India’s personal data protection bill should aim to do much more for the end user

17 August 2018

Almost exactly a year ago the Supreme Court of India declared privacy a fundamental right, opening the doors to the country’s Aadhaar programme becoming a breach of privacy. This was a blow to the programme which was originally (during its introduction in the Manmohan Singh era) intended as a one-shot proof of identity for Indians but which the ruling BJP government decided to use as an access point to track an individual’s use of several services, from shopping to telephony to personal banking to taxes. Naturally a lot of privacy conscious people, including myself, were against this, a move that was slowed down only by the Supreme Court stepping in and declaring Aadhaar optional until it deliberated over the value and strength of the set-up that the central government was proposing.

Until the court takes a formal stance on Aadhaar, the central government, which is proposing its use in every corner of our lives, and privacy watchdogs, who have apparently learnt more from history than the government itself, can both produce evidence in support of their arguments in the Supreme Court. Such is the current state of affairs. I am particularly impressed by the Indian Supreme Court’s track record over the past couple of years, from declaring privacy a fundamental right to declaring the practice of ‘triple talaq’ unconstitutional to upholding freedom of speech by refusing to ban Prof. Kancha Ilaiah’s book etc. Before looking at the bill itself, though, it helps to understand the circumstances in which this bill arose and the reason why the central government would want such a bill in the first place.

Vested interests

If a conservative, Hindu nationalist party in power introducing a bill in support of individual privacy sounds too good to be true, it, in fact, is: the Shrikrishna committee draft bill proposed for argument in the parliament is a wolf in sheep’s clothing. And the bill becomes clearer when you read it keeping the government’s intentions in mind. The entire privacy bill was dressed to pass Aadhaar off as a secure, trustworthy solution that respected individual privacy. But there are some points worth noting: the members of the Shrikrishna committee are likely to have vested interests because four of them work for the central government (two from IIT/IIMs, one from the telecom department, one from the Ministry of Electronics and IT) and only two represent private firms, the closest we get to actual individuals having a say in these recommendations. More interesting is that right on top of the members’ list—after the chairman, the former Supreme Court judge B.N. Shrikrishna—is Mr Ajay Bhushan Pandey, the head of UIDAI, an authority whose only purpose is to promote the use of Aadhaar cards in the country.

Knowing all this it was no surprise that soon after the Shrikrishna committee report was released Attorney General K.K. Venugopal, arguing for the central government, produced it before the Supreme Court as evidence of the trustworthiness of Aadhaar. The committee’s recommendations had served their purpose. The court was, however, clear in its refusal to accept the report in favour of Aadhaar simply stating, ‘I do not think that it is required’. And that brings us to the report itself because—despite its being unsurprisingly exploited in favour of Aadhaar at the apex court—the report will play a key role in shaping the upcoming privacy and data protection legislation in India. In that capacity too the bill can do better; there is hope in this regard, though, because the Shrikrishna committee report is only a draft. But there is rarely a guarantee that a draft can only ever get better.

The Shrikrishna Committee draft privacy bill

The good

All is not bad in the draft bill, though. As we pore over select parts of it you can read through the report yourself—a PDF was made publicly available for download around the end of last month. Having been based on the European Union’s General Data Protection Regulation (GDPR) model and having taken several cues from privacy watchdogs, the bill lays a strong foundation for how data ought to be handled between the user and a private company or the government, whoever decides to collect said user’s data. This is the sheep’s clothing, the good stuff. The wolf wearing it comes in the form of broad exceptions that provide innumerable ways to circumvent the clauses protecting the privacy of a user.

As Mozilla’s chairperson Mitchell Baker noted, ‘This draft bill is a strong start, but to truly protect the privacy of all Indians, we can’t afford loopholes such as the bill’s broad exceptions for government use of data and data localization requirements.’ Particularly strong are the requirements for consent and processing. The bill ensures explicit consent rather than implicit consent (which Facebook etc. have been so fond of since it does not require the user to visually accept something before being subject to it) and sets down more descriptive requirements for processing (see scan below or p. 11 if you are reading along), doing better than Europe’s GDPR in the process, which is commendable. The ‘norm’ in data protection laws is that the clauses governments or firms should abide by circle around the end user whose data is being used or collected; that is precisely why this website, although hosted in the US, carries a consent form for using passive cookies because users in the EU visit it too.

Additionally, as is the norm in such laws, the regulation applies to Indians’ data wherever it may be processed. The bill is also progressive in how it defines sensitivity of data. Particularly, in section 106, biometric identification, Aadhaar, religious preferences, sexual orientation, political choices and such are all classified as sensitive data and may not be processed unless permitted by law. How exactly the law can bend this rule to permit processing is hard to tell but that is only the first of many doors open to interpretation and exploitation by data fiduciaries.

