The much-awaited Personal Data Protection Bill of 2019 was introduced in the Lok Sabha last week and it has set the cat amongst the pigeons. One would think it seeks to protect the privacy of personal data, regulate the processing of sensitive personal data and establish a Data Protection Authority of India (DPAI) for regulations. Unfortunately as many feared, it grants governmental agencies sweeping exemptions from the rigours of compliance as well as the restrictions on accessing or processing personal data of private citizens. These powers can convert the world’s largest democracy into an “Orwellian state” especially in the light of the Citizenship Amendment Act that has triggered protests across the country. We dig deeper to understand the flaws and how they can be fixed.
Why do we need laws on data protection?
The European Union passed its own data protection law in 2017 called GDPR (General Data Protection Regulation) which came into action in 2018. It ensured that user data is collected with consent and that the collecting party is responsible for its safekeeping.
The Bill provides a preventive framework for the collection and use of personal data. No entity can collect a person’s data without their consent, and higher requirements apply for processing “sensitive personal data”. Its essence is to protect users from the data collection practices of tech behemoths like Facebook and Google. India has taken inspiration from GDPR.
The data protection bill should intend to make individuals the owners of their data, giving them the right to access and correct it, the right to data portability, and the right to be forgotten. One would think it is largely designed to impact how consumer data is protected and kept private.
However, the bill divides data into three categories — personal data, sensitive personal data, and critical data. Personal data generally includes all kinds of data, while sensitive personal data consists of financial data, health data, sexual data, and orientation. Unfortunately, critical data has not been defined and provides the Central Government with the power to declare any data as critical data which is frankly scary.
Data Protection Bill is filled with ambiguity and lacks clarity
The strange thing about the tabling of this bill is that it didn’t reach Shashi Tharoor, the Member of Parliament who chairs the IT Standing Committee in Lok Sabha. The Bill should’ve ideally reached him for debate, planning, and discussion. However, the bill was submitted in the Lok Sabha to a joint select committee of both Houses, led by Meenakshi Lekhi, BJP’s national spokesperson. It seems that the government is trying to skip the IT Standing Committee because it knows the opposition can point out vulnerabilities in the proposed law, in turn hindering its passage.
Interestingly, the first draft of the bill was introduced in 2018 and the Ministry of Electronics and Information Technology (MeiTY) received a lot of feedback for its improvement. Unfortunately, these suggestions were never made public and the bill was directly introduced in the Parliament.
Further, the previous bill called for a law under which the government could claim access to personal data in the interests of prevention or investigation of offences. This crucial provision is now missing from the final Bill.
A new term “social media intermediaries” has also been added and it lacks a proper definition. The bill has defined social media intermediaries as entities primarily or solely enabling online interaction between two or more users – that means messaging apps are being defined as social media. It’s a vague blanket term that can impact any service. Additionally, users have the option to voluntarily verify their account and marking their account with a verified tick.
Data is the new oil
A couple of years ago with the launch of the Jio telecom service, India’s richest man, Mukesh Ambani proclaimed, “data is the new oil” and indeed he was right. Advertising companies like Google and Facebook have milked user data to push relevant ads as well as target users.
India wants to ensure its citizens are safe from foreign snooping and that’s why it has already demanded localisation. WhatsApp, PayPal, and other foreign companies that want to start fin-tech operations in India must ensure that all data of Indian citizens is stored within the country’s border. This is a reasonable requirement because we’ve already seen how Huawei got badgered in a modern “Cold War” against the U.S.
Data sovereignty is a modern concept that ensures data is stored locally. Recently, the U.S. Senate raised concern over data of American users being handed to Chinese authorities via apps like TikTok. On the same lines, it’s essential that sensitive data of Indian users is stored locally.
This aspect has gained importance after a spate of lynchings across the country was linked to WhatsApp rumour. Revelations of social media giant Facebook sharing user data with Cambridge Analytica, which has influenced voting outcomes, have led to a global clamour by governments for data localisation.
Similarly, in India, with things like the DPAI, the government wants to have control over user data of the people in the country as these large corporations store data in data centres which are mostly outstation. With data centres being outstation, there is data sovereignty and the government can’t order a company to release user data.
India’s Data Protection Bill is draconian
Yes, data can be weaponized. And, this isn’t just limited to a state vs state scenario. A government could use the same data to suppress the opposition in a political environment. This is where things get interesting with the Data Protection Bill.
- After providing privacy safeguards, the bill empowers the central government (Section 35) to allow any government agency to bypass these same safeguards in the interest of the country’s sovereignty, integrity, the security of the state, friendly relations with foreign states or public order. So basically on a whim, any government agency can tap into your private data.
- According to Reuters, the Bill defines personal data as information that can help in the identification of an individual and has characteristics, traits and other features of a person’s identity. In other words, a security agency can cite an order to identify a terrorist or any kind of criminal to access your data.
- Further, the bill will grant New Delhi powers to ask any “data fiduciary or data processor” to hand over “anonymity non-personal data” for improved governance and provision of state services. This means a third party, like a Google or Facebook, could be liable to hand-over your anonymize information like metadata.
- The original bill was drafted by the Justice BN Srikrishna Committee, however, it had no mention of providing any such exemptions or powers to the government and its various wings. However, the current version of the bill does not mention any procedure that the government would have to follow to gain access to someone’s personal or non-personal data. This is fundamentally flawed and draconian.
- One implication of the new policy is that when the government demands its citizens’ data, in the case of foreign attacks and surveillance, digital companies would have to abide and assist the Indian government’s defence policy.
- Critics argue that data can be potentially misused by the government for unintended uses such as political surveillance. Others argue that anonymous data can be easily de-anonymized.
In a nutshell, if one takes a cynical view of things, considering the way this government has been acting — it wants to ensure that foreign powers aren’t able to access user data but at the same time, it wants to keep the privilege exclusively for itself.
Politically, this is a disaster with the backdrop of the situation in Kashmir, the Ayodhya Ram Mandir case and now the CAA protests. It’s also worth noting that in 2017, the Supreme Court of India ruled that privacy is a constitutional right of every Indian citizen and this bill seemingly breaks that ruling.
Ironically, the timing couldn’t get any better. The government is already under fire for blocking internet access to Kashmir for months and it has used the same tactic to suppress other regions like Assam. In addition, recently, WhatsApp was also recently compromised and spyware was able to snoop on journalists and activists. The new legislation is ambiguous and can be easily twisted. In the backdrop of all the anti-democratic movies by the government in 2019, it is doubly problematic.
Under the ruse of national security, the government has already cut-off millions of people from the Internet. Now, it appears, it intends to get “legal” access to private data, without a single speed bump.
The bill also makes it hard for the U.S. or China to spy on you, but easy for New Delhi. If Indians are to be truly protected, it is urgent that the Parliament reviews and addresses these dangerous provisions before they become law.