The long-awaited data protection bill tabled by the Bharatiya Janata Party-led government in Parliament on Wednesday begins on a promising note: “The provisions of this Act,” reads the bill, “shall apply to the processing of personal data by the State, any Indian company, any citizen of India” and goes on to list rules that empower individuals to take control of their information.
But halfway through the 56-page bill, the story changes and the intent becomes clear: “All or any of the provisions of this Act shall not apply to any agency of the Government in respect of processing of such personal data,” it says. Wide-ranging exemptions allow the government to grab the data of its citizens, ostensibly to fulfil governance responsibilities but effectively giving it the licence to perpetually snoop on them.
That contradiction lies at the heart of the proposed “Personal Data Protection Act, 2019”: a step forward to protect an individual’s data from private corporations but two steps backwards in placing safeguards against government surveillance—fundamentally hurting the premise of citizens’ privacy protection.
The bill is a data governance framework that forces organizations dealing with people’s personal data to relook at data management, and regulates practices to protect individual privacy and personal data. It defines what they can and can’t do. It defines personal data as any information, collected online or offline, that can be used to identify you: name, address, phone number, location, shopping history, photographs, telephone records, social media activity, the food you eat, movies you watch, online searches, messages you exchange, devices you own.
The bill also defines “sensitive personal data”, which has additional safeguards. This includes your health data (like private information you share with a doctor or healthcare apps), financial data (banking and payments information), sexual orientation, biometrics (facial images, fingerprints, iris scans), caste or tribe, religious and political beliefs.
How do the provisions of the bill change things for various stakeholders? And how does it protect your data? Let’s break it down.
The impact on individuals
This opaque system is open to abuse. Your personal data is exploited to manipulate behaviour. It may determine the products you see, the prices you pay and services you can access. Increasingly, automated decision systems are used to decide if you should get a loan or not, and even your chances of being a criminal. People have little idea who has access to their information, when and how it was collected, what they do with it and how it impacts their everyday life.
That is the problem India’s data protection bill aims to tackle. Largely inspired by the European Union’s General Data Protection Regulation (GDPR)—adopted in 2016 and enforced in 2018—the proposed bill places individual rights at the centre of data protection. According to the bill, your personal information can’t be collected, processed or shared without your consent. Your personal data can be used for clear and pre-defined purposes and only necessary data can be collected.
To give consent a fair chance, companies will have to tweak their privacy agreements. These need to be clear and concise: a plain language description of what data is collected, its purpose, how it is used and the duration for which the data will be retained. They will be made available in multiple languages. You can also move your data from one provider to another; ask organizations what data they hold on you and request that it be deleted; and even withdraw your consent at any time.
Importantly, if you believe your personal data is outdated or incorrect, you can request to get it fixed, especially when inaccurate data can have harmful consequences. For example, if a recruiting firm has stored incorrect details about your educational and occupational history, it can hurt your employment prospects.
Then, in most cases, you may not know who can access the data you have shared with one organization. For example, has the doctor shared your private medical records with a health insurance provider, which impacts the premium you pay? You can find out under the provisions of the proposed bill, which allows you to request the list of entities with whom your data is being shared. To be sure, companies like Google and Facebook already offer many of these options to Indians.
The impact on organizations
Private organizations will have a lot to do, from making technical changes in engineering architecture to modifying business processes. At the core, they need to place limits on data collection, processing and storage, but there’s a lot more. For instance, organizations need to prepare and adopt a “privacy by design” policy, meaning user privacy should be at the centre of engineering design throughout the product development life cycle—not retroactively. The regulator will certify and approve the policy based on defined standards.
Technical security safeguards, including de-identification—preventing an individual’s identity from being inadvertently revealed—and encryption, need to be built in. Any instance of a data breach needs to be reported to the regulator.
Larger organizations—depending on the volume of data, annual turnover and other factors—and social media companies with users above a defined threshold will have additional responsibilities. This includes conducting data protection impact assessments for specific tasks defined by the regulator, periodic security audits and appointing a data protection officer. Additionally, social media platforms would be required to enable users to voluntarily verify their accounts, similar to the “blue tick” on Twitter.
A few restrictions have been imposed on data localization requirements. Personal data can cross borders without any restrictions. But some constraints remain: limits are placed on “sensitive personal data” which needs to be stored in India but can be processed outside after approval from the regulator. Processing refers to any operation on personal data. For “critical personal data”, which the central government can notify on its own, there are hard restrictions: it needs to be both stored and processed within India.
In terms of data sharing, the bill says that the government can ask companies to provide “anonymised” or “non-personal data” for policymaking or other public goods. The idea is to use aggregated data to derive meaningful insights and spot unknown trends. For instance, aggregated data from cab-riding services can help in traffic planning.
