Get all your news in one place.
100’s of premium titles.
One app.
Start reading
The Hindu
The Hindu
Comment
Sunetra Ravindran, Lalit Panda

Word choice in India’s data protection law and a dilution of rights

After years of going back and forth on its contents, India finally has a data protection law, i.e., the Digital Personal Data Protection Act, 2023. While small steps forward may be better than inertia or taking giant and hasty leaps, figuring out how far this law will take us requires that we understand how it protects our privacy in everyday situations and routinely touches our lives. In the search for an answer to this question, we need to look at two basic features of any data protection law: the use of personal data with consent and without it.

Standard situations and the issues

The classic problem in data protection is the standard for consent. When your data is being used, do you have a choice in the matter? For example, your Internet activity can be used to study you. An app could find out your religion from what you eat, your health status from your physical activity, or your sexuality from your movie preferences. Maybe you have given your phone number to a business while making a purchase, but do not want to be bombarded with marketing calls.

As decades of experience in India and other jurisdictions tell us, these are standard situations that even the most minimal data protection law must address. How does India’s new law deal with such problems? There are two relevant provisions in the Act. One says that you should be properly informed about what you are agreeing to and only clear positive actions by you (as opposed to silence) will be taken to indicate consent. But this strict provision is undercut by a second provision permitting use of your data if you have “voluntarily provided” it and “have not indicated” that you do not consent. The choice of words is telling. If you “have not indicated” refusal, governments and businesses can assume your consent for various uses without notifying you. And who is to say you do not “provide” your data simply by visiting a public place or website, or making an online account? After all, “provide” is not the same as “share” or “transfer”. This ambiguity will result in confusion in courts as well as business uncertainty about the correct standard for consent. In all likelihood, the weak standard will gobble up the strong one.

Convenience, not necessity

It should be apparent, however, that personal data cannot always be used with consent. For instance, a person’s choices regarding their data can get in the way of various public functions involving verification of identity, targeting of welfare benefits and implementation of laws. These functions can be thwarted by misrepresenting or withholding information. But does that mean there is no protection for such data? In previous drafts of the new law, your personal data could be used without consent only if it was “necessary” for a specified purpose in carrying out certain legitimate state functions, meeting legal requirements, and dealing with emergencies. The data fiduciary needed to demonstrate that they had no feasible alternatives to collecting and using the information in the manner that they had.

It is important to understand the significance of this: sometimes, consensual processing of data is very much feasible, if inconvenient. Even if consent is not feasible, specific methods of identity verification, or the use of sensitive data on health, religion, political affiliation, and sexuality may not be strictly necessary when designing and implementing many kinds of public programmes. For example, information on membership in a trade union is not necessary in assessing a job application, even if the employer thinks it is relevant for their purposes. If data is allowed to be processed even when it is not necessary, those doing so will always choose the more convenient route. Privacy will always be low priority. This is exactly what the 2023 law does — it allows processing without consent when it is “for” (and not “necessary for”) certain legitimate uses. This small change in wording will make a huge difference in the actual level of protection provided.

An area of concern

What is more, when your data is processed without consent, you will neither be notified of this nor subsequently be able to confirm it. If you somehow find out that your data is being used, you will not have the right to get incorrect data corrected or unnecessary data erased. Data taken for one non-consensual purpose can be freely used for others. This is despite the fact that the Supreme Court of India has held principles such as necessity and purpose limitation to be a part of the right to informational privacy.

Editorial | Falling short: On the Digital Data Protection law

Others elsewhere have raised serious concerns about the way the new law deals with the rights to information and free speech, surveillance reform, and the regulatory structure. On the other hand, while the issues described in this article may seem like legal technicalities, they are in fact conscious policy choices substantially diluting rights that could otherwise have been provided for.

If we want this law to meaningfully protect personal data, it is essential that we find ways to tackle these shortcomings.

Sunetra Ravindran is a Team Lead at the Vidhi Centre for Legal Policy. Lalit Panda is a Senior Resident Fellow at the Vidhi Centre for Legal Policy. The views expressed are personal

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.