The new avatar of the Indian Data Protection Bill 2022 is not simply a rebirth of its 2019 version. Its earlier objective was to provide a legal framework to the Supreme Court’s Puttaswamy judgement that privacy is a fundamental right. The purpose of the 2022 bill is different. It proclaims the citizen’s right to privacy but allows the government to override it. Its other objective is to enable Big Businesses—Indian or foreign—to use our data for their benefit. In other words, the 2022 bill intends to do the opposite of what it claims: not protect privacy but create the architecture of a surveillance state and build surveillance capitalism.
I don’t argue the 2019 bill was perfect. It was not. The Joint Parliamentary Committee suggested 92 amendments in it. But after extensive reviews in Parliament, public discussions and deliberations in the JPC, the government suddenly withdrew the bill and released a new one without explanation. The answer materialises when we examine the clauses dropped in the new bill and its overall direction.
Let us look at the big picture first. To protect the citizen’s privacy as a right, we must define what that right is and under what conditions the State can invade it. For example, the right to life or liberty of a citizen can be taken away by the State if an independent judiciary judges they committed a heinous crime. As we saw in 1975, allowing the government to exercise this right without judicial review led to the worst excesses of the Emergency.
A privacy law, therefore, must have at least two basic elements. One is defining under what conditions the State can curtail these fundamental rights. Or, as Puttaswamy says, any curtailment must meet the triple test of necessity, the invasion of privacy being reasonable and proportionate to the need. Another element is a relatively independent regulatory body must exist to protect the right to life and liberty. The 2022 version of the bill overwhelmingly tilts in favour of the government and against citizens on both counts.
In 2018, former Supreme Court Justice BN Srikrishna proposed a draft Personal Data Protection Bill. In a recent interview with The Hindu, he said the government’s 2022 version “drives a coach and horses through the privacy right of individuals”. According to him, it completely abandons Puttaswamy’s triple test of necessity, reasonableness and proportion.
For example, the composition, qualifications, procedures of appointment and tenure in the regulatory authority envisaged in the 2022 bill have all been delegated to what is called subordinate legislation—or rules—that the government will decide. Hence, these critical functions have been taken out of the purview of Parliament. The new version says a chairperson and the members of a Data Protection Board of India will be appointed, and their tenures fixed, solely by the government. This is why Justice Srikrishna said it would be a government “puppet”. The provision of an appellate tribunal specified in the 2019 version of the Bill has also been dropped.
The 2022 bill is much shorter, containing only 30 sections compared to 98 in the 2019 version. While shorter, at least 12 of its 30 sections carry the rider that the government “may prescribe” on those issues, making those sections meaningless.
The bill empowers the government to exempt its agencies from these provisions through a simple notification on national security grounds. This provision is in addition to government agencies’ existing powers to intercept our telephone or data communications under the Information Technology Act.
The 2022 bill starts, like the older version, by defining the data principal and fiduciary. Let us focus on the citizen as the data principal—that is, on what happens to their data. The data fiduciary is the one who parts with their data while using an application or performing an activity on a platform. In most cases, the fiduciary is a company or State agency which uses citizens’ data for their purposes. For instance, companies like Google and Facebook use citizens’ data to display ads to their users. Or they act as data brokers, selling their data to companies and other entities.
The misuse of data, when used beyond what a citizen has permitted an entity to use it for, can cause harm or loss to the data principal. That harm could be monetary or hurt their reputation or another loss, including personal security. But in the clauses that define what citizens can consider harm or loss, the categories have been reduced significantly in the 2022 version compared with the 2019 bill. A clause that defines significant harm based on impact, continuity, persistence or irreversibility has been completely removed. The earlier bill also had a provision that defined sensitive data and how to treat it. This version of the bill has no such definition and, therefore, no provision for when Big Data processes such data. All these tilts the balance between the citizen and Big Data companies, heavily favouring the latter.
No data protection bill I know of lays down duties for the citizen. This one does. It specifies that the data principal—the citizen—is legally obliged to provide the correct data. It means no person can use a pseudonym while using data services. People often use pseudonyms since identifying them by gender or religion might expose them to danger. Women are trolled on many websites in a bid to silence or drive them out of digital spaces. Having a non-binary sexual orientation is another reason why people may not wish to disclose their real identity on certain websites. Disallowing pseudonyms may help State agencies and Big Data, but it can cause serious harm to various minorities.
This bill virtually exempts the State from requirements regarding citizen privacy. It lowers the duties of Big Data towards its users. It does away with data localisation, which would have meant that the data of Indian citizens are held in India and subject to Indian laws. Contrary to the government’s nationalist claims, it is weakening provisions related to data localisation, which will help foreign capital. Companies like Visa, Google and Facebook had raised significant objections to the data localisation provisions in the earlier version of the Privacy Bill.
A considerable part of this bill is geared toward allowing Big Data to use our data. The concept of a data fiduciary obfuscates that companies defined as fiduciaries do not store data on our behalf but for their profits. They want to use our data to sell us to advertisers. They use our data to sell us goods continuously, and they get a significant share of the profits from such sales. Google and Facebook are the biggest recipients of advertising revenue today.
Data also allows improvements in and optimisation of a vast range of software tools. For example, the successes of Artificial Intelligence tools depend on the amount and variety of data it consumes. And, of course, government agencies want more data to monitor and “orient” citizens to their preferred mode of thinking. These concerns are apart from the role big money plays in elections. That is why the phrase Surveillance Capitalism describes the marriage between the surveillance state and big capital. And this marriage is at the core of the 2022 privacy bill.