The Legal Journal On Technology

INDIA’S UPCOMING DATA PROTECTION BILL AND ITS LOOPHOLES WITH BLOCKCHAIN

ABOUT THE AUTHOR: Musa Saidu is a second-year law student at Ahmadu Bello University, Zaria, Nigeria.



While European policy makers were debating and finalizing aspects of GDPR, blockchain wasn’t on most people’s radar.[i]


The right to privacy is a fundamental human right of every individual. It is a universally recognized right that every individual is guaranteed, with limitations in some exceptional and necessary situations. Before the internet boom, people were largely in charge of their privacy and of information about them; they chose what information could be shared publicly and what could not, and the responsibility lay solely on the individual’s shoulders. After the emergence of institutions and organizations that operate by gathering and processing people’s personal data (such as names, addresses, religion, financial information, etc.), be it a government institution or company that holds and processes the data of its employees, or any company for which personal data collection and processing is necessary for its operation, such as online gaming companies, this responsibility became somewhat divided between the individual and the institution storing his data. As a consequence, the notion of individuals having total control over their data began to take a different dimension. The notion became more complex when technology, inventions and automation became the order of the day and data collection and processing came to be done by automation technologies.


This calls for legislators to amend existing laws or even make fresh ones that will incorporate and guide the operations of the institutions holding individuals’ personal data. Many steps have been taken to ensure that people’s right to privacy is realized in this era of technology. But technological inventions are growing exponentially, leaving the laws meant to address them lagging behind and playing catch-up. The reason for this disproportionately inverse relationship between the laws and technology is that “…technology shifts, pivots and morphs at a speed much greater than laws and regulations are designed to move.”[ii] An example of a law that regulates the processing of data by institutions is the EU’s General Data Protection Regulation (GDPR), from which many countries derived their own data protection laws. India’s Personal Data Protection Bill, 2019 was also derived from the GDPR to reflect the country’s domestic concerns on personal data.


India’s Personal Data Protection (PDP) Bill, 2019 was introduced on 11 December 2019 by Mr. Ravi Shankar Prasad, the Minister of Electronics and IT, as an amendment to the Information Technology Act, 2000, which proved to be largely ineffective given the increasing number of privacy breaches and data compromise cases in the country. The Information Technology Act was ineffective because of loopholes in the Act, which fails to put restrictions on the conduct of data trustees (fiduciaries) who are found to be unethically processing people’s personal data to their detriment. Another major failure of the current Information Technology Act is that the limitations in the Act can be easily breached through contracts.[iii] Although the bill flawlessly addressed certain issues, it has missed another important factor: blockchain. The PDP Bill came along with 89 amendments and a new clause in its final draft. The PDP Bill seeks to, inter alia, provide protection for the privacy of individuals, accountability of entities processing personal data, and remedies for unauthorized and harmful processing of their data. Although the committee has had close to 800 representations from a cross-section of industry, lawyers, associations, non-profits and public representatives, with sixty-six meetings and close to 160 hours spent on deliberations,[iv] it is surprising that the mystery of blockchain technology and the loopholes it creates in the new bill remain unresolved.


Blockchain is a decentralized, distributed ledger of transactions which records information in a way that is difficult or impossible to change. The records are duplicated and distributed across the entire network of computers that holds the system. One of the most outstanding features of blockchain is that it is a decentralized system, which means it is not controlled by a single system and is therefore difficult to hack. The decentralization also makes it impossible for the system to be monitored by a government, as there is literally no one person to be held accountable for whatever happens during its operation.


THE PDP BILL LOOPHOLES WITH BLOCKCHAIN


The word “blockchain” is never mentioned in the PDP Bill, but there are provisions in the bill that prohibit data fiduciaries from operating or processing personal data in the way that blockchain does. Blockchain can be categorized as a data processor under the PDP Act because of the similarities between its function and that of the “data processor” mentioned in clause 3(15) of the bill. As such, all of the obligations conferred on a data processor must fall on blockchain too, but the reverse is the case.


The first problem with the coexistence of the PDP Bill and blockchain is the very nature of blockchain: it is decentralized and not answerable to any government authority, whereas the PDP Bill was meant to ensure that people have more control over their data, subject of course to the government regulations contained in the PDP Bill. If blockchain is not answerable to any government authority, it automatically escapes all the provisions of chapter 10, which relates to penalties and compensation, and skips responsibility under clause 10, which relates to compliance with the provisions of the bill. Blockchain is such a big loophole in the PDP Bill that its operation and consistency with the new bill were not even contemplated.


Another problem is that the records of blockchain operations are immutable, which is a direct violation of clause 18 of the bill, which gives a data principal the right to correct and erase his personal data when such data is changed or when he thinks it is no longer necessary for the data fiduciaries to retain such information. A similar conflict is found in clause 9, which restricts retention of personal data beyond what is necessary: a data fiduciary shall delete the data at the end of the processing. But blockchain operations are neither mutable nor erasable. Associated with this violation is clause 20, which provides for the right to be forgotten, whereby a data principal has the right to restrict or prevent the continuing disclosure of his personal data by data fiduciaries. The entire system of blockchain, however, is based on a “distributed ledger” which shares the records with many computers whose operators the data principal does not even know, and of course the records remain permanent.


Blockchain also exempts itself from the provisions of chapter VI, which provides for transparency and accountability measures. Since it is a decentralized system, there is no one to be held accountable for any misconduct, and that has rendered the provisions of chapter VI literally useless with regard to it. Individuals who suffer a breach of their personal data are on their own and cannot seek redress or compensation as provided in clause 32, whether from the blockchain network itself or from a court of law. This makes one wonder whether chapter VI of the PDP Bill has done anything to protect individuals in this regard. And again, blockchain has defied the power given to data fiduciaries in clause 32 to “have in place the procedure and effective mechanisms to redress the grievances of data principals efficiently and in speedy manner” because there is no one to call to account for violations in a blockchain network.


CONCLUSION


Blockchain is security-oriented: it ensures that personal data is kept as secure as possible during and after processing. The PDP Bill, in turn, is meant to give people more control over their data, to ensure minimal intrusion into and breach of personal data, whether by the government itself or by cybercriminals, to hold intruders accountable, and to provide redress for data principals. Although both seek to protect individuals, their coexistence is paradoxical, as blockchain stands in clear contrast with the provisions of the PDP Bill.

Blockchain technology has its usage and importance with regard to guarding the privacy of individuals, perhaps the best so far, but when it has the potential to defy an existing law, its very existence could be regarded as illegal in relation to the country whose law it contradicts. Either the PDP Bill is amended to specifically address blockchain, or blockchain should be banned until an appropriate law is made to regulate it.

[i] Anne Toth, Will GDPR Block Blockchain?, WORLD ECONOMIC FORUM (May 28, 2018), https://www.weforum.org/agenda/2018/05/will-gdpr-block-blockchain/.

[ii] Ibid.

[iii] Parul Bhati & Aditya Gupta, The Personal Data Protection Bill, 2019 – Making Right to Privacy Fundamental, IPLEADERS (accessed May 5, 2021, 12:38 PM), https://www.google.com/amp/s/blog.ipleaders.in/personal-data-protection-bill-2019-making-right-privacy-fundmental/amp/.

[iv] Surabhi Agarwal, 89 Amendments, 1 New Clause in Final Draft of India Data Protection Bill, THE ECONOMIC TIMES (Jan. 07, 2021, 10:20 PM), https://www.google.com/amp/s/m.economictimes.com/tech/technology/89-amendments-1-new-clause-in-final-draft-of-india-data-protection-bill/amp_articleshow/80144191.cms.
