The Narendra Modi government has been aggressively pushing a digital agenda, which is noble in intent but flawed in purpose. Digital records of citizens enable the poorest of the poor to gain access to a trove of social welfare benefits. But they also open the back door to an intrusive Big Brother who is able to scrape information collected by a wide variety of data aggregators that could circumvent the Supreme Court’s verdict that upheld the right to privacy. The personal data protection bill, which has been introduced in the Lok Sabha for the second time in as many years, has already set alarm bells ringing. The disturbing element is Clause 35 of the bill which empowers the government to declare that none of the provisions of the legislation will apply to any of its agencies if it is necessary or expedient to provide such an exception in the interests of sovereignty and integrity of India, the security of the State, public order and the need to maintain friendly relations with foreign nations. This blanket exception, which is not circumscribed by any rule of procedure, strikes at the very heart of the concept of privacy and potentially furthers the ambitions of a totalitarian State. In the original draft of the bill prepared by the B.N. Srikrishna Committee and introduced in Parliament last year, there was a provision that sandbagged such exceptions. “Processing of personal data in the interests of the security of the State,” it read, “shall not be permitted unless it is authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved.”
The latest bill requires businesses to protect personal data that they gather from users of their services. Data fiduciaries — entities that collect personal information and determine the purpose and means of processing it — must secure the consent of the individual before any kind of processing. Consent must be freely obtained and can be withdrawn at any time. The data fiduciary cannot make the provision of any goods or services conditional to consent to process personal data.
In principle, this sounds fine. In practice, there could be problems. Clause 20 provides for the right to be forgotten, which entitles an individual to restrict or prevent continued disclosure of personal data. But even this right can be exercised only on the basis of an order of an adjudicating officer to whom an application will have to be made. The bill also mandates tough data localization rules that could severely limit access to a range of services provided by global technology players, creating a situation where narrow-minded regulations overwhelm the advantages of innovation in a digital world.