Experts point out that data processed by the government for facilitating public sector schemes could later be used for surveillance.

Few limits on govt use of personal info: Data Protection Bill has experts worried
Sunday, July 29, 2018 - 13:29

After seven months of public consultation, the Data Protection Bill 2018 was finally submitted by the Justice BN Srikrishna Committee to the IT Ministry on Friday. There were several expectations from the Bill, given the atmosphere of increasing alarm as to how personal data is being used. However, experts say that this isn’t the data protection law that we deserve but it is what we have, for now. 

There are several problems with the draft – for starters, the ambit of what constitutes data is limited, and the Bill could even pave the way for the government to use personal data for surveillance.

No limits on how govt processes personal data

The Srikrishna Committee’s report defines personal data on the basis of “identifiability”, meaning data from which an individual is identifiable or reasonably identifiable. The Bill also talks about bringing to life a Data Protection Authority (DPA), which has been given the responsibility of explaining the definitions applicable to various kinds of personal data as per the context.

Section 13 of the Bill deals with processing of personal data by the State. The major problem here is that the government is allowed to process your personal data if it deems it necessary for a function of the Parliament, State Legislature or to provide lawful services to citizens. Unlike private entities, therefore, the government wouldn’t need your consent to do so.

Srinivas Kodali, an independent security researcher, says, “In its present form, the only responsibility of the government is that they should protect the data and not leak it.”

This isn’t the first time that the government has proposed processing citizens’ data for facilitating public sector schemes – it has already been happening, and the data has apparently been used for surveillance.

Andhra Pradesh, for instance, has a Real Time Governance Centre (RTGC) where data ranging from GPS coordinates of houses and medical histories to social media accounts, a person's caste and religion, schemes or subsidies availed, and Aadhaar numbers can be called up on request. All these data were aggregated through the AP government’s E-pragati initiative under their “Sunrise AP-2022” vision.

“Collected at various points of time for subsidy delivery, this data is now used for surveillance,” Srinivas says.

Redundant amendments to Aadhaar Act

The Bill also proposes amendments to the IT Act, RTI Act and the Aadhaar Act.

Taking into account reports about misuse of Aadhaar data, the Srikrishna Committee has proposed to empower the UIDAI in a regulatory role, to take action against companies which wrongly insist on Aadhaar, and those using this data for unauthorized purposes.

However, Srinivas points out that this is redundant because UIDAI is already an autonomous body. “Under the present Aadhaar Act, UIDAI is allowed to file cases on reports about Aadhaar data misuse, making them the sole authority on Aadhaar. What was needed was to make UIDAI accountable, given their performance history, but the amendments don’t do that,” he argues.

An ‘autonomous’ DPA?

The Bill also talks about setting up the DPA, which will be responsible for granting permissions for data usage, and dealing with complaints and redress. While this is supposed to be an autonomous body, experts worry its autonomy may only be on paper.

The chairperson and the members of the DPA shall be appointed by the centre based on recommendations of a selection committee consisting of the Chief Justice of India or a Supreme Court Judge nominated by the CJI, the Cabinet Secretary, and one expert nominated by the judge or CJI in consultation with the Cabinet Secretary. However, the final decision to appoint members of the DPA rests with the centre.

“If the Authority’s chairperson, being a government nominee, is complacent, they could easily give permission to the government to use sensitive data,” Srinivas cautions.

Right to be forgotten, conditions apply

What if you want Google or Facebook to forget something about you? This is where the ‘right to be forgotten’ comes in. However, it is not a fundamental right.

Only an adjudicating officer - a central government appointee - can determine the applicability of the right to be forgotten in a particular case. So, does this right extend to a corrupt public official or a known sex offender? The draft Bill does not answer this question.

“If a journalist writes about an official and that official exercises his right to be forgotten, does it apply? What if the official being tasked with that decision is complacent?” Srinivas questions.

“The bill gives too much discretion to the government in deciding the selection of the adjudicating officer. This officer is responsible for levying penalties and so if the position is not sufficiently independent, how will it effectively regulate govt?” argues Amba Kak, Public Policy Advisor with Mozilla.

Data localisation loophole

While the Bill does direct companies processing Indian user data to store a copy on servers within India, it does not prevent them from storing the data on servers in foreign countries either.

This clause was added to the Bill to aid Indian law enforcement agencies, which increasingly struggle to solve cyber-crimes where data are stored on foreign servers outside their jurisdiction. At present, Indian law enforcement relies on the Mutual Legal Assistance Treaty (MLAT), signed between two or more countries to assist each other in enforcing public or criminal laws.

“The MLAT process has shortcomings. The goal should have been to make this process easier, not just make the access to the data easier for law enforcement as there is a potential for misuse,” Amba added.

A few positives

Amba says that a silver lining is that the Bill will now protect the Indian internet user’s data irrespective of the offending entity’s location or where the data is processed. This is similar to the European Union’s General Data Protection Regulation (GDPR).

Even if the offending entity claims that they do not service or target Indian markets with ads, it would still be applicable to them if Indian user data is being processed, under Section 2 (a) and (b) of the Bill.

Further, under the GDPR regime, companies that processed data had to hire data protection officers, upgrade and audit cyber security etc. The Indian Data Protection Law is likely to have the same effect.

“We have come a long way from the notion that privacy is a cost compliance issue. Businesses have a lot to do; and this law makes it clear that there is accountability and compliance that's non-negotiable. The law doesn't say don't process user data; it just says do it responsibly,” says Amba.

“If we do have a strong data protection law and the EU considers our data protection system adequate, together we could have the largest addressable market in the world with levels of data protection.  if companies will say this is too much compliance work for them,” she added.

The bill is expected to be tabled in the winter session of the parliament, later this year.