July 10, 2020
Security agencies can easily spy on personal online information. Source: GOI Monitor

The draft data protection bill comes without any judicial oversight and independent authority

AROUND 22 human rights activists, lawyers and journalists were targeted by spyware on the messaging platform WhatsApp in 2019.

This created a furore with the opposition accusing the Narendra Modi government of spying on those critical of its policies and actions.

Recently, over 1 lakh scanned copies of Indians' national IDs, including Aadhaar, PAN card and passport, were found to be on sale online. While technology is helping us streamline workflows and meet communication needs, it is also exposing us to security and psychological threats.

Government surveillance and corporate control over our lives can strengthen as we increasingly hand over personal data to avail their services. The government considers collection of personal data important for delivery of its services and to weed out duplicates.

India conceived unique identification or the Aadhaar with the initial objective of making government subsidies reach the poor and to plug pilfering by fake and undeserving beneficiaries.

The mandate was, however, expanded to cover security issues and use of data by private companies thus making the biometric identification mandatory. This led to activists raising concerns about surveillance, commercialisation of personal information and right to privacy.

The Indian government promised that it will come up with a robust data protection regime but the draft Personal Data Protection (PDP) Bill tabled in Lok Sabha in December 2019 did not instill confidence.

Experts pointed out that the bill grants exemptions to the government to collect personal data on grounds of prevention and detection of crimes, without any judicial oversight. 

The bill also proposes a government-controlled Data Protection Authority, a body that was expected to be an independent regulator, and allows the government to access any anonymous/non-personal data held by private companies.

Amid protests by the Opposition, the bill was referred to a joint select committee of the Parliament.

Right to Privacy and Data

The personal data protection bill is a result of the Supreme Court upholding the ‘Right to Privacy’ in August 2017 while hearing a petition against the Aadhaar scheme of biometrics-based identity.

The judges said that Right to Privacy, though not defined in the Constitution, is protected under Article 14, 19 and 21. It includes autonomy over personal decisions (e.g. consumption of beef), bodily integrity (e.g. reproductive rights) as well as the protection of personal information (e.g. privacy of health records).

“... this opinion stated that privacy was not surrendered entirely when an individual is in the public sphere. Further, it found that the right to privacy included the negative right against State interference, as in the case of criminalisation of homosexuality, as well as the positive right to be protected by the State. On this basis, the Judges held that there was a need to introduce a data protection regime in India.”

Judgement by J. Chandrachud (on behalf of himself, C.J. Kehar, J. Agrawal and J. Nazeer)

Following the judgement, the government formed a committee chaired by Justice B.N. Srikrishna to examine the grounds of data protection in India. The committee submitted the draft of a data protection bill in 2018.

When the final draft bill was tabled in the Parliament, however, it had undergone many changes, and Justice Srikrishna termed this new version “very dangerous”.

Govt Surveillance and Control

The draft bill 2019 provides exemptions for the government to collect personal data of individuals on the grounds of prevention and detection of any unlawful activity, including fraud, whistleblowing, mergers and acquisitions, network and information security, credit scoring, and recovery of debt.

“The safeguards have been removed in the revised version of the bill and the government accessing personal data or government agency data based on the reasoning of the sovereignty or public order can have serious consequences,” Justice Srikrishna said. “There should be judicial oversight over government access of such data.”

The Internet Freedom Foundation, an advocacy group on digital rights and liberties, also called for a comprehensive framework overhauling surveillance and interception in India. “It should be in consonance with the international standards on necessary and proportionate principles, along with providing proper judicial scrutiny,” it said in a statement about the data protection bill.

The principle of proportionality states that actions should be proportional to the good that can be achieved and the harm that may be caused. When applied to data protection, it can be used to weigh, for example, risk to individual liberty versus benefit to national security.

The original 2018 draft bill had also proposed an independent data protection authority to oversee implementation of the law. The selection committee for choosing the authority’s board members was to consist of the Chief Justice of India or a representative judge of the Supreme Court, the Cabinet Secretary and an expert from the field.

