Why Data Protection Bill Doesn’t Actually Protect Your Data
The Data Protection Bill allows the govt to process citizen data for vague reasons such as “functions of the state”.
Video Editor: Abhishek Sharma | Camera: Shiv Kumar Maurya
Nearly 500 days after a draft Data Protection Bill was handed over to him, the Union Minister for Electronics and IT Ravi Shankar Prasad on Wednesday, 11 December, referred the Personal Data Protection Bill (2019) to a 30-member Joint Committee.
We live in an age where we are the sum of the data we generate, so how our data is collected, stored, shared and used directly affects our daily lives. From targeting ads at us, to potentially having loans denied or activities surveilled, data can be exploited in many ways.
At a time when data mediates our relationship with the government and private companies, the existence of a strong law is vital to ensure the state acts like a model data controller who ensures both data security and, more importantly, respects the privacy of citizens.
So, as the Bill makes its way to Parliament, let’s examine why it has been controversial, what the state thinks of privacy as a fundamental right, and how it treats data in today’s digital economy.
Why Is the Bill Controversial?
A committee of experts led by Justice BN Srikrishna had submitted a report and a draft Data Protection Bill. Here’s a quick look at the three most serious concerns just in this draft Bill.
1. Data Localisation: The requirement to store a copy of all citizen data in servers located within India has raised concerns of surveillance and could hamper innovation in blockchain and AI technologies.
2. Govt Processing of Data: While the draft Bill says consent would be at the centre of processing our personal data, it provides exemptions for the government. It can process even sensitive personal data without consent for “functions of the state” – a sweeping and broad power that could be prone to misuse.
3. Surveillance Reform: An overhaul of India’s surveillance framework with tougher oversight and scrutiny by the judiciary is absent. At a time when our smartphones are an extension of our identities, the Pegasus spyware controversy shows how easily our phone can be hijacked to spy on us.
What Has Govt Been Doing In The Absence of Law?
So, how has the Centre dealt with our data in the absence of a data protection Bill?
The Centre has been very active in implementing policies and bringing in laws that directly use our data and even sell our data without our knowledge or consent.
The Ministry of Road Transport and Highways under Nitin Gadkari came up with a “bulk data-sharing policy” where it sold about 25 crore vehicle registration and driving license data to over 140 entities including banks, insurance companies and financial institutions.
Add to this plans by the Home and other ministries that aim to use our data to monitor us – From the I&B Ministry’s plan for a social media monitoring hub, to the Home Ministry’s tender for a nationwide face recognition technology, to allowing 10 central agencies to intercept our communications.
Is Our Data a Private Good Or a Public Good?
Finally, a pattern that appears to be clear is that while the Centre appears to be in no hurry to ensure strong laws to protect the privacy of our personal data, it has moved with great urgency on policies related to capitalising on our personal data.
Why is this so and what is the Centre indicating by this?
What the Centre has done in no uncertain terms is signaled that it wishes to treat citizen data as a “public good” – as opposed to a “private” good – which can be monetised or exploited in whichever way the state thinks suitable as long as there is no breach of our data.
The Justice Srikrishna Committee also describes the Bill as working towards a “free and fair digital economy” as does the 2019 Economic Survey of India, which makes a spirited case for using the private data of citizens as a public commodity.
The Bill is expected to generate a lot of debate in Parliament and one hopes that the law will put citizens at the centre of a personal data protection law.
(This piece has been updated to reflect the latest developments on the subject)
Subscribe To Our Daily Newsletter And Get News Delivered Straight To Your Inbox.