With the Parliamentary Committee’s draft Data Protection Bill (DPB), not only can individuals’ data be used without their consent (non-consensual), but data that the State functionaries know to be incorrect could continue to be used without the consent of the individuals. State functionaries include the Central or State Governments, through their designated officers, or competent courts. This is a key concern for individuals’ privacy as well as equity and justice.
Why does this matter, especially now? If the Bill is realised in its current form, then employees’ personal data such as working hours, menstrual leaves and break hours could be used by employers to surveil and rate them without their consent, besides structuring work hours so as to minimise costs for the company. To understand non-consensual data processing in India, we need to look closely at the existing and proposed structures that have implications on how citizens live and avail welfare benefits.
A Joint Parliamentary Committee (JPC) was set up by the Parliament on December 11, 2019, to examine the Personal Data Protection Bill, 2019 (PDP Bill). Chaired initially by Ms. Meenakshi Lekhi, and now by Mr. P. P. Chaudhary, the Committee tabled its report before the Parliament on Thursday, 16 December 2021.
Based on public comments and internal deliberations, the JPC put forth the DPB containing numerous revisions to the PDP Bill of 2019. Of the several changes proposed by the committee, those concerned with expanding the scope of non-consensual data processing are particularly concerning.
Globally, data processing adheres to certain standards. Consent from the individual concerned or the ‘data principal’, is recognised as a global standard for the collection, sharing and processing of data. In some situations exemptions are made in which the individual’s data undergoes processing for legal obligations, tasks carried out in public interest, and to protect the vital interest of an individual.
The European Union’s General Data Protection Regulation (GDPR), considered a global standard and the flagship data protection legislation of the EU, recognises consent as one of the basis for lawful data processing.
Today, obtaining consent for data processing can be commonly seen in the form of check boxes (for cookies) while visiting websites for the first time.
What Happens With Our Data
Informing and freely giving consent ensures individuals understand the various purposes their data is being processed for. Such consent also creates awareness about the possible consequences. Obtaining consent provides individuals a genuine choice in, and ongoing control over, how their data is used1. The PDP Bill recognised this in Sections 5 and 11, while Chapter III laid out the three grounds on which data processing could be done without the individual’s consent.
Civil society organisations and the larger public have criticised these three grounds. Lowering user protection could lead to further shifting the power imbalance that favours employers and erodes employee privacy.
Ignoring these pleas, JPC has further expanded the scope of non-consensual data processing in the DPB. As of February 20, 2022, media reports are indicating that the entire DPB could be scrapped in favour of a new data protection legislation. This is yet to be proven. Until then, the current text of the DPB unambiguously threatens the right to privacy.
The Risks Of Storing Incorrect Data
A ‘Data fiduciary’ is “any person, including a State, a company, a non-government organisation, juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data,” as described in the draft DPB. Under section 8 of the DPB, ensuring that personal data is accurate, not misleading, and updated is the obligation of the data fiduciary. Notifying individuals about inaccuracy in data is part of the obligation.
The rationale behind such an obligation is to provide users the opportunity to have erroneous information about themselves corrected, thereby reducing the possibility of harms arising from processing of erroneous data.
How this clause would play out in the real world can be understood with the example of educating girl children in government schools.
A State government contracts a private enterprise to assist in delivering welfare schemes. The scheme ensures that girl children from poor families are enrolled into government schools. To enable the private enterprise to carry out their duties as per the contract, the government provides certain information to the private contractor. Access to an Aadhaar-linked database with details of families below the poverty line is shared, but the private contractor notices that the current residential address of certain families is missing. In such a case, the government, in its role as a data processor, has an obligation to inform the families of the same, so that they can have this rectified and avail the welfare scheme for their girl children.
The example shows this exercise to be practical and useful, but the JPC has proposed otherwise. This is an example of how checking the accuracy of personal data collected has practical implications. Yet the JPC doesn’t make data correction a requirement.
JPC has exempted the requirement of a notice under Section 8 of DPB, if giving such a notice could prejudice processing of data for ‘State functions’ (Section 12). These State functions include provisioning of benefits, issuing licences, and providing treatment during a health epidemic.
When a data fiduciary is sharing data with another person as part of a business transaction such as a contract for services, a notice under Section 8 need not be given either. Under Section 12, if permission is given then a notice would in any way prejudice the purpose of processing data. The purpose could be ensuring safety or providing assistance or services to individuals during disasters or breakdown of public order.
These amendments are concerning as they allow for inaccurate or misleading data about individuals to be processed with respect to State functions without the knowledge of the data principal.
