Ugly Sides of Data Protection Bill and Fallacies of JPC Report

The much-awaited Joint Parliamentary Committee’s report on the country's first comprehensive data protection law has been tabled in the Parliament. After two years of intense deliberation and consultation, the report was finalised and adopted. The law, if passed, would regulate data collection, processing, and storage by data fiduciaries. 

The Bill, now being called the Data Protection Bill instead of the Personal Data Protection Bill, is likely to be re-introduced for debate along with the committee's report. Since the recommendations of parliamentary committees are not binding, only the bill would be taken up for a vote.

On several counts, the Bill and the JPC’s recommendations are riddled with a myriad of problems. There are several pitfalls and ugly dimensions of the committee’s recommendations.

For one, the social media platforms are to be treated as publishers and be regulated for the content they host.

Till now, the social media platforms have enjoyed a legal immunity called the ‘safe harbour’ through a  provision contained in the Information Technology Act. However, the Committee seems to be stringently pushing to lift this protection by proposing to treat some “platforms” as “publishers” and hence, taking away their legal immunity. 

If this proposed recommendation seeps into the bills, it will dilute the protections guaranteed under Section 79 of the IT Act, which shields all intermediaries from liability for content third-party users “post” on their platform, provided they observe due diligence. By a plain reading of the bill, it is unclear which social media platforms will remain intermediaries and which ones will be treated as content publishers.

The Committee believes that these “platforms” can review the content, select the receiver of the content, and exercise control over the access to any such content hosted by them. What escaped the minds of the honourable members of the panel was the degree of control that these platforms can practically exercise to regulate the content hosted by them, considering the enormous volume of content on these platforms. 

Further, the Committee proposes that all social media platforms notified as significant data fiduciary shall implement a mechanism to enable their users to voluntarily verify their accounts by submitting necessary documents. Such verified accounts shall be provided with a visible mark of verification. 

In the same breath, the committee wants the government to penalise these platforms for the third-party content from unverified accounts hosted on their platforms. This ironically translates to platforms forcing all of their users to mandatorily verify their accounts and not “voluntarily” as contained in the latest intermediary guidelines. 

Unarguably, divulging sensitive documents to social media giants would lead to characteristic profiling of users by them, which fundamentally violates the very objective of the proposed law.

The recommendation also mentions that all social media platforms need a physical office in India. This requirement was only applicable to significant social media intermediaries with more than five lakh registered users, according to the New Intermediary Guideline rules notified in February 2021. 

Anonymity is a double-edged sword. On one side, anonymity is used to troll, abuse and spread disinformation; at the same, it also ensures safety to those experiencing abuse and disinformation. Can we imagine a successful movement like #Metoo, which was grounded on the victims’ recourse to anonymity in India, at least? It is also a vital safeguard for whistleblowers and victims of hate crimes.

If this legal framework comes into play and the government puts its foot down to force social media platforms to regulate content hosted by them and verify their users, it would only result in the stifling of critical voices in the free space on the Internet. 

We have witnessed how a top-down government approach to regulate free speech on social media has only led to the criminalising of dissent. The arrest of 21-year-old climate activist, Disha Ravi for sharing a "toolkit" on social media related to the farmers' protest, is still afresh in our minds. The same government had requested Twitter to take down tweets carrying the hashtag #ModiMadeDisaster in wake of the second wave of Covid-19. Consequently, the platform withheld from public viewing around 50 tweets critical of the government’s handling of the pandemic; even tweets by officially verified accounts of opposition party leaders were not spared.

This unwarranted social media regulation in a bill seeking to protect data breaches seems highly misplaced. Also, it appears that the committee did not deal with the technical challenges of automatic hate speech detection and reasonable steps taken by the platforms to curb “unlawful” content while making such unrealistic recommendations.

All the while, the major concern of privacy advocates and other stakeholders around overarching powers of the State to exempt any government agency from the purview of the Bill continues to persist and remains untouched in the panel’s report. 

Data Localisation

The Committee has again rallied for data localisation, contrary to civil society’s advice to drop it from the legislation. Localisation refers to the physical storage of data within a country’s territorial boundaries and a barrier to cross-border data transfers. The JPC, in unclear terms, has proposed mandatory “mirroring” of “sensitive” and “critical” data stored overseas. To keep the chaos afloat, the committee did not bother to recommend defining what constitutes “critical personal data” in the bill while also leaving some scope for the central government to categorise any personal data as sensitive personal data under clauses 15 and 3(36)(xii).

The committee believes that localisation will equip the government with greater control over the data fiduciaries with respect to securing domestic legal compliance. However, civil societies and privacy advocates believe otherwise. They argue that the localisation would trigger enhanced and inevitable state-sponsored surveillance. 

Prasanth Sugathan, legal director at SFLC.in, says that "Data localisation could affect the principles of the open internet and the way the Internet functions. If every country starts coming up with data localisation requirements, the promise of a borderless digital space will be lost. Moreover, unless there are stringent safeguards protecting citizens from digital surveillance, localisation could lead to large scale surveillance by governments."

The committee has also proposed sweeping powers to the government to exempt any law enforcement from the bill’s purview. A combined reading of the two recommendations of the report makes the committee’s intention clear that it wants the Indian law enforcement agencies to have unbridled powers to access data concerning its citizens. What makes it worse is that small foreign entities, MSMEs, and non-governmental organisations engaged in the development sector and working directly or with partner organisations would be forced to bear the increased cost of storing their data in India. The heavy financial burden may run these organisations out of business. 

