India’s long-awaited national data protection law, the Personal Data Protection Bill, is under inspection by a joint parliamentary committee. The bill has yet to be adopted as a law, and could potentially change in form before it is, but at the moment looks to become one of the world’s strongest pieces of legislation of this nature. At least in terms of the way it regulates private companies; privacy advocates are voicing opposition to the fact that it makes broad exceptions for government agencies, such that they would have essentially unfettered access to personal data with little oversight. Private companies are also objecting to the terms, which stipulate fines and costs they feel are too high.
A privacy bill that doesn’t work for privacy advocates
Privacy advocates point out that lax government handling of personal data has been as much or more of a problem than its use by tech and marketing companies. In 2019, the Indian government sold the driver’s license and vehicle information of most of the population to 87 companies. This followed a 2018 breach of the country’s Aadhar national identification system, which exposed ID numbers and bank details of millions of citizens. Individuals began selling illicit access to some of this information for trivial amounts of money.
The country’s largest nuclear power plant (Kudankulam) and the Indian Space Research Organisation were also successfully phished by attackers, both believed to have been targeted by North Korean state-sponsored hacking groups.
The main problem that privacy advocates have with the new data protection law is that it allows the government to exempt itself from the requirements. Any government agency can be granted exemption from the data protection law for a variety of fairly vague reasons. These include “preventing incitement,” “in the interest of sovereignty and integrity of India,” “breakdown of public order” or “friendly relations with foreign states” among other examples. There is no judicial oversight of this exemption process, nor is any kind of independent organization included in the data protection law.
In addition to the possibility of future incidents of government corruption and sale of collected personal information to private parties, privacy advocates note the tensions over anti-Muslim sentiment that have erupted into violence and riots at times. Privacy advocates are concerned that these government exemptions will grant free license to agencies to create tracking and surveillance programs, something that the current Modi government has expressed support for to track the country’s Muslim population.
Another factor is the recent announcement that the Indian government is going to create a single centralized facial recognition database accessible to the country’s law enforcement agencies. The system would be the largest in the world of its type, and would pull its biometric information from a wide variety of online and offline sources. Facial recognition software was put to use in a controversial way in December, when New Delhi police used it to screen participants at an immigration law protest rally. Privacy advocates have raised concerns about similarities to the mass surveillance state created for the Muslim minority population in China, particularly given that equipment from state-run Chinese contractor Hikvision is being imported to India to create this system.
Businesses also unhappy with the data protection law
Some major technology companies have already spoken out against the new data protection law. Mozilla noted that privacy protection could be compromised by government access. The Software Alliance, a lobbying firm that represents information technology giants such as IBM and Microsoft, specifically criticized the bill’s requirement that companies keep sensitive personal information about users on servers located in India. And social media companies have objected to the data protection law’s requirement that “voluntary identity verification” of users be made available, claiming it will be a massive drain on resources.
The new data protection law is stronger than the European Union’s General Data Protection Regulation (GDPR) in some ways. For example the “right to be forgotten” provisions, which allow users to force companies to delete personal information they have stored, allow individuals to go directly to the proposed Data Protection Authority to have this done rather than first going through a request process with the company hosting the data.
The Internet and Mobile Association of India has come out in opposition of the new data protection law, citing unacceptable costs that would be particularly burdensome on smaller businesses. The group also believes that the proposed licensing and certification process required of any company handling personal data will stifle tech entrepreneurship. A particular issue is the categories of personal data that must be stored in India, where servers and cloud services cost more than options in a number of other countries but may not be as reliable. This would be an extra burden on foreign companies.
The parliamentary panel is currently taking feedback on the bill. There is no specific timeline, but it would eventually require a majority vote from both of India’s parliamentary houses to become law.