The Digital Personal Data Protection Bill, 2023 (DPDP), which was passed by Parliament on 9 August, begins with the paragraph:
“The purpose of this Act is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto.”
The statement of "Objects & Reasons", however, states that the bill "seeks to provide for the protection of digital personal data".
Is this bill good enough to guard your personal data and national interest?
Here is an assessment.
A. Key Features Of The Bill DPDP 2023
The entire framework is essentially a compliance framework, which gives near unrestricted freedom to Big Tech, the Data Protection Board, and the government.
The Data Protection Board (DPB) to be created under the act has exclusive authority and jurisdiction with the powers of a civil court and no proper accountability. Both the central government and the DPB are insulated from prosecution for actions taken in good faith.
Civil courts have no jurisdiction at all, and no court or authority whatsoever may grant an injunction.
The DPDP 2023 does not give any rights or protection to the data principal other than a minimal “grievance redressal” mechanism.
The DPDP 2023 does not recognise the “data principal” as the owner of the data over which she/he has exclusive rights of property, ownership or other civil rights or human rights granted to the “data principal”.
No civil or criminal remedies are available to the data principal in this bill commensurate with the Constitution and the Universal Declaration of Human Rights (UDHR).
Nor are there any sections on offences, remedies and compensation for the individual (data principal) who is affected. The penalty imposed does not compensate the data principal but only goes to the Consolidated Fund of India.
While abrogating the affected person’s right to compensation (under Section 48A of the IT Act, 2000) for wrongful loss or gain caused by a body corporate, the DPDP has no provision for loss, harm, violation of the obligations of the data fiduciary, children’s rights, or fundamental rights, including the right to privacy, under which the data principal could be compensated.
Privacy of the owner or data principal, which is the genesis of all data protection frameworks worldwide, including India (vide the Puttaswamy judgement), does not occur in the bill at all. The sole exception is when the right to disclosure under the RTI Act is exempted/abrogated on grounds of privacy of the concerned public official.
By means of the "voluntary undertaking", the data fiduciary and the DPB jointly become the de-facto lawmakers. This allows for a personalised and customised compliance framework practically circumventing Parliament and the provisions of this bill itself.
There is a bar on proceedings against corporations simply for complying with its own voluntary undertaking accepted by the DPB, irrespective of the nature and magnitude of the breach or harm to the individual, national security or to businesses.
DPDP 2023 overrides other laws in case of conflict. This will cause clickwrap licences with conflicting provisions to effectively deny or abrogate the application and reliefs available under other acts.
There is no specified time limit for a data fiduciary to report a breach. Intimation of the breach will be in the form and manner for reporting as may be prescribed.
The rules made under the act can only be modified or stopped if both houses of Parliament agree, without prejudice to something done earlier under the said rule. So Parliament's role as the lawmaker is side-stepped.
The transfer of personal data outside the country is allowed by default. The government can at most notify certain countries where it cannot be transferred.
There is a cap on the maximum penalty of Rs 250 crore (approximately $30 million) that can be imposed by the Data Protection Board.
Compare this with the penalty of $5 billion imposed on Facebook by the US regulator, or with penalties set as a percentage of revenue under the European Union’s General Data Protection Regulation (GDPR).
DPB will proceed and penalise the violator only if non-compliance is "significant", an undefined term. There is no relief or compensation whatsoever specifically available to the individual, ie the data principal.
B. Personal Data And The Ecosystem
Personal data is the counterpart and footprint of the totality of the information, life and activity of a human being, including beliefs, expression, transactions, health, use of her rights and liberty, any activity, communication, etc.
It may be captured and exist on any medium. According to the UDHR, human rights exist and are not affected by the nature of the medium, which includes amongst others the right to privacy, ownership/monetisation, cultural expression, remedies and availability of local/national jurisdiction.
Access, influence and control over personal data can put the physical, economic and other security of the individual at risk apart from affecting her/his fundamental rights and liberty.
Huge volumes of personal data are captured and processed by Big Tech and other entities.
Big Tech is integrated into the US Deep State by employing hundreds of former officials of various agencies, e.g. the CIA, FBI, etc, in a series of revolving doors between the US federal government and various corporations.
Personal data is subject to both benign and malicious use, whether overt and legitimate, or covert. Personal data is used to profile, target, set narratives, de-platform individuals or opinions, act as a source of “truth”, force choices, create deep fakes, delete voters’ lists, create civil unrest, for surveillance and control, blackmail, etc.
Any entity, from the individual to the group, at any scale, whether by community, class, religion, electorate, social, civilisational, geopolitical, etc, has been profiled and targeted.
Big Tech has been weaponised by the US federal government. Currently, senior executives of Big Tech are being interrogated by the US Congress for having weaponised it against US citizens, including members of the Congress.
Big Tech cartels had de-platformed the US President and our own Minister of IT and Law at one point.
C. Impact
Geopolitical: Data is the new oil for the new economy, the knowledge economy. Oil carries costs and controls on its flow, and feeds the war economy as well; the unrestricted flow of data has a similar effect, while throwing away the advantage.
On another level, the Hindenburg and Soros attempts show that potentially data, along with personal data, can be used to bring down an economy, government or tar the reputation of the persons involved with severe consequences all around.
Raw Material and Competitive Advantage: India is data rich owing to its demography, diversity and exponentially growing Internet penetration.
Letting this raw material flow out unprocessed is similar to the deindustrialisation of the mineral-rich states under the freight equalisation policy that was in force before 1991.
