Data Protection Bill Proposes Voluntary Identification On Social Media Platforms
(This is the fifth part in the series of BloombergQuint’s coverage on Personal Data Protection Bill, 2019. The first part on obligations proposed for data fiduciaries can be found here, the second on rights of users here, the third on data localisation provisions, here, and the fourth on impact of wide exemptions to the government, here.)
A provision in the proposed data protection law could mean increased obligations for social media intermediaries like Facebook, WhatsApp, Twitter, YouTube, etc.
In discharging these obligations, experts fear intermediaries could mandate Know-Your-Customer requirements for users, though the bill proposes it as a voluntary requirement.
The Personal Data Protection Bill, 2019, categorises social media intermediaries as data fiduciaries. Platforms that enable online interaction and allow users to create, upload, share, disseminate, modify or access information will qualify as social media intermediaries.
Within social media intermediaries, those with users above the prescribed threshold or whose actions are likely to impact electoral democracy, security of the state, public order or the sovereignty and integrity of India can be notified by the government as a significant data fiduciary.
Such social media intermediaries will have to:
- Do a data protection impact assessment if it intends to process data, do large-scale profiling, or use sensitive personal data like biometrics, genetics, etc. The assessment would have to include details of processing operation, purpose, nature of personal data being processed, potential harm that it could cause to users, measures for managing, minimising such risk of harm.
- Engage a data auditor to undertake a data protection impact assessment if the data protection authority directs so.
- Maintain accurate and updated records of important operations—collection, transfers, erasure—in the data life cycle, review security safeguards, etc.
But the more worrying aspect is the requirement vis-à-vis the users. The provision said social media intermediaries, categorised as significant data fiduciaries, must enable users to voluntarily verify their accounts. The voluntary verification should be provided with a visible mark, and the manner of verification will be notified via rules.
This provision wasn’t there in the Justice Srikrishna committee draft bill, and the legislative objective of it isn’t clear, Apar Gupta, executive director at Internet Freedom Foundation, told BloombergQuint. In the absence of such reasoning, he said, one can infer it’s to curb disinformation.
But, as a principle, a data protection law must minimise the information available with a data fiduciary and this provision is in direct conflict with it, Gupta said, adding this might give intermediaries a legal basis to ask users to link their profiles with a government identification.
It’s also my suspicion that this law may be used with the pending intermediary guidelines. The guidelines could require platforms, categorised as significant data fiduciaries, to verify users. The verification is typically linked to KYC requirement which is usually done through some kind of government ID.Apar Gupta, Executive Director, Internet Freedom Foundation
With a legal backing to demand our Aadhaar or any other government ID, social media intermediaries will be able to gather greater information about users. In many ways, this will lead to greater and more accurate surveillance and profiling, Gupta said.
Sajan Poovayya, senior advocate at the Supreme Court, pointed out a conceptual problem with the provisions for social media intermediaries. He said the information technology law was best placed to regulate social media platforms and the data protection bill should’ve limited itself to manage data.
Further, the voluntary identification provision isn’t too much of a worry at this stage since the details will come in via regulations. As long as the regulations don’t insist on a government ID as a means of identification, it should be okay, Poovayya said.
To test if the regulations are excessive, the test laid down by the Supreme Court in various judgments will apply — what is the object that’s sought to be achieved? What’s the need of identification? If it is to ensure fake accounts are weeded out, which is a rational objective, then what’s that least restrictive methodology that must be adopted?Sajan Poovayya, Senior Advocate, Supreme Court
“The emphasis is on least restrictive and not best methodology which could be Aadhaar or DNA profiling but you don’t need that,” Poovayya said. Equally, it can’t be a local club card but an institutional ID can be accepted. So the regulations would need to achieve that balance, Poovayya said.
The Personal Data Protection Bill was approved by the Union Cabinet on Dec. 6, 2019. It was introduced in the Lok Sabha by Information and Technology Minister Ravi Shankar Prasad. The lower house decided to send the bill to a joint select committee, which will include members from both houses of Parliament.