Civil Society Members Write to MPs Regarding Proposed Data Protection Bill

Courtesy: The Leaflet

On Friday, several retired judges and bureaucrats, and prominent academics, activists, journalists and other members of the civil society endorsed a letter addressed to all Parliamentarians of India regarding concerns with the proposed Data Protection Bill, urging them, among other things, not to amend the Right to Information Act.

The letter is reproduced in full below.

❈ ❈ ❈

16 December 2022

Respected Member of Parliament,

We write to you to express our concern regarding the proposed Digital Personal Data Protection Bill (DPDPB), 2022 and the undemocratic manner in which public consultation on the bill has been invited, in violation of procedural requirements as per the Pre- Legislative Consultative Policy (PLCP), 2014.

1. On 18th November 2022, the Ministry of Electronics and Information Technology (MeitY) published the draft DPDPB, 2022 and explanatory note on their website along with a notice inviting feedback on the bill from the public within 30 days. While the PLCP clearly stipulates that any Department/ Ministry must take proactive steps necessary to ensure that the draft legislation has wide reach and publicity – the draft DPDPB, 2022 has only been made available in the English language on the MeitY website. To ensure a transparent and robust consultative process as envisaged by the PLCP, 2014 – the time period for the consultation must be extended and MeitY ought to release the draft Bill in multiple Indian languages, and facilitate physical platforms other than their website to provide wider publicity and engagement with the consultative process.
2. The process to submit comments is only through the MyGov website which is convoluted and difficult to navigate – allowing only submissions and feedback that are made chapter-wise. Additionally, the notice issued by MeitY further states that the submissions invited from the public will not be disclosed in the public domain and ‘held in fiduciary capacity, to enable persons submitting feedback to provide the same freely’. The non-disclosure of comments received from the public and the status of its consideration by the Government, goes against the basic tenets of a public consultation process.

The Digital Personal Data Protection Bill is a legislation that will impact all citizens of India, and any consultative process must remain transparent, open and inclusive and in line with the Pre-Legislative Consultation Policy, 2014.

1. The Data Protection Board is the principal authority that has been set up to determine non-compliance with the provisions of the Act and for adjudicating compliance and redressing grievances. Section 19 of the DPDPB, 2022 confers discretionary powers to the Central Government which is responsible for determining the selection and compositions, terms of conditions, and removal of the Chairperson of the Data Protection Board. The lack of independence of the Data Protection Board is extremely worrying and it is imperative that such a board function without the interference of the Central Government to enable the protection of the interest of citizens, specifically qua violations of the DPDPB carried out by the Central Government. Additionally, the draft Bill stipulates that the functions of this Board will be digital in design, making the complaints and redress process exclusionary.
2. The draft Bill which seeks to create a legal framework for the governing of personal digital data in India contains several problematic formulations within it that fail to protect the right to privacy of individuals and seriously undermine transparency and accountability through the proposed amendments to Section 8 (i) (j) of the Right to Information in Section 30 of the draft Bill. Section 8(i)(j) of the RTI law contains within it privacy protections which have been settled positions of law while the proposed amendments render both the right to privacy and the RTI ineffective. Through this amendment, all personal information can be denied, even if disclosure of that information is relevant to the larger part of public activity or in public interest as provided for in Section 8 of the RTI Act. It unjustifiably removes the proviso to Section 8 that equates the citizens right to not be unjustifiably denied information with that of the elected representative and the legislature This gives legal sanction for government entities, government functionaries and political executives to remain opaque in their functioning. This will also result in regression of legal victories consolidated thus far that have ensured the declaration of information in the public domain in the public interest of entities enjoying power and privilege.
3. The proposed Bill has the potential to place restrictions on public disclosures mandated by various welfare laws and schemes like the National Food Security, 2013, National Rural Employment Guarantee Act, 2005, and the National Social Assistance Programme that are vital to maintaining transparency and accountability. These mandates of information disclosure have been hard won gains through decades of struggle and advocacy. However, disregard of this hard won right and principle, the non-obstante clause Section 29 (2) of the DPDPB, 2022 reads “In the event of any conflict between a provision of this Act and a provision of any other law for the time being in force, the provision of this Act shall prevail to the extent of such conflict.”

