Policy | The good and bad of the Data Protection Bill

Living in a constitutional democracy such as India entitles you to some presumptions of innocence. First, and foremost, the presumption that you are a peaceful citizen minding your own business, and not indulging in crime. This means that a police officer cannot check your belongings while walking on the road, force you to hand over your mobile phone, or enter your house to conduct a search, without a judicial warrant for the same (subject to generalised exceptions, of course, such as when they suspect a crime has, or is about to be, committed). In fact, a ‘search’ without following due process can be challenged in the courts.

The relevant question here is not what you might be hiding. You may have nothing to hide from the State, at least not anything criminal. It is simply an assurance that you will not be treated with suspicion in your own country.

However, now, the Union government is seeking to give itself much more invasive and pervasive powers over your life than a mere search of your body or house, and Parliament looks likely to assent. The new Personal Data Protection Bill, 2019 grants governmental agencies sweeping exemptions from the rigours of compliance as well as the restrictions on accessing or processing personal data of private citizens. So much so that Justice (Rtd) BN Srikrishna, who headed the committee that formulated the original draft of the Bill, has reportedly called it “a piece of legislation that could turn India into an Orwellian state”.

There is no point in mincing words here. There can be simply no scenario in which allowing the government to intercept, access, and process personal data without strict safeguards can be good for a democracy. Such large powers are inevitably bound to be misused, as we have repeatedly seen. This comes on the back of the December 2018 order by the Ministry of Home Affairs that gave 10 central agencies the power to intercept, decrypt, and monitor information in any computer.

The challenge to this order in the Supreme Court just joined the long list of critically-important cases on which the court has dragged his feet, without any order of consequence having been passed. Followed by the disturbing reports of the surveillance of the mobile phones of prominent activists and lawyers, by some agency which most likely appears to be aligned with the government, Justice Srikrishna’s fears of Orwellian surveillance is not in the least bit exaggerated.

Leaving aside the exemptions granted to government agencies, the proposed law has much to offer and couldn’t come any sooner. In short, all personal data (characteristic, trait, attribute or other feature of the person) online or offline, shall require the explicit and informed consent of the individual to whom it belongs before such data can be collected or subjected to any form of analysis.

Take for example, the recent controversy involving the employment of facial recognition by beverage chain Chaayos. While the company denied that the collection of data was involuntary, there doesn’t seem any record of anybody having been asked for their consent. Without getting into the obvious fragility of the company’s explanation that facial recognition will help them process customer orders faster, it can be underlined that the new law would require Chaayos (or Facebook, for that matter) to explicitly tell customers the purposes for which they would be using the facial data.

Section 6 of the Bill provides that any data collected should only be to the extent necessary for the processing of such personal data. Section 7 mandates that a notice be given to the person whose data is being collected of the nature and categories of personal data, and the purposes for which the data is to be processed, among other things. This should put a huge spoke in the wheels of organisations that thrive on processing and monetising data collected from individuals.

Where the Bill comes short is perhaps not limiting the scope of data collection itself. For example, at a service such as Facebook, it is practically a fait accompli. Perhaps the law could have prevented service providers from making omnibus ‘take it or leave it’ rules that shut you out if you refuse to consent to your personal data being processed.

Abraham C Mathews is an advocate based in Delhi. Twitter: @ebbruz. Views are personal.