The Personal Data Protection Bill, 2019 is here. The arrival of such a Bill is definitely needed, however, those terrible parts we were concerned about still haven't undergone much change and now a few more terrible parts have been added. Just to bring you up to speed, we've listed five areas that are pretty concerning. Want to go into some more detail? We will soon put out detailed explanations but till then we've added a bunch of links of various other places that have dissected the Bill.
5 issues to watch out in the Data Protection Bill
On December 4, 2019, the Personal Data Protection Bill, 2019 was finally approved by the Cabinet. However, as has been the case throughout this year, the current form of the Bill was unknown until December 10, 2019. The Bill was circulated amongst Members of Parliament and of course everyone managed to grab themselves a copy. The Bill made its first public appearance in 2018 but was the subject of much deliberation by the Government ever since and had been rumoured to have undergone substantial additions over this period of time.
As we presently possess the Bill in all its supposed glory, the disappointment we feel is ofcourse much less glorious. A large portion of the concerns we had with the Bill still remain and continue to occupy a significant need that India’s data protection law should ideally fulfil. We list out five of our major worries, some of which will refresh your memories of the previous Bill but also provide titbits of how new provisions only adds to these concerns.
Issue 1: Super broad exemptions
- Exemptions: The 2018 Bill provided the State with leeway to obtaining consent for certain aspects such as for the provision of services/benefits and for the issuing of licences, certificates or permits. This has received a further seal of approval with this 2019 Bill clearly stating that consent is not required by the State which can exempt any government department by an order. Now imagine the Data Protection Bill being made inapplicable to the UIDAI which holds all our Aadhaar data? Does that make sense? Therefore, the State continues to maintain the same massive control over an individual’s personal data and we continue to fear the extent to which it might be pushed.
Issue 2: Muddled priorities
- Preamble: While the Bill's preamble resembles a rights respecting data protection law, a closer look shows its true intentions to benefit from the use of this data. This confused approach in which data protection of individuals is placed on the same level as promoting business and governance interests is not the proper role of a data protection legislation. Such a law is to protect individual people like, you, and me, not promote bussiness or ensure better governance for which other independent policies can be formed. This results in confusion and muddled thinking which reflects in several contradictory provisions in the bill.
- The Govt wants all the data: The new Bill introduces a provision that exempts processing of anonymised data or broadly 'non-personal data'. This provision also allows the Government to direct Data Fiduciaries to provide such data. Why? Oh, because it wants to promote for framing of digital policies. Every time we ask what is, "non-personal" data we are given the example of traffic data from Uber or Ola which can be shared for road design and real time traffic management. But surely we cannot approach and build such a broad exemption based of one use case. Can we?
- Sandbox provisions: The new bill creates what has been widely considered as a 'sandbox' provision; while it hasn't been defined, the provision aims to encourage innovation in AI, Machine-Learning or other developing technology so it provides Data Fiduciaries with the option to fall within the Sandbox provision in order for it to retain data collected by it for 3 years. This ability to, "play around with personal data to build businesses" is done without consent. To us this is really concerning!
Issue 3: Legitimising unregulated surveillance
- New additions: While the bill does nothing to address surveillance reforms, it makes a bad situation even worse. Now this is something we’ve been harping about for ages; neither did the previous Bill or the redraft make an attempt to address the very real threat of surveillance India is currently facing. Instead what does the 2019 Bill do? It weakened already existing safeguards that were even slightly applicable to surveillance through additional exemptions.
- A deeper well: Earlier in order for law enforcement agencies to collect and process data, it needed to be necessary and proportionate to its interest in the data. However, with Section 35 and 36(a) of the new Bill, it now excludes these law enforcement agencies from the application of the Bill. This is for data which is gathered with consent by users whose data now can be easily requisitioned by Government offices in real time. Why? Because the Data Protection Bill will not apply to them.
Issue 4: The Sarkaari Data Protection Authority (DPA)
- No changes: We bring this up because the previous Bill was pretty worrying but without a doubt the new Bill found a way to make it worse. The new Bill maintains the composition of the DPA (considered the regulator) which essentially appears to be under the absolute control of the Central Government as it lacks diverse representation.
- No good additions: This control is now accentuated as a Selection Committee that selects the Chairperson (known as the Selection Committee) and the members of the DPA have been replaced by individuals of the Executive as opposed to the earlier Bill, where they were members of the judiciary were part of the Selection Committee.
Issue 5: "Voluntary" Social Media Verification
- Everyone gets a blue tick: This entirely fresh provision creates a whole new class of data fiduciaries called social media intermediaries. This requires these intermediaries to provide users with the option of getting verified voluntarily. While this is being done in an attempt to battle disinformation and fake news, which is frequently spread by pseudonymous or fake accounts, there is no clarity as to how this verification intends to crub misinformation. What's dangerous about it? We all know how social media companies thrive on retaining our attention and then make money by profiling and selling our personal data. With legal backing to demand our Aadhaar or any other government ID to be linked to social media they will be able to gather greater information about us. In many ways this will lead to greater and more accurate survelliance and profiling. This directly conflicts with the rule of data minimisation. It goes against Data Protection.
Read what others have to say
While we bring to the surface these major issues, a plethora of new problems have propped up since the Bill was made public. A few other places like slfc.in and mozilla have listed some of the changes that have been made (Click on the links to read what they've said). But that’s not all of our worries, not only was the Bill introduced in Parliament on December 11, 2019 but it has now been referred, NOT to the existing Standing Committee on Information Technology but to a newly formed Joint Select Committee.
To understand why we're this worried, you might want to take a look at these private member's Bills based on SaveOurPrivacy's 7 Privacy Principles that provide a semblance of what a Data Protection law should be. Here is the Bill by Dr. Shashi Tharoor (link) and a recent one by Dr. Ravikumar (link).
Our continued actions
We intend to do a detailed analysis of these five issues and other linked concerns over the next week; we've decided to combine our explainers with an added element in an attempt to keep in real/interesting. So, definitely watch this space! In terms of engagement and pushing for policy change, we intend to pick up a range of advocacy actions and will keep you updated. If you have any ideas on how we can do this more effectively please do reach out!
We run on donations rather than commodifying your personal data. You can support digital rights and nostalgia. Become an IFF member today!