It’s 2021, and everything is data.
Your conversations on social media. Your name and number and gender and beliefs. The contours of your face and the ridges of your fingertips. Data is everything you can see, and everything that you can’t.
So maybe you know that India is finally getting a law that seeks to protect your data from hackers, harassers, creeps, criminals, and powerful people who want to exploit it for profit. Of course, the rest of the world has had these laws forever, and it’s shocking that India has simply been functioning without one. But it’s being done now, right? This is imminent and it will become a reality within this year!
Maybe you also know that this incoming Data law, which seeks to provide the entire blueprint of how your data will be dealt with in India, and which gives you rights surrounding your own personal information, has been in the works for a while. Maybe you know that this law has to prioritise you because it’s being made for you. And then, maybe you know that a lot of people are very worried because it is going to fail spectacularly in doing this, benefiting large corporations and government powers way more than it ever even tried to benefit you.
Maybe you even know the grave seriousness of this situation.
Regardless of where you are in your journey with the Personal Data Protection Bill - as a newbie, an intermediate, an expert, or a curious learner, a student or startup owner or homemaker or professor - we invite you on a journey where we #StartFromScratch, hashing it out alongside you with the end goal of your empowerment.
Over the span of 4 blog posts and 4 videos, we will talk about the need for a data law, the current bill’s provisions and loopholes, what good data bills actually look like, where accountability from authorities is needed, and what you can do to advocate for your rights. After this 2-week conversation, you will know the ins and outs of India’s incoming data law, and the exact ways in which it affects you. We hope that you will pay attention and spread the word to other concerned (and not-so-concerned) citizens!
Why do we need a data law? #SaveOurPrivacy
The world is advancing technologically at the speed of light. Every single day, people come up with new and fascinating ways to use your personal information - to make your favourite app run more smoothly, to let you switch your lights off at the clap of two hands, or even to steal your identity or engage in terrorism! For a fun explanation, here’s our video that explains the need for data protection in India:
So we’ve known for a while that a legislation that seeks to protect your rights is the bare minimum requirement to live safely in today’s world. Infact we at IFF have been working on this for a long time. Take the SaveOurPrivacy.in campaign through which we crafted a set of privacy principles, drafted a model law -- versions of which have been introduced as private member bills by two different members of parliament!
Such legislations help maintain a sense of accountability from the government’s end, and they formalize measures for your safety in a way that allows you to seek recourse if your rights are violated. They’re the key to having control over your life, guaranteed to you by the democracy we live in.
Many places in the world already have data protection regulations. The EU has the GDPR, and California has the CCPA (both are really great examples that have set high standards). Countries like China, Brazil, Singapore, and Australia all have their own data protection legislations which evolve with changing times.
For a taste of what a good data protection legislation can do, sample this: Facebook, whose data processing practices have long been criticised, was forced to leave out the Instagram photos of its EU users from its AI training database because of the ban against the large scale scraping of data without informed consent under the GDPR. Such incidents perfectly illustrate why India needs a data protection legislation - and not just any legislation, but a damn strong one.More and more Indians are going online, and so we’re pretty much at the peak of our need for data protection in the country right now. People like you - concerned citizens - are beginning to become aware of big tech companies that hoard our data and sometimes misuse it, and their business models that care more about profit than user protection. Our increased use of tech has brought with it an increased amount of data breaches, malicious hacks, and governmental and corporate surveillance. So to protect citizens, the Indian government has realised the need for our very own legislation that will govern the storage and processing of data.
That’s where the Personal Data Protection Bill comes in
The Personal Data Protection Bill, 2019 provides a framework for public authorities to govern our personal data. Here’s some vocab: As citizens and users, we are called ‘data principals’, and the proposed Act gives us certain rights. It also lays down some obligations for the processing of data by both governments and corporations. It also says that a “Data Protection Authority” has to be set up, which will regulate the processing of data in India to make sure that your interests and needs are being met, and that no one has excessive power or control over your data.The preamble of the Bill states that the right to privacy is a fundamental right which is necessary to protect our personal data and create a culture that fosters a free and fair digital economy, respects people’s privacy, and ensures empowerment, progress and innovation.
