
Personal Data Protection Bill: The Consent Black Hole

If the Personal Data Protection Bill was meant to be a shield for citizens, Clause 14 is the self-destruct button.

(Image: pxhere/BloombergQuint)

The bedrock of the Personal Data Protection Bill, 2019, which is currently being scrutinised by a Joint Parliamentary Committee, was supposed to be ‘informed consent’ – that no data would be collected from a citizen unless their consent was taken in a manner prescribed by the law.

The consent requirement flows from the fact that privacy is a fundamental right meant to protect the autonomy of a citizen. The stringent requirements for taking consent in Clause 11 of the Bill include the requirement that the consent be free, informed, specific, clear as to its scope and capable of being withdrawn. All of these requirements are lovely, except the Bill then proceeds to carve out a massive exception to the consent requirement if data is being processed for ‘reasonable purposes’.

In pertinent part, Clause 14 of the Bill defines ‘reasonable purposes’ to include three particularly contentious categories: credit scoring, recovery of debt and the operation of search engines. The first two existed in the draft version of the bill as drafted by the Justice BN Srikrishna Committee while the last was added by the government to the version introduced in Parliament.

Each of these three categories is problematic for the reasons that follow.

Credit Scoring

Credit scoring agencies are some of the oldest data brokers in the world. They collect credit information, such as repayment rates of individuals, from banks and financial institutions, and use that data to give scores to each individual. That score determines the credit-worthiness of a person, i.e. whether the person is likely to repay loans on time. This score then affects the rate of interest that a person has to pay for loans. The poorer the credit score, the higher the interest rate. A bad credit score could also mean that a person will not be given a loan by any financial institution.

While relatively new to India, credit scoring has existed in countries like the United States for many decades. In India, there is a law called the Credit Information Companies (Regulation) Act, 2005 which allows the Reserve Bank of India to regulate how credit information companies operate in India, and how banks and other financial institutions share data with these and other companies.

However, there is also the emerging fintech industry that operates in a legal grey zone. Many of these companies collect credit information from non-traditional sources and are not really regulated by the RBI under the Credit Information Companies Act, 2005. A few months ago the RBI had cut off banks from sharing credit data with these emerging fintech companies because they are unregulated. But the fintech companies can collect data from other sources. In one case reported by Huffpost, a well-known fintech company called Credit Vidya was allegedly collecting credit information through a music app that it had launched. This app would allegedly scan text messages to collect information from messages sent by a bank to the customer and use the data to evolve its own credit scores. Whether the users were giving ‘informed consent’ to the app in question is not clear, which is why having statutory protections such as Clause 11 is important.

When it is well-known that the fintech industry is operating in the grey area of the law, it makes little sense to exclude the industry from the consent requirement.

Debt Recovery

The other controversial exemption from the consent requirement is debt recovery. This again is a surprising exemption given how nasty the debt recovery business has been in India. There is a whole range of specialised debt recovery agencies that are commissioned by banks to recover bad loans or credit card payments. These agencies are known to have engaged in abusive practices, and banks themselves are known to have adopted public shaming tactics such as publishing photographs of defaulters etc. in the press.

Given the nature of the debt recovery ecosystem in India, banks should be required to ask consumers for informed consent as per Clause 11 before they are allowed to share information with any third party. The PDP Bill may just turn out to be the law that protects borrowers from thuggish debt recovery agencies. Yet for reasons not clear the government has exempted the entire industry from the requirement of informed consent.

The Operation Of Search Engines

This exemption for search engines from the consent requirement was added by the government to the Srikrishna Committee’s existing list of exemptions. It is astounding to say the least. We may as well call this the ‘Google exemption’ because of its overwhelming domination of the search engine market.

It is no secret that search engines like Google collect a whole range of user information, even if the user is not ‘signed in’ while operating its search engine. The data then goes to fuel Google’s algorithms that run its advertising business. The fact that search engines like DuckDuckGo are marketing themselves as the antithesis to Google’s practices—in that they guarantee privacy—is evidence that the data collected by search engines is exceptionally valuable. So why then did the government exempt search engines from the consent requirement? Hopefully, the Joint Parliamentary Committee will pose that question to the government during its review of the bill.

Safeguards In The Absence Of A Consent Requirement

Clause 14 of the PDP Bill uses language to indicate that the proposed Data Protection Authority will lay down, through regulations, such safeguards as may be appropriate to ensure the protection of the rights of citizens in case information is being collected for reasonable purposes without the consent of citizens. It is not clear why these safeguards are not being spelt out in the Bill itself instead of being delegated to the DPA. Since the nature of the credit-scoring and debt recovery industries, and the manner of operation of search engines, are known to the government, it makes no sense for the government to not specify the safeguards in the law.

The same clause also states that it will be up to the DPA to decide whether these entities exempted from the informed consent requirements have to comply with the provisions of Clause 7 of the DPA, which has an extensive list of information that must be disclosed to the citizen by companies processing data at the time they collect data. This includes the purpose of collection, the nature and categories of data being collected, the basis of such processing, the source of such collection, the procedure for grievance redressal, the existence of a right to file a complaint etc. This notice requirement is all the more important at a time when consent is being taken from citizens. Once again, it makes no sense to vest in the DPA the discretion to do away with this requirement.

If the PDP Bill was meant to be a shield for the protection of citizens, Clause 14 is the self-destruct button for that shield. Hopefully the Joint Parliamentary Committee will ask the government some difficult questions on these clauses.


T Prashant Reddy is a Bengaluru-based advocate and co-author of ‘Create, Copy, Disrupt: India’s Intellectual Property Dilemmas’.

The views expressed here are those of the author, and do not necessarily represent the views of BloombergQuint or its editorial team.