Data protection concerns

India's first privacy legislation has too many holes

The government has taken extraordinary measures to reduce public scrutiny, and even Parliamentary examination of the Personal Data Protection Bill. The draft was not circulated well in advance of its presentation in Parliament and comments and submissions made during the drafting process were not made public. Communications, Electronics & Information Technology Minister Ravi Shankar Prasad requested that the Bill should be examined by a select committee chosen for the purpose and not by the Standing Parliamentary Committee on IT (which is chaired by an Opposition member). This lack of scrutiny makes it more likely that multiple areas of concern will not be addressed.

 
On the positive side, there is good protection against data misuse by companies. There is also a provision for a Right to Erasure (the so-called right to forget) and Right to Correction, which allows individuals to request deletion or correction of data, once it is no longer necessary for the specific purpose for which it was collected. However, this has been nullified by massive exemptions for government surveillance, data-handling and other disturbing provisions. Social media platforms will be asked to provide a process for voluntary verification of users. The government claims the right to demand “non-personal” data. There were some exemptions for government handling of data in the original 2018 draft by the Justice Srikrishna Committee but these have been expanded. The Srikrishna Committee’s suggestion that government data-processing be “necessary and proportionate” has been erased. An additional provision has been inserted to grant discretion to exempt any government entity, or department, to collect data without consent. This means zero checks and balances against state surveillance.

 
The independence of the proposed Data Protection Authority (DPA) has been weakened as all members must be from the executive arm of government. This contrasts with the Srikrishna Committee’s suggestion that the DPA induct individuals with executive, judicial, and external expertise. The draft also avoids setting any timeline for setting up the DPA. If social media platforms are forced to provide processes for “voluntary” user-verification, this would chill freedom of expression, and impinge on the privacy of those who chose to be verified. Any user who does not submit “voluntary” verification and remains anonymous could also be specifically targeted by government agencies. Moreover, it would increase the risk of profiling, and data breaches as more data would flow to social media platforms. 

 

The mandate for enforced transfer of “non-personal” data to government could also lead to abuse and misuse. The definition of “non-personal” data is very broad. Even anonymised information about e-commerce sales patterns can, for example, be used to infer personal details like caste, religion, medical conditions, sexuality, reading habits and so on. Tying non-personal data to personal data, such as electoral rolls, income tax records, mobile call and internet-usage patterns and social media usage is possible since government has access to such data and a free hand with surveillance. Using that data for malign purposes, such as influencing voters, or threatening them, is possible. It is a pity that India’s first privacy legislation has so many holes. It is also ironical that an attempt is being made to pass this Bill with minimum transparency. It may lead to flawed legislation that fails to protect individuals unless the Opposition insists on vigorous debate and amendments to strengthen the protection of privacy.