BY PRABIR PURKAYASTHA
The new avatar of the Indian Data Protection Bill 2022 is not simply the rebirth of the earlier 2019 one. The objective of the
earlier Data Protection Bill 2019 was to give a legal framework for the Supreme Court's Puttuswamy judgement of privacy
as a fundamental right. The 2022 Bill has a different purpose. This version proclaims the citizen's right to privacy but allows
the government to override this right at its will. The other objective of the new Bill is to enable big business—Indian and
foreign—to use our data for their benefit. In other words, the intent of the Bill is the opposite of what it claims: it is not to
protect privacy but create the architecture of a surveillance state and build surveillance capitalism.
I am not going to argue that the 2019 Bill was perfect. It was not. The Joint Parliamentary Committee also suggested 92
amendments to the Bill. But it had gone through extensive review, both publicly and in the parliament. After a series of
discussions—public and in the Joint Parliamentary Committee—was suddenly withdrawn, and a new Bill was released
without any explanation. The explanation can be seen when we examine the clauses that have been dropped and the
direction of the new Bill.
Let us look at the big picture first. To protect the citizen's privacy as a right, we need to define what that right is and
under what conditions the state can invade this right. For example, the right to life or liberty of a citizen can be taken away
by the state if he/she commits a heinous crime as judged by an independent judiciary. As we saw during the 1975
emergency, allowing the government to exercise this right without any judicial review led to the worst excess of the
emergency.
The need for a privacy law, therefore, needs at least two basic elements. One is to define under what conditions can this
fundamental right be curtailed. Or, as Puttuswamy judgement said that any such curtailment must meet the triple test of
necessity, have reasonable reasons for such an invasion, and should be proportionate to the need. The other element is
that to protect this right, there is a need for a relatively independent regulatory body. On both these counts, this version of
the Bill is overwhelmingly tilted in favour of the government and against the citizen.
Justice (retired) B N Srikrishna of the Supreme Court proposed a draft of the Personal Data Protection Bill in 2018. In a
recent interview with The Hindu, he says that the proposed 2022 Bill allows a coach and a horse to be driven through the
right of privacy of the citizens. According to him, the 2022 Bill has completely abandoned the Puttuswamy judgment's triple
test of necessity, reasonability, and proportionateness for any curtailment of the right to privacy.
Let us look at the regulatory authority envisaged in the 2022 Bill. The composition, qualifications, procedures of
appointment, and tenure have all been delegated to what is called subordinate legislation—called rules—to be decided by
the government and taken out of the purview of the parliament. The board's chairperson and the members will be
appointed, and their tenure will be decided solely by the government. This is why Justice Srikrishna says that it will be a
puppet of the government. The provision of an appellate tribunal specified in the 2019 version of the Bill has also been
dropped.
Overall, the 2022 Bill is shorter, containing only 30 sections compared to the 98 of the 2019 version. But even while it is
shorter, out of 30 clauses in the Bill, 18 have riders that “the government may prescribe” and are meaningless as they
stand.
The Bill also empowers the government to exempt its agencies from Bill's provisions through a simple notification on
national security grounds. This is in addition to the government agencies' existing power of intercepting our
communications— either telephone or data—by virtue of the IT Act.
The 2022 Bill starts, as does the older version, defining a data principal and a data fiduciary. For the purpose of this
article, I will focus on the citizen as the data principal; it is their data that will be my focus here. The data fiduciary is the one
who parts with her data while using an application or an activity on a platform. In most cases, it is a company or an agency
of the state. It is the citizens' data that the companies or government agencies use for their purpose. In the case of
companies such as Google and Facebook, it is for displaying ads to their users. Or acting as data brokers selling data to
other companies and entities.
Harm or loss may happen due to misuse of data, meaning its use beyond what I have permitted them to use and causing
me monetary, reputation, or any other loss, including my personal security. In the clauses defining what will be considered
as harm or loss by the citizen, the number of categories in the 2019 version has been reduced significantly in the 2022 Bill.
Also, a clause defining significant harm based on impact, continuity, persistence, or irreversibility of the harm has been
completely removed. The earlier Bill also had a clause defining what sensitive data is and how such sensitive data is to be
treated. In this version of the Bill, there is no definition of what is sensitive data and, therefore, no separate provision for
processing the same by the Big Data companies. All of these tilts the balance between the citizen and Big Data companies,
heavily favouring the companies.
No other Data Protection Bill that I know of lays down duties on the citizen. This one does. It specifies that the data
principal, or the citizen, has a legal obligation to provide correct data. This means that no person can use pseudonyms while
availing of any data services. The reason why pseudonyms are used quite often is identifying a person by gender or religion
may expose them to certain dangers. Women on various websites get trolled in order to silence them or drive them out of
digital spaces. Or if they have a non-binary sexual orientation, people may not want to disclose their real identities on
certain websites. Disallowing pseudonyms may help state agencies and Big Data companies but can cause serious harm to
different minorities.
This Bill attempts both. It has virtually exempted the State from any requirements regarding the privacy of the citizens.
Second, it has lowered the duties of the Big Data companies towards its users. It has also done away with the localisation of
data, under which the data of Indian citizens would be held in India and subject to Indian laws. By weakening data
localisation provisions, it is helping foreign capital, contrary to its nationalist claims. Data localisation was the major
objection to the earlier Privacy Bill of companies like Visa, Google, and Facebook.
A considerable part of this Bill is to allow Big Data companies to use our data. The concept of a data fiduciary is to
obfuscate that companies defined as fiduciaries are not storing data on our behalf but for their profits. They want to use our
data in order to sell us to advertisers. They use our data to sell us goods continuously and get a major share of the profits of
such sales. Google and Facebook are the biggest recipients of advertising revenue today.
Data also allows a whole range of software tools to be improved and optimised. For example, the success of artificial
intelligence tools depends on the amount and variety of data that it consumes. And, of course, government agencies want
more data to monitor and “orient” the citizens to their preferred mode of thinking. This is apart from the role that big money
plays today in elections. That is why the phrase ‘surveillance capitalism' describes the close marriage between the
surveillance State and big capital. This is the core of the 2022 Privacy Bill.
Courtesy: People's Democracy