However, it can also lead to privacy concerns. Consider sales data from an e-commerce or food delivery service aggregated by locality. It doesn’t identify any particular individual per se. But it can identify localities which, say, mostly buy Bengali food or those that don’t order non-vegetarian food at all; those that order holy scriptures of a specific religion or clothes of a certain kind.
None of this reveals anything about an individual but the data points can say a lot about a community. The rules under the bill do not apply to processing of anonymized data, leaving it to the regulator to decide. This can be tricky. “The law should continue to focus on the protection of personal data and leave the regulation of non-personal data to an independent law,” Mozilla wrote in a blog post.
There are stiff penalties proposed: up to ₹15 crore or 4% of an organization’s total worldwide turnover. It can also land people in jail. That’s different from GDPR, where failure to abide by data protection requirements doesn’t lead to criminal sanctions.
The challenge for companies would vary depending on the scale of the organization, the GDPR experience tells us. For instance, Microsoft spent hundreds of millions of dollars and committed more than 300 full-time engineers for over 18 months to build new software architecture, the company’s president Brad Smith recounted in his book Tools and Weapons. On the other hand, reports suggest that smaller firms, which lacked the relevant resources and know-how, struggled to be compliant with the new norms.
The impact on government
The bill offers broad exceptions for the government to access personal data of citizens and gives it full discretion to exempt any of its agencies from the law, citing public order, national security and friendly relations with foreign states.
This bill will “turn India into an Orwellian state”, Justice B.N. Srikrishna, who led the committee that drafted the 2018 Personal Data Protection Bill, told The Economic Times. “They have removed the safeguards. That is most dangerous. The government can at any time access private data or government agency data on grounds of sovereignty or public order.”
While private firms engaging in “surveillance capitalism” is a major issue, the primary problem is the need to restrict government access to information about individuals, and codify government surveillance into rule-of-law procedures, economists Vijay Kelkar and Ajay Shah argue in a new book, In Service of the Republic. That’s step number one.
Of course, private corporations can make money by using personal data for manipulating behaviour. But the government’s access to personal information is far more dangerous as it has significantly more powers. Governments have the ability to coerce individuals into certain behaviours by force. This distinction is essential.
Laws regarding government surveillance are largely a settled matter in mature democracies. For instance, most member states of the European Union have legal frameworks governing surveillance and ensure democratic oversight over intelligence authorities—none of which exists in India. No Indian intelligence agency was created under an Act of Parliament, and there are no clearly defined roles or limitations on powers.
After reining in the powers of the government, Europe moved ahead to curb abuse by private actors. And GDPR also applies to both public and private sectors, unlike the proposed law in India. India took inspiration from Europe but has missed the historical context in which the privacy regulation had evolved.
The impact on regulators
The bill sets up a powerful new privacy regulator, the Data Protection Authority of India (DPA), to define standards, prevent misuse of personal data, monitor compliance and promote awareness about data protection. The authority can conduct inquiries based on its own complaints or those it receives. It has the power to penalize offenders—these range from financial payouts to criminal sanctions. DPA’s orders can be challenged in an appellate tribunal. Appeals from the tribunal will go to the Supreme Court.
DPA will consist of a chairperson and six members with at least 10 years of expertise in the field of data protection and information technology. However, there is one issue: the commission that will appoint the members will have no judicial or external representation. It is limited to members of the executive. This will make it “much harder for the DPA to be empowered and effective as the entire governing structure will be appointed exclusively by the government”, Mozilla explained in the blog post.
It is important to note that the law in itself doesn’t protect citizens’ data. The degree of protection would depend on the enforcement of the proposed rules. Here, India’s weak state capacity—the ability of the government to administer and its capacity to design and implement rules or policies—could affect enforcement. Strengthening the capacity of the new regulator will be crucial for the successful implementation of the proposed law.
Many issues that were raised when GDPR was implemented remain relevant for India. A lot will depend on how policies will be enforced and if that will help large companies gain a further edge over smaller firms. Providing adequate support to organizations to comply with the new rules will be crucial. They need to understand the meaning of informed consent, and translate legal specifications into technical implementation.
The data protection bill is not yet final. It has been referred to a joint select committee of both Houses of Parliament with 20 members from the Lok Sabha and 10 from the Rajya Sabha. They are expected to submit their report before the end of the forthcoming budget session. If the country’s parliamentarians genuinely want to protect the data and privacy of citizens, they must deliberate on the shortcomings of this bill. Crucially, if they want to empower individuals, they need to cede some of their own powers.
Samarth Bansal is a freelance journalist based in Delhi. He writes about technology, politics and policy.