Apar Gupta: 'There is no proposal within this data protection framework, to reform surveillance laws in India.'
'Bill on data gives little to citizens, too much to State'
Civil Society News, New Delhi
Right through the debate on Aadhaar, the absence of a law on data protection found repeated mention. When the Supreme Court weighed in, it set up the Justice B.N. Srikrishna Committee to this specific end.
Finally, the committee’s report and draft law and the government’s Bill in the Lok Sabha have arrived, but how much better off are ordinary folk who have to deal with the authorities on the one hand and powerful private businesses on the other?
Not much better off, says Apar Gupta, executive director of the Internet Freedom Foundation, who has put on hold his private practice as a lawyer to be an activist in the digital space.
The law is a welcome step forward but it does little to address many of the problems that exist because of the all-pervasive access to personal data, which is then open to misuse.
Gupta spoke to Civil Society at his office in Delhi from where the Internet Freedom Foundation currently operates till it shifts to its own premises in preparation for the many battles that lie ahead.
Recently we read about how the privacy of journalists and activists was violated by a spyware called Pegasus. Now a Data Protection Bill has been drafted by the Union government. How do you rate this Bill? Does it protect the personal data of individuals?
First of all, we need to understand the centrality of personal data. In an increasingly digitised society each element of our daily activity generates data since it intersects, in some way or the other, with a process that leads to the collection and creation of personal data. Secondly, the entitlements and disabilities which are, as a result, visited on us as individuals are then on the basis of personal data.
So data has become central to our welfare as human beings, to our mental health, physical entitlements, our bodies, and our relationships with other human beings, including family, friends and foes, and also in all professional settings, trade and commerce. Briefly, data is central to our existence today.
We need to look at whether the legal system by itself has adequate protection and what are the protections that are actually needed. The one central goal such protections should serve is to protect the individual and give you a sense of control over your own life, autonomy and dignity. So if your data is used in a way in which it classifies you as a person with certain attributes, does that violate your autonomy and ability to make choices that concern you?
These core features were articulated by the Supreme Court in 2017 by a nine-judge bench in the Right to Privacy judgment on August 24.
The Court noted that to provide a framework that can make the high principles of the Constitution actionable we need legislation that lists specific protections including restrictions on the government and private bodies. We also need a regulatory body which can come up, first, with ways to make such protections actionable; and secondly — since this is a large area — a great degree of specificity and guidance for different stakeholders such as corporations, small and midsize businesses, NGOs, non-profits or the government itself.
So you need practice guidelines on how these entities can use your data within these protections and limitations. There should also be a system of providing remedy to an individual. If limitations and protections are not respected by people using our personal data, it should be possible to hold them to account and place deterrent mechanisms. Individuals should finally have proactive control, a place to complain and obtain remedy. This is a revolutionary act of legislation. Just like how labour and environmental standards followed industrialisation, data protection today grows out of digitisation.
And does the Draft Protection Bill do all this?
Yes, but only to a degree of insufficiency. It is a warm blanket that fails to cover the head and the limbs. The draft Bill made available recently has several core defects. It is a regressive departure from the base version, which was the output of the Justice Srikrishna Committee set up by the Ministry of Electronics and Information Technology late last year. Even this committee made grievous errors, which have now been compounded by the government draft that has been introduced in the Lok Sabha and is now before a joint parliamentary committee headed by Meenakshi Lekhi.
The Justice Srikrishna Committee gave two outcome documents. The first was an expert committee report and the second was a draft data protection Bill. There are specific omissions and conflicts within the Bill when you look at it from a rights-based perspective, which means protection of the individual.
First, the process. The draft version of the Bill has been baked in secret. So we lack a degree of transparency throughout its drafting process. After the Justice Srikrishna Committee submitted its version of the Bill the government opened up public consultation. Stakeholders sent in comments. Yet these comments, and the responses to them by the government, were not made public. It lacked any substantive transparency.
We also know through press leaks that the relevant government ministries invited private stakeholder meetings. Who met them, what submissions were made and how changes were carried out remain unanswered questions. Further, when the Data Protection Bill was introduced in Parliament it should have ideally gone to a Standing Committee that is constituted as a standing body that is already looking at the issue of personal data and citizens' privacy. However, in a peculiar departure from process, the government, within minutes of its introduction, formulated a separate joint parliamentary committee and proposed members. These moves do not inspire confidence.
