Though the draft rules for the Digital Personal Data Protection Act, 2023, released earlier in January are intended to protect persons with disabilities, disability groups say that a key provision is likely to do more harm than good.

Section 9(1) of the act mandates that consent for disclosing personal data of persons with disabilities must be routed through their lawful guardian, wherever appointed.

The law reflects a lack of understanding of lived realities, they say.

Section 9 of the act requires a data fiduciary – a person or institution collecting personal data – to obtain the verifiable consent of the legal guardian of the person with disability (where such guardian has been appointed) to gather their personal information.

Persons with disabilities worry that compliance with this would mean that data pertaining to a person’s disability and legal guardianship would be collected even when unnecessary.

There are no additional safeguards pertaining to sensitive personal data under the act. Persons with disabilities suspect that such practices could cause further digital exclusion.

Second, the Digital Personal Data Protection Act embodies an incomplete understanding of guardianship and the role of the guardian in relation to persons with disabilities.

Though the draft rules clarify that “legal guardians” are guardians appointed under the Rights of Persons with Disabilities Act, 2016, or National Trusts Act 1999, the rules overlook a crucial dichotomy.

Guardians for persons with cerebral palsy, intellectual disabilities or autism may be appointed under the National Trusts Act. Under this law, guardians are allowed to make decisions on behalf of the person with disabilities. This is called “substituted decision-making”.

But the Rights of Persons with Disabilities Act takes a diametrically opposite approach when it comes to the role of the legal guardian. It enables supported decision-making, which means that the guardian supports the person with disability to arrive at a decision and then execute the decision. The Rights of Persons with Disabilities Act upholds the principle that all persons with disabilities have legal capacity to make decisions, to enter into binding agreements and to undertake legal actions.

However, a survey conducted by Pacta and Saksham last year of 100 respondents with disabilities and 100 respondents without disabilities, to understand digital access and its challenges, shows that legal guardians manage all affairs of persons with disabilities, disregarding their legal capacity and acting in violation of the scope of authority of legal guardians under the Rights of Persons with Disabilities Act.

The Digital Personal Data Protection Act is proposed to be built on the shaky implementation of guardianship law in India, leaving persons with disabilities in the lurch.

Third, the act combines the provision on data protection pertaining to persons with disabilities with the section on children’s data. Disability groups and activists are offended by such an infantilisation of persons with disabilities.

Fourth, Section 9(1) compels persons with disabilities who have a guardian to provide consent through the guardian only. This would result in persons with disabilities being denied autonomy and personhood, contrary to the rights recognised under the Rights of Persons with Disabilities Act and the United Nations Convention on the Rights of Persons with Disabilities, notes Bengaluru’s Centre for Law and Policy Research.

Finally, exclusionary practices have been built on misinformed perceptions and interpretations of the term “legal capacity”, assuming persons with disabilities do not have legal capacity. For instance, persons with disabilities are often denied access to banking and ATM cards even though the law endows them with the necessary legal capacity to contract and engage in commercial transactions. Similarly, persons with disabilities are refused insurance even though they are earning and contributing members of the family, and are sometimes not allowed to purchase property in their own names.

This creates practical impediments to the exercise of full decision-making capacity of persons with disabilities.

Rather than imposing the role of a guardian to determine data sharing preferences of persons with disabilities, the Digital Personal Data Protection Act should instead mandate that necessary support be made available to persons with reduced decision-making capacity such that they are able to act autonomously and not through any other person.

This is the approach that Australia takes in its data privacy law.

Finally, the rules should mandate compliance with the highest accessibility standards in respect of privacy notices, consent forms and dispute resolution mechanisms to ensure that all digital resources and consent processes are accessible to persons with disability.

The full text of the report and primer released by Pacta & Saksham can be accessed here.

Nivedita Krishna is the founder and director of Pacta, a law firm and research think tank committed to closing gaps between the intent and implementation of the law.