Privacy has been recognised as a fundamental right by the Supreme Court and with that clear, a data protection law is the need of the hour. It is widely expected that a version of the Personal Data Protection Bill, 2018 (“bill”) in India, as proposed by the Justice Srikrishna Committee, will soon be tabled before the parliament.
The bill will clearly cement the position of the individual (i.e. data principal) as the owner of their personal data. But more fundamentally, it will introduce the concept of data processing entities as “data fiduciaries”. This trust-based language implies that responsibility of data fiduciaries would not end with compliance to prescriptive rules (such as notice and consent, purpose specification, data minimisation etc.) They will also be required to ensure that the interest of the data principal is accounted for at every stage of processing of personal data.
For example, a data fiduciary, may, while seeking personal data for providing a specific service (say home loans), also give separate notice and seek consent for processing such data for an unrelated activity (for example marketing for other financial products such as insurance or portfolio management).
In such a situation, the notice and consent may, by itself, not be considered as sufficient as the data principal may not read the notice, or not understand it, or may not be able to contemplate how her data can be used or combined with other collected data to have consequences for her. Therefore, a data fiduciary, while seeking consent for the primary purpose, may also have to evaluate whether it is fair and reasonable to seek consent for the processing of personal data for a separate and incompatible purpose.
Identification Of Personal Data
Even the identification of “personal data” as defined under the Indian Data Protection Bill, will be an exercise in evaluation by the data fiduciary. Any data by which a natural person can be identified, including by combining such data with other data, would be classified as personal data under the bill. Identification of personal data is trickier than it appears in the first instance, as the definition is not qualified by the requirement that the individual should be “reasonably identifiable” through the data under consideration.
Even pseudonymised data, where specific personal details are excluded, may qualify as personal data if it can be used with any other available data to identify the individual, under the personal data protection bill in India. The anonymised Netflix Prize dataset, which was used by researchers in combination with IMDb user ratings to demonstrate re-identification risks, is a case in point. Therefore, data fiduciaries will need to relook at their entire data set to evaluate whether any data, which is currently not identified as personal, can be treated as such under the new law and reset their processes to comply with the bill.
Challenges Under India Data Protection Bill
Fintech companies will also need to address the challenges arising from the classification of “financial data” (including any personal data regarding the relationship between a financial institution and a data principal including financial status and credit history) and data relating to behavioural characteristics — which is included in “biometric data” — as “sensitive personal data” (SPD) under the bill.
The term “behavioural characteristics” can encompass a wide gamut of personal data. Behavioural and financial data is often processed not only to offer existing products and services, but to innovate, design or customise new products and services as well, some of which may not even be identifiable at the stage of data collection. However, as SPD, such data will be subject to stringent requirements relating to explicit consent and restrictions on storage and processing outside India.
Therefore, fintech companies will have to establish processes to ensure that the processing of such data complies with the requirements of “explicit consent” at all stages and for different purposes.
Burden Of Proving Consent
The draft for the data protection bill in India also shifts the burden of proving the existence of consent from the data principal on the data fiduciary. This is significant as consent is the principal ground for the processing of personal data under the bill. The consent must be “free”, “informed”, “clear” and “specific”. Consent can be considered “informed” only if it is based on clear and understandable disclosure of information as prescribed in the bill, such as for purposes of the processing, categories of personal data being collected, individuals or entities with whom such personal data may be shared, to the data principal.
Therefore, data fiduciaries need to design their user interfaces to provide clear disclosure. They will also have to determine whether, based on linguistic, class and other social differences in their customer base, the same interface can be considered as sufficient and compliant for all their target audience. For example, would the user interface have to be available in different languages for different audiences? Can notice and consent which is designed for processing personal data for education loans, be replicated and be compliant with law, where the loan is targeted at low-income customers whose education status may be very different?
Another aspect of valid consent is that it must be “free” and “specific”. Therefore, bundling of consent for divergent and non-dependent purposes would need to be avoided. Consent has to be designed in a manner that it allows the data principal to pick and choose different purposes for which consent is being sought if such purposes can be fulfilled or achieved independent of each other. A consent design, which is based on consent for all or none, may run the risk of not being considered free, as denying consent for one purpose would result in denial of other desired service or goods which are unrelated. For example, a data principal while giving consent to process personal data for providing a home loan should be able to deny consent for the processing of the same data for marketing other financial products, without running the risk of not being able to proceed with the home loan procedure on account of such refusal.
Providing A Framework For Data Sharing
Clearly, India’s personal data protection bill seeks to create a culture of “privacy by design” for data fiduciaries. However, despite being put at the centre of the privacy compliance regime, such a law should be welcomed by businesses which are data driven. The explosion of data-based businesses, which create efficiency and value for consumers, underscores the fact that the real value of personal data, even for the data principal, lies in the ability to share personal data without losing control over it.
Personal data protection law can provide the framework to enable such sharing. In the absence of a statutory data protection law, data exchanges could increasingly become subject to regulation through judicial interpretations, which would determine rights based on the contest between competing interests, rather than rules evolved for collaborative co-existence of rights and interests of different stakeholders.
For example, it is arguable that the Supreme Court may have taken a more tempered view of the use of Aadhaar by private parties if a robust data protection law has already been in place.
Therefore, rather than becoming a speed breaker for growth industries such as fintech, the existence of such a law can, in fact, provide greater certainty and validation for such businesses and can prevent extreme adverse regulatory or judicial impact in the long term.