This is the third report in our series of events coverage from Delhi and Bangalore on India’s Data Protection Law.
The Personal Data Protection Bill, 2018, drafted by the (Retd) Justice Srikrishna Committee was handed over to the government in August 2018, along with the committee’s report. At MediaNama’s #NAMAprivacy discussions on the bill in Delhi and Bangalore, it was argued that the bill has shortcomings when it comes to surveillance reform and governance of government data. Panelists and participants also highlighted that the bill does not do enough to address mass state surveillance and allows for wide exemptions to the state for collection of data.
It has also been argued that the Indian state already practices surveillance by way of DRDO’s NEtwork TRaffic Analysis (NETRA) and Central Monitoring System (CMS). These systems came into place through executive orders, as well as by way of legislation such as the IT Act, among others, which allow for state surveillance of citizens.
Finally, there are concerns over how the UIDAI, the governing body of Aadhaar, and the Data Protection Authority, as envisaged in the current bill, will interact with one another.
The following key points were made on surveillance at both the discussions:
Data privacy bill: Is surveillance legal or illegal?
India already allows surveillance
- In India, legislation such as the Telegraph Act, Post Office Act, and the IT Act enable large-scale surveillance and interception.
- The centre runs eight programmes including the CMS, real-time surveillance software NETRA, NATGRID, and others.
- The Monitoring and Decryption Rules under IT Act (Section 69) have provisions allowing the state to collect data about a class of persons. When the rule was brought in, we were not capable of collecting too much data — that has now changed. Now, NETRA allows for keyword searches to capture voice data.
(Bedavyasa Mohanty, Associate Fellow, Observer Research Foundation)
The bill does not safeguard against surveillance – The Personal Data Protection Bill has not introduced the expected safeguards — which have been missing for years — against collection of data for surveillance.
- The state has wide exemptions when it comes to data collection and processing under Section 42. The only restriction against surveillance available in the bill is that it be in pursuance of a law passed by the Parliament.
- As the law stands currently, mass surveillance can perhaps be considered legal.
But it still subjects surveillance to Puttaswamy standards: While Mohanty argued that the Data Protection Bill does not do enough to safeguard against surveillance, lawyer Vrinda Bhandari was of the opinion that although Section 42 authorizes surveillance under a law passed by Parliament, the bill is subject to Puttaswamy standards of proportionality and necessity. According to her, one could argue mass surveillance is not proportionate and therefore illegal.
- “What the bill will then imply is that, something like CMS and NETRA are not authorized by law because they are executive action, and further, you could argue that mass surveillance conducted by them is not permissible,” she said.
- “In fact, Justice DY Chandrachud said during the Social Media Monitoring hearing that this is akin to mass surveillance. I would argue that mass surveillance under Personal Data Protection Bill is not permitted.”
(Vrinda Bhandari, Independent Lawyer)
42. Security of the State.
(1) Processing of personal data in the interests of the security of the State shall not be permitted unless it is authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved.
(2) Any processing authorised by a law referred to in sub-section (1) shall be exempted from the following provisions of the Act—
(a) Chapter II, except section 4
(b) Chapter III;
(c) Chapter IV;
(d) Chapter V;
(e) Chapter VI;
(f) Chapter VII, except section 31; and
(g) Chapter VIII.
The gap between the bill and the report: There is a disconnect between the bill and the report; the report says surveillance law as it stands may be unconstitutional, but does nothing in the bill to correct the problem. (Bedavyasa Mohanty)
On Aadhaar and privatization of surveillance
Surveillance spillover to private sector:
- Private companies have access to and are using our personal data and it is being integrated into how the Aadhaar system has been built and is evolving.
- Surveillance, which was thought of as one massive tool like the NETRA or the NATGRID, has been outsourced to commercial private companies from being a state-mandated objective.
- The rationale being that if you must access services, then you must be ready to give up or allow for the collection of your data. We are underestimating the surveillance aspect of the Data Protection Bill.
(Jyoti Panday, Independent researcher)
The ongoing extent of profiling in the Aadhaar ecosystem:
- The Aadhaar project has grown bigger and faster exponentially — in Andhra Pradesh and Telangana, they have built databases in which you type in an Aadhaar, get to know who bought Viagra and when a woman got her last menstrual period.
- You can enter a village name and figure out caste data and how many Muslims reside there. The police have access to this data in these two states.
- They have also built State Resident Data Hubs (SRDH) with Know Your Resident Plus (KYR Plus) for which the states actually took ground survey — they GPS-located the houses, clocked in caste data. You type in an Aadhaar number, and you will know everything about the person.
(Anand Venkatnarayanan, Independent security researcher)
On allegations that the SRDH data was deleted:
- Deleting data is not as simple as burning a hard disk; it cannot be thought of as a physical ownership. If you have hundreds of thousands of copies, how do you even have any idea where the copies are?
- If you give me your data, which you haven’t encrypted using your own encryption key, how do you even know whom I have given it to? In the entire bill, the word ‘encryption’ occurs only once.
On Aadhaar and private companies’ access to data:
- Private companies such as Accenture, Ernst & Young, L1 Identity Solutions, helped build the Aadhaar ecosystem.
- Private companies can download some of your demographic data — your name, gender, date of birth, etc — using eKYC. They have integrated Aadhaar into their services which has allowed them to build databases of their own.