Now, coming to the substance, the text of the Bill has very severe lacunae. For instance, it doesn’t deal with any kind of surveillance reform. It only deals with data protection. Data protection conventionally deals only with issues arising when a data collector or processor takes your data with your consent. It does not apply to those circumstances where your data is collected, aggregated and utilised without your consent but is legally permitted. When data is utilised without your consent, but is legally permitted, it is called surveillance. When it is done with your consent then there are additional protections called ‘data protection’.
So, the Srikrishna Committee only looked at data protection. Although the report says surveillance, it does not deal with instances such as the NSO group Pegasus hack. It does not deal with instances when the government asks foreign platforms for our personal data for putting people under surveillance. It does not apply any kind of measures when the government may be surveilling us or even in cases where they may be seeking this information from a third party. This is why, according to us, that (Srikrishna draft) Bill is incomplete and deficient.
This problem is further compounded by the Data Protection Bill introduced by the government. It allows the government to exempt any government department from its application. This is incredible because here arguably even departments which are expected to obtain consent for collecting and processing personal data with consent can fall completely outside the Bill’s ambit.
The government is asking for sensitive personal data to be stored locally in India. Does this protect the individual?
The government wants data, which is classified as sensitive personal data, to be stored locally in India. Such data requires a higher degree of protection. The mere siting of this data will not automatically give a higher degree of protection.
Let us presume data can be nationally segregated and stored in servers in India. This presumes capacity for identification and then cost, where the data processor is able to, after identifying nationality, store it in India — then are there enough servers in India, and, further, security. A lot of all this is lacking. So if our data is kept here and we don’t have any surveillance reform, instances such as Pegasus can happen. There is no proposal, within this data protection framework, to reform surveillance laws in India. In fact, it contains a dangerous power for the government to exempt itself.
At best what this draft is doing is making the job of the government much easier in requesting our data because it can strong-arm and muscle its way since the data is being stored in India.
So it is the State versus the individual. How do you protect the citizen? The State also has the biggest database of citizens in the world in the Aadhaar database.
I think the way we look at personal data has to be from the perspective of theories of power, which place the individual at the centre. Digital rights groups have quite often drawn inspiration from the panopticon proposed by Jeremy Bentham — a central guard tower in the architecture of a prison. All the prisoners are visible at all times to a guard who sits in the tower. Even if the guard is unable to view all prisoners at all times, the prisoners cannot observe the guard and so they always presume that they are under watch. It causes a change in their behaviour. They believe they are being policed all the time. Of course, Foucault developed this much further.
So I think what is being created today are more and more digital panopticons in which people will be observed at all points of time. All elements of their behaviour, socially and digitally, will be catalogued, indexed, profiled, surveyed — leading to terrible outcomes. It can be associated with a degree of profiling which is already taking place for the availability of several services because there is a large amount of commercial interest attached to this kind of activity.
So surveillance won’t apply only to dissidents, activists or civil society actors who work on rights-based issues or challenge the over-breadth of government power. It will apply to every ordinary Indian citizen who seeks to avail of perhaps an insurance product that requires him or her to submit consent for their digital record. Or a request for their dietary habits and patterns which can be easily queried from the many food delivery apps which reside in our phones.
It can, and is already being used by algorithms, for micro-lending services which are offering credit on the basis of personal data. Even if they are not basing it only on personal data, it is one of the elements they use to assess risk. It will be used by political parties to spend immense amounts of money to micro-target specific messages based on your online profile to make you vote for them. In sum it will control your mind, body and wallet.
How do you address that?
You do that through legislative intervention. Whenever there are market failures, which happen in how our society operates on the basis of informational transactions, there needs to be an intervention to correct these imbalances. We often talk about incentives and law is an important measure to create a system or a framework to make a society work towards its constitutional goals. That is why data protection that protects the individual — not the State or a corporation — is so important.
