‘Data Protection Bill can reduce the state’s surveillance powers'4 min read . Updated: 15 Aug 2020, 08:00 AM IST
A cyber security expert says the Bill, in its current form, balances the citizens rights to privacy and internet security
The Data Protection Bill, 2019 was introduced in the winter session of the Parliament last December. Considered the Indian equivalent of European Union’s landmark General Data Protection Regulation (GDPR), the bill lists the rules for data storage and sharing, and defines the rights citizens have on their personal information.
Some of the prominent features of the bill include the citizens’ ‘right to be forgotten’ online, categorises users’ personal data as ‘non-sensitive’, ‘sensitive’ and ‘critical’, and asks for websites take user consent before processing the data. The bill also gives powers to the government to allow for surveillance on grounds of “security of state, public order, sovereignty and integrity of India, and friendly relations with foreign states," a provision much criticised by the privacy activists.
After the bill was introduced, the Indian Express quoted government sources saying they were open to the “widest debate on the bill". A joint parliamentary committee (JPC) was set up, and stakeholders were invited to send feedback. The final report is expected to be submitted in the upcoming monsoon session of Parliament.
Vijayshankara Nagaraja Rao is among the board of directors at the Foundation of Data Protection Professionals in India (FDPPI), a Bengaluru-based non-profit consisting of over 100 members from the IT sector and the legal fraternity. A cyber security expert, Rao made a presentation before the JPC earlier this week on the FDPPI’s concerns and recommendations on the bill.
In an interview with Mint, he explained how the bill balances the demands of citizen privacy. The provisions in the bill, he said, if implemented in the right spirit, can help limit state overreach.
What’s your take on the provisions in the bill?
Privacy legislation is always a complicated legislation. You have to balance the interest of privacy activists who want their rights protected, business people who want total freedom so they can exploit, and the government that wants as much control as possible. The preamble of the bill recognizes these three stakeholders. Whatever you do, someone will be happy and someone won’t be. That’s what is playing out here. But overall, I think they’ve done reasonably well.
How does this bill compare with its counterparts in the West, like the General Data Protection Regulation (GDPR) in the European Union?
GDPR has principles of processing. So do we. GDPR has rights [for citizens]. So do we. Except that, in the ‘right to forget’, we are a little more circumspect than the EU. In EU, it’s more or less automatic. In India, we say it is subject to adjudicator’s decision, which is a quasi judicial authority that can take decision on this. This reduces the burden on the judiciary. If the adjudicator’s decision is not acceptable, one can approach an appellate tribunal. If that’s not acceptable, one can approach the courts.
There are concerns that some of the provisions in the bill allow for significant state surveillance.
The Bill will empower government for certain things. Section 35 and 36 allows certain security agencies to process data for surveillance. They are, however, not allowed to misuse this data.
Article 19 of the Constitution also provides reasonable restrictions, where the government allows itself similar exemptions in cases of ‘decency’, ‘morality’, ‘defamation’. Based on the constitution, the government can use ‘incitement to offence’ and ‘public order’ for surveillance. These terms are generic and can be misused.
As per this Bill, the offence has to be related to matters of ‘national security, sovereignty, integrity of the state’, not things like ‘decency’. So in my view, this reduces the surveillance powers of the government.
One of the reasons for concern is the possible broad interpretation of ‘integrity of state’.
I understand. But some parts in the Indian Penal Code also give draconian power to the police. Even they misuse it many times. This is more reflective of persons in charge of the legislation. We can only have deterrence. Likewise, you can’t omit this law on speculative grounds, saying the government might misuse it. The law can provide a framework. If someone wants to misuse it, punish them separately.
How desirable do you think data localisation is, as mentioned in the Bill?
Right now, there is no data localization in the legislation. ‘Non-sensitive personal information’ can be transferred, so can the ‘sensitive information’, subject to explicit consent. Only ‘critical information’ cannot be transferred but we don’t know what constitutes that. There is no restriction on transfer of data.
When we’re talking of having one data centre in India, it will act as a back-up data centre. There is an economic cost for businesses. But I don’t believe the industry will suffer.
Will having a data copy in India affect the way a law enforcement agency can access a person’s data?
For a law-enforcement agency to access someone’s data, it needs to be for law-enforcement reasons. They have to send a notice, identify investigating officer, identify the reasons for which it is done, and tomorrow if police officer is going beyond their normal duty and collect the information, there’s always a possibility that the written request will be questioned in court of law. But if someone wants to ignore the procedures, that is what the private sector – the data centre owner – has to resist. Agencies can’t come and directly take away data.
Is there a possibility of misuse by state agencies, with data being more accessible than earlier?
I have been working in field of cyber crime for 20 years. When we want information for investigation, Google and others don’t give data. If you get an abusive or obnoxious email, you’d need the IP address to find out who sent it. But they will often not reveal the address. In a way, they’re protecting the abuser. I don’t buy this idea that if data is in India, there will be a problem. I don’t trust Facebook or Google.The possibility of misuse exists but both arguments have to be considered on a case-by-case basis.