Digital data protection bill 2022: Big Brother meets big business
The new personal data protection bill is not about protecting user (read: citizen) data; it is a charter for ‘surveillance capitalism’
The newly minted data protection bill 2022 is a more bare-faced declaration of government intent than its predecessors, framed in 2019 and 2021. If the objective of the Personal Data Protection Bill 2019 was to give a legal framework to the Supreme Court’s Puttaswamy judgment (2017), which upheld privacy as a fundamental right, its new avatar, the draft Digital Personal Data Protection Bill 2022, allows the government to override this right at will.
The other objective of the new bill is to enable big business—both Indian and foreign—to mine our personal data to their advantage. So, the intent of the bill is the polar opposite of what it proclaims: while still invoking the citizen’s right to privacy, it is, in fact, granting the State unrestrained rights to violate that privacy at will. It is creating the architecture of an Orwellian surveillance state and promoting ‘surveillance capitalism’.
The 2019 bill was far from perfect. The Joint Parliamentary Committee had suggested 92 amendments to the proposed law. It went through extensive reviews, both in public and in Parliament. After all those consultations, in public and in the JPC, the bill was suddenly withdrawn, and a new draft bill is now in our midst for no apparent or clearly articulated reason. Those reasons, such as they are, become clear when you pore over the two bills side by side, see the pattern of additions and deletions, which show the direction of the new bill.
Let’s look at the big picture first. To protect the citizen’s privacy as a right, we need to first define what that right is and under what conditions the State may take away this right. The right to life or liberty of a citizen, for example, can be taken away by the State if s/he commits a heinous crime as judged by an independent judiciary. As we saw during the state of internal Emergency in 1975, allowing the government to exercise this right without any judicial review led to some of the worst excesses during the period.
A privacy law must, therefore, explicitly state under what conditions this fundamental right may be curtailed. Or, as the Puttaswamy judgment laid down, any such curtailment must meet the triple test of necessity, reasonability and proportionality. The other missing feature of the new bill is the provision for a sufficiently empowered regulatory body, which can independently assess if the grounds cited for a violation of the citizen’s right to privacy meet the triple test. On both these counts, the new Bill is overwhelmingly tilted in favour of the government and against the citizen.
Retired Supreme Court Justice B.N. Srikrishna had proposed a draft personal data protection bill in 2018. In a recent interview with The Hindu, he says that the draft 2022 bill allows ‘a coach and a horse to be driven through the right of privacy of the citizens’. According to him, the 2022 bill has completely abandoned the Puttaswamy judgment’s triple test.
Let us look at the regulatory authority envisaged in the 2022 Bill. The composition, qualifications, procedures of appointment, and tenure of the members of the Data Protection Board have all been delegated to subordinate legislation—called ‘rules’—to be decided by the government and taken out of the purview of Parliament. The board’s chairperson and members will be appointed and their tenures decided by the government. In other words, as Justice Srikrishna also points out, the Board will be a puppet of the government. The provision for an appellate tribunal, specified in the 2019 PDP bill, has also been dropped.
The 2022 bill is much shorter than its abandoned 2019 cousin: it contains only 30 sections against 98 in the 2019 version. Of these 30 clauses, as many as 18 have ‘the government may prescribe’ riders, which renders them meaningless as they stand today with nobody any wiser about what the government may prescribe.
The draft bill also empowers the government to exempt its agencies from the provisions of the bill whenever it pleases through a simple notification on grounds of ‘national security’. This is in addition to the powers government agencies already have to intercept our communications—telephone or data—via the IT Act.
The 2022 Bill starts, as did the older versions, by defining a ‘data principal’ and a ‘data fiduciary’. Let’s focus here on the citizen as data principal.
The ‘data fiduciary’ is the entity that parts with the user data generated while using an application (or ‘app’, in common usage) or during an activity on a digital platform. In most cases, it is a company or an agency of the State. It is the citizen’s personal data that companies or government agencies mine. For companies such as Google or Facebook, the objective is mainly commercial: they are the intermediaries who pass on user data to other companies who want to advertise their products or services to users of these ubiquitous digital platforms.
Harm or loss may happen due to misuse of data, meaning its use beyond what citizens have explicitly consented to and causing individual or other ‘data principals’ monetary or reputational loss, and potentially putting at risk their personal security.
The number of clauses defining citizen harm or loss is far smaller in the 2022 bill than the number of categories of harm specified in the 2019 version. Also notably, a clause defining significant harm based on impact, continuity, persistence or irreversibility of harm has been removed in the new draft bill.
The earlier bill also had a clause defining sensitive data and how such sensitive data is to be treated. In this version of the bill, there is no definition of sensitive data and, therefore, no separate provision for processing such data by ‘big data’ companies. All of these tilt the balance between citizens and big data companies, heavily favouring the companies.
No other data protection bill of note lays down the duties of the citizen. This one does. It specifies that the data principal, or the citizen, has a legal obligation to provide correct data. This means that no person can use pseudonyms while availing of any data services.
Fiduciaries are not really storing data on our behalf but for their own profits. They want our data to sell to advertisers. They use our data to sell us goods continuously and get a big share of the profits from such sales
The reason why citizens often use pseudonyms is that identifying themselves by gender or religion may expose them to threats, intimidation or worse. Women, for example, are often targeted online and trolled viciously, which can silence them or drive them out of the digital space. People of non-binary sexual orientation may also fear harms in a largely conservative society, and be reluctant, for good reason, to disclose real identities online. Disallowing pseudonyms may help State agencies and big data companies but can cause serious harm to different minorities. The draft bill offers them no protection.
The 2022 personal data bill practically exempts the State from any obligations with respect to the privacy of citizens. It has also significantly lowered the bar of obligations for big data companies vis-à-vis users.
It has done away with provisions to localise data, under which the data of Indian citizens would be held in India and be subject to Indian laws. While the merits of data localisation provisions were contested even among the defenders of citizens’ right to privacy, it is worth remembering that multinationals such as VISA, Google and Facebook were at the vanguard of pressure groups that wanted it struck off the earlier draft (2019), which contained data localisation provisions.
One of the primary objectives of the new bill is to further loosen the restraints on big data companies vis-à-vis citizens’ personal data, or on how these companies may mine and use said data. The very concept of a ‘data fiduciary’, which implies data held in trust, tries to obfuscate the reason why these companies are interested in our personal data in the first place—for them, this data is a monetisable asset. So, the data they supposedly hold in trust is, in fact, data they trade for profit. How otherwise are Google and Facebook the biggest recipients of digital advertising revenue today?
Access to this data is also the means to improve and optimise a whole range of software tools. For example, the success of AI (artificial intelligence) tools depends on the amount and variety of data in the feed—algorithms get better with more data. To understand the new data ‘protection’ bill—the irony of its nomenclature is truly mind-boggling—you might even ask: who benefits more from more user data and better algorithms? Not only big businesses, who must profile their consumers better to target their rupees and dollars, but also Big Brother, who must keep tabs on its citizens to “reorient” them right—or else.