Reclaiming Data Rights

-- By NiveditaMukhija - 06 Dec 2019

The State and People's Data

Recently, the Personal Data Protection Bill, 2019, India’s first comprehensive data legislation, was introduced in the Parliament, and is now being considered by a Joint Parliamentary Committee. The Bill was introduced pursuant to the judgment of the Indian Supreme Court in Justice K. S. Puttaswamy v. Union of India, which upheld the right to privacy of an individual as a fundamental right under the Constitution. The Supreme Court in that case commended to the government to put in place a robust regime for data protection, to protect individuals’ privacy against encroachments over their data by the state and corporations. However, the proposed legislation de facto grants the state more power over individuals’ data than ever before.

For example, under Section 35, the Act in its entirety may not apply to any government agency when the government thinks it is necessary or expedient in the interest of the security of the State, public order, and other vague bases. Section 12 of the Act also allows the government an exemption from the requirement that an individual consent to his data being processed, for the provision of any service to the individual. Moreover, the sole oversight under the Act is provided by a regulatory authority (Data Protection Authority) that is to be composed of members from the executive.

Further, unlike GDPR, the Act requires certain categories of data to be stored and processed in India. Data localization is rampant in authoritarian countries such as Russia and China, and raises legitimate concerns regarding government access and surveillance over personal data, fragmentation of the internet, and economic and practical difficulties of enforcement.

Yet another contentious provision is Section 91(2), which allows the government to direct any data fiduciary to provide personal data after it has been anonymized, or any other non-personal data, in order to “enable better targeting of delivery of services or formulation of evidence-based policies.” This subjects large categories of non-personal data to government oversight, and ignores the dangers inherent in the possibility of de-anonymization of such data.

People and their Data

Through such provisions, the proposed legislation in effect grants the state something akin to an eminent domain power over all data, whereby it can access the data with minimal to no safeguards. Data is treated as a “national asset” and a “public good”, and the rhetoric of gaining autonomy over data and guarding against “data imperialism” is frequently employed. However, it is clear that the real beneficiary of the legislation is the government and not individuals, and the unbridled powers granted to the government serve its surveillance and economic interests. For example, Chapter IV of the Economic Survey 2018-2019, innocently titled Data "Of the People, By the People, For the People" speaks of how the government may grant the private sector access to select databases for commercial use for profit. Thus, the government becomes an “an active data trader for the generation of revenue to meet its fiscal goals”.

I submit that in order to honor the essence of the Puttaswamy judgment, and to put forth the protection of people’s privacy at the center of the legislation instead of commercial or state interests, people must be recognized as owners of their data.

There have been some objections to the use of such a term, rooted primarily in the fact that data should not be seen as a property right. However, the term ‘data owner’ is not necessarily rooted in property rights. Owning one’s own data should instead be seen through the prism of human rights, as reflecting the sense of autonomy one has over his or her data. Such an understanding safeguards against dangers of monetizing or alienating our data, as human rights too cannot be transacted away. This human rights-based understanding of ownership is also found in the context of ownership of our bodies and organs: it is important to us that we own our organs, but we do not have property rights in them as a matter of public policy.

In Justice K.S. Puttaswamy v. Union of India, the infamous Supreme Court decision which upheld the constitutionality of India’s biometric identification system, Justice Chandrachud’s passionate dissenting plea for privacy made it clear that a fundamental principle of data protection is that “ownership of the data must at all times vest with the individual.” Recommendations by the Telecom Regulatory Authority of India have also echoed the same rights-based view of data ownership, stating that acknowledging ownership in this context implies “that the individual must be the primary right holder qua his/ her data”, thus recognizing that “controllers of personal data are mere custodians without any primary rights over the same.”

A Protective Data Protection Act

A legislation acknowledging people as data owners would look very different, as it would assume that all primary as well as residual rights relating to an individual’s data vest with the individual, and any encroachment over the same needs to be specifically and narrowly culled out. The onus would thus be on the state to seek consent regarding usage of such data for any welfare purposes, as data would not be considered a state resource. There would also be a stark difference in the way the Courts interpret a legislation that starts with the presumption that individuals own their data, with any ambiguity interpreted in favor of the data owner.

Data ownership may not turn out to be the magic answer to resolve all of the Bill’s contentious issues, but the value of naming a right must not be underestimated. As Ujwala Uppaluri puts it, “…our rights are only as strong as our capacity to assert them. Recognizing the right is the first step in opening up the possibility of it trickling down into the people’s consciousness. As governments and technologies become increasingly intrusive, the people of this country must be empowered to safeguard their interests.” An acknowledgement that data indeed belongs to the people, as intrinsic components of our personhoods, thus assumes considerable importance.


You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.