India's New Data Protection Law: Censorship and Snooping Via Backdoor?
As a precursor to the Indian Telecommunication Bill, 2022, and the forthcoming Digital India Act, India's new Data Law, despite its pro-citizen provisions, has raised many red flags.
New Data Protection Law: Censorship and Surveillance Concerns
India's new data protection law, which the government claims has been enacted to protect the data and privacy of its citizens, might open a backdoor to surveillance and censorship. This apprehension is expressed not only by journalists and legal experts but also by civil society proponents. Piloted in the Ministry of Electronics and Information Technology (MEITY) by bureaucrat-turned-technocrat-turned-politician Ashwini Vaishnaw, the new law is awaiting the formalisation of the rules and regulations.
In this article, we examine both sides of the coin and suggest a middle path.
Introduction to the Digital Personal Data Protection Act, 2023 (DPDPA)
a.) Overview of the DPDPA
The Digital Personal Data Protection Act, 2023 (DPDPA), which received the Presidential assent on August 11, 2023, marks India's first comprehensive cross-sectoral data protection legislation. Its primary purpose is to establish a legal framework for safeguarding personal data while balancing individuals' right to privacy with the necessity of processing data for lawful purposes.
b.) Key Objectives of the DPDPA
The DPDPA aims to protect personal data from unauthorized access, use, and dissemination by regulating its processing and ensuring data is handled securely and transparently.
c.) Establishing a Privacy Framework
The Act seeks to create a coherent and comprehensive legal structure for data protection in the digital economy, acknowledging the significance of personal data protection in the digital age.
d.) Promoting Trust and Innovation
By protecting privacy, the DPDPA aims to foster trust in digital services and promote responsible data processing practices across sectors, which is crucial for enabling digital innovation and economic growth.
e.) Empowering Individuals
The Act grants individuals rights over their personal data, including the right to access, correct, and erase their information, giving people greater control over their data.
f.) Ensuring Accountability
The DPDPA imposes obligations on entities processing personal data regarding lawful basis, consent, purpose limitation, data security, and breach notification, establishing clear responsibilities for data handlers.
Statement of Intent
The statement of intent for the DPDPA underscores its mission to balance the protection of individual privacy with the facilitation of lawful data processing, benefiting both society and the economy.
Summary of the DPDPA's Goals
In summary, the DPDPA aims to provide a robust legal framework for data protection, enhance trust and innovation in the digital economy, empower individuals, and ensure accountability among data handlers. It strives to create a balanced ecosystem where personal data is safeguarded while still allowing its use for lawful purposes that benefit society and the economy.
Power of Government to Exempt
Introduction
Despite the stated objectives of the Digital Personal Data Protection Act, 2023 (DPDPA) to establish a comprehensive framework for data protection in India, one of its most contentious stipulations is the power to grant broad exemptions to government organisations. These exemptions allow the Central Government to essentially bypass the law on various grounds such as national security and public order, raising significant privacy concerns. The power to grant exemptions, which we discuss in the following section, fundamentally contradicts the spirit of data privacy.
Although the enactment has been passed by both houses of Parliament and has received presidential assent, it is yet to come into force; that is expected sometime this year, on a specific date to be notified in the Official Gazette. Industry observers expect this to coincide with the framing of the statutory rules under this law, which are currently being prepared and await wider consultation once the draft is officially released.
Scope of Exemptions
The DPDPA permits the Central Government to exempt its agencies from the law's application for reasons including national security, public order, and sovereignty. Critics argue that these broad and vaguely defined grounds could lead to misuse, facilitating mass surveillance and potentially identifying, profiling, and targeting individuals based on race, gender, religion, domicile, or caste, apart from otherwise infringing on the fundamental right to privacy.
While these exemptions are intended to address exceptional circumstances, it is crucial that they are applied judiciously and with strict oversight to prevent any potential abuse. The concern is that exempted organisations will have virtually unfettered powers, lacking any meaningful supervision, to handle citizens' personal data as they see fit. Instead of being custodians and protectors, these organisations could, through rogue employees or otherwise, become sources of harassment of the very citizens for whose welfare the data is collected. This scenario underscores the need for stringent checks and balances to ensure that the power to grant exemptions does not undermine the fundamental right to privacy.
Power to Block Content
Section 37: An Overview
Section 37 of the DPDPA empowers the government to block content "in the interest of the general public." This provision extends beyond the already controversial Section 69A of the IT Act (outlined at the end of this article), raising concerns over potential censorship. Although it is designed to be an exceptional measure, not a tool for routine intervention, legal experts opine that the language is very vague, creating a loophole waiting to be exploited. Furthermore, legal scrutiny would be impeded since the section is not clearly defined.
Impact on Free Speech
The Editors Guild of India and other press organisations have criticised this provision, suggesting it could be exploited to suppress dissent and censor online content arbitrarily. Such powers pose a threat to freedom of expression and the independence of the media. The government must ensure that these powers are exercised transparently and sparingly, with adequate checks and balances to protect free speech.
Unlimited Data Retention by Government
a.) Data Retention Concerns
Section 17(4) allows the government and its agencies to retain personal data indefinitely. When combined with the exemption powers, this provision could enable extensive data collection and storage without proper oversight or safeguards. This indefinite retention must be closely monitored to prevent potential overreach and to ensure data is handled responsibly.
b.) Implications for Privacy
Unlimited data retention raises significant privacy issues, as it could lead to the creation of extensive personal dossiers by the state, accessible indefinitely without due cause or consent from individuals. Ensuring robust oversight and clear regulations on data retention periods is essential to safeguard individual privacy rights.
