Indranil Banerjie | A Law to Protect Citizens, Or To Help in State Snooping?

In today’s digital age, privacy is a chimera -- the reality is that every intimate detail of our lives, from our eating and spending patterns to medical and financial details, are digitally recorded in some computer somewhere in the vast cloud and can therefore be potentially exposed. In these circumstances, it is vital that citizens are protected in cases of any breach of privacy or the abuse of personal digital data.

The idea of a digital data protection law had become imperative given the increasing unauthorised collation, misuse and processing of personal digital data.
Information, as they say, is power; and power misused is catastrophe. The individual today is not only exposed to predatory practices by criminals but also by commercial and government entities determined to flout the fundamental principles of the right to privacy.

Most civilised nations in the world today have laws to protect this growing vulnerability of citizens. In India, till date, there was no such law and hence the Digital Personal Data Protection Bill 2023, that was tabled in Parliament by the ministry of electronics and information technology. The bill was passed by voice vote in the Lok Sabha on Monday, with the Opposition walking out in protest. It is headed for the Rajya Sabha where it is expected to sail through and become law.

The intention of this piece of legislation is noble, or at least was in the beginning. The basic aim was to protect ordinary citizens from unseen enemies lurking in the dark digital world. The bill in its current form is mainly geared to protect individuals from unscrupulous or negligent commercial entities. Fines as high as Rs 250 crores could be imposed for data breaches and a digital platform could even be blocked if it continues to leak data. It also requires consent from users whose data is to be used and processed, and allows that consent to be revoked.

All this is very good and it is true, as Rajeev Chandrashekhar, minister of state for electronics and information technology, declared that the “practice of misusing and exploiting personal data must be put on a break”. This bill will certainly introduce accountability in the wider digital world dominated by non-government and commercial organisations. But even here there are questions of whether it will do enough.

The most absurd part of this bill is that while it purports to protect the individual from the misuse of digital data, there are no provisions aimed at preventing the risk of harm caused to individuals through the misuse of digital data by any agency, commercial or otherwise. In earlier drafts of the bill, there were specific clauses addressed to dealing with harm arising from digital data misuse or negligence. Even the 2019 version had defined harm to include mental injury, identity theft, financial loss, reputational loss, discriminatory treatment, and unnecessary surveillance; it required entities collecting data to take measures to prevent, minimise and mitigate risks of harm. Every one of these clauses have mysteriously been junked in the version passed by the Lok Sabha.

The present law endeavours to make private data more secure but falls woefully short when it comes to governmental misuse of individual data. There are absolutely no safeguards to prevent abuse of data by official entities, nor are there any checks or balances. Even the body (Data Protection Board of India) which is proposed to be set up to adjudicate on issues arising from the application of this law will not be an independent body, but one set up and controlled by the government. All this constitutes a fatal and wholly unacceptable flaw. The State cannot have unfettered rights to access personal data.

Not surprisingly, the Editors’ Guild of India has criticised the provisions of this bill, arguing that its “shortcomings could have a chilling effect on journalistic activities in the country”. The guild added that the bill “fails to address the urgent need for surveillance reform and, instead, appears to enable surveillance of citizens, including journalists and their sources”.

The editors have specifically objected to certain clauses in the bill that fly against the notion of a free and open press. This includes Section 36 of the bill “which permits the government to request personal information, including that of journalists and their sources, from any public or private entity acting as a data fiduciary”.

Worst are the clauses that entirely exempt government entities from any restraint in the matter of collecting, storing and processing personal data. The Editors’ Guild has also voiced concern about Section 17(4), which allows “the government and its instrumentalities to retain personal data indefinitely”.

Significantly, these dubious provisions were added in the latest version of the bill. The original 2018 version had, for instance, provided for some restraint on official agencies by stating that they must process personal data in a legal manner and in accordance with lawful procedure. This important restriction has been struck off. So has the provision of the right of an individual to demand that their personal data be deleted once its use is over. Now personal data can be retained indefinitely by governmental agencies.

In other words, these are atrocious provisions that challenge an individual’s right to privacy. Once enacted, these provisions are certain to be challenged in court as the Supreme Court has already ruled that the privacy of individuals is a fundamental right.   

In other more accountable democracies, the State’s rights to access personal data are circumscribed in manifold ways. For instance, in the United Kingdom, a 2018 data protection law allows national security organisations to access personal data but under specific safeguards and regulations as defined in the Investigatory Powers Act 2016.  A government official cannot access personal data without a warrant and must delete the data once it is acted upon. Most important, the British Parliament has regulatory oversight over such processes and the government is not free to act with impunity.

In the United States, a law was passed as far back as in 1974 specifically to protect citizens from the unauthorised use of personal data by the government. The Privacy Act of 1974 prohibited agencies from disclosing personal information without written consent from the individuals, except for statistical purposes. US citizens can request or change their records, and are protected against unwarranted invasion of their privacy.

The core idea of India’s digital data protection law was to protect the citizen. Instead, the present bill which will soon become law primarily seeks to protect official agencies seeking to breach individual privacy without restrictions, safeguards or accountability. This is nothing but the gross perversion of a noble intent.