Data Protection Bill legitimises surveillance, govt has no intent of reforms: stakeholders #NAMA

Key Takeaways

• The Bill might provide legitimate grounds for the government to carry out certain activities such as CCTV surveillance 
• Nothing in the Bill to prevent the creation of databases like NATGRID or the internal sharing of data within the government 
• The Bill doesn’t get into the question of surveillance law reform at all
• Odds of challenge on Puttaswamy grounds are just as favourable as current surveillance challenges
• Ideally, we should revert back to the 2018 Bill for protection from the government

“Surveillance law reform was never the intent of the bill, even from its very first iteration. I don’t think that the government is going to stick its neck out and say this is a cat that we want to bell right now,” Nehaa Chaudhari, Partner at Ikigai Law, remarked at the Government Access to Data session at MediaNama’s Reworking the Data Protection Bill event held on December 14 in Bangalore. Chaudhari and Udbhav Tiwari, Head of Global Product Policy at Mozilla, were addressing multiple questions on how the Data Protection Bill, 2022 might be doing nothing to prevent surveillance by the government, and might, in fact, be legitimising some of these surveillance activities.

The Ministry of Electronics and Information Technology (MeitY) is seeking chapter-wise public feedback on the draft law until January 2, 2023. The submissions will be held in a “fiduciary capacity” and will not be publicly disclosed. Click here for more of MediaNama‘s journalism on the DPDP Bill and India’s data protection laws.

FREE READ of the day by MediaNama: Click here to sign-up for our free-read of the day newsletter delivered daily before 9 AM in your inbox.

Does this law enable CCTV surveillance and facial recognition by the government?  “One of the things that I’ve been thinking about is the deployment of CCTVs across different states. There are also facial recognition requirements that are being placed. If you go back to Puttaswamy, there was a requirement of a law for any further intrusion of privacy. So does this law then effectively enable some of those ambient data collections and facial recognition that’s being done at the backend,” MediaNama’s Nikhil Pahwa asked.

Advertisement. Scroll to continue reading.

• This law would legitimise such activities: “I think it would legitimize certain forms of actions that currently take place in a vacuum. […] The large reason why everything that happens in surveillance in India happens is because there is no law that governs it. Agencies exist on executive orders. When you pass a law that says it can exist and then you pass a notification under that that’s saying you are exempt, that’s when you’re actually creating a legal justification for its existence, which is deeply concerning. Because right now it’s the lacuna that is being used to justify its existence but this [Bill] will create a way in which you can see that it can exist, and it’s okay for it to exist,” Udbhav Tiwari remarked. But this doesn’t mean it cannot be challenged in court. “The existence of a law and legal grounds is just one thing. There has to be a legal justification. It has to be necessary, it has to be proportionate,” Nehaa Chaudhari added.
• Would depend on the nature of the exemption: “That would depend again on what is the nature of the exemption. […] It will depend on the judge. It’ll depend on the bench that you’re likely to get. But if you want to read this generously, I would still think that despite having the kind of exemption notification, you would still need some level of detail in it. I don’t think a blanket exemption for example, that says we can do whatever we want to and we are going to deploy facial recognition technology across the board [will work]. I do think that you will have to have some element of specificity in whatever exemption you were prescribing for yourself, for you to be able to meet the Puttaswamy standard otherwise it doesn’t make sense,” Nehaa Chaudhari said.

How does the law address the mass scraping of call detail records (CDRs)? 

“How does this law address the mass scraping of CDRs from telecom companies? […] Off late I know that they’ve been doing 10,000, 20,000, 30,000 requests a month. […] They also get quite a lot of CDR records in bulk. […] Does it [the Bill] say it’s legit now,” one of the attendees asked.

• Nothing here to address such activities or surveillance reform in general: “There is pretty much nothing here but I also think that there is something to be said for the history of how we arrived at this iteration of the bill itself. I don’t think the kind of situation that you’re envisaging was necessarily addressed, even by the Srikrishna draft going back to 2018. […] The committee even back then was very clear that it was focusing on other aspects of data protection and wasn’t getting into the question of surveillance law reform at all.

Is there any protection from the government from building large databases like NATGRID?

“My favourite question on this particular aspect is the idea of privatization of surveillance from a slightly different perspective. The fact is that companies are collecting all sorts of data about us. There is a plan under NATGRID to build dashboards with real-time data access, initially from 21 databases, then with 915 odd databases, and then with 1600 databases, both public and private. Is there any protection that I have from the government building dashboards from 1600 odd public and private databases and taking real-time information through APIs, under this bill,” MediaNama’s Nikhil Pahwa asked speakers Udbhav Tiwari and Nehaa Chaudhari.

• Nothing in the Bill to prevent the creation of such databases: “I don’t think that there’s anything in the Bill that will prevent that from happening” because an instrumentality of state can be wide range of things, Tiwari replied. “It can be like a private entity that gets most of its contracts only from the government” and “the government will just say that the law doesn’t apply to you, which I think is a little worse than the government saying there is no law that prevents us from doing this.”

What does this law do to empower me against the internal sharing of data within the government?

“Historically, if you remember, maybe five years ago, the UIDAI went and said in court that for police investigation purposes we cannot give data. There are silos that exist in government where one agency cannot take data from another agency, those protections are built in, but more in the process rather than law. Does this [Bill] protect from data sharing and profiling within the government,” Nikhil Pahwa asked.

• Depends on what kind of exemption the government exercises: “That really depends on what is the kind of exemption that they come up with because the government may at any given point of time decide to exempt instrumentalities,” Nehaa Chaudhari replied.
• DPDP Bill might override other laws: “If they say UIDAI and everything to do with the UIDAI is exempt [under another Act], then potentially what the DPDP Bill says will override or supersede any protection that you might have under another different statute like the Aadhaar Act,” Nehaa Chaudhari said.

Can this Bill be challenged on Puttaswamy grounds?

• Odds are as successful as current surveillance challenges in SC: “I think that your odds are as successful as the current surveillance challenge that’s ongoing in the Supreme Court because the grounds on which they challenge the new law doesn’t change,” Udbhav Tiwari said.

Which version of the data protection bill offers the best protection from the government?

• Would revert to the 2018 version: Referring to the slides showing how the Bill has evolved from the 2018 version with respect to government access to data, both speakers commented on how it has gotten worse with each successive version. Both also indicated that they would prefer to revert to the safeguards provided in the 2018 version ideally. The 2018 Bill only allows the government to access personal data without consent for welfare purposes or for security purposes if “necessary and proportionate” and if there is a separate law describing the procedure the government has to follow.
• Can improve the 2018 Bill by adding due process: When asked if the 2018 Bill could be improved in any way, Udbhav Tiwari recommended that he would add due process and judicial oversight/review along with the “necessary and proportionate” safeguard.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Also Read

• Data Protection Bill 2022 Focuses On Enabling Govt Access To Data And Surveillance, Not Citizens’ Privacy #NAMA
• A Complete Guide To India’s Digital Personal Data Protection Bill, 2022
• Summary: India’s Digital Personal Data Protection Bill, 2022
• DPDP Bill, 2022: Government Once Again Given Broad Powers To Exempt Itself From Provisions Of Law
• Deep Dive: How The Data Protection Bill Enables Govt Surveillance And Misuse Of Personal Data