The proposed Data Protection Bill 2019 seems to both a Dr. Jekyll and a Mr. Hyde. On the one hand it moots tough measures against private firms over storage of data and its leakage for pecuniary gains, while on the other it gives the government the right to break all these rules as and when it feels like.
The Bill proposes tough measures against private companies in terms of storing of personal information, stipulating that it must be within India and also states that explicit consent must be taken for the data to be moved out of the country. The proposed bill also, rightfully, imposes stringent measures of checks and balances and imposes stiff penalties on private companies for violation of individual data being leaked out.
Was this necessary? Absolutely. Many of us have seen the video that was circulating on WhatsApp about how a photocopy shop owner was claiming that his major source of income came from selling data related to copies of PAN, Aadhar and other important personal information to a whole host of private parties. I personally have witnessed it in Delhi’s Dwarka, where the Internet café owner told me that more than the income from the users of the systems, his actual income came from selling the personal details of his users, including their browsing history etc. to eager private buyers.
Let’s be clear. Our browsing history is not private, no matter how secure our corporate networks are. Nor are our cellphones. There are enough anecdotal incidents where, the cell phone listens to our conversation and then serves us an ad that roughly corresponds to our supposedly private discussion. It is also no secret that while cell phone and internet users are generally lax with their personal data, the people who collect it – Insurance companies, banks, other service providers, utilities are even so. They end up selling it, officially or not, to multiple bidders of that data.
So, yeah, we need a data protection bill and more importantly, we need to enforce it.
On the other hand, the real problem appears to be the government itself. A quick reading of the Bill suggests that while the government has bared its fangs against the private parties, it has given itself the virtual carte blanche in deciding how, when and to what extent, it can violate the proposed law.
According to a report in Business Line, the bill proposes that “The central government may, in consultation with the (proposed data protection) authority direct any data fiduciary or any data processor to provide any personal data anonymized or other non-personal data to enable better targeting of delivery of services …. in such manner as may be prescribed”. In other sections, the bill also allows the government to invoke the issues of national security, sovereignty and integrity of the state, the government has assumed sweeping powers to exempt itself from the provisions of the bill.
This is problematic. Consider that around 4% of the warnings by Google’s Threat Analysis group were due to government snooping in on its own citizens. And, this is across 149 countries and 12,000 warnings sent by the group. Essentially, all this means is that while government is sabre rattling to private parties, it is allowing itself the means to continue to snoop on fellow Indians, simply by invoking ‘national security’ concerns.
The second problem is one of definitions. The bill says that ‘critical personal data’ cannot be taken out of the country. Great! However, if you wish to dig further to find out exactly what defines the ‘critical personal data’, you are faced with a deafening silence. The government will determine, at some possible time in the future, or from time to time, what defines ‘critical data’.
Much as we welcome the data protection bill, this cannot be allowed to be used by the current government as an opportunity to legitimize their surveillance on their own citizens. There must be some oversight mechanism to ensure that no government is allowed to spy on its people, without any form of control or specific reason, which again needs to be permitted by an agency outside the government. The bill in its current form, allows the government to specify the reasons, approve it and execute it without any such oversight.
Given the current state of the bill and polity, one cannot but recall Lord Acton’s famous lines “Power tends to corrupt and absolute power corrupts absolutely”. In its attempt to ring fence the individual’s private data, the government seems to be intent on misusing what it seeks to protect. Absolute tragedy that.