To further complicate the matter, the committee has placed undue reliance on the economic aspect as one of the reasons for mandatory data localisation. The concerns of privacy and the compelling concern of unchecked State surveillance have taken a backseat. It is silly that the Committee wants data about Indians to be protected from foreign entities; hence, it must be brought to India only to be surveilled by the government. Not long ago, the Indian state was alleged to be illegally snooping on its citizens using Pegasus spyware. There have been multiple other serious allegations against the current ambitious regime of spying and carrying out political surveillance in the name of national security. 

 Age of Consent

Concerning the age of consent, the Committee has accepted the definition of a child as anyone under the age of 18 despite civil society and child right activist expressing their dismay over it. The Committee argued that the age of consent in the bill should be consistent with the age of majority in the Indian Contract Act. No doubt that the safety of children is paramount. However, the blanket age to consent to access all Internet-based services is unjustified.  

The Committee has unnecessarily mixed up the legal age to enter into a valid contract and age to consent to access Internet-based services. On one side, the parliament has legislated the Child Labour Amendment (Prohibition and Regulation) Act, 2016 which diverges from the India Contract Act, wherein children below the age of 18 can be employed in non-hazardous occupations and processes. Neither legal age to contract with employer nor consent of guardian finds any mention in the Act which attempts to legalise child labour. On the other side, the government wants to take away the agency of the children to access the internet and entrust it to the parents assuming that the latter would understand well what they are consenting, ignoring the social, cultural and educational realities of the county.

The Internet has provided an avenue for children, especially girls, to express themselves in a way that may not be acceptable to many parents. In much simpler words, privacy is a myth in classical Indian families. Asking a parent to consent on behalf of children in a patriarchal setup would not only be adversarial for the privacy of women but also result in gender disparity when it comes to access to the Internet. Woes of Edtech companies and NGOs over restricting the processing of data with one umbrella legislation that covers both the educational and non-educational, and child welfare institutions is another major concern.

Processing of Personal Data without Consent

It was unanticipated that a highly contentious provision laid in Clause 12 of the draft bill that provides for data processing without the consent of individuals would not be deliberated upon by the committee.

An equally notable flaw of the committee’s report is not deliberating Clause 35 in the light of allegations of illegal snooping by the government using Israeli software Pegasus. Clause 35 of the bill provides blanket exemptions to the government to access personal data. If both the clauses are read together, it would mean that any government agency can be kept out of the purview of the law to have unrestricted access to personal data, and thus creating a powerful surveillance state. In other words, surveillance projects like the national facial program would be no more a dream project for the government, rather a reality. 

The government is provided with unbridled powers to infringe on the privacy of citizens based on its personal satisfaction and interpretation of the words “public order”, "national sovereignty”, “integrity and security of the nation".

Even the Srikrishna Committee Report acknowledged that unfettered access to the government of personal data, without any judicial or parliamentary overweight or robust safeguard mechanisms as propounded in the landmark Puttuswamy judgment of the Supreme Court, is against the constitutional values. 

Further, the power to exempt any government agency from applying the Bill is not entrusted with the Data Protection Authority (whose membership and composition of selection committee forming it is also contentious), the body tasked with enforcement of the proposed law. Instead, the Centre has the power to notify such agencies for the reasons to be recorded in writing.  

The unanimous verdict of the nine-judge bench in the Puttuswamy case that reaffirmed the fundamental right of privacy, laid down four conditions that are to be met by the State while impinging on its subject’s privacy; these are, namely, the action of the state must be sanctioned by law, it must be necessary, it must be proportionate to the necessity, and it must have procedural guarantees against abuse of such interference. 

If the report is to be read liberally, without applying critical mind, it can be said that the draft bill meets only three of the four and misses out on the major condition, i.e., a procedural mechanism to check the abuse of power. The political aspiration of the state has subsumed concerns of the privacy of its subjects. It seems the committee wants the government to do, by means of legislation meant for the protection of personal data, exactly opposite of what it seeks to prevent private entities from doing.

Further, the report stays silent on the period of the exemption as if it wants the government to have the power to exempt enforcement agencies in perpetuity. Such indefinite exemptions do not seem to go well with the Puttuswamy judgment, which declared privacy as a fundamental right.

It cannot be stressed enough that the biggest threat to individual privacy is within the geographical boundaries of our nation.An indefinite blanket exemption under Clause 35 and unrestricted access to personal data without data principal's consent for maintaining "public order" under clause 12 needs a rethink.

Independence and Accountability of Data Protection Authority 

No one should be a judge in his/her own cause, is a fundamental and pervasive part of natural law, however, it seems to be in tatters in the present law. The Data Protection Authority (DPA), a body that would be created under the proposed law for its enforcement, is not independent of the State. The DPA, in its formation and membership, forms part of the government, which is one of the possible offenders under the proposed law. 

The draft bill proposes a seven-member Data Protection Authority headed by a Chairperson. The Chairperson and the members would be nominated by a seven-member selection committee to the Centre. The selection committee is lopsided towards the Centre in its formation as six out of seven members are officers either appointed by the Centre or serving at its pleasure. The long-pending demand of the civil society that at least one member in the Committee should either be a law expert or from the judiciary was met by the Committee by including the Attorney General of India, who is a law officer of the Centre itself. 

To create a solid and accountable data protection authority, the diversity and independence of members are indispensable. Further, there is no mention of representation from civil society in both authority and its selection committee in clear terms. Thus, for effective implementation of the proposed data protection law and to make it abundantly independent, the composition of the authority must have been defined in the draft bill, rather than leaving it to the selection committee, which itself has been proposed in a manner to make it an extended arm of the government.

Several civil societies, including the Software Freedom Law Center, India, had written to the committee chairperson requesting them to have a wider consultation process which includes civil societies.