Data Bill feared to facilitate unbridled state surveillance

The Indian government should amend its proposed data protection law to protect people's privacy instead of enabling unchecked state surveillance, Human Rights Watch said after an evaluation of the draft Digital Personal Data Protection Bill, 2022, for public consultation. It felt the need to incorporate feedback from civil society groups and digital rights experts.

The Digital Personal Data Protection Bill is the latest attempt by the Bharatiya Janata Party (BJP)-led central government to enact India's first data privacy law, after a previous version, introduced in parliament in December 2019, was dropped in August 2022. Opposition lawmakers, technology companies, and advocacy groups criticised the earlier data protection bill, but the current draft also fails to address their key concerns, including not providing adequate protections for children. "India's proposed data protection law undermines everyone's, including children's, fundamental rights to privacy and security by enhancing the power of the state to conduct surveillance," said Meenakshi Ganguly, South Asia director at Human Rights Watch. "With more and more data becoming available on digital platforms, the Indian government needs to make protecting people's privacy and security a priority."

The fear is that the current bill, like the 2019 draft, would grant sweeping powers to the government beyond reasonable exceptions to exempt itself from compliance with the bill's data protection provisions for vague and overbroad reasons. These include the "interests of sovereignty and integrity of India, security of the state, friendly relations with foreign states, [or] maintenance of public order." The bill does not elaborate on its interpretations of security and public order. The anti-Modi constellation of forces feels that these are the terms that the government has long abused to violate the freedom of expression and due process rights of critics of the government.

These questions sound more political than genuine concerns as they demand a redefinition of standards for sovereignty, integrity, or friendly relations with foreign states which no State would ever agree to do. The broad-based concerns of any State would not yield to such utopian concepts due to the hard realities on the ground.

This lack of specificity does not meet the standard for invasions of the right to privacy under the 2017 Supreme Court ruling in Puttaswamy v. Union of India, Human Rights Watch said. It is also inconsistent with international human rights law, which requires any privacy restrictions to be necessary and proportional to address a legitimate aim.

The data protection bill proposes a Data Protection Board whose members would be appointed and removed, and whose terms and conditions of service would be prescribed by the government and this could be a contesting point in future. There is another aspect that is at loggerheads with the interests of the organizations like HRW in this bill. The absence of checks would facilitate surveillance and possible mass violations of people's privacy, it is said. But, the security concerns are genuine and more and more governments in the world are drawn towards intense surveillance of their subjects due to lone wolf attacks and sleeper cell operations.

Though there is severe criticism of the surveillance concerns under the BJP government, the efforts to monitor online content are bound to continue. In fact, the debate should centre around security and the right to privacy more and not stop at the level of levelling allegations alone.

In India, surveillance is governed by the 1885 Telegraph Act, along with the 2000 Information Technology Act. Even though the Supreme Court has twice stated, in 1997 and in 2017, that an order of surveillance can be passed only when strictly necessary and if there is no alternative, the lack of independent scrutiny and effective reporting mechanisms results in a lack of accountability. However, it is not just the Centre that is using surveillance methods, but the States too for various reasons including political, it is now being alleged.

Anyway, it is not going to be a rights-affirming data protection law that provides independent scrutiny of government surveillance to ensure any interference with the right to privacy is necessary and proportionate, Human Rights Watch says, but it will not be in the interest of the governments.

It would be more useful to discuss whether the draft law proposed to protect children online instead of concentrating merely on physical harm etc. Does it protect children from the many forms of exploitation that they may face through the misuse of their data, such as discrimination, mental injury, or economic or sexual exploitation? Does it provide specific legal remedies for children seeking justice and redress for the violation of their rights in the digital environment? This is a real sensitive question rightly being asked. The government has to take care of this aspect.

Protecting a child's best interests encompasses more than protecting them from harm. Consistent with the United Nations Convention on the Rights of the Child, children are entitled to special safeguards and care, including legal protections, at all stages of their lives. The government should recognize and protect children's data and their use of technology to empower children to realize the full range of their rights, including those to privacy, expression, thought, association, and access to information. HRW is right in demanding the same.

As the Rights group says if the government amends the bill to require that all actors apply the highest levels of privacy protections to children's data, it would be better. The government should also require any processing of children's data to meet strict requirements of necessity and proportionality, regardless of consent. Digital surveillance or automated processing of children's data should not be routine, indiscriminate, or without the child's knowledge or right to refuse. The law should also establish effective remedial judicial and nonjudicial mechanisms specifically for the violations of children's rights relating to the digital environment.

Anyway, the debate shall continue on what is right and what is wrong in the fast-paced world. The concerns expressed by such groups could be genuine, yet when terrorism is also making use of technology as never before and devising new ways to attack humanity, governments tend to close in. Rights become the first casualty in such an environment. Mutual trust and cooperation between the government and the civil groups alone would lead to course-correction in the best interest of the nation. The governments too must listen to the people's voices in allaying their fears and apprehensions. Data protection and Rights protection could go hand in hand if only some sensitivity is displayed in evolving systems in the country.