Why are we doing a series on it?
Well, the Parliamentary Committee which exists to deal with this Data Bill had until very recently to submit its report on the Bill to the Ministry of Electronics and IT. This is a step that will bring it much closer to actually becoming an Act that can be enforced on you (like when the Citizenship Amendment ‘Bill’ became the Citizenship Amendment ‘Act’).
Given the chance that this will actually happen very soon, we want to highlight the issue of the bill and the many reasons that activists and concerned citizens are saying - please don’t let this become a reality in our lives!
The point of the data bill is to empower you with rights relating to your own data. But in its current form, it provides large exemptions to government departments, prioritizes the interests of big corporations, and does not adequately respect your fundamental right to privacy. This move, when taken with the lack of literacy around data protection in India, may be dangerous on an individual level - where your everyday privacy is threatened - and on a collective level, given how it makes allowances for mass surveillance.
At this point, some people may feel that it’s too late to raise their voices against harmful provisions. But it’s not! In fact, right now is the most important time to raise awareness and to put public pressure on our MPs so that they can enact a much better data protection legislation that will safeguard our digital rights and prioritize the interests of everyday citizens like you.
We’ve been keeping a watchful eye on all things privacy in India for a while, and have been engaging deeply with the Personal Data Protection Bill. Find out more about our initiatives at saveourprivacy.in. If you would like to fast-track and read a detailed analysis instead of following the entire series, you can check out our public analysis here.
Here are 3 key points to get started
- The bill is intertwined with our Right to Privacy: In 2017, two very important things happened: first, The landmark Supreme Court judgement in Puttaswamy case. Our Right to Privacy was enshrined as a fundamental right, as a key component of the right to life and personal liberty under Article 21. The Supreme Court also directed the government to bring about a robust data protection regime. Second, the Ministry of Electronics and IT constituted the “Expert Committee on Data Protection” - a body that would strongly influence how we govern data in India. This Committee was criticised for being against the Right to Privacy judgement. However, these criticisms mostly fell on deaf ears, and so the Committee released its report in 2018.The current Data Bill is rooted in this.
- One of the key creators of the Bill fears that it has turned into something dangerous: The new Bill differed significantly from the previous draft and faced wide-ranging criticism, with Justice Srikrishna, the chair of the committee himself, calling it "dangerous" and with the potential for turning India into an “Orwellian State”. The Bill was then referred to a Joint Parliamentary Committee (JPC), which then initiated another round of consultations and hearings on the Bill. We also gave our comments on the latest draft and have been continuously and vigorously conducting public outreach on the Bill since. Along with others, we have also been pointing out the need to diversify the consultation process of the JPC.
- The Bill is not new - there have been a number of previous versions, each with their own unique challenges: This history of the bill includes versions through the Ministry of Personnel, Public Grievances and Pensions, a report by an Expert Committee on Privacy all the way back in 2012 which serves as an influential document on international & national privacy standards, several bills introduced in both Lok Sabha and the Rajya Sabha that put forth different models of privacy regulation, and more. A lot of these versions and criticisms are available over at the SaveOurPrivacy.in website.
What’s going on right now? When do we get this data law?
There have been some prior government versions of the bill, but it is likely now that the next version that comes through this JPC will become an Act, i.e. it will become a law. However, the government is running out of time if it wants to get it passed during the budget session of parliament. In their responses to questions asked in the Lok Sabha, the government effectively shrugged its shoulders and said that the Bill had been referred to the Joint Parliamentary Committee. It is unclear when the report of the JPC will be released.
This is the first blogpost in our series on the Personal Data Protection Bill, 2019, as we explain what the Bill is, what concerns have been raised about it, and what we can expect after its implementation. Do check out our social media to see the corresponding videos.
- The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)
- Essential Features of a Rights Respecting Data Protection Law dated February 28, 2020 (link)
- IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019 (link)
- The SaveOurPrivacy Campaign (link)