In the context of the above, we make the following demands:

1. Transparent and Inclusive Public Consultation Process:

1.1. The DPDPB has only been released on the MyGov website in English with the deadline for submissions being 17th December 2022. The time for the submission of feedback must be extended. The draft Bill must be released in multiple Indian languages and widely publicised through electronic and print media for wider engagement in the consultation process as it impacts the fundamental rights of all citizens. In a similar case regarding the consultation process of the draft EIA notifications 2020, the Delhi High Court directed the MoEF&CC to publish the draft for public consultation in all languages mentioned in the 8th Schedule of the Indian Constitution, and take proactive steps for its dissemination.

1.2. As per the notice released by MeitY, the summary of feedback/submissions will not be made available in the public domain. The summary of feedback/comments received from the public/other stakeholders must be made available on the Ministry’s website in line with the PCLP, 2014 to facilitate and support a robust, transparent, and democratic consultative process.

1.3. MeitY is currently accepting only chapter-wise feedback on the online portal. The process for submission of feedback must be made easy and accessible to all citizens, including provisions for offline submission.

1.4. The DPDPB, 2022 is likely to have ramifications for many welfare legislations and policies. As per the procedure laid down in PCLP, 2014, the Ministry should organise open consultations with all stakeholders, including people’s movements and civil society organisations, and campaigns working on these issues.

2. Objection to proposed amendments to the RTI Act: No amendments should be made to Section 8 (i) (j) of the RTI Act. The RTI law is a critical legislation that empowers ordinary citizens to demand information and maintain accountability and transparency in government function. Any attempt to amend this critical section will lead to the dismantling of the RTI structure and a reversal of the transparency and accountability that it introduced in governance. The right to information and the right to privacy of all Indian citizens must be protected.

We seek your support and appeal to you and your party to raise these concerns in the on-going winter session of parliament and outside of parliament. The draft Digital Personal Data Protection Bill, 2022 poses a serious challenge to the processes of democratic engagement and threatens the very foundations of the transparency and accountability regime in the country.

Signatories:

Justice AP Shah (former judge, Supreme Court of India), Justice AK Patnaik (former judge, Supreme Court of India), Wajahat Habibullah (former Chief Information Commission, CIC), and many others.

(Courtesy: The Leaflet, an independent platform for cutting-edge, progressive, legal & political opinion.)

❈ ❈ ❈

Is Revised Data Protection Bill a Charter of Surveillance Capitalism?

Prabir Purkayastha

The 2019 version of the bill was flawed. But in 2022, the government has gone all-out to protect the interests of Big Data, Big Capital, and the powers of the State at the cost of citizens’ privacy.

The new avatar of the Indian Data Protection Bill 2022 is not simply a rebirth of its 2019 version. Its earlier objective was to provide a legal framework to the Supreme Court’s Puttaswamy judgement that privacy is a fundamental right. The purpose of the 2022 bill is different. It proclaims the citizen’s right to privacy but allows the government to override it. Its other objective is to enable Big Businesses—Indian or foreign—to use our data for their benefit. In other words, the 2022 bill intends to do the opposite of what it claims: not protect privacy but create the architecture of a surveillance state and build surveillance capitalism.

I don’t argue the 2019 bill was perfect. It was not. The Joint Parliamentary Committee suggested 92 amendments in it. But after extensive reviews in Parliament, public discussions and deliberations in the JPC, the government suddenly withdrew the bill and released a new one without explanation. The answer materialises when we examine the clauses dropped in the new bill and its overall direction.

Let us look at the big picture first. To protect the citizen’s privacy as a right, we must define what that right is and under what conditions the State can invade it. For example, the right to life or liberty of a citizen can be taken away by the State if an independent judiciary judges they committed a heinous crime. As we saw in 1975, allowing the government to exercise this right without judicial review led to the worst excesses of the Emergency.

A privacy law, therefore, must have at least two basic elements. One is defining under what conditions the State can curtail these fundamental rights. Or, as Puttaswamy says, any curtailment must meet the triple test of necessity, the invasion of privacy being reasonable and proportionate to the need. Another element is a relatively independent regulatory body must exist to protect the right to life and liberty. The 2022 version of the bill overwhelmingly tilts in favour of the government and against citizens on both counts.

