Seemingly, it fails to provide its teeming citizens with a customised and tailor-made solution for data protection.

An effective data governance regime will require close collaboration across industry, international allies and partners, NGOs and with central, state and local governments.

(Arunender Singhh is pursuing a degree in law in Intellectual Property Rights at IIT Kharagpur. Views are personal)

For more Opinion pieces, click here.