India’s data protection bill: from protecting data to a surveillance state

India’s Personal Data Protection bill provides some protection against big digital companies, but none against big government. The objective is a surveillance state where any criticism of the government would be considered sedition

December 22, 2019 by Prabir Purkayastha

The Indian government has released the draft of a Personal Data Protection Bill, 2019 which differs significantly from the earlier version drafted by Justice B.N. Sri Krishna in 2018. Justice Sri Krishna has said the changes are dangerous and can potentially create a surveillance state. In a major change from the original Sri Krishna draft, the Data Protection Authority of India has been made entirely subservient to the government. The data localization provisions for sensitive personal data have also been considerably weakened.

The entire exercise of protecting the privacy of citizens, particularly after the Supreme Court judgement declaring privacy as a fundamental right, has now been subverted. Instead, the bill seeks to create a surveillance state, with the government given unrestrained powers to gather or access any data of citizens. No due process has been observed in the government’s draft bill, not the weak ones incorporated in the Telegraph Act after the Supreme Court judgment in the PUCL case nor even those in the Information Technology (IT) Act, which closely follows the Telegraph Act.

Before we get into analyzing the draft, the government, true to its character of steam-rolling parliament, decided that the Parliamentary Standing Committee on IT, headed by Congress Member of Parliament Shashi Tharoor, would be bypassed. A separate Standing Committee has expressly creating for examining this bill. The government had suffered a defeat in the Standing Committee on IT, which had decided to examine the Pegasus spyware and the possibility that it had been procured by an Indian government agency.

The intent is obvious. If any Standing Committee disagrees with the government, it will create a new one where it can stack the numbers in its favor. After the Bharatiya Janata Party’s defeat on the Pegasus issue, except the Standing Committee on IT, all other Standing Committees have met after the Winter Session.

The purpose of a data protection bill is to define the property rights of people over their personal data. This needs to be done because data has now become a valuable commodity. The World Bank calls people’s personal data a new asset class, meaning that if any business “captures” such data, it can be used to make money. As people expand their digital footprint through their activities on the internet, the amount of personal data is increasing rapidly. The business world is salivating over the potential of making money out of this ever-expanding pool of our data.

In other words, this new commodity—people’s personal data—needs to be regulated and property rights over it needs to be codified in law. The problem with this approach is that people’s data is not simply the property of individuals. Quite often, communities create data that is commercially valuable. For example, traffic patterns, community activities in towns, localities and villages. Even when we think of our data as personal to us, it is often the data of our interaction with our friends, it is the data of our network. So the task of personal data protection laws—such as the Indian Private Data Protection Bill or the European Union’s General Data Protection Regulation—is accepting the property rights of digital monopolies over our personal data. The only issue now remaining is the regulation of its use.

The Indian bill goes much further down this road: it does not even recognize that we, as citizens, own our data. It only gives us certain rights over our data as data principal [the natural person whom the personal data relates to]. The larger issue of community rights remains completely unaddressed in all such schemes.

Within this narrow boundary of the law itself, the current data protection bill has some serious issues, particularly with the neo-fascist attitude of this government towards all dissent. Justice Sri Krishna has warned that such a law can turn India into an Orwellian state, or replicate the kind of state George Orwell pictured in his dystopian novel, Nineteen Eighty-Four, in which the government watches the people all the time.

Justice Sri Krishna told the press that the government has removed the safeguards that his committee had put into their draft. The government, according to him, can access private data on grounds of protecting state sovereignty or public order at any time. This has dangerous implications.

Though our telephone calls can be tapped, as also our digital communications, procedures have been laid down that require an authority at the level of a Secretary of the government of India, to sign an explicit order that clears the surveillance of any person. While we know that this procedure has been violated and of bulk surveillance orders being signed—but at least there are some safeguards in the existing laws, even if they are grossly inadequate. Section 35 of the current draft, which corresponds to the existing safeguard provisions, are in Chapter VIII, relating to “exemptions”. The section gives the central government sweeping rights to access and process our personal data. The grounds to exercise this right is again omnibus—from friendly relations with foreign powers to public order—and they extend to any personal data being held by any company, such as Google, Facebook, our phone company or internet provider.

The original purpose of the bill was to define the relations between us and the company that holds our personal data so as to provide us a service. It was also supposed to define what rights we have over this data and the obligations the companies have towards us. To this end, Justice Sri Krishna had coined two terms, “data principal”, which is us, whose data it is, and “data fiduciary”, or the company that holds or processes this data. In the European version, the terms are data subjects and data controllers.

The original Sri Krishna draft did try and codify the rights and obligations over this data, and had also tried to define similar rights and obligations between the government and citizens. What the government’s new draft does is dilute some of these provisions that were put there for our protection in favor of the companies, while taking away all the protection that we had against government access to our personal data.

One of the big issues that the Data Protection Bill had to address was the localization of personal data. This recognised the fact that data is a high-value resource and should therefore be kept in the country. Keeping this data within the country would ensure that the government could access it any time it wanted: it would never be told that since some data is in the United States or any other foreign country, therefore, the government of India had to apply under the laws of that country even to access the data of Indian citizens. The provision for data localization was dressed up as a sovereignty issue, but government surveillance over our data was always its purpose as well.

The current version has weakened the localization proposal. Localization now applies only to sensitive personal data. In addition, the government has created a category called critical personal data—the only definition of which is whatever the government calls “critical”. Such “critical” data would, again, need to be localized.

Discussions are still ongoing with big Indian businesses and global digital monopolies. The data privacy bill has now become all about data commercialization, and the government is acting as the broker between global and Indian big capital.

The bill seeks to create a new regulator, the Data Protection Authority, whose members would wield enormous powers over this new world of data. In the original bill, the members were to be selected by a body that would have had external members—people of independent standing, the Chief Justice of India, and so on—which gave it some autonomy. In the current version, there are no provisions for autonomy: the selection committee would consist entirely of secretaries to the government.

What is missing in this draft is privacy, or the protection of citizen’s data. Instead, we have a bill that gives companies and the government rights over our data, some protection for us against the companies, but none against the government. This is another measure that makes no bones about the direction we are headed in: a surveillance state where any criticism of the government or protest against it would be equated with sedition. By definition, we are all seditious, unless proven otherwise after surveillance.