Arshad Shaikh looks at the reasons for the withdrawal of the Data Privacy Bill in Parliament. The bill was first introduced amidst much fanfare in 2019 but could not see the light of the day as no stakeholder was satisfied with its final shape. Understanding this ‘back to square one’ episode is important as it is symptomatic of the lack of consensus on the issue of privacy of data. Big Tech and the government remain polar opposites in the debate for data privacy and yet both want to grab and own as much personal data as possible. The government promises to replace the junked bill with a new comprehensive legal framework. Will another law defend our data privacy? Only time will tell.
The government has withdrawn the proposed Personal Data Protection (PDP) Bill, 2019. Announcing the withdrawal, the Union Minister of Electronics and Information Technology (MeitY) Ashwini Vaishnaw messaged members of Parliament: “Considering the report of the Joint Parliamentary Committee (JPC), a comprehensive legal framework is being worked upon. Hence, in the circumstances, it is proposed to withdraw the Personal Data Protection Bill, 2019 and present a new bill that fits into the comprehensive legal framework.”
The stated aim of the bill was to protect the data privacy of citizens, establish a Data Protection Authority (DPA) and develop a legal framework for data usage by Big Tech (Google, Meta, Amazon, Apple, and Microsoft). Is everyone happy with the junking of the bill? Was the bill strong enough to protect our data? What were the concerns of the JPC? How does Big Tech look at the issue? Why did Indian startups welcome the withdrawal? Will the new comprehensive legal framework achieve what the PDP Bill (2019) could not? The issue is grave and requires educating the public on its importance. Else, data privacy will be respected only in letter but never in spirit.
WHY WAS THE BILL WITHDRAWN?
The bill was scrutinised by the JPC. It put forth 81 amendments and 12 recommendations for a comprehensive legal framework. Some of the recommendations were to expand the scope of data from personal to non-personal data, use of trusted hardware on mobile phones and treating social media companies as content publishers and not merely intermediaries (making them responsible for the content they hosted).
Certain clauses in the bill restricted the usage of critical data by foreign companies. This was unpalatable to Big Tech. The Indian startup industry too expressed reservations against the bill. They felt that it is too ‘compliance intensive’ and diminished their ‘ease of doing business’. Both Big Tech and Indian startups had issues with the provision of ‘data localization’ in the bill.
Data localisation or data residency law necessitates data about a nation’s citizens or residents to be collected, processed, and/or stored inside the country, before being transferred outside its borders. If foreign companies faced restrictions to pull data out of India, there would be similar restraints on Indian IT companies. They would also not be allowed to import and store the personal data that belonged to their “foreign” customers.
Under the PDP Bill (2019), this data transfer would be permitted only to “trusted geographies”. This proviso had implications to upset delicately crafted foreign policy. Even public interest groups and civil society activists resented the data localisation provision as it gave the state blanket power to hoard citizens’ personal data.
With nearly all stakeholders unhappy with the bill, the easy way out for the government was to withdraw the bill. However, the downside of this withdrawal was correctly pointed out by the Internet Freedom Foundation, which issued a statement saying: “The withdrawal of the draft Data Protection Bill, 2021 marks the unsatisfactory end of a long and arduous consultation and review process for the legislation. While the 2021 version was certainly not perfect, we are concerned that this withdrawal has now brought us closer to where we started in 2018 instead of where we should be in 2022.”
CONTOURS OF THE NEW COMPREHENSIVE LEGAL FRAMEWORK
Some experts opine that India is trying to combine the protection of data privacy of personal, and non-personal data as well as regulation of Big Tech under one umbrella. It is trying to build a comprehensive legal framework that resembles a blend of the European Union’s GDPR and DMA. GDPR (General Data Protection Regulation) is the “toughest privacy and security law in the world” that imposes fines of up to 20 million euros or 4% of global revenues (whichever is higher) in case of a breach of any of its data protection principles. The EU’s DMA (Digital Markets Act) is a mechanism for regulating the digital space by qualifying Big Tech as gatekeepers, which then have to adhere to requirements that will prevent them from monopolising the market through their hardware, software, and data protocols.
Constructing such a massive framework will not be easy, as exceptions will have to be made repeatedly for government agencies that are trying to enter the digital space hunting for information on economic offenders or potential security threats to the state. Others say that the government will have to compromise its data localisation requirement, as it is not in a position to upset Big Tech and the Indian startup lobby. It may accept mirrored copies of data instead of their physical storage within the country.
Given the track record of the government, it is unlikely for the new framework to stop state agencies from accessing the personal data of any citizen for security purposes. Naturally, this model will then resemble the Chinese model rather than the European one.
ONUS ON CITIZENS
We must understand that data is like currency. If somebody (be it Big Tech or the government) takes your personal data, they do not own it. It is your data and you must get it back. They cannot sell it for commercial purposes nor abuse it in the name of security and public order.
Secondly, we must realise the importance of what the Supreme Court of India has said regarding data privacy. The apex court has held that the ‘Right to Privacy’ is a fundamental right for all citizens. It noted: “The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well.”
Citizens have to resolve and decide that they will not accept surveillance capitalism or a surveillance state. The author of “The Age of Surveillance Capitalism”, Shoshana Zuboff correctly suggests: “Awareness requires a rupture with the world we take for granted; then old categories of experience are called into question and revised.”
We need to educate the public on a massive scale as was accomplished for awareness of climate change and the need for going ‘green’. As Bruce Schneier told us, “Data is the pollution problem of the information age, and protecting privacy is the environmental challenge.”