December 04, 2022

The 2022 Data Privacy Bill: A New Version or the Charter of Surveillance Capitalism?

Prabir Purkayastha

The new avatar of the Indian Data Protection Bill 2022 is not simply the rebirth of the earlier 2019 one. The objective of the earlier Data Protection Bill 2019 was to give a legal framework for the Supreme Court's Puttaswamy judgement of privacy as a fundamental right. The 2022 Bill has a different purpose. This version proclaims the citizen's right to privacy but allows the government to override this right at its will. The other objective of the new Bill is to enable big business—Indian and foreign—to use our data for their benefit. In other words, the intent of the Bill is the opposite of what it claims: it is not to protect privacy but to create the architecture of a surveillance state and build surveillance capitalism.

I am not going to argue that the 2019 Bill was perfect. It was not. The Joint Parliamentary Committee also suggested 92 amendments to the Bill. But it had gone through extensive review, both publicly and in the parliament. After a series of discussions—public and in the Joint Parliamentary Committee—it was suddenly withdrawn, and a new Bill was released without any explanation. The explanation can be seen when we examine the clauses that have been dropped and the direction of the new Bill.

Let us look at the big picture first. To protect the citizen's privacy as a right, we need to define what that right is and under what conditions the state can invade this right. For example, the right to life or liberty of a citizen can be taken away by the state if he/she commits a heinous crime as judged by an independent judiciary. As we saw during the 1975 emergency, allowing the government to exercise this right without any judicial review led to the worst excess of the emergency.

A privacy law, therefore, needs at least two basic elements. One is to define under what conditions this fundamental right can be curtailed. As the Puttaswamy judgement said, any such curtailment must meet the triple test: it must be necessary, have reasonable reasons for such an invasion, and be proportionate to the need. The other element is that to protect this right, there is a need for a relatively independent regulatory body. On both these counts, this version of the Bill is overwhelmingly tilted in favour of the government and against the citizen.

Justice (retired) B N Srikrishna of the Supreme Court proposed a draft of the Personal Data Protection Bill in 2018. In a recent interview with The Hindu, he says that the proposed 2022 Bill allows a coach and a horse to be driven through the right of privacy of the citizens. According to him, the 2022 Bill has completely abandoned the Puttaswamy judgment's triple test of necessity, reasonability, and proportionateness for any curtailment of the right to privacy.

Let us look at the regulatory authority envisaged in the 2022 Bill. The composition, qualifications, procedures of appointment, and tenure have all been delegated to what is called subordinate legislation—called rules—to be decided by the government and taken out of the purview of the parliament. The board's chairperson and the members will be appointed, and their tenure will be decided solely by the government. This is why Justice Srikrishna says that it will be a puppet of the government. The provision of an appellate tribunal specified in the 2019 version of the Bill has also been dropped.

Overall, the 2022 Bill is shorter, containing only 30 sections compared to the 98 of the 2019 version. But even while it is shorter, out of 30 clauses in the Bill, 18 have riders that "the government may prescribe" and are meaningless as they stand.

The Bill also empowers the government to exempt its agencies from the Bill's provisions through a simple notification on national security grounds. This is in addition to the government agencies' existing power of intercepting our communications—either telephone or data—by virtue of the IT Act.


The 2022 Bill starts, as does the older version, by defining a data principal and a data fiduciary. For the purpose of this article, I will focus on the citizen as the data principal; it is their data that will be my focus here. The data fiduciary is the one with whom she parts with her data while using an application or carrying out an activity on a platform. In most cases, it is a company or an agency of the state. It is the citizens' data that the companies or government agencies use for their purpose. In the case of companies such as Google and Facebook, it is for displaying ads to their users, or for acting as data brokers selling data to other companies and entities.

Harm or loss may happen due to misuse of data, meaning its use beyond what I have permitted them to use and causing me monetary, reputational, or any other loss, including to my personal security. In the clauses defining what will be considered as harm or loss by the citizen, the number of categories in the 2019 version has been reduced significantly in the 2022 Bill. Also, a clause defining significant harm based on impact, continuity, persistence, or irreversibility of the harm has been completely removed. The earlier Bill also had a clause defining what sensitive data is and how such sensitive data is to be treated. In this version of the Bill, there is no definition of what is sensitive data and, therefore, no separate provision for processing the same by the Big Data companies. All of this tilts the balance between the citizen and Big Data companies, heavily favouring the companies.

No other Data Protection Bill that I know of lays down duties on the citizen. This one does. It specifies that the data principal, or the citizen, has a legal obligation to provide correct data. This means that no person can use pseudonyms while availing of any data services. The reason why pseudonyms are used quite often is that identifying a person by gender or religion may expose them to certain dangers. Women on various websites get trolled in order to silence them or drive them out of digital spaces. Or if they have a non-binary sexual orientation, people may not want to disclose their real identities on certain websites. Disallowing pseudonyms may help state agencies and Big Data companies but can cause serious harm to different minorities.

This Bill attempts both. It has virtually exempted the State from any requirements regarding the privacy of the citizens. Second, it has lowered the duties of the Big Data companies towards their users. It has also done away with the localisation of data, under which the data of Indian citizens would be held in India and subject to Indian laws. By weakening data localisation provisions, it is helping foreign capital, contrary to its nationalist claims. Data localisation was the major objection of companies like Visa, Google, and Facebook to the earlier Privacy Bill.

A considerable part of this Bill is to allow Big Data companies to use our data. The concept of a data fiduciary obfuscates the fact that companies defined as fiduciaries are not storing data on our behalf but for their profits. They want to use our data in order to sell us to advertisers. They use our data to sell us goods continuously and get a major share of the profits of such sales. Google and Facebook are the biggest recipients of advertising revenue today.

Data also allows a whole range of software tools to be improved and optimised. For example, the success of artificial intelligence tools depends on the amount and variety of data that they consume. And, of course, government agencies want more data to monitor and "orient" the citizens to their preferred mode of thinking. This is apart from the role that big money plays today in elections. That is why the phrase ‘surveillance capitalism’ describes the close marriage between the surveillance State and big capital. This is the core of the 2022 Privacy Bill.