Data Protection Bill Helps Transition to Credit Economy, Says Researcher
The Free Software Movement Karnataka (FSMK) organised a public meeting on the Digital Personal Data Protection Bill, 2022, on February 12. A small crowd of mostly techies gathered at the YWCA in Bengaluru to exchange their views on privacy, surveillance, data security and the new bill. Srinivas Kodali, a technology researcher, was invited to lead the discussion on the subject. The bill was placed in the public domain in November last year.
BRIEF HISTORY OF PRIVACY LAWS
Kodali says that in the aftermath of the Radia Tapes scandal, a committee was set up (by the UPA government) in 2011 headed by Justice AP Shah to look into aspects of privacy.
The Radia Tapes involved the phone tapping of a Public Relations (PR) executive called Niira Radia. Her conversations with senior journalists and her clients were subsequently leaked and published by Open Magazine and Outlook. Ratan Tata was one of those clients.
"The surveillance of industrialists was authorised with the due provision under the existing telecommunication laws. Tata challenged this and argued that even though the state could surveil him, leaking those conversations to the media was an invasion of his privacy."
With the Supreme Court looking into the fundamental right to privacy of citizens, the NDA government set up the Justice Srikrishna Committee in 2017 to submit a detailed report on privacy protections and draft the Personal Data Protection Bill.
Kodali says that the landmark Supreme Court judgement on privacy, i.e. Justice K.S. Puttaswamy (Retd) vs Union Of India And Ors (2017), was a guiding document for the Srikrishna Committee. He opines that while the draft bill (of the Srikrishna Committee) was good, it had drawbacks.
Addressing the audience, he said, "The problem there was that they confined themselves to data protection and did not look into surveillance reforms. When we talk about the fundamental right to privacy, it's not limited to data protection, which is one aspect of privacy. There can be non-data-invasive ways of invading your privacy. (Digital) Information is one aspect. This bill looks at privacy from a technology (oriented) data protection lens. In that sense, it was incomplete. However, private companies opposed the (2018) draft. They argued that it was too complicated. So a new draft was drawn up. And the present bill is exactly what the private sector wants."
ISSUES WITH THE PRESENT BILL
The 'Data Principal' is the individual who shares data or to whom the data pertains, while a 'Data Fiduciary' is the person who determines the purpose and means of processing data, i.e. the person or entity that collects data. Kodali identifies certain key issues of the bill, including the concepts of 'deemed consent' and 'duties of data principal'.
Deemed consent means that even without explicitly signing a consent form, it is assumed that you have given consent to process personal data. Addressing this aspect, Kodali says, "The most concerning aspect of deemed consent is a subsection called 'in the public interest', which includes - 'for prevention and detection of fraud'. For example - an insurance company may want to know if you intend to commit fraud. So under this section, they can collect health data from a hospital about you and deny you insurance. You cannot even access what data has been obtained by them."
He further said, "'Recovery of debt' is also mentioned as 'Public interest' per this bill. We see loan apps following certain practices now where if you take a loan through a mobile app, they can access your contacts and private information and harass you to repay loans. They have full exemptions to collect this data now. They don't even need to ask your permission to collect this. Similarly, the bill cites credit scoring as public interest. Every aspect of your life is linked to your credit scores in the US. Aadhaar intended to replicate this. There is now credit scoring for farmers as well. The (Indian) economy is being transformed from a debit economy to a credit economy. And how do you create those credit profiles? You create a unique ID, collect data and do credit scoring. Deemed consent allows them to collect anything now."
Further, the Central and state governments are exempted from any obligations listed in the bill.
DUTIES OF DATA PRINCIPAL
Kodali continues, "The duties section of the bill comes with penalties. Let's say your data was misused. You can file a complaint as per the provisions of this bill. However, if the data protection board deems that you have filed a false or frivolous complaint, you can be fined. We faced something similar in 2021. The Free Software Movement of India (FSMI) brought to the attention of the Indian Computer Emergency Response Team (CERT-In) multiple data breaches at private and public companies. There were breaches at Domino's, Air India, Big Basket and Mobikwik. We asked CERT-In to act. They didn't respond. So we sent them a legal notice. They responded that we don't have any right to tell them what they should be doing."
EXCLUSION OF OFFLINE DATA
As the name suggests, the Digital Personal Data Protection Bill 2022 pertains only to digital data; offline data is still not regulated in India.
Speaking to NewsClick, Naveen Mudunuru, General Secretary of FSMK, says, "Only the Supreme Court's 2017 judgement on privacy and the Information Technology Act, 2000, define what data is. However, offline data is still not protected. In Bengaluru, we saw an organisation called Chilume going door to door collecting voter data from the public. This was a breach. There were many such scenarios. During the pandemic, the BBMP created a portal for COVID patient data. This was accessible to the general public. You could access the addresses and phone numbers of patients. FSMI had filed a complaint against the BBMP."
END OF ANONYMITY ON THE INTERNET
In a press release, FSMK says that the new bill penalises users if they sign up for digital platforms like Facebook, Twitter and WhatsApp with false information. It effectively ends anonymity on the internet.
Mudunuru elaborates on the objectives of the public meeting.
"We want to sensitise people on the importance of privacy and explain how the personal data of citizens is being kept under the ownership of the central government." Naveen also announced that FSMK would soon host a hackathon on 're-engineering digital India' to advocate for inclusive digital platforms.