- The 2022 Data Protection Bill allows the government to carry out surveillance, despite the surveillance architecture in the country being very weak
- Activists and journalists will be targeted because of the exemptions given to government
- There are no limitations on what personal data the government can ask private companies to share
- The Bill can be challenged in court because of the blanket exemptions to the government
- Government should be a model data fiduciary
- There needs to be a review system to ensure surveillance powers are not misused
“[Compared to] the 2018 version of the bill, the focus has become from privacy protection to business protection. And now, as it has progressed, it is sort of the protection of the government from this onslaught of this right to privacy,” Prasanna S. of Article 21 Trust remarked at the Government Access to Data session at MediaNama’s Reworking the Data Protection Bill event held on December 8 in Delhi. “Every time I drive my car, go through FastTag, now I’ve completed my journey, why should my data be retained? I walk through an airport, now GMR is a private entity, they would be recording and keeping my video recordings for ages,” another attendee remarked.
“There are many heartbreaks in many of the previous bills that we had. But at least the net-net was that something was better than nothing. But here nothing is better than this thing.” — Prasanna S, Article 21 Trust
The Ministry of Electronics and Information Technology (MeitY) is seeking chapter-wise public feedback on the draft law until December 17th, 2022. The submissions will be held in a “fiduciary capacity” and will not be publicly disclosed.
How does the Bill enable surveillance?
Surveillance has been part of the equation since 2012: “Let’s remember that this entire process started in 2012 when the Right to Privacy Bill was being discussed by the DoPT and at that time itself there was a conversation that interception of communication, which is basically surveillance, needs to be included in the bill. This was also echoed by the group of experts headed by Justice AP Shah in 2012. However, over the years, we’ve seen that consistently there has been a dilution of protection,” Anushka Jain, Policy Counsel at Internet Freedom Foundation (IFF), remarked.
You are allowing exempted agencies to do whatever they want: “If you completely exempt certain agencies, then you’re allowing them to do whatever they want. So there is no review. There’s no safeguard in place to stop them from doing it,” Anushka Jain remarked when asked if the Bill allows Pegasus-like surveillance. “It is exempting government agencies. And it is also allowing for essentially the creation of 360-degree profiles,” Jain added.
It is mostly activists and journalists who are targeted: “While the government claims that we need all of this [data] to compete with other countries, what actually is happening is that mostly it’s human rights activists, politicians, and journalists who are targeted by surveillance in the country and not terrorist elements or competing national interests,” one of the speakers said.
Surveillance architecture in India is very weak: “What I want to point out specifically here is that, first of all, the surveillance architecture in India is already very weak. 5(2) of the Indian Telegraph Act and 69 of the Information Technology Act and the rules that are under the two provisions, they do not meaningfully define the grounds under which or the manner in which surveillance can be conducted. There are no ex-ante or ex post facto independent reviews of the interception directions, and it concentrates all the power with the executive,” Jain explained. “There has been constant conversation about the need for surveillance reform in India. And this is what the right to privacy decision also, to some extent, talks about. […] However, even after the 2017 judgement, and a conversation around data protection building up, surveillance was one thing that the government refused to take up,” Jain added.
Presumption of criminality is the norm: “One person on Twitter said that the Chennai police stopped me and took a photo. So Chennai Police replied to them and said that we were just running them through facial recognition to make sure that people who are out at night are not like criminal elements, and there is nothing to worry about. So basically, the presumption of innocence is gone for a toss and the presumption of criminality is how we’re moving forward with this government. Everybody has to be in the database and all information about everyone has to be accessible at the tips,” Jain said.
Can government demand data from private companies?
Are there any limitations on government access to private companies’ data: “Are we now in a situation where private parties are collecting data, which the government can call upon whenever they want without any restrictions, through their agencies? There is no limitation to what they can ask a private party to give to them. Also goes back to what’s happening with NATGRID. NATGRID’s been in the works for about 12 years now. The idea was initially to connect 21 public and private databases to a real-time dashboard. Phase II was about 900 plus public and private databases with real-time information on a dashboard. Phase III was about 1600 public and private databases, which included everything from airlines to banks to OTAs to credit card companies. So is there any limitation, any restriction on the government asking a FinTech company or an email service provider saying, hey, I want all the data,” MediaNama’s Nikhil Pahwa asked.
Don’t think there are any limitations: “I don’t think there is. CMS is already there and the ISPs and the TSPs have been complaining about everything that’s happening. Airtel in its submission for the Telecom Bill has said that we have so many surveillance requests that we want them to share the cost of complying with their surveillance orders. Just imagine how many surveillance orders they’re getting, that’s just Airtel,” Anushka Jain replied.
“Purpose limitation is a principle to tie any sort of collection to a purpose. What the government does is, saying the collection is the purpose. So, that is the inversion. By not applying the purpose limitation principle for itself what it has done is made data basing itself a purpose. So, it is not data basing for a function it is data basing as a function. Every provision in this bill kind of screams of not just enabling it, but effectively encouraging, exhorting the government to do that.” — Prasanna S from Article 21 Trust
Nothing to prevent government agencies from sharing data with each other: “If you have agencies which are exempted, and they take the data, is there anything that prevents one agency from sharing the data with another agency or within the government,” MediaNama’s Nikhil Pahwa asked. “In fact, the national data accessibility and news policy that came in 2022 actively said that we want to create these kinds of databases, which will have all of the information in searchable databases for any government agency to access. So it’s not that they are trying to keep it separate. They’re actively trying to create these databases, which will be searchable within the government so that they can access this kind of information,” Jain replied.
