What India Could Gain—And Lose—From Personal Data Privacy Bill 2018

Earlier this year, a committee chaired by the government-appointed Justice B.N. Srikrishna published its final report. The proposed bill would establish how citizens’ personal data should be collected, processed and stored, and would lay the groundwork for India’s first data protection laws. The Personal Data Privacy Bill, 2018 presents the first comprehensive attempt to articulate what might comprise data protections in a country that has never had a legal privacy framework. We sat down with our ED Thenmozhi Soundararajan, an expert on digital stewardship, security and tech equity, for a quick discussion around the bill.


With this data protection bill, India is finally taking steps towards enacting privacy protections. Isn’t this a good thing?

To get to this draft phase is a huge step for India as the country has not historically had a constitutional right to privacy. This is powerful and long overdue. From this frame, the draft bill, as presented, should be examined first and foremost for its core purpose: to protect the private and personal data of Indian citizens.

A bill like this can’t be done in isolation. The 10-member panel that drafted the bill mostly consisted of industry executives and government officials. It should be done with more rigorous consultation with civil society, platforms and other stakeholders across the information ecosystem, because those different stakeholders’ additions are really going to point out the flaws of this law, which doesn’t do enough to protect the rights of citizens.

Consider, for instance, Sections 13 and 15, which cover the processing of personal data for the purpose of the State.

Section 13.1

Personal data may be processed if such processing is necessary for any function of Parliament or any State Legislature.

Section 15(c)

Personal data may be processed if such processing is necessary to undertake any measure to ensure safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order.

These sections do not define what could be “necessary for any function of Parliament or any State Legislature” or what is meant by a “breakdown of public order”. By failing to clarify these terms properly, the bill leaves room for the government to process personal and sensitive (Sections 19 and 21) data on the basis of poorly defined reasons, which in practice could justify varying degrees of surveillance.

India’s transition to digital governance means that everyone’s private information is going to be under the stewardship of the government institutions that collect them. Potentially, this means information about one’s financial status, property, family and health would be held by these institutions.

While the bill offers clear guidelines for the collection and use of private user data by technology companies, the report fails to clearly set and define the government’s jurisdictions around citizens’ data. Information collected by the State should be afforded the same protection as the data that is held by technology platforms like Facebook and Google, and the bill needs to reflect that.

Section 40 of the bill calls for imposing data localization and data mirroring requirements. What makes the data localization piece problematic?

Section 40 (1)

Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.

The bill introduces a new entity, the data fiduciary. A data fiduciary is bound by law to act in the best interest of the client (or user) whose data it holds and to ensure that the data is used ethically. Any company or institution that collects user data (say Facebook, Google, Twitter or Practo) is a data fiduciary, and these entities are regulated to ensure that the data they collect is used for designated purposes only.

While the creation of this entity is in itself a great step, what this draft bill now requires is that every data fiduciary store one live copy of any personal data collected in data centers located in India. (Currently, both international and Indian companies store their user data in servers across the globe.)

This does not solve the problem of data security; it simply creates more problems. Instead of focusing on clear guidelines for corporate accountability, this bill opens up a new point of vulnerability for our data by creating a large new pot of data for the government to surveil.

Right now, there is a degree of oversight that takes place from the platforms’ end when governments request data. Most platforms disclose government requests for user data through transparency records. With this provision, it is unclear what safety measure can be had when the mirrored data is governed by entities connected to the Indian central government. As the statement from Mozilla Foundation puts it, it’s “hard to see that this provision is anything but a proxy for enabling surveillance”.

Additionally, this will create a high barrier for new platforms that want to come up in India, because they will have to have the funds to create local and global servers. This means that a young Bangalore-based start-up which is currently at liberty to make use of the most efficient, cost-effective service from the digital cloud will be required to maintain servers in India.

Chapter 10 details the establishment of the Data Protection Authority (DPA). Wouldn’t it be the DPA’s job to provide this oversight and hold both private actors and the State accountable?