The first of many flaws begins in section 27, misleadingly titled ‘Right to be Forgotten’. The GDPR and other such laws provide users the right to be forgotten which allows them to demand that all their data be removed from the system and the data holder will have to comply. Although similarly titled there is no such provision in the proposed draft bill (see scan below or p. 16 if you are reading along). Individuals are given the right to demand that their data be corrected or updated but once it enters the system there is no way the data can be removed; there is no mechanism the bill puts in place through which a user may get in touch with a data processor or fiduciary and demand the complete removal of any data related to them.

This is worrying for several reasons not the least of which is that once it enters the so-called ‘system’ your data is completely out of your control. You can blockade its public exhibition but it will always remain in store and there is nothing you can do about it. When privacy is concerned in the context of faceless corporations and governments controlling your data having a safe exit is of paramount importance. This is something any amendment of this draft must address.

The bad and the ugly

Right about here is where the positives of the bill end and the ugly stuff begins. For starters an absolutely huge breach of privacy and a promising doorway for a 1984–style surveillance state to be set up in India is the requirement that a copy of all data processed by a company must be stored within India’s borders. First of all this does nobody any good: it does not provide companies any added convenience; it does not provide the user any added security (data collected by foreign companies will continue to be stored wherever the company’s servers are based); and it does not provide the user any additional privacy either. Mozilla wrote a helpful overview of why demanding that data be stored locally is a bad move, an article worth reading to gain a better understanding of the implications of what this draft bill demands from data fiduciaries. Indeed any privacy related to such data is already ensured elsewhere in the same bill. What this requirement does provide is a treasure trove of data for the government to potentially keep tabs on its citizens, something no free, democratic state should wish for and if the ruling government does not have any such intentions it should simply scrap this requirement because nothing except surveillance can come of it. And for any excuses they may make I have only two words: Murphy’s law.

Further, section 12.5 is a little unclear. It holds the data provider, i.e. the user, responsible for all legal consequences that arise from their withdrawal of consent. This can do with more precise wording particularly if a case should arise where the adverse actions of the data fiduciary put the end user at risk. This is more common than one might realise, provoked by the attitude most corporations have that once consent is withdrawn a user is no longer their customer and that they are consequently not worthy of any ethically or morally reasonable treatment.

Section 8 does not require the data gatherer to intimate the user as soon as the user has consented to sharing their data. Despite the demand on explicit consent should a user accidentally ‘agree’ to something, perhaps even with an unintentional click, intimation soon after consent will provide the end user with a fair chance of revoking accidental consent right away. Although not a daily use case requiring fiduciaries to intimate users on record soon after they provide consent is simply prudent.

One break that would force us to side with data fiduciaries, service providers etc. is the committee’s repeated mention of a ‘data trust score’. Such a score is not mandatory in the draft bill and hopefully will not be made mandatory over time or in any amendment. There is no reliable means of assigning such a score and having such scores opens the door to bureaucracy, corruption and the like, while making things unnecessarily hard for developers and companies. (The government will simply give itself a score and duck away.) This may easily backfire sending most of the web away from India, which is not at all wise. Like the local data storage demand this is something that is extraneous and brings nothing to the table and therefore ought to be done away with.

Arguably the stupidest portions of the bill are those which deal with the relationship between employers and employees. It provides employers large swathes of rights and ample vagueness in legislation so they can bend things around and toy with employees to no end. Any of your data that your employer collects (see scan above or pp. 10 and 11 if you are reading along) can be processed without your consent. That in itself is troubling. What is worse is that there is ample room for employers to claim that processing employees’ data is ‘necessary’. The broadest is 16.1 (d) which allows employers to do whatever they want with employee data for the ‘assessment of the performance’ of the employee. That, honestly, could mean whatever the employer wants it to mean.

Still on the topic of employers and employees: section 17.2 (b) allows for data to be used for ‘whistle blowers’. This is a sensitive issue and is unclear: does it mean whistle blowers can prompt companies or the government to process or reveal data? (Which makes sense.) Or does it mean companies or the government can handle data as they want when faced with a whistle blower? (Which conveniently sets companies up with a solid defence and governments up with a blueprint for a surveillance state.) These are only some of what I felt were the most important points worth discussing in the draft bill produced by the Shrikrishna committee. But we are yet to discuss the elephant in the room.

The Data Protection Authority

One of the aims of this bill was to set up an independent body called the Data Protection Authority (DPA) to oversee how entities are abiding by this new data protection legislation and any that may come over time. (See chapter X on p. 29 in the draft bill if you are reading along.) The DPA will have investigatory, adjudicatory and punitive powers. It will also have an ‘Adjudicating Officer’ to receive complaints, rule on compensations for end users and penalise wrongdoers. This sounds good on paper, but the bill says little about how such an authority will be kept free from external influence, something that is not uncommon in countries around the world—and India is unfortunately no exception.

