Today a broad umbrella of technologies falls under the label AI, or Artificial Intelligence, and India’s current data protection laws are badly outdated and offer no adequate protection against the looming threat. Under this umbrella, companies and governments leverage the personal data of individuals and apply elaborate modelling techniques to derive insights or results, which are then used by a host of entities, namely insurance companies, banks, governments and even healthcare providers. Algorithmic systems are routinely deployed to determine who might be an ideal candidate for a job and which person may exhibit undesirable qualities. These companies use ‘Big Data’ to make assumptions about future behavioural patterns, and this information is sold to companies who can target their marketing campaigns for better results, to banks, or to healthcare providers to determine what an insurance premium should look like. A host of alternative credit scoring companies leverage this data, from social media to movement tracking, and with the emergence of AI technologies like Deep Learning they can make derivations from that data to judge the creditworthiness of a loan applicant. The algorithm automatically processes the data and assigns a rank to a candidate based on a weighted score across several parameters, and this determines their access to a loan.

Furthermore, there is overwhelming evidence that these technologies are being employed for certain nefarious designs of the government with regard to surveillance, notably in China, and this technology has also been used to identify protesters in the recent Black Lives Matter riots. These technologies are often shrouded in secrecy, which means that it is difficult to gauge how accurate, precise and comprehensive the algorithms are.
Recent examples, particularly in the BLM movement, have shown that they cannot easily differentiate between members of the black population, resulting in the wrongful arrest of several innocent individuals. In China, desirable behaviour is moulded and shaped so that people stay in line, and any deviation results in a lower score on the ‘social credit system’, which has a bearing on access to resources and also negatively impacts the reputation of the person concerned. The recent Personal Data Protection Bill has sought to address some of these issues.
Personal Data Protection Bill, 2019 and AI
The Bill is a step in the right direction as it allows people to control their data and categorises data so that people can have a say when it comes to automated decisions. More importantly, the Bill targets those entities that have access to large volumes of data, and regulates how and where they process that data. The Bill seeks to make long-term structural changes in how companies use data and to allow users to make changes to their data, especially when it comes to profiling. Automated decisions, however, need to take the user’s preferences into consideration: the user must be able to control that data and to learn how the decision was reached and what information formed its basis, and there should definitely be an appeals process. There must be routine audits of the data collection infrastructure and of the decision-making technique to ensure there is no foul play. The right to privacy is one that has been enshrined in our Constitution, but these automated decisions undermine it by profiling us and placing us into categories of persons defined by the designers’ algorithms. In the same vein, it is increasingly seen that the government may employ the services of a third party to monitor the data of certain persons of interest. This is best evidenced by the recent explosive Pegasus scandal, wherein the government was caught red-handed when prominent journalists, social activists, professors and other eminent citizens realised that their WhatsApp chats and data were being illegally monitored. The links pointed to an Israeli firm, which in turn confessed that it only offers its services to governments.
Legal Safeguards in the Bill
There are several legal safeguards contained in the Bill to protect citizens from state surveillance. These include:
- Section 4, which states that “No personal data shall be processed by anyone except for any specific, clear and lawful purpose.” Section 36 will now have to be read with Section 4, as Sections 35 and 36 exempt government agencies from the provisions of the Act, citing national security, public order, law enforcement and so on. But Section 4 will still prevail despite these two sections.
- Section 92, which relates to the guidelines for processing biometric information; the only other legislation to have a similar procedure is the Aadhaar legislation. The section bars the processing of biometric information unless permitted by law.
- The role of the Data Protection Authority, or DPA, which is of paramount importance when it comes to surveillance because the government is also technically a data fiduciary and, more importantly, many of its legal constraints are removed by the provisions contained in Sections 35 and 36. The DPA must then ascertain whether or not the data can be used, what constitutes reasonable cause for such collection, dissemination and perusal by government agencies, and whether or not it is within the mandate of the legislation. The DPA has no judicial members in the latest draft and is to be an executive committee, which will certainly affect its autonomy. Sometimes the government simply does not appoint more members and the post is kept vacant, as was seen in the case of the Cyber Appellate Tribunal. As we can see, the DPA holds the reins and must therefore be given complete autonomy, without any governmental or external interference in its daily workings.
Recommendations to Curb Excessive Government Oversight and Counter Exemptions
- Judicial review of data access by government agencies: There must be greater control over the misuse and abuse of personal data. To that end, there must be judicial oversight, and any and all data that the government is meant to scrutinise should have a valid and legitimate purpose in accordance with the requirements of a bench of judges, an independent judge, a court designated for this express purpose, or judicial members in the DPA. There must be several mechanisms in place, such as an appeals mechanism against the judgement, and there must also be accurate, fair and unbiased reporting and notice both before and after the data is to be scrutinised. This is one of the recommendations of the Srikrishna committee report.
- The Statement of Objectives and Preamble of the Bill must be unequivocal: There must be clear and unequivocal support both for administration and public order and for the right to privacy of all citizens. The aforementioned parts must clearly specify the bona fide use of such data, and they must inspire confidence in critics and stakeholders of the current Bill.