In 2018, former Supreme Court Justice BN Srikrishna proposed a draft Personal Data Protection Bill. In a recent interview with The Hindu, he said the government’s 2022 version “drives a coach and horses through the privacy right of individuals”. According to him, it completely abandons Puttaswamy’s triple test of necessity, reasonableness and proportion.

For example, the composition, qualifications, procedures of appointment and tenure in the regulatory authority envisaged in the 2022 bill have all been delegated to what is called subordinate legislation—or rules—that the government will decide. Hence, these critical functions have been taken out of the purview of Parliament. The new version says a chairperson and the members of a Data Protection Board of India will be appointed, and their tenures fixed, solely by the government. This is why Justice Srikrishna said it would be a government “puppet”. The provision of an appellate tribunal specified in the 2019 version of the Bill has also been dropped.

The 2022 bill is much shorter, containing only 30 sections compared to 98 in the 2019 version. While shorter, at least 12 of its 30 sections carry the rider that the government “may prescribe” on those issues, making those sections meaningless.

The bill empowers the government to exempt its agencies from these provisions through a simple notification on national security grounds. This provision is in addition to government agencies’ existing powers to intercept our telephone or data communications under the Information Technology Act.

The 2022 bill starts, like the older version, by defining the data principal and fiduciary. Let us focus on the citizen as the data principal—that is, on what happens to their data. The data fiduciary is the one who parts with their data while using an application or performing an activity on a platform. In most cases, the fiduciary is a company or State agency which uses citizens’ data for their purposes. For instance, companies like Google and Facebook use citizens’ data to display ads to their users. Or they act as data brokers, selling their data to companies and other entities.

The misuse of data, when used beyond what a citizen has permitted an entity to use it for, can cause harm or loss to the data principal. That harm could be monetary or hurt their reputation or another loss, including personal security. But in the clauses that define what citizens can consider harm or loss, the categories have been reduced significantly in the 2022 version compared with the 2019 bill. A clause that defines significant harm based on impact, continuity, persistence or irreversibility has been completely removed. The earlier bill also had a provision that defined sensitive data and how to treat it. This version of the bill has no such definition and, therefore, no provision for when Big Data processes such data. All these tilts the balance between the citizen and Big Data companies, heavily favouring the latter.

No data protection bill I know of lays down duties for the citizen. This one does. It specifies that the data principal—the citizen—is legally obliged to provide the correct data. It means no person can use a pseudonym while using data services. People often use pseudonyms since identifying them by gender or religion might expose them to danger. Women are trolled on many websites in a bid to silence or drive them out of digital spaces. Having a non-binary sexual orientation is another reason why people may not wish to disclose their real identity on certain websites. Disallowing pseudonyms may help State agencies and Big Data, but it can cause serious harm to various minorities.

This bill virtually exempts the State from requirements regarding citizen privacy. It lowers the duties of Big Data towards its users. It does away with data localisation, which would have meant that the data of Indian citizens are held in India and subject to Indian laws. Contrary to the government’s nationalist claims, it is weakening provisions related to data localisation, which will help foreign capital. Companies like Visa, Google and Facebook had raised significant objections to the data localisation provisions in the earlier version of the Privacy Bill.

A considerable part of this bill is geared toward allowing Big Data to use our data. The concept of a data fiduciary obfuscates that companies defined as fiduciaries do not store data on our behalf but for their profits. They want to use our data to sell us to advertisers. They use our data to sell us goods continuously, and they get a significant share of the profits from such sales. Google and Facebook are the biggest recipients of advertising revenue today.

Data also allows improvements in and optimisation of a vast range of software tools. For example, the successes of Artificial Intelligence tools depend on the amount and variety of data it consumes. And, of course, government agencies want more data to monitor and “orient” citizens to their preferred mode of thinking. These concerns are apart from the role big money plays in elections. That is why the phrase Surveillance Capitalism describes the marriage between the surveillance state and big capital. And this marriage is at the core of the 2022 privacy bill.

(Prabir Purkayastha is an activist for science and the Free Software movement. Courtesy: Newsclick.)