India's digital personal-data protection bill puts privacy at risk
November 23, 2022
The Digital Personal Data Protection Bill is a more forceful attempt to legislate a Chinese-style surveillance state in the world's largest democracy
India’s previous attempt at framing a law on personal-data protection had made 21 references to “privacy,” starting by acknowledging it as a fundamental right. Not only was that legislation unceremoniously dumped in August after five years of negotiations, but the government of Prime Minister Narendra Modi has dropped even the lip service to freedom from intrusion in the new version that has replaced it.
The Digital Personal Data Protection Bill that’s open to public comments is much shorter than its now-abandoned predecessor. It’s also a more forceful attempt to legislate a Chinese-style surveillance state in the world’s largest democracy — something that will disappoint the country’s liberals, upset trading partners by turning data into a potential tool of foreign policy, and cause the West and India to drift further apart ideologically.
Critics who were dismayed by the carte blanche handed to the government in the previous draft have little to cheer in the new version. Any “instrumentality” of the state may be exempted by the federal government and put beyond the purview of the law. Government agencies can ask for whatever personal data catches their fancy, keep it as long as they want, use it as they deem fit, and share it with anyone in the name of “sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognizable offence relating to any of these.” What privacy can exist in such conditions?
The New Delhi-based advocacy group Internet Freedom Foundation is right to say that “if the law is not applied to government instrumentalities, data collection and processing in the absence of any data-protection standards could result in mass surveillance.”
But then, that might be the intention. A section of India’s political establishment is fascinated by how China has kept every aspect of its internet economy homegrown — and processors of data under the state’s thumb — to fashion a 24x7 surveillance society.
There’s no Great Internet Firewall in India. But the state’s growing desire for informational dominance is starting to rattle firms of all sizes and hues. After Twitter Inc. and Meta Platforms Inc.’s WhatsApp separately sued the government, SnTHostings, a Pune-based company, also took New Delhi to court. The provider of virtual private networks is arguing that being asked to “pervasively monitor user activity and store this data for arbitrarily and unreasonably long periods under the guise of security measures is nothing short of treating the entire class of people who use VPN services as suspects for crimes that have not even been identified yet.”
The new data-protection law is likely to be of little help in laying down the limits of legitimate government intervention. It does, however, remove one of the industry’s major bugbears — mandatory data localization rules that would force them to store “critical” personal data solely in India. But then it proposes something more problematic: New Delhi will “notify such countries or territories outside India to which a data fiduciary may transfer personal data.” Since the law doesn’t specify how these countries will be selected, one can only surmise that this restriction may be employed as a foreign-policy tool, with the digital footprints of 1.4 billion people utilized as a lever.
That’s just going to drive a wedge between India and Western democracies. The US Clarifying Lawful Overseas Use of Data Act, or the so-called Cloud Law, allows foreign enforcement authorities to source evidence in serious crimes directly from American service providers, but for that Washington needs to be satisfied that the requesting jurisdiction offers safeguards against surveillance and limits the state’s access to data. As long as any police officer can issue an order asking for personal data of donors to a fact-checking website critical of the ruling party, India is unlikely to be considered for such an executive agreement under the Cloud Act.
It’s the relatively richer sections of the population that have vocally campaigned for strong privacy protection in the country. However, the less affluent also put a value on it. In surveys, low- and moderate-income Indians have succumbed to offers of money for some of them to part with their data. Still, even during the pandemic, when many were in acute financial distress, not everyone was willing to trade personal information for a meal. It seems the concerns of the poor, too, will get left behind now. An independent data protection board that could have boosted users’ confidence in the new law will likely be a toothless bureaucracy, beholden to the government. This could “weigh against India’s adequacy assessments in the European Union” under its framework for deciding if supervisory authorities in another country are strong enough for transfer of personal data, says Beni Chugh of Dvara Research, a Chennai-based policy research institution.
A different future was well within the country’s reach. Back in 2017, the Indian Supreme Court held privacy to be a fundamental right and insisted on proportionality of state action: In any infringement, authorities must show that there isn’t a less intrusive way for them to achieve their legitimate goals. Five years later, all that remains is the label on the bottle. It still reads “data protection,” though the pill inside has changed to legalized mass surveillance.