The draft Personal Data Protection Bill, 2018 (PDP Bill) has arrived at an opportune moment – at a time when the collection and use of our personal data have become a ubiquitous aspect of day-to-day life.
The Bill’s focus on securing informed user consent for the processing of all personal data marks a step forward from the framework under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (IT Rules). Under the IT Rules, user consent was required only for the collection, use or disclosure of sensitive personal data, unlike the new Bill.
In order for user consent to be valid under the Bill, it must be freely given, specific, clear, capable of being withdrawn and, perhaps most importantly, informed through a clear and detailed notice which is provided at the time of collection. While providing comprehensive notices to secure consent for the use of data at every stage is a good guiding principle in theory, it may be tricky to enforce in practice.
This is particularly so for users who rely on Internet of Things (IoT) devices, which operate in a highly interconnected environment. For notice to be considered meaningful, a user of an IoT device should be able to understand how and why their personal data is being used and, in the case of sensitive personal data, the consequences of the use of that data.
Inundating users with multiple lengthy notices to gain their consent at each instance of collection will likely lead to consent fatigue and may not be the best way to secure meaningful consent.
Additionally, providing notices for devices that lack interactive user interfaces or display screens will prove to be a challenge as well. IoT developers in India will need to coordinate with the Data Protection Authority to develop practical guidelines to work around these issues.
The Consent For Collection Is Not As Easy As It’s Defined
The Bill’s provisions on purpose and collection limitation may throw up some operational challenges as well. Data fiduciaries under the Bill can only collect personal data for purposes that are clear, specific, lawful and communicated in advance.
While this limitation is necessary to protect individual privacy and prevent the misuse of data, it may not be practically enforceable for IoT enabled environments like smart homes, smart cars and smart cities that build on interconnected datasets to arrive at conclusions.
For instance, it may be difficult to determine the exact purpose of data collection beforehand in an environment where the uses for the same datasets are evolving constantly.
In fact, strict purpose and collection limitation may even work against the functionality of certain devices and applications, such as in the case of home security systems. For example, how will video-enabled smart doorbells that capture facial images of visitors ringing the doorbell inform such visitors of their image being captured without defeating the purpose of installing such cameras in the first place? This problem is compounded in the case of sensor-based devices that operate without any user interface.
The Bill is certainly progressive in its adoption of high standards for the protection of individual privacy. However, businesses looking to comply with the Bill will find it challenging to adhere to its strict requirements in the absence of any practical guidance. Given that non-compliance with the Bill can attract harsh civil and criminal penalties, clarity on all aspects of the Bill is essential for data-heavy businesses.
What Is Purpose & Collection Limitation?
Section 5 of the draft Personal Data Protection Bill, 2018 (“Bill”) proposes that data shall only be processed for purposes which are clear, specific and lawful. However, the Bill allows processing of data for any other incidental purpose that the data principal would reasonably expect the personal data to be used for depending upon the circumstances and context in which the personal data was collected.
Section 6 of the Bill stipulates that data shall only be collected if the collection of such data is necessary for the purpose of processing.
What Is The Objective Behind Purpose And Collection Limitation?
Since there is a relationship of trust between the data fiduciary (the entity collecting and processing the data) and the data principal (the individual whose data is being collected and processed), the objective of purpose limitation is to ensure that the data which is collected is only used for the purpose for which it is collected and not for any other purpose which was not disclosed to the data principal at the time of collection. The objective of collection limitation is to ensure data minimisation.
What Is The Problem With Purpose And Collection Limitation?
Purpose and collection limitation are based on the assumption that for consent to be valid, vaguely mentioning the purpose for collection is not sufficient and therefore, the purpose needs to be specific. However, the problem with this assumption is that it presupposes that each purpose for which the personal data may be used in the future can be determined at the time of collection.
However, this is not so, as the data may need to be used for certain purposes that could not be anticipated at the time of collection. Therefore, a vague purpose specification in a form such as “improving user experience” should suffice, as it is a valid and lawful ground for the processing of personal data.
By using new Big Data technologies, organisations can answer questions in seconds rather than days, and in days rather than months. This acceleration allows businesses to enable the type of quick reactions to key business questions and challenges that can build competitive advantage and improve performance, and provide answers for complex problems or questions that have resisted analysis.