View: Data protection law must guard against internal and foreign threats to citizen privacy

By Amba Kak

The inaugural Parliament session of the government’s second term began with IT minister Ravi Shankar Prasad proclaiming passing a data protection law as a top priority. This news was as encouraging as it was worrying. While the lack of a law safeguarding privacy is becoming ever more dangerous and untenable, it did not bode well that no one outside government has seen the current version of the bill. And with a complete majority in Lok Sabha, there was justifiable cynicism that the government would pass this bill without proper parliamentary scrutiny.

The last public version of the Personal Data Protection Bill, made available last year, suffered from critical weaknesses around surveillance and the independence of the regulator. News reports suggest “changes” have been made, but we don’t even have an inkling which way the needle has moved.


The speculation doesn’t end there. Just last Friday we heard the government might even start “fresh consultations” on this law altogether. Citing disagreements within the government, news reports suggest this consultation will be exclusively with “Indians”. This caveat should be understood as part of the government’s evolving “data sovereignty” agenda, which thinks of data as a national economic asset, and places emphasis on the uniquely “foreign” threats to Indians’ privacy from large Western tech companies.

Against the global backdrop of growing scepticism of Silicon Valley, it is easy to forget that the genesis of the data protection bill is, in fact, Indian in origin. In early 2018, faced with mounting privacy and security challenges to the Aadhaar project, the government was spurred into motion, committing to swiftly passing a data protection law on the pretext that it would salvage some of the risks emanating from the biometric ID project.

In the last month alone, we’ve had several new home-grown examples demonstrating the dangers of lawlessness around personal data.

Minister Nitin Gadkari’s transport department recently sold millions of vehicle registration and driver licence records to private and government entities. The revenues from this sale earned the government a paltry Rs 65 crore, but the costs to the privacy and security of Indians will be far greater. This data could have been shared with car insurance agencies, for example, who might hike premiums or even deny insurance to individuals based on information they had no ability to control. Under the “purpose limitation” rule in the government’s own draft bill, the sharing of personal data collected in one specific context (vehicle registration) to countless third-party entities with no restrictions on what they might use it for, would have been patently illegal.

Under the new “Digi Yatra” programme, airports at Hyderabad (and soon, Delhi) have introduced a trial facial recognition system for passengers. Digi Yatra cheerfully invites people to “volunteer” their faces to be entered into a centralised government database, despite the lack of any information or control on how this data might be used or shared. The government has in fact made multiple moves towards ramping up face surveillance architecture in the country. On June 28, the National Crime Records Bureau announced its plans to deploy an “automated facial recognition system” for use by law enforcement to track down criminals, using a combination of CCTV footage matched to existing (and unspecified) facial scan databases.

Meanwhile, we see increasing deployment of CCTV cameras in public spaces and most recently, government classrooms in Delhi. Pervasive surveillance and facial recognition like this can turn all citizens into suspects. The threats created by these next-gen technologies are difficult to predict or control, even with a data protection law. Without one, Indians have even fewer legal avenues to question them.

Despite this urgent need for legal limits, the Personal Data Protection Bill requires proper scrutiny and consultation. The last few weeks of the monsoon session have not inspired confidence. The Right to Information Act, groundbreaking in its impact on government transparency, has been significantly weakened, without any public consultation or even notice to the countless citizens and activists who have relied on this law for more than a decade. The ordinance amending the Aadhaar Act to allow for expanded private sector use had a similarly smooth journey through both houses. These are alarming precedents.

If there is any cause for optimism, it is that MPs, across party lines, are standing up for data protection in increasing numbers and more vocally than ever before. During Lok Sabha debates on Aadhaar amendment in particular, multiple MPs called out the concerns with expanding private sector usage of Aadhaar before passing a law that would protect citizens against data misuse. TMC staged a protest outside Parliament on the lack of action on a data protection law outside Parliament. On Friday, Ravikumar of DMK introduced his own Private Member’s Bill on data privacy, which includes provisions on government surveillance and envisions a strong Privacy Commission for redressal.

These are all signs that privacy in India can no longer be relegated to an elitist concern. This law will fundamentally reshape the relationship between citizens and the companies and government entities they entrust with their data. The next steps for this bill remain uncertain, but the key priority must be to ensure that the public is a part of the conversation. Rather than secret consultations and speculative reports, this law needs a public debate.

(The writer is a lawyer and policy adviser at Mozilla)