ForumIAS announcing GS Foundation Program for UPSC CSE 2025-26 from 27th May. Click Here for more information.
Source– The post is based on the article “Data protection Bill: Hiding behind consent” published in “The Indian Express” on 14th July 2023.
Syllabus: GS2- e-governance. GS2- Government policies and interventions
Relevance: Issues related to regulation of data
News-. The Union Cabinet recently approved the draft Data Protection Bill.
What are the issues with the draft data protection Bill?
It appears the objective of the bill is to facilitate data collection and processing by the government and private entities rather than addressing the concerns for data protection.
SC has recognised privacy as a fundamental right of citizens. It has emphasised the importance of informational self-determination and control for protecting the privacy and freedom of individuals. To ensure these protections, the SC established the standards of determination through three criteria: legality, legitimacy, and proportionality.
Legality– Legality entails the existence of appropriate laws, particularly for significant government digital applications like digital surveillance.
However, the current Bill seems contradictory. Section 5 of the latest draft implies that the proposed Act would permit any purpose unless explicitly prohibited by law.
Legitimacy and proportionality– Legitimacy is related to the obligation of the state to convey that proposed digitalization involves a valid interest. Digital application should meet the test of proportionality.
There should be a careful balance between the extent to which Fundamental Rights might be affected. But there are currently no established standards for either of these tests.
Legitimacy is disregarded. There is a lack of clear standards for determining proportionality. The draft bill contains the provisions to make “reasonable efforts” and implement “appropriate technical and organisational measures”.
These are insufficient measures for assessing the intrusive nature of the digital application and effectively balances risks.
Consent provision– Draft Bill seems to have heavy reliance on consent. Individuals need to have an accurate understanding of all the privacy risks associated with complex digital applications.
In pervasive applications, denying consent may limit options, create hardships, or impede freedom of expression.
What are the suggestions for improvement in the draft data protection Bill?
Specific guidelines and criteria are necessary for conducting risk assessments and determining legitimacy. These standards cannot be developed without well-defined guidelines and regulations.
It should acknowledge the privacy risks associated with digital applications.
There are not only the risks of illegal surveillance, profiling, and unauthorised exposure of private information. There are also indirect harms when data elements are linked together to create distorted digital representations.
The measures of post-violation complaints and penalties are not adequate for protection. Protection from indirect harms needs to be ex-ante rather than ex-post.
Data fiduciaries and data controllers need to have standards for ex-ante privacy protection and purpose limitation.
Effective data protection necessitates an accountability-based framework rather than one solely based on consent. This framework places the responsibility on data controllers and fiduciaries, regardless of the level of consent, rather than solely on individuals.
