This privacy law needs public debate

By Amba Kak,​ lawyer and policy advisor at Mozilla, and CyberBRICS Associated Scholar.

Associated Scholar This article was originally ​published​ in the print edition of the Times of India on July 30, 2019.

The inaugural Parliament session of the government’s second term began with IT Minister RS Prasad proclaiming passing a data protection law as a top priority. This news was as encouraging as it was worrying. While the lack of a law safeguarding privacy is becoming ever more dangerous and untenable, it did not bode well that no one outside government has seen the current version of the bill. And with a complete majority in the lower house of Parliament, the Lok Sabha, there was justifiable cynicism that the Government would pass this bill without proper Parliamentary scrutiny.

The last public version of the Personal Data Protection Bill, ​made available last year, suffered from critical weaknesses around surveillance and the independence of the regulator. News reports suggest “changes” have been made, but we don’t even have an inkling which way the needle has moved.

The speculation doesn’t end there. Just last Friday we heard the government might even start “fresh consultations”​ on this law altogether. Citing disagreements within the government, news reports suggest this consultation will be exclusively with “Indians”. This caveat should be understood as part of the government’s evolving ​“data sovereignty” agenda​, which thinks of data as a national economic asset, and places emphasis on the uniquely “foreign” threats to Indians’ privacy from large Western tech companies. This development could be a set-back to progress on the data protection law. Perhaps more concerning, however, is that the issue seems reduced to a battleground between “national” and “foreign”; between big tech companies and the State – and where the rights of citizens that are threatened by both fall to the background.

Against the global backdrop of growing scepticism of Silicon Valley, it is easy to forget that the genesis of the data protection bill is, in fact, Indian in origin. In early 2018, faced with mounting privacy and security challenges to the Aadhaar project, the government was spurred into motion, committing to swiftly passing a data protection law on the pretext that it would salvage some of the risks emanating from the biometric ID project.

In the last month alone, we have had several new home-grown examples demonstrating the dangers of lawlessness around personal data.

Minister Nitin Gadkari’s Transport Department recently sold millions of vehicle registration and driver license records​ to private and government entities. The revenues from this sale earned the government a paltry Rs 65 crores (or roughly USD 9 million), but the costs to the privacy and security of Indians will be far greater. This data could have been shared with car insurance agencies, for example, who might hike premiums or even deny insurance to individuals based on information they had no ability to control. Under the “purpose limitation” rule in the government’s own draft Bill, the sharing of personal data collected in one specific context (vehicle registration) to countless third-party entities with no restrictions on what they might use it for, would have been patently illegal.

Under the new “Digi Yatra” program, airports at Hyderabad (and soon, Delhi) have introduced a trial facial recognition system for passengers. Digi Yatra cheerfully invites people to “volunteer” their faces to be entered into a centralized government database, despite the lack of any information or control on how this data might be used or shared. The government has in fact made multiple moves towards ramping up face-surveillance architecture in the country. On June 28th, the National Crime Records Bureau announced its plans to ​deploy an “automated facial recognition system” for use by law enforcement to track down criminals, using a combination of CCTV footage matched to existing (and unspecified) facial scan databases. Meanwhile, India is witnessing increasing deployment of CCTV cameras in public spaces and most recently, government classrooms in Delhi. Pervasive surveillance and facial recognition like this can turn all citizens into suspects. The threats created by these next-gen technologies are difficult to predict or control, even with a data protection law. Without one, Indians have even fewer legal avenues to question them.

Despite this urgent need for legal limits, the Personal Data Protection Bill requires proper scrutiny and consultation. The last few weeks of the Monsoon session have not inspired confidence. The Right to Information Act, ground-breaking in its impact on government transparency, has been significantly weakened, without any public consultation or even notice to the countless citizens and activists who have relied on this law for more than a decade. The ​ordinance amending the Aadhaar Act to allow for expanded private sector use had a similarly smooth journey through both houses. These are alarming precedents.

If there is any cause for optimism, it is that members of Parliament, across party lines, are standing up for data protection in increasing numbers and more vocally than ever before. During the Lok Sabha debates on the Aadhaar amendment in particular, multiple MPs called out the concerns with expanding private sector usage of Aadhaar before passing a law that would protect citizens against data misuse. The Trinamool Congress staged a protest outside Parliament on the lack of action on a data protection law outside Parliament. On Friday, Dr. Ravikumar of the DMK introduced his own Private Member’s Bill on data privacy which includes provisions on government surveillance and envisions a strong Privacy Commission for redressal.

These are all signs that privacy in India can no longer be relegated to an elitist concern. This law will fundamentally reshape the relationship between citizens and the companies and government entities they entrust with their data. The next steps for this Bill remain uncertain, but the key priority must be to ensure that the public is a part of the conversation. Rather than secret consultations and speculative reports, this law needs a public debate.