November 24, 2022
  • November 24, 2022

India’s Data Protection Bill Poses Privacy Concern

By on November 23, 2022 0

Comment

India’s previous attempt to craft a personal data protection law made 21 references to “privacy”, starting with recognizing it as a fundamental right. Not only was this legislation unceremoniously scrapped in August after five years of negotiations, but Prime Minister Narendra Modi’s government even gave up the lip service to the lack of intrusion in the new version that replaced it. .

The Digital Personal Data Protection Bill which is open for public comment is much shorter than its now abandoned predecessor. It’s also a more forceful attempt to legislate a Chinese-style surveillance state in the world’s largest democracy – something that will disappoint the country’s liberals, upset trading partners by turning data into a potential foreign policy tool. and will cause the West and India to drift. more distant ideologically.

Critics who were appalled by the carte blanche given to the government in the previous draft have little to cheer about the new version. Any “instrumentality” of the state can be exempted by the federal government and placed outside the scope of the law. Government agencies can request any personal data they please, retain it for as long as they wish, use it as they see fit, and share it with anyone in the name of “the sovereignty and integrity of the India, state security, friendly relations”. with foreign states, the maintenance of public order or the prevention of incitement to any recognizable offense relating to any of them”. What intimacy can exist in such conditions?

The New Delhi-based Internet advocacy group Freedom Foundation is right to say that “if the law is not applied to government instruments, the collection and processing of data in the absence of any data protection standard could lead to mass surveillance”.

But then, maybe that’s the intention. Part of India’s political establishment is fascinated by how China has kept all aspects of its internet economy – and data processors under state control – to fashion a 24-hour surveillance society, 7 days on 7.

There is no major internet firewall in India. But the state’s growing desire to dominate information is beginning to rattle businesses of all sizes and colors. After Twitter Inc. and Meta Platforms Inc.’s WhatsApp separately sued the government, SnTHostings, a Pune-based company, also sued New Delhi. The VPN provider argues that being asked to “pervasively monitor user activity and store that data for arbitrarily and unreasonably long periods of time under the guise of security measures is nothing short of treating the whole category of people who use VPN services as suspects for crimes that have not even been identified yet.

The new data protection law is unlikely to be helpful in setting the limits of legitimate state intervention. However, it removes one of the major industry bugbears – mandatory data localization rules that would require them to store “critical” personal data only in India. But then it offers something more problematic: New Delhi “notifies countries or territories outside India to which a data trustee may transfer personal data.” Since the law does not specify how these countries will be selected, one can only assume that this restriction can be used as a foreign policy tool, with the digital footprints of 1.4 billion people used as leverage.

This will only drive a wedge between India and Western democracies. The US Clarifying Lawful Overseas Use of Data Act, or so-called Cloud Act, allows foreign law enforcement authorities to obtain evidence of serious crimes directly from US service providers, but for that, Washington must be satisfied that the requesting jurisdiction offers safeguards against surveillance. and limits state access to data. As long as a police officer can issue an order requesting personal donor data from a fact-checking website critical of the ruling party, India is unlikely to be considered for such an executive deal under the Cloud Act.

It is the relatively wealthier sections of the population who have campaigned for strong privacy protection in the country. However, the less well-off also place value on it. In surveys, low and middle income Indians have succumbed to offers of money for some of them to part with their data. Yet even during the pandemic, when many were in dire financial straits, not everyone was willing to trade personal information for a meal. It seems that the concerns of the poor too will be left behind now. An independent data protection board that could have bolstered user confidence in the new law is likely to be a toothless bureaucracy, beholden to the government. According to Beni Chugh of Dvara Research, a Chennai-based policy research institution, this could “weigh in on assessments of India’s suitability for the European Union” in its framework to decide whether regulators of a another country are strong enough for the transfer of personal data.

A different future was within reach for the country. In 2017, the Supreme Court of India considered privacy a fundamental right and insisted on the proportionality of state action: in any offense, the authorities must show that there is no less intrusive means. for them to achieve their legitimate objectives. Five years later, only the label remains on the bottle. It still reads “data protection”, although the pill inside has become legalized mass surveillance.

More from Bloomberg Opinion:

• India’s desire for Chinese internet is risky: Andy Mukherjee

• When data privacy became a startup’s nightmare: Andy Mukherjee

• A little epoxy can loosen India’s welfare system: Andy Mukherjee

This column does not necessarily reflect the opinion of the Editorial Board or of Bloomberg LP and its owners.

Andy Mukherjee is a Bloomberg Opinion columnist covering industrial companies and financial services in Asia. Previously, he worked for Reuters, the Straits Times and Bloomberg News.

More stories like this are available at bloomberg.com/opinion