Data surveillance and the Digital Personal Data Protection Bill

Why in News?

  • The Ministry of Electronics and Information Technology released the Digital Personal Data Protection Bill, 2022, on November 18.

Background: Demand for the data surveillance reforms:

  • The journey towards a data protection legislation began in 2011 when the Department of Personnel and Training initiated discussions on the Right to Privacy Bill, 2011.
  • As per an Office Memorandum dated September 29, 2011, the then Attorney General, Goolam Vahanvati, opined that conditions under which the government can carry out “interception of communication” should be spelt out in the Bill.
  • The report of the group emphasized the need to examine the impact of the increased collection of citizen information by the government on the right to privacy. Since then, civil society organizations, lawyers and politicians have consistently demanded surveillance reform, highlighting how personal data can only be protected when the government’s power to conduct surveillance of citizens is meaningfully regulated.

Revoked version of Digital Personal Data Protection Bill, 2022

  • Eases cross-border data flows but wide-ranging powers to state agencies: The reworked version of the data protection Bill, released three months after the Govt withdrew an earlier draft, eases cross-border data flows and increases penalties for breaches. But it gives the Centre wide-ranging powers and prescribes very few safeguards.
  • Delicate balance on privacy and restrictions: Officials at the Ministry of Electronics and IT (MeitY) have said the new draft strikes a delicate balance and factors in learning from global approaches, while staying aligned to the Supreme Court’s ruling on privacy as a fundamental right, but within reasonable restrictions.
  • Seven principles of the Bill: The explanatory note accompanying the Bill elaborates on the seven principles it seeks to promote, including transparency, purpose limitation, data minimization, and preventing the unauthorized collection of personal data.

The surveillance architecture In India:

  • Main components: The surveillance architecture in India consists mainly of Section 5(2) of the Indian Telegraph Act, 1885; Section 69 of the Information Technology Act, 2000; and the procedural rules promulgated under them.
  • No clearly defined grounds: But this architecture does not meaningfully define the grounds under which, or the manner in which, surveillance may be conducted.
  • No safeguards: It also does not contain safeguards such as ex-ante or ex-post facto independent review of interception directions.
  • Lack of accountability: The concentration of power with the executive thus creates a lack of accountability and enables abuse. Evidence for this emerges not only from instances of political surveillance, but also from the slivers of transparency that accidentally emerge from telecom companies.
  • Excessive surveillance: For instance, submissions by Airtel to the Telecommunications Department, as part of the public consultation process for the Indian Telecommunication Bill, reveal that excessive data collection requests are already a reality. Airtel has asked the government to share the costs it incurs to comply with the increasing demands from law enforcement agencies to carry out surveillance.
  • Concerns over citizen data processing: Apart from outright surveillance, unfettered collection and processing of citizen data for other purposes, such as digital governance, raise concerns.

What are the concerns over the revoked version of the bill?

  • No proposals for surveillance reform: All iterations of the data protection legislation since the draft Personal Data Protection Bill, 2019, including the draft Data Protection Bill, 2021 and the 2022 Bill, have no proposals for surveillance reform.
  • Data processing without consent: Personal data can be processed even without the person’s consent.
  • Blanket exemptions: Like previous iterations, Clause 18(2) of the 2022 Bill allows the Union government to provide blanket exemptions for selected government agencies.
  • Permits exemption to private entities: However, this Bill is more egregious than previous iterations as it permits exemption to private sector entities that may include individual companies or a class of them, by assessing the volume and nature of personal data under Clause 18(3).
  • Exemptions without the purview of data protection: Under the new Bill in India, exempted state agencies and private entities will not be within the purview of the Data Protection Board, the body responsible for imposing penalties in case fiduciaries infringe privacy.

Data processing in other countries:

  • Comparative legal regimes, which, as per the explanatory note, were considered before proposing the Bill, do not contain comparable provisions.
  • Such blanket exemptions to state agencies, let alone private corporations, are absent in foreign legislations.
  • Exemptions on case by case and the rationale behind it: While the existing or proposed legislations in the European Union and in the U.S. permit security agencies to claim exemptions on a case-by-case basis, depending on why they are collecting personal data, they do not contain blanket exemption powers to an entire government entity.
  • Meaningful state surveillance: Other jurisdictions exercise meaningful oversight over state surveillance. For instance, the Investigatory Powers Tribunal in the U.K. is authorized to hear complaints against misuse of surveillance powers and can impose monetary penalties in case of a breach.

Conclusion:

  • The preamble to the 2022 Bill states that the purpose is to protect the personal data of individuals and to ensure that personal data is processed only for lawful purposes. However, blanket exemptions for state agencies alongside private entities raise untold concerns, which need to be addressed on a war footing.