The government is responsible for picking officers for the DPA which skews the entire system in the favour of the government. The minutiae of the procedures that the DPA will be following in its daily business will also be prescribed by the government. There are provisions for people to sue the DPA should they feel the need to but we would have to be naïve to imagine that would get us anywhere at all. Most of sections 51 to 68 address how the new body should perform its most basic duties but the bill fails to put in place measures to ensure its absolute independence.

Another curious allowance made in favour of data fiduciaries is that the DPA gets to choose (see section 32.5) whether or not a data breach is ‘severe enough’ to be reported to the individual. This is at least silly and at best outrageous. If individuals’ data have been compromised it should be mandatory for the company or government to immediately inform said individuals about this regardless of severity or whether the individual can do anything to mitigate any harm this can cause. Data breaches have cost people jobs and lives and are no joke. Data breaches are funny and harmless until they happen to you. The fact is that breaches can and have cost people their lives whether it was in healthcare or elsewhere so to anyone with a well-formed mind they are an extremely serious threat. The least people can do is choose to revoke consent and take their independent decision on pulling any future data from the system in question. To let the DPA choose whether or not a breach must be revealed makes way for more corruption and more imbalance in the system; rich corporations and governments can convince the DPA to have their way even though hiding any form of data breach for more than a week should, in principle, be no less than a crime.

A lot of the DPA’s establishment and survival lies in the hands of the central government causing a grave imbalance of power. For example the central government is responsible for maintaining a list of ‘experts’—who is to say this will not be a bunch of people who have vested interests favouring whoever the currently ruling party is?—and the central government has to not only appoint DPA officers but is also allowed to search premises along with the DPA, which, following a pattern that has been set up by now, digs up enough space to set up a surveillance state with unfettered access to every nook and cranny of its citizens’ lives. If the DPA has to be independent all of these tasks—defining qualifications and procedures, making appointments, nominating personnel etc.—should be solely under the jurisdiction of the DPA with the central government having no say in the matter.

Money bill worries

The draft bill has its good sides and its bad sides, but the bad sides are undoing the good which is why they are more problematic than usual. Unlike in a generic argument there needs to be no discussion here about whom this bill must benefit: the end user, the individual, the person the constitution is written to protect, the likes of you and me. But, while it does some good for the user, the bill goes out of its way to set up an all-access environment for the government allowing for it to possess and exercise unchecked powers of surveillance, spying and intrusion into personal choices, decisions, leniences and activities. For example, all through the bill, the government is allowed to process all sorts of data, both sensitive and non-sensitive, without an individual’s consent. This is a perfect set-up for misuse. All the government has to show is that processing was ‘necessary’ to provide a benefit or service. This is a requirement that will likely receive only one validation, that personal data had to be processed keeping the best interests of the nation in mind, which would make anybody who questions it ‘anti-national’—whatever that means. The court has no say in what counts as ‘necessary’, nor does any independent body, just the government.

In its current form should the bill come to the Supreme Court they may not let it pass without some amendments, hence its draft status: a show can be made about how the bill was ‘improved’. Only time can tell how things will go from here on but the problem is not the court—the bill may never reach the Supreme Court at all—the problem is that the upper house of parliament may be excluded from discussing the bill altogether.

In India the upper house of parliament, the Rajya Sabha, comprises indirectly elected members from across the country and 12 nominated by the president for their contributions to science, art, culture and other such fields. Currently the ruling party has 89 seats out of 245, making the opposition and other parties (which may or may not side with the opposition) capable of voting out this bill or forcing vast improvements.

In the lower house, the Lok Sabha, though, things are different: the ruling party controls 314 of the 545 seats with the opposition controlling 217 (the rest being unaligned parties, independents and vacancies) ensuring that the bill will pass because the party introducing it already has a majority. An old trick in every parliamentarian’s book is the money bill: if the president (put in place by the currently ruling BJP) recommends this draft bill to be introduced in the Lok Sabha as a money bill the upper house will have no say in it. Sure, the bill will be sent to them for a couple of weeks’ worth of deliberation following which they may make recommendations, none of which are binding, plus, the bill will pass just from the lower house anyway even if the Rajya Sabha members do not see the bill during the two weeks that they have it.

Does this give the ruling party too much power? Of course it does. Although the system was not put in place for this purpose it has historically been exploited by ruling parties to pass their bills both in India and elsewhere (Australia, the UK, Ireland etc.) where the Westminster system is followed. So this is nothing new, but that does not make it right. Activities on the internet, any personal data, any records of an individual’s daily habits of spending and saving are of personal interest, not state concerns. Separating the state and private individuals is as important as separating church and state and while this bill has an excellent opportunity to ensure individual privacy while also securing the nation as a whole it does a lot less than it potentially can for the individual and does far too much for the state. That is a recipe for disaster if there ever was one.