Terms and Conditions May Apply—The Personal Data Protection Bill, 2019
While technology has evolved leaps and bounds in recent years, the problem of privacy and data protection is one that has yet to be properly addressed. The newly revised Personal Data Protection Bill offers some respite to this problem. However, it has come under much scrutiny by the public and the press alike for a variety of reasons.
The step towards India’s first concrete law on personal data protection was initiated in August of 2017 with the formation of an expert committee, headed by retired Supreme Court Judge, Justice B. N. Srikrishna. With inputs from the members of the government, academia, and industry, they were able to provide a comprehensive draft of what was to be the Personal Data Protection Bill (PDP). Oddly enough, when the bill was approved by the Cabinet and presented before the Lok Sabha, it was tweaked and laid bare of the safeguards that the Srikrishna Committee had proposed against exploitation of personal data by the government. Among these being the removal of the explicit mention that such exemptions must adhere to the Supreme Court’s privacy judgement of 2017. The judgement mandates that the government declare specific objectives for collecting and using private data according to the procedure laid down. In an interview with The Economic Times, Justice Srikrishna criticised the bill, calling it the “most dangerous” act and a footstep towards an Orwellian society, which is characterised by a brutal policy of draconian control exerted by propaganda, surveillance, disinformation, and political doublespeak.
The Government’s Perspective
The data generated by Indians has increased exponentially over the years. India’s smartphone revolution has turned it into a market with over 500 million active internet users, making it second only to China. This bill intends to make individuals the owners of their data and aims to keep consumer data protected.
Introduced in the Lok Sabha by the Minister of Electronics and Information Technology, Mr Ravi Shankar Prasad on 11th December 2019, the bill seeks to provide protection of the personal data of individuals and establishes a Data Protection Authority for the same. The bill compels the government and companies dealing with personal data of individuals in India to be accountable to the said authority. The bill also allows the government to direct the companies to provide it with non-personal data for better targeting of services.
The government propounds its belief that intelligence agencies can be more effective in their work if surveillance is centralised and automated rather than distributed, federal, and manual. India has seen a steady proliferation of surveillance technology. In December 2019, Delhi’s police officers used facial recognition devices to screen individuals entering a protest venue. In Chennai, surveillance drones circled above a protest march, and in Hyderabad, police have used fingerprints to check past criminal activities of individuals. Electronic databases of intercepted telecommunications, in particular, had begun to proliferate after the 2008 terrorist attacks in Mumbai. The Central Monitoring System (CMS), a centralised telephone interception system that automates the wiretapping of criminal suspects and Netra, a system that intercepts voice-over-the-Internet platforms to pick up words such as ‘attack’, ‘bomb’, ‘blast’, ‘kill’ etc. have been in operation since quite some time, but the government now plans to build a more centralised network of India’s intelligence operations.
The Companies’ Perspective
To understand the perspective of various companies, there are two terms that one has to keep in mind. Data fiduciary and data processor. Any companies that a user interacts with, and provides data to, is a data fiduciary, because the user is entrusting his/her data to the company. This company, in turn, has to process this data to draw certain conclusions. This is where the data processor comes in. A data processor takes the data collected by a data fiduciary and further dissects it to obtain relevant information that can benefit the company in some way.
This law has a clause of Data Localisation, which states that sensitive personal data cannot be stored and processed outside the borders of India, which prevents data fiduciaries from processing it in foreign countries without prior permission of the user. This is seen as a welcome law to the public in a place like India, where there have not been prior laws related to the location of the data. This clause would give the government and public more control over the data fiduciaries and would prevent foreign organisations and governments from the misuse of data. However, many experts believe the location will have no bearing on the ownership of the data, or decisions about the data, which will effectively make this law useless.
Apart from this, companies will have to bear the added burden of employing skilled technicians, who will have to transfer data stored overseas within Indian borders. Another positive consequence of this bill would be the rise of homegrown data processing companies to assist data fiduciaries with the processing of relevant data, which follows in the footsteps of the current governments’ ‘Make In India’ model.
However, this law is not without flaws, proving especially dangerous to the country regarding the business perspective. Granting access to sensitive data to the government can make the customer base lose trust with the company, something that most multi-national corporations spend a considerable amount of time and effort building. Another disadvantage is that the inner trade secrets of the business world would be out in the open to the government, which can discourage foreign investment into the country. This in turn can have severe repercussions on the economy of the nation.
The People’s Perspective
Starting off with the positives, there are a few clauses in the bill, shown below, that ensure the protection of the owner’s personal data from commercial enterprises.
Due to this bill being introduced in the Parliament at a time when the NRC/CAA issue was at its most aggressive peak, it hasn’t received as much attention from the public as it should have, which explains the minimal discussion and debate on this topic over the internet and in the news. Nevertheless, while some have come out in support of this act due to the increased restrictions it places over companies’ misuse of data, many are still wary of the negative impacts this bill can have on the privacy of the user. Since the bill is very vague over what it considers to be “critical sensitive data” and data that can be used in matters of national security, it can enable the government to gain access to any specifics user’s credentials through this law.
Another example is that of access to aggregate data. While sensitive individual data, like information on caste and finances, can be out in the open through this law, the expose of aggregated data can be equally as terrifying. For example, government organisations, of the present and future, can find out statistics on the religion, or political leanings of a group of people in a particular area, which can then be a target of an aggressive political campaign.
Data Protection Bills in Other Countries
In developed countries like the United States and most countries in Europe, instead of having a singular Bill laying down the framework for data protection laws across the country, there are data regulations in place, drafted with the consultation of experts who have spent a long time in this field. States (in the US) or countries (in the EU) can either draft their own legislation or direct companies to follow these regulations, with most of them opting for the latter due to the standardisation of laws they provide. The most prominent of these regulations are California Consumer Privacy Act (CCPA) and General Data Protection Regulation EU (GDPR), which is also referred by several countries around the world to draft their own legislation around data protection.
In the world, 107 countries have a Data Protection legislation in place, India being one of the 66 developing or transition economies among them. This still doesn’t mean there’s no work to be done. The General Data Protection Regulation (EU) is a regulation on data protection laws in the European Union that also acts as a yardstick for comparing data protection laws in other countries. While most countries in Europe, Canada, and the USA ensure an adequate or partially adequate level of data protection recognised by the EU, India still does not. Further, if the clauses in the Bill that give the government leeway on what they consider to be “matter of national security” aren’t amended, this status is unlikely to change soon, in spite of the many positive consequences of this bill. Given the social turmoil and the volley of aggressive new laws in present-day India, it would seem quite out of place to direct thought and discussion towards an issue such as data protection. However, this piece of legislation that promises to return power and dignity to our digital society is more connected to the very same fundamental rights and constitutional principles that are being defended on the streets today.
Featured Image Credits: Swara Singh