Can the Bill be challenged on the basis of the Puttaswamy judgement?
Puttaswamy requires safeguards against abuse: “So Puttaswamy, people may recall, was a four-pronged test from any state action that infringes or I should say restricts privacy should have a valid legal basis, it should be necessary, it should be proportionate, and it should also be in pursuance of a legitimate state aim. Now a fifth prong has been added to say that the statute should within itself have safeguards against abuse. […] Now this newly articulated proportionality test, I hope, gives us the new tools that we need to test this. For example, if you have an exemption clause, and there is no guidance at all on how that discretion is exercised in notifying these exemptions of entire institutions, so now that’s certainly an absence of safeguards and it doesn’t pass the test,” Prasanna opined.
Not all actions taken by government agencies are justified enough to violate privacy: Arguing that it doesn’t meet the Puttaswamy test, Anushka Jain explained that “necessity and proportionality are something that have to be applied on a case by case basis whereas these clauses, especially clause 18, allows the entire agency or instrumentality to be exempted. So it’s not why the action has been taken, it’s based on who is taking the action. So in that situation, it’s definitely not complying with the safeguards of necessity and proportionality, because you can’t say that every action taken by the NIA or by RAW or by CBI is justified enough to violate privacy.”
How will the government be penalised for offences committed under the Act?
Aadhaar data sharing example: “How does the government get impacted if there is a breach or misuse of data in the hands of a government body? So you remember from Aadhaar that there were Excel sheets of citizens with their personal information, including Aadhaar numbers, name, father’s name, mother’s name, address, PIN code, gender, age, caste, what kind of subsidies they were getting, all of the government departments were actually publishing spreadsheets of this stuff. Does this bill address any of that stuff now?” Pahwa asked.
No impact on government because of the exemptions: “If there are a roomful of exemptions, there are many, many bodies that will not be impacted. They can carry on jolly well the way that they’ve been doing it. Having said that, if assuming there is a body that is not exempted, it is within the full rigours of this [Bill],” Prasanna replied.
How would you fix the Bill?
Government should be the model data fiduciary: “When we started, […] one of the principles that we said was the government was going to be the model data fiduciary. In fact, in jurisprudence, we have that, for example, when the government is the employer. That is why a government job is so secure because the government under the law has to be the model employer. So now it’s completely an inversion of history where the government says we’re going to bring this bill, we’re going to try and have everybody else comply with it, but we have this roomful of exemptions where we will not comply with it,” Prasanna explained.
Start by defining what national security is: Anushka Jain and Nikhil Pahwa suggested that defining national security is a good place to begin fixing the Bill. “Define national security, define public order, define the public interest, define all of those in a manner in which it’s not wide, it’s not vague. […] These have to be very specific definitions,” Jain recommended. State governments should not be able to use these provisions for political gain against the opposition, for example, Jain added, citing the recent Pegasus controversy in Andhra Pradesh.
There needs to be a review system: “I think the most important thing is that there have to be safeguards and these safeguards need to ensure that there is a review, actual review of what is happening. For example, I think there was a 2011 or 2012 RTI, which says that in a couple of months, they’re passing around 1100 to 1400 orders. How is a three-person committee actively reviewing those orders, like is there an actual application of mind that is happening when these orders are being passed? So that is the first thing that has to be there. There needs to be a judicial review or any other kind of review that they can come up with,” Anushka Jain suggested.
Need separate laws on government use and access of data: “For law enforcement, if they have to search or seize mobile devices and personal digital devices, there is generally a gradation of what is the nature of the offence, whether you are seizing it because the device itself is the site of a crime or are you seizing it for information in the device, which you want to use as evidence. So the guidelines will change depending on that. So, therefore, as to what purpose and whether that purpose, answers the Puttaswamy test, etc, all of that will come within other laws, not the general data protection law. There are other laws that have certain overriding effects for whatever reason for the state purposes that can be tested separately, but there can’t be an umbrella exemption for the state under this law,” Prasanna opined. However, Jain felt the need for reforms within this Bill addressing government access. “How will this be worked around with the CPI [Criminal Procedure Identification Act] which allows for 75 years of data collection?” Jain asked in response to Prasanna’s point about leaving government access to separate laws.
It may require a sectoral approach: “It may require a sectoral application. For different sectors you look at this is what really covers national security, this is what covers public order. And what is the instrumentality of the state? Are you an oil company? Are you the police force? It differs accordingly,” Prasanna added.
Is there any model jurisdiction we can follow: “What does or which jurisdiction can we look to, to understand what an alternative universe could look like? So where do we see checks and balances that actually work?” one of the attendees asked. “I can’t tell you like a good surveillance state it does not exist. […] So there are all these safeguards that I have said. They do exist in other countries in some form. […] For example, the UK has a tribunal, which goes through each and every surveillance order. The US has also a specific surveillance court, but if I tell you that the US is the one to emulate for surveillance, all of you are going to laugh at me. So it’s not like any, at least I don’t know, any country, which is doing surveillance, right,” Jain replied.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.