Even as the draft Data Protection Bill has attempted to tilt the balance in favour of individuals and away from the entities that process their data, it has left out some key aspects affecting consumers, such as clearly ascribing ownership of data to the individual, and it leaves scope for surveillance.
“… any regime serious about safeguarding personal data of the individual must aspire to the common public good of both a free and fair digital economy. Here, freedom refers to enhancing the autonomy of the individuals with regard to their personal data in deciding its processing which would lead to an ease of flow of personal data. Fairness pertains to developing a regulatory framework where the rights of the individual with respect to her personal data are respected and the existing inequality in bargaining power between individuals and entities that process such personal data is mitigated,” the report said.
The draft bill has extended the definition of sensitive personal data to include passwords, financial data, health data, sexual orientation, biometric data, genetic data, caste, tribe, religious or political belief, etc. It also lays down the legal grounds on the basis of which personal data can be used. The grounds on which an entity may process data include consent from the individual, functions of the state, compliance with law or an order of a court, and prompt action in case of emergencies.
The committee has envisaged two standards of consent — ordinary and explicit. Ordinary consent, the report said, should be free, informed, specific, clear and capable of being withdrawn as easily as it was given. In the case of explicit consent, the same five features apply with greater rigour and require additional attention from the user in order to provide that consent. For example, the report explains, ordinary consent would have a user check an ‘I agree’ box, whereas for explicit consent the entity would have the user check a box that says ‘I agree to the processing of the personal data entered above for the purpose of maintaining X Association’s register of members, for communication of matters necessary for my membership in X Association and for transactions between the Association and myself’. The draft bill states that explicit consent is a must for the collection or processing of sensitive personal data.
Further, following the principle of transparency, which is incumbent on a data fiduciary, the entity will be obligated to give notice to the data principal about the collection and use of data “no later than at the time of the collection of her personal data”. The draft also says that the law will not have retrospective application and will come into force in a structured and phased manner. While users can exercise their right to be forgotten and revoke consent for the processing of data collected before the law takes effect, these rights are conditional in nature.
Under the right to be forgotten, users can de-link, limit, delete or correct the disclosure of their personal information held by the data fiduciaries. However, the applicability of the right to be forgotten will be determined by the adjudication wing of the Data Protection Authority based on the sensitivity of the personal data sought to be restricted.