In an episode of the sci-fi series Star Trek, the crew of the spaceship ‘The USS Enterprise’ chance upon the planet of a horrendously scary alien: Balok. The anticipation of encountering Balok drives most of the crew into a frenzy. It is only much later divulged that Balok’s ghoulish appearance is a ruse, and that the actual Balok is timid and infantile. The ruse had been to scare intruders away from his home planet.
It wasn’t too long ago that previous versions of privacy legislation, with severe restrictions on cross-border transfer and intermediary obligations, drove Indian corporates into a similar frenzy. Yet the latest version, much like Balok’s true form, appears much less scary.
The current version, which interestingly includes ‘Digital’ in the title, is a bare-bones version of a necessary privacy legislation. Gone are the previous mentions of ‘Non-Personal Data’ and the attempt to sort data into various categories (sensitive, critical). Also gone are the restrictions around cross-border data transfer. Anticipated Rules (under this Act) and an upcoming ‘Digital India Act’ are assumed to elaborate on what has been left out.
The removal of categories of personal information would seem to imply that all personal information would require the same degree of consent, protection, and restrictions. Readers will know of the segregation of health data, biometric data, etc. in the European privacy legislation, the General Data Protection Regulation (GDPR). An obligation to treat all categories of data with the same level of care (e.g. a database of cell phone numbers with the same care as, say, one of medical records) is unreasonable, and will add dramatically to compliance costs.
Unlike the GDPR, which prescribes six different grounds for processing data, the Indian version relies on an ambiguous ‘lawful purpose’, to be followed by the data fiduciary (processor), as the required grounds for processing. The draft Act requires the express consent of the data subject to allow their data to be processed, but also seemingly allows for the above ‘lawful purpose’ to constitute ‘deemed consent’.
The world over, ‘legitimate interest’ is replacing ‘consent’ as the primary rationale for processing. It allows usage of subject data for purposes similar to, or related to, the purpose for which consent was previously collected (emailing a customer for renewal of a membership, when that customer has previously provided an email address for membership purposes). The absence from the proposed draft of ‘legitimate interest’, specifically mentioned as an enablement for data controllers to use data, will throw up challenges for Indian corporates, who will have to resort to ensuring digital records of consent from their vast consumer database for each use of their data, resulting in steep compliance costs.