- Bodies to monitor the functioning of these state agencies: There must be oversight bodies to monitor the functioning and inner workings of the agencies, as far as is permissible and does not constitute a threat to public safety or national security. These bodies must release reports and give statements on the work being done by the agencies, what kind of data is being collected and for what purpose, which data fiduciaries are especially targeted, and whether or not the norms for such collection and subsequent scrutiny are being held to the highest ethical standards. The oversight should also extend to reporting on independent and fair-minded members of the DPA, who should have no ties to the government and no well-founded allegations of bias against them.
- Amendments in the Bill: There must be amendments in the Bill, especially under Section 35, wherein blanket exemptions are given to the state agencies vis-à-vis the collection of data, and there should be narrower and more specific definitions of ‘public order’ and ‘national security’. Furthermore, notification should be given to the data principal whose data has been collected, and there should be a means of redressal and a mechanism to appeal. The Bombay High Court judgement is very clear as to evidence collected from disproportionate surveillance: any and all such evidence must be inadmissible in a court of law. These standards must be upheld, and agencies must work within these broad parameters.
- Whistleblower protection: There must be protection for whistleblowers who lift the lid on the state agencies’ high-handedness and excessive control over data for unconstitutional and illegal purposes. All too often we have seen that whistleblowers who rightly speak out against undue government surveillance, as in the case of the Pegasus scandal or the more controversial Edward Snowden scandal, are punished by the State. There should also be Data Protection Officers who go through interception warrants and requests for data to ensure they conform to the proportionality standards of the Bill.
Present Role of the DPA and Flaws in the Legislative Framework
The Bill calls for the establishment of a DPA, which will have authority over the processing of data by data fiduciaries, both private and state. The DPA has a legal obligation to protect the interests of the data principal and to ensure compliance with the provisions of the Bill. So can the DPA take action against the state if it fails to comply? The DPA can either take suo motu cognizance of the misuse of data, or it can receive a written complaint from a data principal alleging misuse of data or some other lapse. The DPA must then appoint an inquiry officer to investigate the allegations and prepare a report. If the complaint is found to be well-founded, the DPA can reprimand the data fiduciary, or it may even suspend the activities of the errant data fiduciary. The government, however, has been given extensive exemptions under Section 35. Furthermore, in the 2018 draft the exemption was subject to the standards laid down in the Puttaswamy judgement, but these have been done away with in the present version. In that judgement, it was laid down that the agencies would be given sanction only if the action is a) authorised by law; b) in accordance with the law; and c) necessary and proportionate. The present Bill, however, has the opposite effect, with its range of exemptions and no practical oversight. Under the present draft, the data principal may never be notified of the processing of their data. Therefore, without such changes, the DPA cannot protect the data principal.
Recommendations to make the DPA more Transparent and Independent
- Part-time members and better structure: The Bill should retain the structure of the DPA contained in the 2018 draft version. The Bill must also make space for part-time members instead of only full-time members. India has regulators with both part-time and full-time members; part-time members encourage more debate and bring dissenting views. Furthermore, part-time members will not be too entrenched in the system, which will allow more voices to be heard. For example, academics and industry experts could become part-time members. This model has definitely worked for TRAI, and there should be space for it in the DPA as well.
- The problem of delegated legislation: The rules must be strengthened, as much has been left to delegated legislation; the Selection Committee for members, the procedure for meetings, the number of nominees, the time spent on deliberations and so on are too important to be left to the DPA. These issues must be clearly embedded in the rules. Furthermore, the Selection Committee must have fewer government representatives and more independent voices in order to ensure a free and fair balance in the deliberations.
- Better legislative framework: The Bill says that the processing of data must be ‘fair and reasonable’, which is far too vague, and if it comes to litigation the court proceedings would never There are no prescriptive parameters within which this phrase is limited. It does not allow for any innovative mechanism or any measure to enhance privacy. The Bill needs to set the rules clearly, make the important considerations for the just collection and processing of data, and clearly define what the data is used for.
- It needs to realise the value of data: There must be strict punishments for any breach of data and strict controls on cross-border data transfers. There should be heavy penalties on the data fiduciaries that breach these standards, and these fines can be ploughed back to fund the activities of the DPA, making it a self-sustaining body with minimal financial assistance from the government’s coffers.
- Transparency and consultations: The DPA must be completely transparent in its functioning. Whenever it has to put new rules in place or advise on a matter that concerns the public interest, it should hold consultations and meetings with all the stakeholders, take due note of any and all objections, suggestions, appeals and concerns, and come to a conclusion that is acceptable to all stakeholders, or at least a majority of them. Instead of necessitating the use of RTI, the DPA must go one step further and allow users and concerned individuals to ask relevant questions on its site or via email, and answer all of these in an FAQ section on its website.
- Hiring decisions and top management: The DPA should not consist solely of career bureaucrats and should recruit from a wider pool of candidates. Mid-level and lower-level recruits should not be confined to the government or to a particular geographical area. Recruitment must be thrown open to all eligible candidates across the country, and the DPA will need qualified researchers and lawyers, especially when drafting new laws on privacy and guidelines for data collection and processing. The top official can be a bureaucrat or a retired IAS officer, but after some time the post must transition to qualified and vocal persons with significant experience and expertise in the relevant domains.
Several much-needed measures must be taken to improve the Bill. The government must come forward and clarify the use of certain vague terminology in the Bill, and it must invite stakeholders to engage and address their concerns before moving forward to enact this legislation. It must do more to protect the rights of users and to accommodate the interests of the various stakeholders.