Digital Personal Data Protection Bill – How It Fails to Check Abuse of Data in Data Driven Businesses
Data is widely acknowledged as the new oil and new gold, for the immense value it holds. The World Economic Forum declared that big data is an asset class like gold or oil. India houses about 17% of the world’s population. For a country that is likely to contribute one-fifth of the world’s data, the benevolence allowed to private data fiduciaries under the recently released draft Digital Personal Data Protection Bill is rather disturbing.
Unlike earlier versions of the Bill, “deemed consent” is presumed in respect of digital personal data collected for any legitimate purpose. There are no provisions for withdrawing deemed consent, once given. Neither does the Bill place any restraints on the data fiduciary against transfer of data (collected by the data fiduciary) to third parties. Further, it is unclear from the Bill whether, when a request for erasure of data is made, the personal data would need to be prospectively deleted from metadata records of all third-party transferees of the personal data. This is poignant since no other laws in India regulate the abuse of data by data-driven businesses.
In other countries, laws adjacent to data privacy legislation, like the California Consumer Privacy Act (CCPA), regulate digital personal data collected by businesses. The CCPA casts a duty on the data fiduciary to initiate processes for erasure of personal data transferred by it to any third parties, when a request for erasure is made by a data principal. In the same vein, the recently released Digital Markets Act of the European Union restrains big-tech gatekeepers from combining customer data collected from one service they offer (e.g. Google Pay) with customer data from another service they offer (e.g. Google mail) without the explicit prior consent of the customer.
Unlike the United States, India’s consumer protection law does not explicitly lay down guard rails pertaining to processing of personal data of consumers. India does not yet have the equivalent of the European Union’s Digital Markets Act. In India, the Competition Commission of India (CCI) did recognize that abuse of data is likely to occur by virtue of data-driven business models, while it considered anti-trust practices by Google in the matter filed by Matrimony.com against Google. But the CCI did not order an investigation into whether Google abused its access to large-scale data of users.
An ominous lack of regulation of use and abuse of personal data of customers/users in data-driven business models turns into a weak link in India’s legal infrastructure for protection of digitized personal data. This has multi-fold impacts: it not only affects an individual’s data privacy, but also extends to harming competition in India.
Take, for instance, the 9000 orders received per minute by Swiggy on New Year’s Eve last year. This translates into about 6 million orders in a single day (12 noon to 12 midnight). Swiggy uses the data insights from its customer orders to dangle the “discoverability” carrot and get more restaurants on board its platform. But it does not stop at that. Swiggy also runs its own cloud kitchen (e.g. The Bowl Company), presumably informed by the big-data insights it has on customer behaviour, price and popular products purchased from its platform. By doing so, Swiggy cannibalizes the market, making it hard for new entrants to the food/restaurant industry to thrive without listing themselves on Swiggy. Once these restaurants do list themselves on the platform, they are subject to high commissions, deep discounting and non-transparent preferencing of vendors, making it even harder to compete and stay in the market.
The previous example of data being used to stifle competition can be applied equally to all digital marketplaces, including consumer goods marketplaces, ride-hailing platforms, and food delivery platforms. Despite this, India has a vibrant e-commerce landscape with more than 300 funded marketplaces across multiple categories (retail, education, healthcare, travel, financial services, etc.). As of today, in India, around 20 marketplaces have achieved more than $1 billion in Gross Merchandise Value (GMV), and many players have turned profitable. In the future, India will leverage e-commerce and move towards an increasingly digitised base of online shoppers and small businesses. But how can this be done without compromising the right to data privacy of individual users, and without stifling competition by using data to cannibalize the market?
The answer lies in a robust data privacy law, which must delineate user data from sensitive personal data and give clear notice to the data principal regarding the purpose for which the data is being collected, how it will be processed, third-party transfers and the period for which it is likely to be retained. The scope of deemed consent must also be significantly reduced to cover only instances where collecting consent is either impractical or unnecessary. Lastly, India also needs to amend its Consumer Protection Law and Competition Law to regulate data collected by businesses from users, to avoid abuse of access to data in data-driven businesses. Without guardrails against abuse of data, the promise of digital commerce is likely to be just a flash in the pan.
Chief Executive Officer at Wadhwani Centre for Government Digital Transformation
Very well written, Nivedita.