Concerns
In its scope and definition, the DPDP Bill only protects personal data, that is, any data that has the potential to directly or indirectly identify an individual.
In the modern data economy, entities use various types of data, including both personal and non-personal data, to target, profile, predict, and monitor users.
Non-personal data is typically anonymous data that does not relate to a particular individual — for example, aggregate data on products which numerous users look at between 9 PM and 11 PM on Amazon.
Often, this non-personal data when combined with other datasets can help identify individuals, and in this way become personal data, impacting user privacy.
For instance, anonymous datasets about individual Uber rides in New Delhi can be combined with prayer timings to identify members who belong to a certain community, which could include their home addresses.
This process of re-identification of non-personal data poses significant risks to privacy.
Such risks were accounted for in previous versions of India’s draft data protection Bill, in 2018 and 2019, but do not find a place in the latest draft.
By not recognising these risks, the DPDP Bill is very limited in its scope and effect in providing meaningful privacy to Indians.
A simple and effective solution — as in the earlier versions — would be to add a penal provision in the Bill that provides for financial penalties on data-processing entities for the re-identification of non-personal data into personal data.
Another gap is the inability of the proposed data protection board to initiate a proceeding of its own accord.
Under the Bill, the board is the authority that is entrusted with enforcing the law.
The board can only institute a proceeding for adjudication if someone affected makes a complaint to it, or the government or a court directs it to do so.
The only exception to this rule is when the board can take action on its own to enforce certain duties listed by the Bill for users.
This is for the adjudication of disputes between the law and users — for example, an obligation on users not to register a false or frivolous complaint with the board, and not between users and data-processing entities.
In the data economy, users have diminished control and limited knowledge of data transfers and exchanges.
Due to the ever-evolving and complex nature of data processing, users will always be a step behind entities which make use of their data.
For example, a food delivery app can take all data and sell it to data brokers in violation of its contractual relationship with customers.
Individually, the user has little in the way of resources or incentive to approach the data protection board.
The board, on the other hand, may be in a better position to proceed against the food delivery app on its own — on behalf of all such affected users.
The suggestion is to have a provision in the DPDP Bill that allows the data protection board to initiate complaints on its own.