Waiting for the Data Protection Bill

The JPC report on the draft Personal Data Protection Bill preserves a legislation beset with problems

It is open season on Big Tech, especially the American social media companies, though not entirely undeserved.
It is open season on Big Tech, especially the American social media companies, though not entirely undeserved.

By Mishi Choudhary

In Samuell Beckett’s Waiting for Godot, the two main characters engage in a variety of discussions, waiting for the titular Godot. India has also engaged, over the past four years, in a variety of discussions while awaiting the Data Protection Bill, a legislation to protect the data of its 1.3 billion. Like Godot, this Bill also never seems to arrive, though, recently, there is a spectre of the Bill that we can analyse.

In 2017, the Supreme Court, in Puttaswamy, held “the right to privacy is protected as an intrinsic part of the right to life and personal liberty”. The case called for formulation of a law that balances this right against legitimate concerns of the government. The Justice Srikrishna Committee, constituted by the Union government, submitted a report as well as a draft Bill on personal data protection in 2018. Despite grandiose declarations by the Executive on this one law addressing every concern on data collection and breach, we have only watched “serious discussion” carried out since. Recently, the report of the Joint Parliamentary Committee—tasked, in 2019, with scrutinising the Union government’s Personal Data Protection Bill—was adopted, albeit with several dissent notes from opposition-party members of the committee. Justice Srikrishna termed the current Bill “dangerous”, warning of an “Orwellian State”. Still, no law, like no Godot.

The usual problems plague this law. The Centre is still the powerful almighty, who can exempt any of its agencies from the Bill’s purview. The Executive is empowered to be exempted in the name of security of the state. India must be the only democracy with scant oversight of the State’s surveillance power. When a government reads every face, political dissent is subject to permanent intimidation. As Aadhaar becomes the link tying all chains of personal data together, we can expect our “data shadow” to follow us through every fiscal and administrative transaction. If government is allowed to put these two pieces together, it has “total information awareness”, with no check on its powers. Also, everything must always be done in consultation with the Centre. Government authorities routinely assure citizens that surveillance is conducted in accordance with law; yet, this remains a questionable claim. How does this Bill even pass this stench test?
Nobody was expecting any forward-looking step—a Lina-Khan-like appointment, drawing from the US context—but to require that the Data Protection Authority draw talent from the old pool of government officers, judges, professors of elite institutions, misses the opportunity to bring technically-sophisticated experts and civic-minded activists into the milieu.

Indian laws are notorious for meting out criminal punishments to companies and their executives, while the rest of the world uses contractual damages or fines. Such laws empower an SHO to threaten Twitter executives with jail time for user-generated content or arrest founders of companies. The JPC report recommends criminal punishment for offences under the law. In a country where basic investigation techniques are compromised by the police, we are yet again paving the road for harassment of young digital-company founders. How that eases the ability to carry on a business here is a question every investor must be asking.

It is open season on Big Tech, especially the American social media companies, though not entirely undeserved. But to have the entire kitchen-sink of issues in a Bill on Data Protection, including content moderation, is another sign of our legislators going through the motions without addressing the real problems. A recommendation saying, “A mechanism may be devised in which social media platforms , which do not act as intermediaries will be held responsible for the content from unverified accounts will be on their platforms” has no place in a Personal Data Protection law.

Recently, PM Modi made the profound comment, “We are in a time of change that happens once in an era, where technology and data are becoming new weapons.” Against the Pegasus surveillance backdrop, and the roll-out of Facial Recognition Technology to identify protesters, these comments may surely seem meta? No wonder, the spectre of a law that ensures that the Executive is further enabled has raised concerns across board. Not a week goes by when India’s billionaire-entrepreneurs don’t put a new spin on why Indians must control their own data, saying “data is the new oil”—while talking of Aadhaar and digital payments. If you open a newspaper, you would be struck by news of mind-boggling market valuations, unicorns,and fund-raising by companies essentially based on user data. American platform companies, the pioneers of data monetisation,are investing here and kowtowing to every demand of the Indian government lest they are thrown out of this burgeoning data market.

We all understand the power of data (power and money would not be fighting to control it otherwise!). A democratic country must prioritise people, not monetisation of data or illegitimate state action. People expect to use technology without their legitimate activities being spied on or their data stolen. The country needs a law that makes it simple for us to understand our rights, not dubiously create burdensome bureaucracy for everyone. All we have is a cacophony of legislators going through the motions for years in the name of protecting people.

The author is Legal director, Software Freedom Law Centre
Views are personal

Get live Share Market updates and latest India News and business news on Financial Express. Download Financial Express App for latest business news.

Most Read In Opinion