- The registration and enrolment agencies, and third-party agents which came in to bring people onboard Aadhaar also have downloaded biometric data and created their own databases.
There is little clarity on what provisions, if any, govern these private companies. Although the Srikrishna Bill addresses some of these issues, the fear is that some of the uses of Aadhaar are so ingrained that opting out and relying on purely consent mechanisms is going to be difficult. (Jyoti Panday)
On the UIDAI’s interaction with the Data Protection Bill:
- The kind of MoUs and contracts the UIDAI has entered into with enrollment agencies and registrars would be illegal if the bill comes into effect in its current form.
- UIDAI built the Aadhaar as a central database, with the CIDR, which is a reasonably secure and protected central repository. But we also have State Residents’ Data Hub (SRDH) which is in effect states building biometric databases.
We are moving towards a regime that says that the value of data is economic and you must give up data to access services. Should we have to give up our data when there are multiple parties involved in the collection and processing of data? How do we limit data collection at every point when the liabilities are not clearly spelled out? Are there actual purposes or collection limitations that have been imposed on the state through this bill, or are they simply clauses?
Law enforcement access to data
Law enforcement and their access to data: One of the primary central considerations for how the Srikrishna Committee has justified the localization mandate was that law enforcement should be able to access data that they require easily. (Bedavyasa Mohanty)
Another approach to law enforcement access to data — the CLOUD Act:
- The CLOUD Act enables foreign governments, which have entered into an agreement with the US Attorney-General, to treat American companies as if they were based out of India. Currently, they share only metadata and not content data.
- However, to be able to sign on to the CLOUD Act, India would have had to introduce substantive and procedural protections of privacy, which it hasn’t done. For example, collection limitation and purpose limitation that would have curbed certain powers with the state have not been introduced in the bill.
- Therefore, we would not even qualify for signing an agreement under a law such as the CLOUD Act.
On the government’s obligations to protect data
The government will circumvent consent even though a service provision function is a less serious function than security of the state — it seems like we are giving something [our data] away too easily.
—Manasa Venkataraman, Research Associate, Takshashila Institution
Is the government exempted from consent?
- Exemptions under Sections 13 and 19: Certain purposes of collection under Sections 13 and 19 say that the government does not require consent. The purposes can be parliamentary, for provision of welfare services, or for provision of other services in a competitive market.
- The wording in the law is currently ambiguous as to whether the government does or does not require consent for these purposes, which is problematic. For all practical purposes, the government is a data fiduciary, but the wording of Sections 13 & 19 says they don’t necessarily need consent all the time to collect data.
- Section 19(b) says that if the government wishes to provide a service, which it is authorized to, and it is strictly necessary to collect data for this purpose, then the government entity need not go through the whole rigmarole of asking for consent.
- Which also means the government is exempt from certain chapters of the act and it does not necessarily have to comply with processing requirements and impact assessment requirements.
- The government will circumvent consent even though a service provision function is a less serious function than security of the state — it seems like we are giving something [our data] away too easily.
On the government being exempt from protection obligations:
- The Data Protection Bill has said that government data is excluded. If the government collects 60-70% of all data and the law does not apply to them, it is problematic.
- We have to remember that compared to the private sector, the government is the least capable of safeguarding our data.
Surveillance as a larger issue
“The data protection bill is not a privacy law”
Data protection is not the sum total of privacy law — there are provisions in the IT Act and the Code of Criminal Procedure (CrPC) which have sections related to privacy. A privacy law would be much larger in ambit. Therefore, when it comes to government access to data, we have to look at the sum total of 20 other laws when you talk about informational privacy.
(Alok Prasanna Kumar, Senior Resident Fellow, Vidhi Centre for Legal Policy)
Another approach: “We need a separate legislation against mass surveillance”
- This bill is intended for a clear economic purpose, this is self-evident from the tone and the Preamble of the bill — that it is primarily to ensure the protection of data principals in transactional contexts, whether these transactions are between a data principal and a private or state data fiduciary.
- There has to be a separate act for surveillance altogether because if you introduce stray provisions pertaining to surveillance in an act which deals with something else entirely, then it is an injustice to both surveillance law and data protection law (in a transactional context).
On surveillance being a larger issue of reforms
- Surveillance as a real problem requires different laws, different institutions and a larger conversation on police reforms. Issues such as internet shutdowns, Section 66A and surveillance cannot be looked at from a pure internet and privacy perspective.
- We are not even scratching the surface and the conversation will always be a dead end — all of these are manifestations of a certain pathology within our police force. We still have a colonial police force from the 21st century, it won’t be fixed by fixing laws related to internet and privacy.
(Alok Prasanna Kumar)
There has to be a separate act for surveillance altogether because if you introduce stray provisions pertaining to surveillance in an act which deals with something else entirely, then it is an injustice to both surveillance law and data protection law (in a transactional context).
—Manasa Venkataraman, Research Associate, Takshashila Institution
Does this bill prevent profiling of citizens?
- If the state wants to profile people and collect data, this law is not going to stop them — no law is going to stop them. We cannot rely on one legislation or institution created under it, we have to be aware that there is a wider context to this.
- Our challenge will come from constitutional provisions and constitutional institutions; judicial review by High Courts and the Supreme Court, along with the Puttaswamy judgement.
(Alok Prasanna Kumar)
Disclaimer: These points are not verbatim excerpts of the speakers’ remarks, and are edited for clarity.