December 22, 2019
Array

New Data Protection Bill: From Protecting our Data to Creating a Surveillance State

Prabir Purkayastha

THE government has come out with a Draft Personal Data Protection Bill, 2019 which differs significantly from its earlier version drafted by Justice BN Sri Krishna in 2018. Justice Sri Krishna has called these changes as dangerous and with potential for creating a surveillance state. In another major change from the original Sri Krishna draft, the Data Protection Authority of India has been made entirely subservient to the government. The data localisation provisions for sensitive personal data have also been considerably weakened.

The entire exercise of protecting the privacy of citizens, particularly after the Supreme Court judgement declaring the right to privacy as a fundamental right, has now been subverted. Instead, the bill seeks to create a surveillance state, with unrestrained powers given to the government to gather or access any data of its citizens. This is without observing any due process, not even the weak ones now incorporated in the Telegraph Act after Supreme Court’s judgement in the PUCL case; or in the IT Act provisions which closely follows the Telegraph Act.

Before we get into analysing Act and its provisions, the government, true to its character of steamrollering the parliament, decided that the parliamentary standing committee on IT, headed by the Congress MP Shashi Tharoor would be bypassed. A separate standing committee has been expressly created for examining this bill. The government had suffered a defeat in the standing committee on IT, which had decided to examine the Pegasus spyware and its possible procurement by a government agency. The intent is obvious, if any standing committee disagrees with the government, it will create a new one where it can stack the numbers.  After the BJP’s defeat on the Pegasus issue, except for the IT standing committee, all other standing committees have met after the winter session.

The purpose of the Data Protection Bill is that people’s personal data has now become a valuable commodity, and property rights over this data need to be defined. The World Bank calls peoples personal data a new asset class, meaning that if any business “captures” people’s personal data, it can be used to make money. Since the amount of personal data is increasing rapidly as people expand their digital “foot prints” on the internet through their activities, the business world is salivating on the potential of making money out of this ever expanding pool of our data. 

In other words, this new commodity – people’s personal data – needs to be regulated and property rights over it need to be codified in law. The problem with this approach is that people’s data is not simply the property of individuals. Quite often, communities create data that is commercially valuable, for example traffic patterns, community activities of towns, localities and villages. Even when we think of our data as personal to us, it is often the data of our interaction with our friends, it is the data of our network. So the task of personal data protection laws – such as the Indian Private Data Protection Bill or the European Union’s General Data Protection Regulation – is accepting the digital monopolies property rights over our personal data, and the only issue now being the regulation of its use.

The Indian Bill does not even recognise that we as citizens own our data, and it only gives us certain rights over our data as data principal. The larger issue of community rights remains completely unaddressed in all such schemes.

Within this narrow boundary of the law itself, the current Data Protection Bill has some serious issues, particularly with the neofascist attitude of this government towards all dissent. Justice Sri Krishna, the former Supreme Court Judge and the author of the original draft of the bill, has termed the current version as “dangerous”, and can turn India into an Orwellian state. George Orwell wrote a dystopian novel, Nineteen Eighty-Four, which pictures a complete surveillance state, in which the government watches the people all the time.  Speaking to the press, Justice Sri Krishna said, “They have removed the safeguards. That is most dangerous. The government can at any time access private data or government agency data on grounds of sovereignty or public order. This has dangerous implications.”

Though our telephone calls can be tapped, as also our digital communications, procedures have been laid down that requires an authority at the level of a secretary of the government of India, to sign an explicit order that requires surveillance of a person. While we know the violations of this procedure and signing of bulk surveillance orders – there are at least some safeguards in these laws, even if grossly inadequate. The corresponding section of the Data Protection Bill is Chapter VIII, Exemptions under which Section 35 gives sweeping rights to the central government to access and process our personal data. The grounds for exercising this right is again omnibus – from friendly relations with foreign powers to public order – and extends to any personal data being held by any company, such as Google, Facebook, our phone company or our internet provider.

The original purpose of the bill was to define the relations between the company that held our personal data for providing some service to us, and us, the people whose data it holds. It also was to define what the right we have over this data and what are the obligations that the companies have towards us. To this end, Justice Sri Krishna had coined two terms, Data Principal, meaning us whose data it is, and Data Fiduciary, the company that holds or processes this data. In the European version, they are termed as data subjects and data controllers.

The original Sri Krishna Bill did try and codify the rights and obligations over this data, and had also tried to define similar rights and obligations between the government and the citizens. What the government has done is to dilute some of these provisions that are there for our protection in favour of the companies, and taken away all the protection that we had against the government accessing our personal data.

One of the big issues that the Data Protection Bill had to address was the localisation of personal data. This was the recognition that data is a high value resource and should be therefore kept in the country. The second is that keeping this data within the country would ensure that the government could access it any time it wanted without being told that, since the data is in the US (or any other foreign country), the government of India had to apply under the laws of that country even if it wanted the data of its citizens. While the data localisation provision was dressed up as a sovereignty issue, it always had government surveillance over our data as its purpose as well.

In the current version of the bill, the localisation proposal has been weakened. It now applies only to sensitive personal data that needs to be localised. In addition, the government has created a category called critical personal data – the only definition of this data is whatever the government calls is critical data from time to time – which again would need to be localised.

There are the discussions that are continuing with Indian big business and global digital monopolies. The data privacy bill has now become about data commercialisation, with the government acting as a broker between global and Indian big capital.

The Data Protection Authority is a new regulator that the bill seeks to create.  The members in the Data Protection Authority would wield enormous powers over this new world of data. In the original bill, they would be selected by a body that would have external members – people of independent standing, Chief Justice of India – to give it some autonomy. In the current version of the bill, there are none: the selection committee would consist entirely of government secretaries.

What is missing in this bill is privacy, or protection of the citizens’ data. Instead, we have a bill that gives rights to the companies and the government over our data, some protection for us against the companies, but none against the government. This is another measure that makes no bones about the direction we are headed: a surveillance state where any criticism of the government or protest against it would be equated with sedition. By definition, we are all seditious, unless proven otherwise after surveillance.