Two days after the government handed over to the Central Bureau of Investigation the Cambridge Analytica case — where social media giant Facebook was accused of snooping on personal data of some 50 million users — the final touches on a draft data protection bill has stopped short of ticking all the boxes.
The bill does not do enough to protect evolving privacy rights of you and I, policy wonks and lawyers say. Other areas that have been flagged are cross-border data flows, withdrawal of consent, making all offences cognisable and non-bailable and a section allowing processing of personal data for functions of the state.
The Personal Data Protection Bill, 2008, and a report were submitted by a committee led by former judge BN Srikrishna on July 27. The submission was keenly awaited by all for its implications on data privacy. But the bill, a year in the making, hasn’t done enough, say privacy advocates.
“The bill fails to hold the state accountable in any meaningful way for the processing of personal data or sensitive personal data,” says Nayantara Ranganathan of the Internet Democracy Project. “The government has been given some excuses to process personal data, and some of these are under weak standards of ‘necessity’ and ‘any breakdown of public order’.”
While the draft bill gives individuals greater control of their data, it still gives the government enough leeway to access this personal information. This kind of power makes some people worried about the leverage given to the state.
While some changes are welcome — such as the push to amend the Aadhaar Act — there’s plenty of scope for dialogue and improvement, says Mishi Choudhary, a lawyer specialising in technology and intellectual property law in India and the US.
“I think it’s a good start. But several parts are screaming for further deliberation. These include cross-border data flows, withdrawal of consent, making all offences cognisable and non-bailable and punishable with imprisonment, and the burdensome process of the right to be forgotten.” A 2017 judgement laid much of the groundwork for an over-arching privacy legislation in India.
Former Karnataka HC judge, KS Puttaswamy, had filed a petition in 2012 challenging the Aadhaar scheme, saying it violates fundamental rights to privacy and equality. The Supreme Court had linked all the 20-plus Aadhaar cases to this main case.
Petitioners included activists Bezwada Wilson, Aruna Roy and Nikhil Dey. Respondents to this case went as far back as 1954 and 1962 (MP Sharma and Kharak Singh cases) to argue that privacy wasn’t a fundamental right.
However, a nine-judge bench held privacy was in fact a fundamental right. “The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution,” the bench held. “Privacy includes at its core the preservation of personal intimacies, the sanctity of family life, marriage, procreation, the home and sexual orientation…
While the legitimate expectation of privacy may vary from the intimate zone to the private zone and from the private to the public arenas, it is important to underscore that privacy is not lost or surrendered merely because the individual is in a public place. Privacy attaches to the person since it is an essential facet of the dignity of the human being.”
To be sure, legal experts say the Srikrishna commission report and draft bill have several progressive steps. The proposed law recognises the importance of control of data but also accounts for the business realities in today’s world of technology. It attempts to strike a balance. For instance, the bill deals with the requirement of valid consent clearly (it must be free, informed, specific, clear) and seems to provide the requisite control in the hands of the data principal, or the person whose personal data is being processed. However, it also provides for other legitimate basis for processing of personal information.
An exception given to processing of anonymised data will be useful for companies involved in big-data analytics, though this process requires that the personal data be converted into anonymised data through an “irreversible process.”
This draft law also makes improvements on previous legislation. “Unlike the stop-gap data protection régime in India emerging out of the Information Technology Act, the bill provides teeth to the enforcement authority by providing for considerable penalties and by also establishing a data protection authority,” says Nirupam Lodha, a partner with Luthra and Luthra. The bill has also sharpened enforcement, allowing data principals legal recourse for violation.
However, much more needed to be done, say critics. Experts such as Choudhary contend the judicial system has in the past struggled with the issue of criminal punishment with the outdated IT Act. Policy wonks argue that enforcement officials tend to arbitrarily enforce these rules without a proper understanding of the law and technology. This causes disquiet among companies. “Sections are slapped with little understanding of technology, forcing companies and executives to deal with (an often ill-informed) machinery,” Choudhary says.
The challenge for a privacy legislation in India is keeping pace with a rapidly changing technology landscape, while at the same time worrying about the rights of its citizens. The awareness of rights and data privacy is increasing due to high-voltage issues such as perceived misuse of private data with government-run schemes such as Aadhaar.
Just over a year ago, a ninemember bench of the Supreme Court had ruled that the right to privacy was a fundamental right. This judgement posed tough questions to the unique ID programme that has over a billion users and counting. This scheme is now expected to see a retooling of its privacy rules.
India’s changing digital demographics is a difficult challenge to lawmakers, especially with much data going online. To add to that burden, some 200 million users from the hinterlands are expected to come online in the next few years. These users would have scant understanding of technology and of privacy rights. An under-cooked privacy law makes them sitting ducks for government agencies and businesses.
There is growing concern that India’s privacy laws could lead to a surveillance state. While the bill brings some value in recognising and requiring privacy, the provision seems to be like an add-on. It lists encryption as one of the suggested methods of security safeguards. But the proposed rules relating to collection and use of data might face limitations due to lack of reform on who can access private or confidential data and for what purpose. Ranganathan says: “It is valuable that the report recognises consent has normative value in a data protection framework, although practically it can be challenging to enforce. However, creating different degrees of consent (Sections 12 and 18) undermines that very norm.”
One of the proposed steps making lawyers uneasy is that of data localisation, which they contend is impractical to implement in the age of internet. “For businesses, the data localisation provision, which requires a copy of all personal data to be physically stored on a server in India, is a highly disruptive step,” says Vinay Kesari, a lawyer specialising in technology law in Bengaluru. “It could have major technical and commercial repercussions for global internet companies and smaller businesses with an online presence.”
Privacy watchers like him think this could be a key sticking point as the draft law goes into the next round of consultations.
This issue was already a cause of disagreement before the report was finalised. The Telecom Regulatory Authority of India had earlier this month suggested that ownership of personal data lies with the individuals in question and entities processing or controlling such data are mere custodians. Kesari says: “While there were indications that data localisation had been a keenly contested point within the committee, I don’t think anyone expected such a blanket localisation provision in the draft law, which honestly does not take into account the way the global internet and businesses function.” Choudhary, the lawyer, explains some provisions are potentially burdensome for you and I.
Similarly, some potential changes can hamstrung companies too. “Data storage and computing power are becoming utilities available on the net without regard to location. The requirement that every data fiduciary should store one live, serving copy of personal data in India will burden smaller players. Such localisation requirements radically distort that market. It is a form of protectionism that will raise prices and reduce productivity throughout our economy.”
Lodha, the lawyer from Luthra and Luthra, says various concepts in the bill need further consideration — including the aspect of broad permissions provided for the processing of data by the government for functions of the state. This may effectively dilute the intent of the bill. “The right to be forgotten is more in the nature of right to prevent further disclosure of personal data, as it does not require the data fiduciary to erase the data but requires him to ensure erasure of data by data processors,” he adds.
As India’s push to build a strong data privacy law reaches a critical point, experts say this move should be seen as the first step of an exhaustive, consultative process. “The draft concentrates power with the government,” says Chinmayi Arun, executive director of the Centre for Communication Governance at the National Law University, Delhi. “There are many interesting ideas in it if we treat it as a consultation draft.”
Compared to the European Unions’ General Data Protection Regulation, she says, India is just getting started. “We should remember that the GDPR took over five years, and should be humble about the time and effort that it takes to get such a complex exercise right.”