In several respects the present Bill does not do that. For example, there is no provision within the Bill to ensure that legal impacts on the basis of data collection and processing are assessed by a data impact assessment — how data collection and processing will impact rights. This is a provision in Europe’s General Data Protection Regulation.
It was absent in the draft that was proposed by Justice Srikrishna. Legal impacts cannot disqualify people, who are otherwise qualified, to avail of a government subsidy or benefit such as their monthly rations, cooking fuel, or an education entitlement. These would be core deficiencies which would manifest in communities that are disadvantaged and already lack social power and education to negotiate once the system fails them. They don’t have systems to even seek formal legal remedy.
There is no grievance redressal system.
Yes and that’s why this provision is very important. This is lacking right now in the Bill. Also, the Internet Freedom Foundation, along with civil society actors, has actually put together a draft which has been filed as a private member’s Bill first by Dr Shashi Tharoor in the (monsoon) session of Parliament and been introduced in this session of Parliament, and the second is by Dr Ravi Kumar of the DMK, which is a much more developed draft with the same level of political principles to provide this level of protection. So our parliamentarians have been engaging quite actively on this issue and are keenly aware of the impact of the Data Protection Bill.
Another provision, which has been missing from the government’s proposals till date, has been to notify the individual in case data and security are breached in an unauthorised manner. Rather, the government wants such notification to be given to the Data Protection Authority. This is a repeated theme in the structure of the government Bill, which reduces the accountability of those who hold our personal data and our rights over them.
If your login details are stolen from your bank account, at present, the bank is under no level of obligation to inform you because there is no regulatory requirement. Such a system is certainly inequitable. It is in the interest of the bank to maintain its credibility and trust with all its customers by disclosing such a breach to its customers.
We are living in a society where people who view data in a very transactional manner call it the new oil, an analogy that equates it to commerce. So not to have protection or even notify a person, whose data is leaked or breached or runs the immense risk of identity theft and financial frauds, is symptomatic of a deeply inequitable and shortsighted system. Data, in many ways, is the extension and a catalogue of our personality. Each individual has an inherent and natural right over it. This is primarily valuable not because it is an item of commerce, but because it holds immense power and control over the people to whom it relates.
We tend to worry about the State. But if you see the number of companies doing surveillance on you and me, in a continuous flow, this requires a concept of governance to which we haven’t managed to evolve.
We need data protection. Quite often the argument being made is that because there are large platforms in Silicon Valley companies, which are gathering our data pervasively, let the government gather more data and create a public database of individuals, which will then be available for Indian companies. Such reasoning is absurd and is an expression of a competitive race to the bottom. A democratic republic should not take lessons from exploitative foreign companies, but instead construct its own constitutional values.
Unfortunately, there is a fundamental disconnect to this in the present policy pronouncements. India’s response has been to make a tepid data protection law, which does not rein in pervasive data collection. The question is how do we still use these platforms and get back control and choice? That conversation is not happening. I completely agree that the private sector is actually profiling us much more than the government. They need to be held to account. Finally, who do I look to in terms of a remedy? Who do I pay my taxes to? Who do I look towards to govern and correct these malpractices? I am a citizen of India. I am not a citizen of Google.
What would you say about the creators of this system, all of whom come out of the private sector?
The private sector is deeply aware of this argument and more introspective than it was even a few months ago. The first reason is that there is a great deal of criticism of this model of pervasive personal data collection.
Founders have a desire to create companies and products, which will be trusted by their users. These are largely people who are very well educated with a high degree of ambition. They want to be remembered as people who created something of value, of use and convenience and provided employment to a large number of people and were thereby recognised by society as creators. I think it is this status that is under stress today.
The challenge for them is to take a system which has commoditised personal data and shift it to alternative systems of value creation in which they can discover and sustain these large businesses. If you see some of their Twitter feeds they are quite open to criticism and respectful of individual privacy. Silicon Valley founders and even our local founders in Bangalore are having introspective conversations with each other. It’s not an amoral industry. They don’t want to be seen as tobacco companies in the larger course of history but as innovators and value providers to society.
The second and more immediate criticism which is leading to introspection is the fracture of trust between users and the platform that gathers their data. If users lose trust in you they will shift to another platform as soon as they can.