The only legal protection in the event of incorrect personal data being shared is recourse to the Data Protection Authority (DPA). DPA is a regulatory body, first mooted in the Personal Data Protection Bill, 2018, which oversees implementation of the protections provided under the Bill and Act as an independent national regulatory authority. Yet, as per Section 86 of PDP Bill, the DPA is bound to always act in accordance with the interests and directives of the central government.
Consequences of Incorrect Data
In the draft DPB, the State functionaries can continue to use private data without consent but also can include data that they are cognizant of being incorrect. This opens up avenues for actions leading to gross injustices owing to non-consensual usage of incorrect data. These actions could include denial of legally entitled welfare schemes, denial of access to treatment, and wrongful rejection of licence or permit applications. This could have a damaging impact on lives and livelihoods of citizens, as seen with incorrect Aadhaar data leading to the denial of welfare schemes.
For example, Sanni Tuti’s name is misspelt, so her linking does not work because it does not match with the database with which it is being linked to.
Such issues become even more serious when the government agencies need not notify data principals when their personal data is shared with third parties as part of business arrangements entered into by the government as per Sections 8(4) and 12 of the DPB.
With this amendment, the DPB is aiding the private capture of data while securing it from public knowledge—allowing private entities to get access to personal data of individuals not only without their informed consent, but also without their knowledge.
Amplifying this issue is other government policies. One such recent example is the draft Karnataka Open Data Policy, mandating that data shared between government departments and third parties are bound by non-disclosure agreements.
Through a joint working of the DPB and the Policy, not only would citizens’ data be shared without their consent, citizens would have no visibility into who their data is being shared with and for what purposes. And this is worrying.
What Employees Have At Stake
Earlier, in the PDP Bill, an employer was allowed to process an employee’s data without their consent only if such processing was necessary as per Section 13. In its recommendations regarding Section 13 of the PDP Bill, the JPC notes that, “there should be equilibrium in processing of data of employees by the employer and its use/misuse of data by the employer.” Despite this, the JPC has gone ahead with expanding the employer’s powers to process employees’ personal data without their consent, by allowing for non-consensual data processing when “such data processing can be reasonably expected by the employee”.
To explain the gravity of such data processing, let’s look at how women’s menstrual health data can be used for surveillance.
A company providing menstrual leaves to its employees could collect and track data regarding the menstrual cycles without their consent. With a possible justification being that it is ‘reasonable’ to expect that such collecting of data is to determine when menstrual leaves could be given. Not only is this violating the privacy of employees, such data could be used for ‘optimising business’. This could have deleterious consequences for employees.
This standard of ‘reasonable expectation’ by the JPC is vague and not elaborate. Such a standard relies on what is currently accepted in society, even if problematic and requires improvement. In the present context, we see the accepted norm in society is that when tech firms are collecting data, it is under their control—and in some cases, ownership as well. To address such norms, courts around the world are attempting to introduce normative content to bolster a ‘reasonable expectation’ test and provide basic protections preventing it from diluting data protection standards.
In India, where digital literacy rates vary widely between rural (25% digital literacy) and urban areas (61% digital literacy), between sectors, and within sectors themselves such standards can be problematic.
Given this wide disparity, it is unclear what the standard of “reasonable expectation” means for employees. Whether the standards will vary, not just between sectors, but between different types of wage earners within a sector itself is unclear as well.
Introducing this vague standard will likely affect poor and uneducated workers disproportionately, adding to the existing imbalance in power between an employer and employee.
Towards Safer Data Processing Future
JPC’s amendments to Sections 8, 12 and 13 of the PDP Bill merely serve to aid the non-consensual processing of an individual’s data without adequately safeguarding their rights and interests. Acknowledging that State functions have legitimate reasons for processing personal data without consent, expanding the scope further may not be reasonable. Expanding the scope could lead to a stage where incorrect or misleading data is processed despite the active knowledge of the State functionary that is processing the data.
It is crucial that citizens have insight into who the government is sharing their personal data with and for what reasons. Similarly, employers having such a significant degree of leeway in processing their employees personal data should not be allowed. Employers are already exercising a great degree of power in the employer-employee relationship dynamic. Such provisions will deepen the imbalance and give employers greater control and leverage over their employees.
It is important for any data protection legislation to preempt concerns around obtaining consent in certain cases. However, the allowances for non-consensual data processing must not reach a level that it threatens an individual’s right to privacy and opens the door to further harm being caused to individuals. It would be socially beneficial if the allowances for non consensual data processing in the DPB are read down. This will ensure that the DPB is interpreted to accommodate the concerns that public and civil society organisations have been highlighting.