India’s personal data protection bill should aim to do much more for the end user

17 August 2018

Almost exactly a year ago the Supreme Court of India declared privacy a fundamental right, opening the doors to the country’s Aadhaar programme becoming a breach of privacy. This was a blow to the programme, which was originally (during its introduction in the Manmohan Singh era) intended as a one-shot proof of identity for Indians but which the ruling BJP government decided to use as an access point to track an individual’s use of several services, from shopping to telephony to personal banking to taxes. Naturally a lot of privacy-conscious people, including myself, were against this, a move that was slowed down only by the Supreme Court stepping in and declaring Aadhaar optional until it deliberated over the value and strength of the set-up that the central government was proposing.

Until the court takes a formal stance on Aadhaar, the central government, which is proposing its use in every corner of our lives, and privacy watchdogs, who have apparently learnt more from history than the government itself, can both produce evidence in support of their arguments in the Supreme Court. Such is the current state of affairs. I am particularly impressed by the Indian Supreme Court’s track record over the past couple of years, from declaring privacy a fundamental right to declaring the practice of ‘triple talaq’ unconstitutional to upholding freedom of speech by refusing to ban Prof. Kancha Ilaiah’s book etc. Before looking at the bill itself, though, it helps to understand the circumstances in which this bill arose and the reason why the central government would want such a bill in the first place.

Vested inter­ests

If a conservative, Hindu nationalist party in power introducing a bill in support of individual privacy sounds too good to be true, it, in fact, is: the Shrikrishna committee draft bill proposed for argument in the parliament is a wolf in sheep’s clothing. And the bill becomes clearer when you read it keeping the government’s intentions in mind. The entire privacy bill was dressed to pass Aadhaar off as a secure, trustworthy solution that respected individual privacy. But there are some points worth noting: the members of the Shrikrishna committee may well have vested interests because four of them work for the central government (two from IIT/IIMs, one from the telecom department, one from the Ministry of Electronics and IT) and only two represent private firms, the closest we get to actual individuals having a say in these recommendations. More interesting is that right on top of the members’ list — after the chairman, the former Supreme Court judge B.N. Shrikrishna — is Mr Ajay Bhushan Pandey, the head of UIDAI, an authority whose only purpose is to promote the use of Aadhaar cards in the country.

Knowing all this it was no surprise that soon after the Shrikrishna committee report was released Attorney General K.K. Venugopal, arguing for the central government, produced it before the Supreme Court as evidence of the trustworthiness of Aadhaar. The committee’s recommendations had served their purpose. The court was, however, clear in its refusal to accept the report in favour of Aadhaar, simply stating, ‘I do not think that it is required’. And that brings us to the report itself because — despite its being unsurprisingly exploited in favour of Aadhaar at the apex court — the report will play a key role in shaping the upcoming privacy and data protection legislation in India. In that capacity too the bill can do better; there is hope in this regard, though, because the Shrikrishna committee report is only a draft. But there is rarely a guarantee that a draft can only ever get better.

The Shrikr­ishna Com­mit­tee draft pri­vacy bill

The good

All is not bad in the draft bill, though. As we pore over select parts of it you can read through the report yourself — a PDF was made publicly available for download around the end of last month. Having been based on the European Union’s General Data Protection Regulation (GDPR) model and having taken several cues from privacy watchdogs, the bill lays a strong foundation for how data ought to be handled between the user and a private company or the government, whoever decides to collect said user’s data. This is the sheep’s clothing, the good stuff. The wolf wearing it comes in the form of broad exceptions that provide innumerable ways to circumvent the clauses protecting the privacy of a user.

As Mozilla’s chairperson Mitchell Baker noted, ‘This draft bill is a strong start, but to truly protect the privacy of all Indians, we can’t afford loopholes such as the bill’s broad exceptions for government use of data and data localization requirements.’ Particularly strong are the requirements for consent and processing. The bill ensures explicit consent rather than implicit consent (which Facebook etc. have been so fond of since it does not require the user to visually accept something before being subject to it) and sets down more descriptive requirements for processing (see scan below or p. 11 if you are reading along), doing better than Europe’s GDPR in the process, which is commendable. The ‘norm’ in data protection laws is that the clauses governments or firms should abide by circle around the end user whose data is being used or collected; that is precisely why this website, although hosted in the US, carries a consent form for using passive cookies because users in the EU visit it too.

Addi­tion­ally, as is the norm in such laws, the reg­u­la­tion applies to Indi­ans’ data wher­ever it may be processed. The bill is also pro­gres­sive in how it defines sen­si­tiv­ity of data. Par­tic­u­larly, in sec­tion 106, bio­met­ric iden­ti­fi­ca­tion, Aad­haar, reli­gious pref­er­ences, sexual ori­en­ta­tion, polit­i­cal choices and such are all clas­si­fied as sen­si­tive data and may not be processed unless per­mit­ted by law. How exactly the law can bend this rule to permit pro­cess­ing is hard to tell but that is only the first of many doors open to inter­pre­ta­tion and exploita­tion by data fidu­cia­ries.

