India’s Data Protection Bill, 2019 – The beginning of an Orwellian Era
Shreya is a qualified Indian lawyer, currently pursuing an L.L.M at the London School of Economics and Political Science with a specialization in Information Technology, Media and Communication Laws. She is a researcher for the Columbia University’s Center for Global Freedom of Expression and takes keen interest in the intersection of digital rights with civil liberties. In the past, she has collaborated with organizations such as the Digital Freedom Fund and the Commonwealth Enterprise and Investment Council, among others, to develop jurisprudence on issues of Data Protection, Freedom of Speech and Intermediary liabilities.
In an era where data has become the most crucial commodity, its economization has to be seen through the lens of the user’s right to privacy. In countries such as India, where data usage is widespread, the right to privacy is a crucial component of both the law and societal wellbeing. When compared to other democracies, India has the largest number of Internet users. Likewise, India has the largest number of smartphone users, the largest number of people on Facebook, and the second highest number of Twitter users in the world. Unsurprisingly, therefore, the fundamental right to privacy for all citizens was recognized by India’s Supreme Court in 2018 through a historic judgment. At the direction of the Supreme Court, the Government set up a committee headed by retired Indian Supreme Court Judge, Justice B.N. Srikrishna, to draft a comprehensive data protection bill. The resultant bill (herein the “2018 Bill”) was published in July 2018 for public comments. It was heavily influenced by the European Union’s General Data Protection Regulation and carved out important limitations on the collection and processing of personal data. However, several legal scholars and organisations raised issues relating to the lack of adequate safeguards and the overly burdensome requirement of data localisation.
In December 2019, the Ministry of Electronics and Information Technology released a revised bill (herein the “2019 Bill”). The 2019 Bill takes a more relaxed stance on data localization, and also introduces the right to erasure. Despite these mindful modifications, the 2019 Bill is a disappointing step down from even the previous draft because of the overbroad exemptions granted to the state and the lack of safeguards to assess the proportionality of its actions. Justice Srikrishna has himself stated that the 2019 Bill can turn India into an “Orwellian State with big brother snooping on us”. This article takes Justice Srikrishna’s thought forward by providing a critique of the 2019 Bill. It highlights the three major ways in which the 2019 Bill has completely overlooked issues of government-attempted data breaches. Ultimately, this article will suggest that the 2019 Bill is an elaborate attempt to exonerate India’s government from future mass privacy breaches.
The first issue relating to the 2019 Bill involves unchecked biases. To illustrate the dangers of unchecked bias, imagine that an employee, during the workday, realizes that their journal has been stolen from their office. The employee is aware of rumors alleging that the CEO of the company has instructed certain office personnel to steal workers’ journals in an effort to ensure that no one is speaking against him. Pursuant to company policy, the only available recourse is for employees to bring complaints before the branch manager, whose responsibility it will be to decide if the CEO has indeed stolen the journal. Since branch managers are hired directly by the CEO, it is unlikely the branch manager will decide in the employee’s favor – this is because the manager is biased, and the company policy lacks safeguards against such bias.
In exactly the same way, the 2019 Bill has appointed the government as the sole authority responsible for selecting the Data Protection Authority of India (DPA) – pursuant to the 2019 Bill, the DPA is entrusted with the task of redressing grievances in cases of data breaches. Since the intention of data protection legislation is to prevent misuse of personal data by both non-state actors and state actors, it is problematic that DPA members are selected by government officials rather than by an independent, diverse committee. If the composition of the DPA is not independent and unbiased, who is to say how effective and efficient it will be in cases where data breaches are caused by the government rather than an independent actor?
Secondly, both the 2018 and the 2019 Bill contain provisions giving the central government authority to bypass the provisions of the data protection bills when necessary to preserve ‘public order’ (among other more serious grounds, such as security of the state, sovereign interest, etc.). Noticeably, while the 2018 Bill had laid out a two-part test of necessity and proportionality, there are no such safeguards contained within the 2019 Bill. For a government that holds a world record for the highest number of Internet shutdowns ordered on the ground of maintaining ‘public order and tranquility,’ one can only imagine the creative ways in which it may violate the privacy of its citizens by utilizing the 2019 Bill’s ‘public order’ exception. For instance, during the recent protests over the Citizenship Amendment Act, 2019, police personnel have been caught making video recordings that assist them in catching protestors by enabling them to run zoomed-in snapshots of protestors, taken from the videos, through facial recognition software that allegedly has only 2% accuracy. Such acts may seem like blatant invasions of citizens’ privacy; however, under the 2019 Bill, the government can be exempted for such invasive acts without having to prove that its actions were necessary or proportionate – legal safeguards that have been internationally recognized.
Finally, the most concerning drawback of the 2019 Bill can again be illustrated via the workplace example provided in problem one. In this case, imagine that an employee has consensually given the CEO of the company access to a copy of their health data when requesting long-term medical leave. After submitting the request, the employee’s file, including the health data, is stolen from the office where it was stored. While the employee may reasonably expect the CEO to inform them that their personal data has been stolen, the procedural requirements established at the employee’s workplace require that the CEO inform the branch manager only if he believes that the theft of the employee’s data will cause the employee harm. In addition, should the CEO choose to inform the branch manager of the personal data theft, it is then left to the sole discretion of the manager to decide whether the employee needs to be informed of the privacy violation.
This again is precisely how the 2019 Bill deals with privacy breaches. It creates a number of hurdles to data owners being informed about data breaches or misuse. For instance, the organization/institution storing users’ personal data can choose to inform the DPA of breaches if it considers them harmful. After receiving a report, the DPA is left with the authority to decide whether it will inform the user that his/her personal information has been stolen. This is concerning since India has already seen its share of state-sponsored phishing, most recently through the warnings issued by Google to over 500 of its users. If these data breaches go unreported, and the victims remain uninformed, the government could use the data in whatever way it pleases, even in anti-democratic ways such as manipulating citizens’ choices through targeted political advertising. Notably, Cambridge Analytica has already leveraged people’s data in the USA, Kenya, Malaysia and Brazil to offer psychological profiles in ways that would reveal the kinds of political messages that the user might respond to.
At a time like this, what purpose does a Data Protection Law serve if it has provisions stating, “the decision of the Central Government will be final on all matters?” What purpose does it serve if the adjudicatory wing of the Data Protection Authority is not independent from its enforcement wing? The immediate solution is that the 2019 Bill, and any future drafts, be made open to deliberation and comment by the general public so that organizations in India working for internet rights can better recommend balanced legal solutions. The position that the 2019 Bill has taken on surveillance reforms – or the lack thereof – and government exemptions has far-reaching consequences for the digital rights of the citizens of India. Hopefully, the Data Protection Bill that is ultimately passed by the Parliament will include amendments aimed at ensuring that the economic and political motives and objectives of the state do not interfere with the more expansive societal right to privacy.