The Pulse | Security | South Asia

India’s Controversial Data Protection Bill

Among its contentious clauses is one that grants blanket exemption to central investigative agencies on the grounds of national security.

India’s Controversial Data Protection Bill
Credit: Depositphotos

India’s Supreme Court is currently deliberating a petition challenging social media giant WhatsApp’s privacy policy in India, which provides uninhibited access to data including calls, photos, messages, and videos shared by users to its parent company, Meta (formerly Facebook).

The government counsel said that the government is aware that the case involves vital issues of violation of a citizen’s right to privacy and free speech. He informed the apex court that Parliament is at present drafting a bill on data privacy and protection. The bill will put in place a comprehensive law governing digital personal data protection in the country.

Incidentally, it was highlighted in the petition before the court that Meta and WhatsApp have far more stringent rules for data privacy in Europe than in India. That’s in large part because Europe has passed one of the world’s most stringent laws on data privacy.

India’s Digital Personal Data Protection Bill 2022 has had a long and controversy-ridden history in Parliament. In August this year, the Narendra Modi-led Bharatiya Janata Party (BJP) government withdrew the data protection bill it had introduced in 2019.

The Ministry of Electronics and Information Technology has now circulated the draft of a new bill and has extended the deadline, inviting feedback from the public on the bill.

The draft bill, according to its preface, is aimed at recognizing the “right of individuals to protect their digital personal data” as well as the need to process personal data for “lawful purposes.”

Last week, Rajeev Chandrasekhar, a junior minister in the IT ministry, said that while the European General Data Protection Regulation is considered the “gold standard” for privacy and data protection, India, with 820 million internet users, would chart its “own course.” We will “build a framework suitable for us,” he said.

This is the third draft of the data protection bill. In 2017, the Supreme Court recognized the right to privacy as part of the fundamental rights of citizens. The first avatar came out the following year. The second draft was placed before Parliament in 2019 but due to strong objections from opposition parties to several clauses, the bill was sent to the Joint Parliamentary Committee. After a delay brought on by the pandemic, the JPC presented its report with 81 changes and 12 “major recommendations.”

Opposition members of the JPC like Mahua Moitra critiqued the bill as being Orwellian in nature. Moitra slammed the Modi government for giving sweeping “exemptions to the Government of India, without proper safeguards in place” and also for empowering itself with unbridled powers.

For instance, the data protection bill exempted central government agencies like the Enforcement Directorate (ED) and the Central Bureau of Investigation (CBI) from the bill’s purview on the rationale of protecting “national interests,” state security, and public order.

Incidentally, critics say agencies like the ED and the CBI have routinely been “misused” by the Modi government against its political opponents, critics, and activists.

Faced with the prospect of making 81 changes as recommended by the parliamentary panel, the government withdrew the bill in August this year. It then brought in the revamped 2022 version.

IT experts are not impressed. The contentious clauses granting blanket exemption to central investigative agencies on the grounds of “national security” have been largely retained in the 2022 draft, they point out.

Cyber law experts have also pointed to “red flags” in the draft bill, including the provision for setting up the Data Protection Board, which is mandated to oversee the implementation of the data privacy legislation. While an earlier version of the bill envisaged the board as a statutory authority, in the new draft, the Data Protection Board will primarily be set up by the central government. The government has refuted this criticism, insisting that the board will “function independently.”

South Indian superstar-turned-politico Kamal Haasan described the new draft bill as “draconian” and condemned it for rendering the Right to Information (RTI) Act “toothless.”

In a letter to IT Minister Ashwini Vaishnaw, Haasan pointed out that the RTI Act, which was enacted by the previous Congress-led government, made Indian democracy truly participative. On the pretext of protecting data privacy, the government is planning to amend the RTI Act, he said, urging it not to do so as this legislation enables citizens to access public information and hold the state accountable for its actions.

Several others, including former information commissioners and RTI activists, have lashed out at the dilution of the RTI Act to deny the disclosure of information to citizens. Since it came to power in 2014, the Modi government has been chipping away at the RTI Act, undermining transparency in government functioning.

The data protection bill, which brings under its ambit only the “personal data” of Indian citizens, whom it refers to as Digital Nagrik, gives citizens the right to erasure or “to be forgotten.” Citizens will have the right to have their data corrected or even deleted.

Big tech companies will be required by law to ensure the privacy of citizen data. Significantly, big tech companies like Amazon had objected to the earlier draft, which required localization of data storage. The new bill, in fact, “eases cross border data flows” outside the country, which comes as a big relief for big tech companies like Google and Amazon. Indian start-ups too have welcomed this revised clause.

“Data fiduciaries” (i.e., businesses) are now subjected to only financial penalties ranging from $6 million to $60 million for violations. They will not be liable for any criminal convictions as was proposed in the previous draft. Cyber law analysts have criticized this weakening of the penalty clauses, since they apprehend that data breaches can be bought and sold by giant firms.

Countries like China have stringent clauses for cross-border data transfer and for imposing financial penalties. Penalties are imposed after taking into account the size of the firm and its turnover.

While Modi has been upbeat about pushing through his vision of Digital India, critics say that its main intention is to usher in a surveillance state at the cost of individual citizen data privacy.

The Modi government has repeatedly tried to set up a Big Brother state framework through proposals like linking Aadhar cards with voter IDs or linking social media accounts of citizens with government identification proofs. Such moves have been thwarted by alert opposition parliamentarians like Moitra, who has moved the court on several occasions against such attempts.

The Parliamentary Committee on Information Technology, which is headed by Congress parliamentarian Shashi Tharoor, recently summoned Twitter over data security and privacy concerns. Social media giants like Twitter have been under a cloud over allegations of favoring the ruling party.

Critics of the draft bill say it enables the emergence of a surveillance state and they are calling for the latest draft of the bill to be discarded too.

After the public consultation process is completed, the government is likely to table the new bill in Parliament next year.

With data becoming the new oil, authoritarian regimes increasingly want to control personal data as a means to leveraging power over citizens. Over the past eight years, the Modi government has repeatedly encroached on individual liberties and privacy, all in the name of “national interest.” The draft personal data bill is the latest attempt to chip at individual rights. Will it succeed?