Patenting, Innovations and the Ecosystem: Patents are enforced by jurisdiction/country. Data outside the country will involve processing or executing the algorithms and patents in a foreign country.
This leads to Indian patents being infructuous, circumvented and a waste of resources with a negative impact on patenting, innovations and the development of the entire value chain, infrastructure and ecosystem related to it.
Leadership, creation of core technology, and R&D will be affected adversely as a result.
Freedom of Speech, Cultural Expression, Rights and Remedies: These are unique to every individual, country, civilisation, and require localisation and control in the hands of the individual or citizen.
Rights and remedies can be enforced by providing local cause of action and remedies, as is — for example — available for relatively “minor” infringements of patent or copyright.
Individuals cannot negotiate with foreign data servers, jurisdictions, licences, regulators, multilateral trade agreements, etc. Relying on foreign entities for the government’s day-to-day administrative or executive actions is in itself a loss of sovereignty, and real-time data is not readily available to law enforcement.
Economy and Business: Big Tech firms have annual revenues in the billions of dollars individually and between $1 and 5 trillion or more collectively, with market valuations even greater than that.
The advertisement revenues of the big three or four tech firms in India, leaving out some like Twitter which do not give an India split, are upwards of Rs 50,000 crore.
Additionally, personal data is monetised and used for creating various products, services, or analyses. Often the product is the person herself, ie, the personal data.
The impact of data flowing without restriction, cost or control is easily in the range of tens of billions of dollars, likely in the range of $100 billion. Add to this the opportunity cost and the strategic cost due to the factors mentioned above.
Monetisation by individuals, through content creation or compensation, needs to be added as their right and ownership, not merely recognised, as has been the case till date. Data is a strategic asset in the trinity of code, algorithms and personal data, of which the other two are already recognised as property.
D. Recommendations
First, the law needs to be modified and must define and re-legislate personal data as the personal property of the individual concerned, with exclusive rights and the following attributes.
1. The law must post the rights of individuals online;
2. The words “data principal” must be replaced with “data owner”;
3. Personal data should be non-assignable;
4. Ownership cannot be overridden by a business contract/click-wrap licence;
5. The owner can sub-license the data, or any part of it, non-exclusively;
6. The individual must have the right to information, edit, erase, forget, de-identify, anonymise, and insist on (no) collection, (no) storage (“no” means do not store, etc), (no) record, (no) use, (no) algorithms, (no) mining, (no) processing, (no) cookies, (no) profiling;
7. The rights should include the right to consent and monetisation, the pursuit of civil, criminal or other remedies in local jurisdictions, the right to seek compensation, and the right to nominate legal heirs;
8. The individual has the right to be informed of a data breach, say, within one week of the data fiduciary or other processor coming to know of the breach.
Each company/website/app must pay an appropriate amount (say, for example, Re 1 per company or website or app per year, nil for start-ups) to each citizen, held with the government of India and utilised for a citizen protection body/fund which will assist the citizen in the implementation of her rights in this bill.
The law must also provide for post-quantum and pre-online rights. As quantum computing may disrupt the entire cyber security infrastructure, we need the following additional rights:
1. The right of an individual to not be online at all (right to free speech/expression);
2. No right, goods or services (by the government) shall be refused merely because the individual refuses to be online or to carry out a transaction online. This right shall apply to essential services as well.
Exceptions could be data in the custody of the government, e.g. Aadhaar, or kept for purposes of national security, or under due process of law. This data should be kept extra secure by the government.
The Data Protection Board should be accountable to Parliament:
1. Officials of the DPB should have a non-compete or a cooling off period between jobs at the DPB and corporates or a foreign entity, of a few years at least;
2. Injunctions may be permitted;
3. DPB can facilitate/enforce search and discovery or any process complying with law;
4. There must be transparency on data to data owners, ie, the individual.
Localisation of personal data should be the norm. Exceptions, including copies, should be spelt out in detail in the bill (or in rules framed under the act), after considering the impact on national and personal security, fundamental rights, justiciability, innovations and patenting, SMEs, and other relevant factors.
This bill provides for processing through a "Data Fiduciary", which implies an element of trust as the key to all activity. Trust is essentially a human attribute and relates to who, ie, the person/data fiduciary, and is not a territorial attribute in the first place.
Furthermore, there is nothing like “trusted” geography when the current paradigm of cybersecurity is zero-trust.
Additionally, the right to free speech and expression suggests that democracy is itself an expression of the limits of trust in the government, or in any entity with intelligent actors.
Most importantly note that Big Tech has been integrated into and weaponised by the US federal government.
Penalty should be proportionate to the breach and harm, and other factors. It cannot be capped a priori.
The DPDP overrides other acts in case of conflict, whereas it should be the other way around. Alternatively, the principle of harmonious construction of laws should be used.
Neither is “digital” defined in the bill, nor does the right to freedom of expression depend on the medium (irrespective of whether digital or analog), as also stated in Article 18 of the UDHR. Accordingly, the word “digital” should be dropped from the bill.
Rules must be placed before and affirmed by both houses of Parliament, and shall only be used after notification.
The above points are not exhaustive and more elements or nuances may need to be considered.
This will enable security, inclusivity, democratisation and monetisation by the owners of the personal data and content creators, growth of the patenting and innovations ecosystem; revenue generation for GOI; creation and leadership in core technology, R&D, and related infrastructure; leveraging competitive advantage, demography and talent; and control of a strategic asset.