India’s previous attempt to draft a law on personal data protection had made 21 references to “privacy”, starting with its recognition as a fundamental right. Not only was that legislation unceremoniously dumped in August after five years of negotiations, but Prime Minister Narendra Modi’s government has even dropped lip service to be free of intruders in the new version that has replaced it.
The Digital Personal Data Protection Act, which is open to public comment, is much shorter than its now-abandoned predecessor. It’s also a bolder attempt to introduce a Chinese-style surveillance state in the world’s largest democracy — something that will disappoint the country’s liberals, upset trading partners by turning data into a potential tool for foreign exchange. policy, and will cause the West and India to drift. ideologically further apart.
Critics who were appalled at the carte blanche given to the government in the previous draft have little to cheer about in the new version. Any state “instrumentality” may be exempted by the federal government and beyond the scope of the law.
Government agencies can request any personal data they like, keep it for as long as they want, use it as they see fit and share it with anyone in the name of “sovereignty and integrity of India, security of the state, friendly relations”. with foreign states, maintaining law and order, or preventing incitement to a known crime with respect to any of these.” What privacy can exist in such circumstances?
The New Delhi-based advocacy group Internet Freedom Foundation is correct in saying that “if the law is not applied to government agencies, the collection and processing of data in the absence of data protection standards could lead to mass surveillance.”
But then maybe that’s the point. Part of India’s political establishment is fascinated by how China has kept every aspect of its domestic internet economy – and data processors under the thumb of the state – to form a society of 24×7 surveillance.
There is no great internet firewall in India. But the state’s growing desire for informational dominance is beginning to upset businesses of all sizes. After Twitter Inc. and WhatsApp from Meta Platforms Inc. had separately sued the government, SnTHostings, a Pune-based company, also sued New Delhi.
The virtual private network provider argues that the demand to “pervasively monitor user activities and store this data for arbitrary and unreasonably long periods under the guise of security measures is nothing short of treating the entire class of people who use VPN services as suspects of crimes that have not even been identified.”
The new data protection law is unlikely to be of much help in setting the limits of legitimate government intervention. However, it does remove one of the industry’s biggest bugbears: mandatory data localization rules that would force them to store “critical” personal data exclusively in India. But then it presents something more problematic: New Delhi will notify “such countries or territories outside India to which a data controller may transfer personal data”.
Since the law does not specify how these countries will be selected, one can only surmise that this restriction could be used as a foreign policy tool, leveraging the digital footprints of 1.4 billion people.
That is only going to drive a wedge between India and western democracies. The U.S. Clarifying Lawful Overseas Use of Data Act, or the so-called Cloud Law, allows foreign law enforcement authorities to obtain evidence of serious crimes directly from U.S. service providers, but to do so, Washington must be satisfied that the requesting jurisdiction has safeguards against surveillance and limited state access to data.
As long as a police officer can issue an order requesting donors’ personal data on a fact-checking website critical of the ruling party, India is unlikely to qualify for such an executive agreement under the Cloud Act.
It is the relatively wealthier segments of the population who have vocally campaigned for strong privacy protections in the country. But the less fortunate also value it. Surveys show that low- and middle-income Indians have succumbed to offers of cash for some of them to part with their data. But even during the pandemic, when many were in acute financial distress, not everyone was willing to trade personal information for a meal.
It seems that the concerns of the poor will now also be omitted. An independent data protection board that could have boosted users’ confidence in the new law is likely to be a toothless bureaucracy, which the government owes. According to Beni Chugh of Dvara Research, a policy research institution in Chennai, this “could weigh against assessments of India’s adequacy in the European Union” as part of the framework for deciding whether oversight authorities in another country are strongly are sufficient for the transfer of personal data.
Another future was well within the reach of the land. In 2017, India’s Supreme Court considered privacy a fundamental right and urged proportionality of government action: in any breach, authorities must demonstrate that there is no less intrusive way to achieve their legitimate goals. Five years later, all that remains is the label on the bottle. It still says “data protection”, although the pill inside has changed to legalized mass surveillance.
Disclaimer: These are the personal opinions of the author.
Featured video of the day
In Poll-Bound Gujarat, a struggle for basic necessities in this tribal village