Data Privacy Bill: Commercialising Our Data And Weakening Our Privacy
Prabir Purkayastha
THE world is far more interconnected than ever before, with 60 per cent of the world’s population connecting to the internet. With wireless connectivity and cheap smartphones, the number of Indians connecting to the internet today is more than 70 per cent of the population. While most people may believe that they connect to the internet, in reality, they connect to either Google or Facebook and to each other via these digital monopolies. People may remember the attempt by Facebook in India to introduce a truncated internet calling it free basics, which failed due to the collective resistance of the people. In 65 countries, unfortunately, Facebook succeeded in introducing free basics. Most who are on it believe that the Facebook world is the internet.
It is this ability to access the users and collect their data that gives Google and Facebook the dominant position they enjoy in the advertising world. Already, digital ad revenues are poised to overtake all other forms: television, print and radio combined. And Google and Facebook have emerged as duopolies in the digital advertising space. Google and Facebook can convert their monopoly power over search engines and social media into dominance over all other advertising players. This is a threat to all other media organisations that depend on advertisements. This is the reason that in the US, the UK and the EU, regulatory and legal action has been initiated to break Google and Facebook’s monopolies in advertising.
In India, the Modi government has been unwilling to confront the US duopoly of Google and Facebook. With the revelations from Facebook whistleblowers Sophie Zhang and Frances Haugen, it is clear that such digital monopolies have been courting ruling parties and allowing them to run divisive and dangerous hate campaigns against minorities and others. This and the Modi government’s aligning with the US may explain its softness in regulating the market power of Google and Facebook in India.
Instead, the BJP government wants to club the commercial use of people’s data with the protection of personal data, and create structures that allow the commercialisation of our personal data collected by the government. The government collects such data for providing either welfare benefits, services from the state, or civic compliances that we as citizens are required to file. The commercialisation of our data that the government collects has been added to the Personal Data Protection Bill.
Despite Supreme Court judgements declaring that privacy is a fundamental right and that a law is mandatory to issue any digital IDs, the Modi government is pushing mandatory digital IDs to access various government and other public services. The government’s plan appears to be to let private players access the data the government is collecting, and use it for their business purposes. We have already seen how our Aadhaar infrastructure is available to big business. Telecom companies, banks, and other businesses can use the Aadhaar infrastructure. Similarly, there is an attempt to make the Aarogya Setu app and Health ID mandatory for travel, and to avail public health services. If we used the Co-WIN app for vaccination, a Health ID was created without our consent. The plan appears to be to link all our health records to this ID, which would then be available to other private players like insurance companies and health service providers. In other words, the government would collect our data as it did for Aadhaar, and hand it over to private parties for their commercial activities. For example, private insurance companies can then access our health data without our consent and deny us insurance benefits claiming pre-existing conditions; or employers could deny jobs to people based on their health data.
The BJP government is using the Act not only to commercialise our data, but also to exempt the State agencies, including the 10 investigating agencies that are allowed to access our data from the provisions of the proposed Privacy Act. We still have the right to privacy, but this right will not be protected, under the proposed Privacy Bill, from the State agencies misusing their powers and accessing our data. This brings to mind the “famous” argument of Niren De’s on the Habeas Corpus petition of MISA detenues: citizens have a fundamental right to life and liberty but it cannot be exercised during emergency. The citizens may have a right to privacy but they cannot exercise this right against State agencies.
An example of such misuse, revealed through an RTI query, is that the chief medical officer in Kulgam, J&K, violated users’ privacy by sharing users’ data from Aarogya Setu with the local police authorities. Would the government’s blanket exemption from the privacy law then allow government agencies to freely use all data provided by citizens for completely different purposes and create a surveillance State?
In India, a number of law enforcement agencies have access to our digital data, through the existing digital surveillance infrastructure. This infrastructure consists of the Central Monitoring System for telecom surveillance, NETRA for analysis of the internet, NATGRID: a National Grid of Surveillance Databases, and the Integrated Criminal Justice System (ICJS), which has DNA, Facial Recognition, Biometrics and Identity Data.
While all these agencies can “lawfully” access all our data, the BJP government seems to have also used Israel’s NSO supplied military-grade spying tools to illegally hack into the personal mobile phones of journalists, public figures, opposition leaders, and even judges. A number of those whose phones were hacked have gone to the Supreme Court on a Habeas Corpus petition using the right to privacy, which an earlier Supreme Court Judgement has held is a part of the right to life and liberty. By refusing to deny the allegations and furnish any information on this count to the Supreme Court, the government seems to have virtually accepted that some agency did access the mobile phones of a number of Indian citizens. Is the government now going to advance the Niren De defence, that these persons have a right to privacy, but it cannot be enforced against the government agencies?
Already, workers are being asked to install apps on their phones, apps that monitor their activities. An example is Anganwadi workers in Haryana, who have been asked to install such an app that monitors their locations continuously. The other is municipal workers in Panchkula, who are asked to wear monitors equipped with GPS location tracking, camera and voice recorder. These are clear violations of workers’ right to privacy. Through the blanket exemption provided to government agencies, the proposed Bill will allow such actions of the government that not only violate the workers’ privacy, a fundamental right, but also endanger their safety.
Subsequent to the Puttuswamy Judgement, in which the Supreme Court held that privacy is a fundamental right, the Srikrishna Commission’s Report provided a legal framework to protect citizens from governmental overreach, and also enforce privacy rules on private parties who hold our personal data.
In 2019, the government produced the Draft Personal Data Protection Bill, 2019, currently being finalised by the joint parliamentary committee. Unfortunately, this bill fails in its task: it does not protect citizens from illegal surveillance and the wrongful use of data collected by State or private parties. Legal experts, including Justice Srikrishna, have condemned the sweeping power that the bill provides government agencies – who are exempted from all the provisions of the proposed Act. Members of the JPC have also registered their dissent on this count. Such sweeping powers make a complete mockery of data privacy.
The draft bill does not provide for any judicial or parliamentary oversight over government surveillance. Justice Srikrishna, whose 2018 report is supposedly the basis of the current privacy bill, has stated that the 2019 bill introduced by the government, differs significantly from what was proposed by him. He adds that if enacted, it will be the instrument of an Orwellian State.
The opposition members in the joint parliamentary committee have already registered their protests on substantive portions of the proposed privacy bill. It is now up to the larger democratic processes in the country – to register opposition to a bill that seeks to create a surveillance State and privatise our data.