August 13, 2023

On Digital Data Protection Bill

FOR those following the twists and turns of the Digital Data Protection Bill, the one submitted on August 3, 2023, is the third reincarnation of the draft bill. The first was the one drafted in 2019 by Justice BN Srikrishna based on the Supreme Court's Puttuswamy judgement, which held privacy as a fundamental right. Justice Srikrishna's draft protected this fundamental right: the individual's right to privacy in the digital age. The tests laid in the Puttuswamy judgment of conditions under which the right to privacy of the citizen can be intruded upon – necessity, reasonability and proportionality – have been completely ignored, both in the 2022 and the 2023 versions of the bills. Justice Srikrishna described that the 2022 incarnation of the bill "...drives a coach and horses through the fundamental right of privacy." This version of the bill is no different, only fleshing out some of the provisions even more. 

The August 3, 2023 version of the bill seeks only to dot the i's and cross the t's, fleshing out – for example – the terms of the new regulatory body envisaged in the 2022 Bill. In the 2022 version, it was left under rules and not defined in the Act, unlike any similar legislation setting up a regulatory body. This hole has been rectified in the 2023 version. Small changes in language and some tightening up of the language are also features of the 2023 Bill. Even after this, many clauses in the 2023 Bill end with stating that the actual working of the clause will be a part of subordinate legislation – or rules – that the government will decide later; or can change from time to time. 

The objective of the 2023 Bill remains the same as the earlier one: how to exempt the State from any restrictions on accessing the citizen's data and how to provide legal cover to the new behemoths in the world, eg, the Google, Facebook-Meta, Amazon, to own our data legally under the fiction of "deemed consent". We become "Data Principals" who now have even the obligation to supply "correct" data to the State or the digital monopolies, which are termed "Data Fiduciaries" in the Bill. And they, as well as the State, can do pretty much as they please with the data, using it for purposes well beyond what I may have given them consent for. 

Let us see how the provisions of the bill work for the two objectives of the bill, my surveillance by the State and the alienation of my data for the benefit of digital monopolies. Suppose I have consented to my data being used for a specific purpose by the State or a company. In that case, under the "deemed consent" clause, the company can use it for any other purpose as well. The "Fiduciary" does not need my consent to further alienate my data from the Fiduciary to others. Even if they are alter egos of the same company operating as a separate corporate structure. 

For example, suppose that I have given my data to a telecom company to provide me with telecom services. Under the "deemed consent" clause, the company may use my data for advertising or even selling this data to others. Technically, the 2023 Bill allows me to withdraw my consent. But since the Data Fiduciaries had the right, as long as I had given consent to share this data with others, including companies that are alter egos of the same company, in no way I can withdraw consent from all parties with whom my data has been shared. Nor is my consent required to share my data. Once alienated, the data virtually ceases to be my property and becomes the company's property. Or, as the bill puts it, virtually in the perpetual "custody" of the "fiduciary". 

No data protection bill I know of lays down duties for the citizen. This one does. It specifies that the data principal – the citizen – is legally obliged to provide the correct data. It means no person can use a pseudonym while using data services. People often use pseudonyms since identifying them by gender or religion might expose them to certain dangers. Women are trolled on many websites in a bid to silence or drive them out of digital spaces. Having a non-binary sexual orientation is another reason why people may not wish to disclose their real identity on certain websites. Disallowing pseudonyms can therefore cause serious harm to various minorities.

The 2023 Bill, like its 2022 version, significantly weakens data localisation. Data localisation would have meant that the data of Indian citizens are held and processed in India and subject to Indian laws. Companies like Visa, Google and Facebook had raised significant objections to the data localisation provisions in the earlier version of the Privacy Bill, as that would have meant significant investments in India and also bringing the output of processed data under Indian laws. In the 2023 Bill, the ability to process data outside India has been made much easier, as the government will treat all locations abroad as places data can be processed subject only to certain countries/locations that are blacklisted. Significantly, this also brings our data under foreign jurisdiction as the processed data will be deemed to be under the jurisdiction of the country where it has been processed. For example, under US law, while US citizens have certain protections for their data, foreign citizens have none!

The bill empowers the government to exempt its agencies from these provisions through a simple notification on national security grounds. This provision is in addition to government agencies' existing powers to intercept our telephone or data communications under the Information Technology Act.

The government's draft bill introduced in August 2022 and its 2023 version is not meant to protect the privacy of the citizen in line with the Puttuswamy judgement. It has a completely different intent. It is to allow Big Brother – the Indian State – an almost unfettered right to surveil its citizens, as well as allow the new age digital monopolies to freely own and use our data. Or legally usher in what Shoshana Zuboff called The Age of Surveillance Capitalism. And to rub salt into our wounds, all this is being done under the garb of a new privacy law for protecting our fundamental rights!