The first of many flaws begins in section 27, misleadingly titled ‘Right to be Forgotten’. The GDPR and other such laws provide users the right to be forgotten, which allows them to demand that all their data be removed from the system, and the data holder will have to comply. Although similarly titled, there is no such provision in the proposed draft bill (see scan below or p. 16 if you are reading along). Individuals are given the right to demand that their data be corrected or updated but once it enters the system there is no way the data can be removed; there is no mechanism the bill puts in place through which a user may get in touch with a data processor or fiduciary and demand the complete removal of any data related to them.

This is worrying for several reasons, not the least of which is that once it enters the so-called ‘system’ your data is completely out of your control. You can blockade its public exhibition but it will always remain in store and there is nothing you can do about it. When privacy is concerned in the context of faceless corporations and governments controlling your data, having a safe exit is of paramount importance. This is something any amendment of this draft must address.

The bad and the ugly

Right about here is where the positives of the bill end and the ugly stuff begins. For starters an absolutely huge breach of privacy and a promising doorway for a 1984-style surveillance state to be set up in India is the requirement that a copy of all data processed by a company must be stored within India’s borders. First of all this does nobody any good: it does not provide companies any added convenience; it does not provide the user any added security (data collected by foreign companies will continue to be stored wherever the company’s servers are based); and it does not provide the user any additional privacy either. Mozilla wrote a helpful overview of why demanding that data be stored locally is a bad move, an article worth reading to gain a better understanding of the implications of what this draft bill demands from data fiduciaries. Indeed any privacy related to such data is already ensured elsewhere in the same bill. What this requirement does provide is a treasure trove of data for the government to potentially keep tabs on its citizens, something no free, democratic state should wish for, and if the ruling government does not have any such intentions it should simply scrap this requirement because nothing except surveillance can come of it. And for any excuses they may make I have only two words: Murphy’s law.

Further, section 12.5 is a little unclear. It holds the data provider, i.e. the user, responsible for all legal consequences that arise from their withdrawal of consent. This can do with more precise wording, particularly if a case should arise where the adverse actions of the data fiduciary put the end user at risk. This is more common than one might realise, provoked by the attitude most corporations have that once consent is withdrawn a user is no longer their customer and that they are consequently not worthy of any ethically or morally reasonable treatment.

Section 8 does not require the data gatherer to intimate the user as soon as the user has consented to sharing their data. Despite the demand on explicit consent, should a user accidentally ‘agree’ to something, perhaps even with an unintentional click, intimation soon after consent will provide the end user with a fair chance of revoking accidental consent right away. Although not a daily use case, requiring fiduciaries to intimate users on record soon after they provide consent is simply prudent.

One break that would force us to side with data fiduciaries, service providers etc. is the committee’s repeated mention of a ‘data trust score’. Such a score is not mandatory in the draft bill and hopefully will not be made mandatory over time or in any amendment. There is no reliable means of assigning such a score and having such scores opens the door to bureaucracy, corruption and the like, while making things unnecessarily hard for developers and companies. (The government will simply give itself a score and duck away.) This may easily backfire, sending most of the web away from India, which is not at all wise. Like the local data storage demand this is something that is extraneous and brings nothing to the table and therefore ought to be done away with.

Arguably the stupidest portions of the bill are those which deal with the relationship between employers and employees. It provides them large swathes of rights and ample vagueness in legislation so they can bend things around and toy with employees to no end. Any of your data that your employer collects (see scan above or pp. 10 and 11 if you are reading along) can be processed without your consent. That in itself is troubling. What is worse is that there is ample room for employers to claim that processing employees’ data is ‘necessary’. The broadest is 16.1 (d) which allows employers to do whatever they want with employee data for the ‘assessment of the performance’ of the employee. That, honestly, could mean whatever the employee wants it to mean.

Still on the topic of employers and employees: section 17.2 (b) allows for data to be used for ‘whistle blowers’. This is a sensitive issue and is unclear: does it mean whistle blowers can prompt companies or the government to process or reveal data? (Which makes sense.) Or does it mean companies or the government can handle data as they want when faced with a whistle blower? (Which conveniently sets companies up with a solid defence and governments up with a blueprint for a surveillance state.) These are only some of what I felt were the most important points worth discussing in the draft bill produced by the Shrikrishna committee. But we are yet to discuss the elephant in the room.

The Data Pro­tec­tion Author­ity

One of the aims of this bill was to set up an independent body called the Data Protection Authority (DPA) to oversee how entities are abiding by this new data protection legislation and any that may come over time. (See chapter X on p. 29 in the draft bill if you are reading along.) The DPA will have investigatory, adjudicatory and punitive powers. It will also have an ‘Adjudicating Officer’ to receive complaints, rule on compensations for end users and penalise wrongdoers. This sounds good on paper, but the bill says little about how such an authority will be kept free from external influence, something that is not uncommon in countries around the world — and India is unfortunately no exception.

The gov­ern­ment is respon­si­ble for pick­ing offi­cers for the DPA which skews the entire system in the favour of the gov­ern­ment. The minu­tiae of the pro­ce­dures that the DPA will be fol­low­ing in its daily busi­ness will also be pre­scribed by the gov­ern­ment. There are pro­vi­sions for people to sue the DPA should they feel the need to but we would have to be naïve to imag­ine that would get us any­where at all. Most of sec­tions 51 to 68 address how the new body should per­form its most basic duties but the bill fails to put in place mea­sures to ensure its absolute inde­pen­dence.

