The new Personal Data Protection Bill 2018 reflects the lopsided nature of the government’s interests for Digital India. The recommendations of the Justice Srikrishna Committee stated that a new data protection law would need to balance innovation and privacy due to various technological advancements including use of Big Data, Internet of Things (IoT) and Artificial Intelligence (AI). Notwithstanding the partial fulfillment of this statement in favour of growing ‘Digital India’, the main concern is this unfettered growth where the state may process personal data, without consent or ‘explicit’ consent, which is ‘necessary for the exercise of any function of the State’.
State Interests: No consent or specification of purpose
Big Data is complex structured and unstructured data sets which includes non-personal data, personal data, sensitive personal data and network data used for understanding trends, analysing behaviour etc., all of which could assist in tremendous growth and optimisation of technological prowess of India via public and private entities. The Personal Data Protection Bill 2018 has paved the way for tremendous growth in big data fuelled AI initiatives led by the state and individual consent for use of personal data, by the State shall not be required. This is in sharp contrast to the requirement of ‘consent of the data principal’ for processing personal data required for any AI initiatives, which may be conducted by private entities.
‘Purpose specification’, as was addressed in the White Paper, is not possible with Big Data primarily because of its fluidity for secondary uses by interconnecting various fields such as education with health etc. This limitation has been placed on data collectors under Section 5 i.e., ‘Personal data shall be processed only for purposes specified or for any other incidental purpose…’. A prima facie reading, of the Section, seems just and in keeping with the tenets of privacy but it is flawed for two reasons – one, the reasons for de-identification and anonymisation of data is to ensure secondary uses of data and hence purpose specification should not be mandatory if personal data can be processed to prevent identification.
An example of Big Data in social media is microtargeting via social mediator retail advertising – it makes people’s lives easier. Second, this restriction of ‘purpose specification’ for personal data has been placed only on activities of data fiduciaries excluding the State as long as the ‘function of the State’ is ‘for the provision of any service or benefit to the data principal from the State’. Consent for personal data and ‘explicit’ consent for use of sensitive personal data, is not extended to certain functions of the State but what entails ‘explicit’ or ‘certain functions’ is unknown.
Critical personal data: A third type of Personal Data
The Bill further tries to regulate the fluidity of data in Section 40 of the Bill. So far, we had three main categories: non-personal data, personal data and sensitive personal data. However, the government has introduced a third category: Critical Personal Data. The Government shall notify categories of ‘critical personal data’, which can only be stored in a server or data centre in India.
Additionally, if ‘Security Safeguards’ (Section 31) including the requirement of de-identification of personal data is specified as an obligation on every data collector i.e., the State and private entities, then why does ‘critical personal data’ need to retain only in India? If it is critical, and not sensitive, then the data can be ‘anonymised’ and still be moved out of the country. The difference between ‘anonymisation’ and ‘de-identification’ is that the former is an irreversible process of the latter and is defined in the Bill. However, anonymisation has strangely not been linked to cross-border data flows when it would help in innovation and also increase the privacy of individuals.
Basically, the government has carved out every possible way of regulating the flow of data –personal, sensitive or critical, for ‘state interests’ while clearly preventing a complete ‘data drain’ from the country by private entities. While, the regulation of ‘data drain’ will assist in fuelling state initiatives, in the technological field including AI and IoT, which is $480 million in 2018-19, significant impact shall be felt by private entities including technological companies and corporates due to the restrictions on consent and data flows.
Quality of Data
A basic necessity for any AI project is ensuring the collection of a large, error-free and bias-free data set. The quality of data collected is of utmost importance. In the Bill, the Authority established by the central government shall lay down the Codes of Practice under Section 61, which shall be ‘measures for ensuring quality of personal data’. This section shall be applicable for all entities focussed on AI initiatives but not the state, in cases of security of the state, which could also include AI-defense projects taken up by the government.
Any processing of personal data for security of the state is exempted from following the necessity of a ‘complete, accurate, not misleading and updated’ data set. Also, the right of ‘data portability’ which is the right of each person to receive information given to any data collector, is also not available where processing is ‘necessary for function of the state’. So, while the quality of data may be compromised for AI initiatives undertaken by the state, the security and privacy of people may also be compromised.
In its current state, the Bill not only seeks to promote unfettered state interests in technological advancements but also places hindrances in the path of private entities, both Indian and foreign, aiming to tap into the Big Data pool in India in the field of AI and machine learning. The Bill also requires much re-work to satisfy and allay the privacy concerns related to state AI actions and initiatives which are currently unregulated and exempted from several obligations provided under the Bill.