India’s efforts to protect the personal data of its citizens fall short of privacy requirements

India’s Personal Data Protection Bill, 2019 starts encouragingly, seeking to protect “the privacy of individuals relating to their personal data”. But by the end, it is clear it is not designed to deliver on the promise. For, even as it rightly requires handlers of data to abide by globally-accepted rules — about getting an individual’s consent first — it disappointingly gives wide powers to the Government to dilute any of these provisions for its agencies. The Bill, which was tabled in Parliament by the Electronics and IT Minister on December 11, has now been referred to a joint committee, to be headed by the BJP’s Meenakshi Lekhi. The committee is expected to table its report during the Budget session. Technically, therefore, this is not beyond redemption yet. But recent events have cast doubts about whether the Government is serious about delivering on the privacy promise. Recently, messaging platform WhatsApp said that some Indian journalists and rights activists were among those spied using technology by an Israeli company, which by its own admission only works for government agencies across the world. Google too had alerted 12,000 users, including 500 in India, regarding “government-backed” phishing attempts against them. The Indian Government has still not come out in the clear convincingly regarding these incidents.

Importantly, one of the first to raise a red flag about the Bill’s problematic clauses was Justice B.N. Srikrishna, whose committee’s report forms the basis of the Bill. He has used words such as “Orwellian” and “Big Brother” in reaction to the removal of safeguards for Government agencies. In its report last July, the committee noted that the dangers to privacy originate from state and non-state actors. It, therefore, called for exemptions to be “watertight”, “narrow”, and available for use in “limited circumstances”. It had also recommended that the Government bring in a law for the oversight of intelligence-gathering activities, the means by which non-consensual processing of data takes place. A related concern about the Bill is regarding the constitution of the Data Protection Authority of India, which is to monitor and enforce the provisions of the Act. It will be headed by a chairperson and have not more than six whole-time members, all of whom are to be selected by a panel filled with Government nominees. This completely disregards the fact that Government agencies are also regulated under the Act; they are major collectors and processors of data themselves. The sweeping powers the Bill gives to the Government renders meaningless the gains from the landmark K.S. Puttaswamy vs. Union of India case, which culminated in the recognition that privacy is intrinsic to life and liberty, and therefore a basic right. That idea of privacy is certainly not reflected in the Bill in its current form.