Another curious allowance made in favour of data fiduciaries is that the DPA gets to choose (see section 32.5) whether or not a data breach is ‘severe enough’ to be reported to the individual. This is at least silly and at best outrageous. If individuals’ data have been compromised it should be mandatory for the company or government to immediately inform said individuals about this regardless of severity or whether the individual can do anything to mitigate any harm this can cause. Data breaches have cost people jobs and lives and are no joke. Data breaches are funny and harmless until they happen to you. The fact is that breaches can and have cost people their lives, whether it was in healthcare or elsewhere, so to anyone with a well-formed mind they are an extremely serious threat. The least people can do is choose to revoke consent and take their independent decision on pulling any future data from the system in question. To let the DPA choose whether or not a breach must be revealed makes way for more corruption and more imbalance in the system; rich corporations and governments can convince the DPA to have their way even though hiding any form of data breach for more than a week should, in principle, be no less than a crime.

A lot of the DPA’s establishment and survival lies in the hands of the central government, causing a grave imbalance of power. For example the central government is responsible for maintaining a list of ‘experts’ — who is to say this will not be a bunch of people who have vested interests favouring whoever the currently ruling party is? — and the central government has to not only appoint DPA officers but is also allowed to search premises along with the DPA, which, following a pattern that has been set up by now, digs up enough space to set up a surveillance state with unfettered access to every nook and cranny of its citizens’ lives. If the DPA has to be independent all of these tasks — defining qualifications and procedures, making appointments, nominating personnel etc. — should be solely under the jurisdiction of the DPA with the central government having no say in the matter.

Money bill wor­ries

The draft bill has its good sides and its bad sides, but the bad sides are undoing the good, which is why they are more problematic than usual. Unlike in a generic argument there needs to be no discussion here about whom this bill must benefit: the end user, the individual, the person the constitution is written to protect, the likes of you and me. But, while it does some good for the user, the bill goes out of its way to set up an all-access environment for the government, allowing for it to possess and exercise unchecked powers of surveillance, spying and intrusion into personal choices, decisions, leniences and activities. For example, all through the bill, the government is allowed to process all sorts of data, both sensitive and non-sensitive, without an individual’s consent. This is a perfect set-up for misuse. All the government has to show is that processing was ‘necessary’ to provide a benefit or service. This is a requirement that will likely receive only one validation, that personal data had to be processed keeping the best interests of the nation in mind, which would make anybody who questions it ‘anti-national’ — whatever that means. The court has no say in what counts as ‘necessary’, nor does any independent body, just the government.

In its current form, should the bill come to the Supreme Court they may not let it pass without some amendments, hence its draft status: a show can be made about how the bill was ‘improved’. Only time can tell how things will go from here on but the problem is not the court — the bill may never reach the Supreme Court at all — the problem is that the upper house of parliament may be excluded from discussing the bill altogether.

In India the upper house of parliament, the Rajya Sabha, comprises indirectly elected members from across the country and 12 nominated by the president for their contributions to science, art, culture and other such fields. Currently the ruling party has 89 seats out of 245, making the opposition and other parties (which may or may not side with the opposition) capable of voting out this bill or forcing vast improvements.

In the lower house, the Lok Sabha, though, things are dif­fer­ent: the ruling party con­trols 314 of the 545 seats with the oppo­si­tion con­trol­ling 217 (the rest being unaligned par­ties, inde­pen­dents and vacan­cies) ensur­ing that the bill will pass because the party intro­duc­ing it already has a major­ity. An old trick in every parliamentarian’s book is the money bill: if the pres­i­dent (put in place by the cur­rently ruling BJP) rec­om­mends this draft bill to be intro­duced in the Lok Sabha as a money bill the upper house will have no say in it. Sure, the bill will be sent to them for a couple of weeks’ worth of delib­er­a­tion fol­low­ing which they may make rec­om­men­da­tions, none of which are bind­ing, plus, the bill will pass just from the lower house anyway even if the Rajya Sabha mem­bers do not see the bill during the two weeks that they have it.

Does this give the ruling party too much power? Of course it does. Although the system was not put in place for this pur­pose it has his­tor­i­cally been exploited by ruling par­ties to pass their bills both in India and else­where (Aus­tralia, the UK, Ire­land etc.) where the West­min­ster system is fol­lowed. So this is noth­ing new, but that does not make it right. Activ­i­ties on the inter­net, any per­sonal data, any records of an individual’s daily habits of spend­ing and saving are of per­sonal inter­est, not state con­cerns. Sep­a­rat­ing the state and pri­vate indi­vid­u­als is as impor­tant as sep­a­rat­ing church and state and while this bill has an excel­lent oppor­tu­nity to ensure indi­vid­ual pri­vacy while also secur­ing the nation as a whole it does a lot less than it poten­tially can for the indi­vid­ual and does far too much for the state. That is a recipe for dis­as­ter if there ever was one.