Not quite. Sections 49 to 68 do lay out the details for the establishment of the DPA and set it up as an independent authority with certain powers, but if you take a look at Section 98, you’ll see that it is anything but.

Section 98

Power of Central Government to issue directions in certain circumstances. —

(1) The Central Government may, from time to time, issue to the Authority such directions as it may think necessary in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order.

(2) Without prejudice to the foregoing provisions of this Act, the Authority shall, in exercise of its powers or the performance of its functions under this Act, be bound by such directions on questions of policy as the Central Government may give in writing to it from time to time:

(3) Any direction issued by the Central Government shall, as far as practicable, be given, after providing an opportunity to the Authority to express its views in this regard.

(4) The decision of the Central Government on whether a question is one of policy or not, shall be final.

Section 98 not only states that the Central Government can issue directions to the DPA but also that the authority shall be bound by these directions when it comes to questions of policy and governance, in which the decision of the Central Government is final. Additionally, Section 50(1) states that the Chairperson and the members of the DPA will be appointed by the Central Government.

In India, top-level appointments and implementation of laws are all subject to interventions depending on who is in power.

Narendra Modi’s appointment of historian Yellapragada Sudershan Rao as the chairman of the Indian Council of Historical Research (ICHR) only a few months after he came into power is a case in point. Rao’s lack of qualifications for the role was widely discussed in the media, as was his membership in and proximity to the Rashtriya Swayamsevak Sangh or the RSS, a Hindu fundamentalist organization with close links to the Bharatiya Janata Party (BJP), and his previous position as president of the Akhil Bharatiya Itihas Sankalan Yojana, an RSS subsidiary with the stated mission of rewriting history from a Hindu nationalist perspective. In the months following his appointment, Rao recruited three RSS officers into the ICHR. The ICHR has since been involved in several efforts to rewrite Indian history, including proving that Hindu mythology—the Ramayana and Mahabharata—is fact.

If the larger issues of impunity hold, this does not bode well for the independence and autonomy of the DPA, as we’ve previously seen autonomous bodies being hijacked by political agendas.

The bill, borrowing from the General Data Protection Regulation (GDPR), the European Union law on data protection and privacy for all individuals within the European Union and the European Economic Area, sets a fairly high standard for consent. How do you see this being implemented?

In terms of consent, this bill is a poor copy of the GDPR. While it creates opportunities for the data principals to withdraw consent and ask companies to delete data they have shared, it takes a minor but consequential detour when it comes to the process of deletion.

Article 7.3

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

Section 12 (2) (c)

For the consent of the data principal to be valid, it must be capable of being withdrawn, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given.

Section 12.5

Where the data principal withdraws consent for the processing of any personal data necessary for the performance of a contract to which the data principal is a party, all legal consequences for the effects of such withdrawal shall be borne by the data principal.

Article 7 of the GDPR states that consent withdrawal is an easy and seamless process. While Section 12.2(e) of the Personal Data Privacy Bill says that consent is valid only if it can be withdrawn easily, Section 12.5 requires that the cost of this deletion process be borne entirely by the data principal themselves. Withdrawal of consent—and by extension, privacy—can hence be seen as a luxury extended to those who can afford it, further deepening existing inequalities in the Indian internet space. Further, while issues of consent are laid out for private actors, the government seems to be immune to some of these requirements, despite the fact that it is allowed access to the same pools of data.


In conclusion, the bill is a good starting point for recognizing the inherent right of citizens to their private data, but, as many privacy lawyers and advocates have pointed out, it has severe limitations. The next steps must involve those of us who would be affected by this bill having discussions and putting appropriate pressure on the ongoing consultation process to ensure that these loopholes are accounted for. Community input and consultation must be heard, especially around the lack of any language related to oversight over government-collected data that is at parity with corporate-collected data, and the issue of data localization and data mirroring.