New Delhi — In July, the nine-member expert committee headed by Justice BN Srikrishna submitted its report and draft bill titled The Personal Data Protection Bill, 2018 to the government. The long-awaited report is expected to have a far-reaching impact, although, of course, it is only the first step in a long process towards the creation of a law. And before that happens, there is still time to address some of the serious concerns raised by the report and draft bill.
As the report's authors observe, India must have a data governance regime that contributes to a "free and fair" digital economy in India, and it must protect the rights of Indian citizens. Having declared this, the experts quickly lose their grasp of the obvious and the reams of paper fail to deliver.
As we have said multiple times, any data protection legislation must protect people, not data. All persons are entitled to control the collection of information about them: about their bodies, their behaviour and their thoughts. But instead of recognising that mere consent is inadequate to protect rights, the report turns consent into "an end in itself". Privacy destruction is similar to an environmental problem, for which "consent" is inadequate to protect rights. Environmental regulation cannot be based on requiring polluters to obtain individuals' consent to drinking contaminated water or breathing deadly air.
Here's an example. Suppose the government embarked on a campaign to get citizens to "consent" to breathing New Delhi's poisonous air. Having bought or otherwise acquired 50.1% of the population's consent, could the government then declare an end of the air pollution problem? Treating consent as an end in itself is a licence to hide problems rather than solve them: the antithesis of protecting rights.
Remedies that discriminate against one's own citizens are not worthy of favourable consideration.
The report confidently asserts the perfect reversibility of consent without offering any plausible illustration of how, in the global commerce in personal data, such withdrawal of consent could actually occur once data has been processed, transferred, embodied in downstream derivatives and inferences, etc. It also conveniently makes us responsible for "all legal consequences for the effects of such withdrawal".
The value of consent requirements lies not in the formalities, but in the informational disclosures underlying them. This is the principle of "informed consent" in the US law of health care, for example. Privacy law is about information flows; consent means that relevant information about rights, usage and risk has been provided to sources of personally significant data. Consent shows they received the information they were entitled to in order to make their own informed and dignified choices but not in long form legalese that nobody really reads. At the same time, the state has been blessed with more power. A wide exception has been created for any processing of personal and sensitive personal data necessary for any function of Parliament or any state legislature.
Creating cognizable, non-bailable criminal offences on which a police inspector can predicate the arrest of an executive is unhelpful, unless the goal is to disadvantage Indian firms in the global digital economy. We can say for sure that however such a provision is used, foreign executives from non-Indian firms will never be subjected to it. Remedies that discriminate against one's own citizens are not worthy of favourable consideration. Similarly, the provision related to data localisation will end up increasing the costs for any new company by depriving them the benefits of "cloud computing".
The bill is a start and can be improved to give the committee's vision a reality.
Processors and handlers of personally significant data, referred to in the report as "data fiduciaries", should have two responsibilities in the event of data breaches and misuses: they should be required to disclose what has happened to all the victims, not just a government authority, and they should be required to use all practicable efforts to clean it up. At a minimum, the law should require them to notify every data subject whose personally significant information has been lost, stolen or mishandled, explaining at the same standard level as original informed consent what has happened, what the risks are, and what remedial measures can and will be taken; and to notify every party to whom this information has been transferred or disclosed, or who has received information made by processing this information, that privacy was breached in relation to what they have received, and that it must be destroyed, returned or otherwise prevented from contributing to further harm.
This is too important to be left to years of litigation and myriad processes that citizens will find too cumbersome to work with. The bill is a start and can be improved to give the committee's vision a reality. But hastily introducing this bill in its current form in the Parliament will render the work of all those involved a complete waste.
Eben Moglen is Professor of Law and Legal History at Columbia Law School. Mishi Choudhary is a technology lawyer and managing partner at Mishi Choudhary & Associates.