But in the new 2019 draft, the committee’s composition has been changed to comprise the cabinet secretary and two secretaries from government ministries and departments. An authority which is supposed to regulate government departments and agencies will thus be appointed by the government itself, raising a serious conflict of interest.

“The bill falls back on terms like ‘fair usage’ which leave a wide room for interpretation further creating anomalies or points that have to be resolved,” says Talish Ray, managing partner at TRS Law Offices. “There is a clear lack of checks and balances for the boundaries of violation by the State into the lives of the people.”

Recently, Mitchell Baker, the CEO of Mozilla Foundation, said that India’s draft data protection law contains broad exceptions for the government that increase the risk to the average user’s data. “We have been advocating for Indian internet users’ privacy to be protected no matter who processes their data, and have also pushed back against the weakening of encryption under the proposed IT Act amendments,” she added.

India had proposed new rules asking intermediaries like WhatsApp to proactively monitor and filter their users’ content. This would not be possible with the current end-to-end encryption for personal messages on these platforms.

Rights to People

The draft Personal Data Protection Bill mainly concerns itself with the person who owns the data and the data fiduciary (the State, company, organisation or individual who uses or processes it).

The bill allows people to exercise the right to erasure of data which is no longer necessary for the purpose it was collected, and the right to be forgotten. The current lack of public awareness about breach of privacy, besides misuse and commercialisation of personal data, however, raises the question of why consent can’t be time-based, or data erased on its own once the purpose is served.

The mechanisms devised for exercising right to erasure or right to be forgotten are not simple to follow for a common citizen. The problem with India’s digital rights and data protection domain is that of accountability.

Lack of educated consent is a cost adding up to the implementation of partially thought out policies. An extension of this led to mass installation of Aarogya Setu, a contact tracing app for Covid-19 launched by the Indian government, which triggered privacy and security concerns.

“We need a mechanism that responds fast especially in a country like India. Suppose someone finds out that the data has been leaked, what are the options? Where do they go?” asks Ray. “Right to be forgotten also lacks a comprehensive framework in the current bill.”

According to the current bill, an adjudicating officer will decide whether the right to be forgotten should be granted on the basis of sensitivity of the personal data involved, its scale and relevance to public, role of data owner in public life, nature of data and activities of data-holding entity.

“The bill emphasises more on the collection and aggregation front of data of the citizens as compared to its protection, thus focussing on the data economy,” says Anivar Aravind, a technologist and digital rights advocate. “The provision on criminalisation of re-identification, i.e. tracing back of data, closes a door for security researchers to warn the audience of cyber threats. In the present times, data assimilation lacks the granularity, i.e. time-based consent.”

Industry body ASSOCHAM has also asked the government to introduce a clause ensuring time-based consent for use of data, instead of blanket approval for an infinite period of time.

Local Storage of Data: Pros and Cons

The Personal Data Protection Bill stresses data localisation, meaning sensitive and critical personal data needs to be stored in India. There are certain conditions for transfer of sensitive data overseas, but critical personal data has to be processed locally.

While this provision reduces risk of foreign surveillance, it does take away the rights of individuals to store their personal data wherever they want. Some of the locations, like the European Union or California, offer stronger data protection laws and advanced technology.

The preference for data localisation may also pave a way for domestic surveillance over citizens. The 2019 draft bill is an improvement over the previous version on this aspect as the 2018 bill called for copying of all data, not just sensitive and critical data, in India.

Two members of the Justice Srikrishna committee, Rishikesha T. Krishnan and Rama Vedashree, had dissented against this provision.

“The requirement that every data fiduciary should store one live, serving copy of personal data in India is against the basic philosophy of the Internet and imposes additional costs on data fiduciaries without a proportional benefit in advancing the cause of data protection,” read the dissent note by Prof. Rishikesha T. Krishnan, director, IIM Indore.
