BackA good privacy law could fend off Chinese-style surveillance
India’s redrafted bill must not end up worse than the spiked version
PremiumAfter five years of negotiations involving the government, tech firms and civil society activists, India sent its privacy debate back to the drawing board. The government has junked the personal data protection bill and decided to replace it with “a comprehensive legal framework." Nobody knows what the revamped regime will contain—whether it will put individuals first, like in Europe, or promote vested interests, like in China.
Back in 2017, India’s liberals were hopeful. That July, New Delhi set up a panel under retired Justice B.N. Srikrishna to frame data protection norms. The very next month, the apex court held privacy to be a part of the constitutional right to life and liberty. But the optimism faded. The law introduced in Parliament in 2019 gave the government unfettered access to personal data in the name of sovereignty and public order—a move that will “turn India into an Orwellian State," Srikrishna cautioned.
Those fears are coming true even without a privacy law. Razorpay, a payment gateway, was compelled by the police recently to supply data on donors to fact-checker AltNews. Although the records were obtained legally, there was no safeguard against their misuse.
The debate’s backdrop has changed. Six years ago, most people had feature phones, but by 2026, India will have 1 billion smartphone users and the consumer digital economy is poised for a 10-fold surge this decade to $800 billion. To get a loan from the private sector or a subsidy from the state, citizens need to part with far too much personal data: Dodgy lending apps ask for access to contact lists. The Narendra Modi government manages the world’s largest repository of biometric data and has used it to distribute $300 billion in benefits directly to voters. Rapid digitization without a strong data protection framework is leaving the public vulnerable to exploitation.
Europe’s general data protection regulation isn’t perfect. But at least it holds natural persons to be the owners of their names, email addresses, location, ethnicity, gender, religious beliefs, biometric markers and political opinion. Instead of following that approach, India sought to give the state an upper hand against both individuals and private-sector data collectors. Large global tech firms were concerned about the now-dropped bill’s insistence on storing “critical" personal data only in India for national security reasons. Localization gets in the way of efficient cross-border data storage and processing.
Still, the scrapping of India’s bill will bring little cheer to Big Tech if its replacement turns out to be even more draconian. Both Twitter and WhatsApp have initiated legal proceedings against the government—the former against “arbitrary" directions to block handles or take down content and the latter against demands to make encrypted messages traceable.
For individuals, a risk is an authoritarian tilt in India’s politics. The revamped framework may accord even less protection to citizens from a [potential] mix of surveillance state and surveillance capitalism than the abandoned law. According to the government, it was the 81 amendments sought by a joint parliamentary panel that made the current bill untenable. One such demand was to exempt any government department from privacy regulations as long as New Delhi is satisfied and state agencies follow just, fair, reasonable and proportionate procedures. That’s too much of a carte blanche. To prove overreach, for instance in the AltNews donors case, citizens would have to mount expensive legal battles.
Minority groups in India have the most at stake. S.Q. Masood, an activist in Hyderabad, sued the state of Telangana after the police stopped him on the street during the covid lockdown, asked him to remove his mask and took a picture. “Being Muslim and having worked with minority groups that are frequently targeted by the police, I’m concerned that my photo could be matched wrongly and that I could be harassed," Masood was cited as saying. The zeal with which authorities are embracing technologies to profile individuals by pulling information scattered across databases suggests a hankering for command and control.
The abandoned data protection legislation also wanted to allow voluntary verification of social-media users, ostensibly to check fake news. But as researchers at the Internet Freedom Foundation have pointed out, collection of identity documents by platforms like Facebook would leave users vulnerable to more sophisticated surveillance and commercial exploitation. Worse, what starts out as voluntary may become mandatory if platforms start denying some services without identity checks, depriving whistle-blowers and political dissidents of the right to anonymity. Since that wasn’t exactly a bug in the rejected law, expect it to be a feature of India’s upcoming privacy regime as well.
Andy Mukherjee is a Bloomberg Opinion columnist covering industrial companies and financial services in Asia.
Unlock a world of Benefits! From insightful newsletters to real-time stock tracking, breaking news and a personalized newsfeed – it's all here, just a click away! Login Now!