Dilution of the Data Protection Board's Independence
a.) Structure and Appointments
The Data Protection Board, tasked with enforcing the DPDPA, is to be appointed by the central government. Members serve a short term of two years, with the possibility of reappointment. This structure has raised concerns about the Board's independence and its ability to function autonomously.
b.) Independence Concerns
Critics argue that this appointment structure undermines the Board's ability to act impartially and effectively hold the government accountable for data protection violations. Ensuring the Board's independence through longer terms and transparent appointment processes is vital for maintaining public trust and accountability.
Lack of Explicit User Rights
a.) Absence of Key Rights
Unlike other global data protection laws, the DPDPA does not explicitly grant users the right to data portability or the right to be forgotten. These omissions limit the control individuals have over their personal data.
b.) Impact on Users
Without these rights, individuals may find it challenging to manage their personal information, potentially leading to misuse or exploitation by data controllers. Providing explicit user rights is necessary to empower individuals and enhance their control over personal data.
Ambiguity Around Cross-Border Data Transfers
Provisions and Uncertainty
The DPDPA permits cross-border data transfers but gives the government the authority to restrict such transfers to certain countries. The lack of clear criteria for these restrictions creates uncertainty for businesses operating internationally.
Business Concerns
This ambiguity can complicate compliance efforts for businesses, leading to potential disruptions in global data flows and affecting international trade relations, if not the entire internet as an organic entity. Clear guidelines and criteria for cross-border data transfers are essential to provide businesses, within India and abroad, with the certainty they need to operate effectively.
Censorship Provisions?
a.) Section 37 and Media Freedom
Section 37's content-blocking powers are among the most direct censorship mechanisms within the DPDPA. The Press Club of India and other media bodies have expressed strong opposition, fearing these provisions could be used to silence the press and restrict free speech.
b.) Calls for Reform
There is a growing demand for the amendment or deletion of these provisions to protect press freedom and uphold democratic values. Ensuring that such powers are used only in exceptional and justified cases, with stringent oversight, is crucial for maintaining a healthy and democratic media environment.
A Step Forward with Caveats
The DPDPA represents a significant move towards a structured data protection regime in India. However, several provisions—related to government exemptions, censorship, data retention, and institutional independence—have raised serious concerns among stakeholders.
The Rise of Digital Payments and Associated Risks
a.) Increasing Exposure to Hackers
As India races towards digital payments and the delivery of services, consumers are increasingly exposed to the risk of hackers, who are becoming exceedingly sophisticated. In a country where "digital illiterates" number in the hundreds of millions, including those who are formally regarded as well-educated, there is a pressing need to educate consumers about the imminent dangers of hacking.
b.) Educating the Public
Consumers must be informed not to share their personal data, bank details, and credit card numbers, which many web-payment portals routinely request. Despite warnings and cautions issued by various ministries of the Government of India, the Reserve Bank of India (RBI), and the Securities and Exchange Board of India (SEBI), even tech-savvy youngsters can fall prey to such schemes.
c.) The Limitations of Data Protection Laws
No data protection law can fully safeguard consumers who are naive, ill-informed, or driven by greed to fall prey to hacking and phishing schemes. Effective consumer education and awareness are critical components in protecting against these digital threats.
Summing Up
a.) Procedural vs. Core Issues
While the statutory rules are still being drafted, stakeholders argue that the subordinate legislation can only address procedural requirements and cannot mitigate the questionable and contentious core provisions of the parent law. Minister Ashwini Vaishnaw has assured broad consultations, but it is crucial that the final framework ensures fair, just, and reasonable procedures in line with the Supreme Court's recent declaration of privacy as a fundamental right.
b.) Global Context and Stringency
It is worth emphasising that India is not the only country grappling with these complex issues of data security, data integrity, and data privacy. However, the Indian law is considered far more stringent than those in most of the world's liberal democracies.
c.) Stakeholder Concerns
The major stakeholders, especially the individual citizens, are not adequately heard, with the overall enactment being driven either by techno-bureaucrats of the Government of India or tech-czars, who undoubtedly favour a free hand in handling, processing, and disseminating data. The only voices of credible dissent come from press and journalist associations, who view the issue more from a censorship perspective than as a matter of data privacy that primarily concerns individual citizens.
d.) Ensuring Constitutionality and Public Trust
Failure to address these concerns could render the law unconstitutional and erode public trust in the data protection framework, and potentially lead to misuse and abuse, which would run contrary to the stated objectives of this enactment. To establish a balanced and effective data protection regime, India must, therefore, incorporate robust safeguards and address these contentious provisions.
Balancing Privacy and Security
In summary, the aforesaid approach will ensure that individual privacy is respected while simultaneously safeguarding national security and public safety. By doing so, India can set a precedent for a data protection framework that is both rigorous and fair, maintaining the delicate balance between state control and individual rights, including safeguards from unethical hackers.
Overview of Section 69A of the IT Act
Section 69A of the Information Technology Act, 2000, empowers the Central Government to block public access to online content on grounds related to national security, public order, and foreign relations. The grounds for invoking Section 69A include the sovereignty and integrity of India, the defense of India, security of the state, friendly relations with foreign states, public order, and preventing incitement to cognizable offenses. The blocking procedure and safeguards are detailed in the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009, requiring written reasons for blocking requests and maintaining confidentiality.
Constitutional Safeguards and Recent Usage
The Supreme Court upheld the constitutionality of Section 69A in the 2015 Shreya Singhal v. Union of India case, recognizing it as narrowly drawn with adequate safeguards. Blocking orders must be necessary, relate to subjects under Article 19(2) of the Constitution, be recorded in writing, and can be challenged through writ petitions. Recently, the government has used Section 69A to ban numerous mobile apps, mostly of Chinese origin, citing national security threats. High-profile bans include apps like PUBG and several loan apps. Twitter’s challenge of certain blocking orders in 2022-23 highlighted the tension between government powers and individual freedoms in the digital space.
Future of Section 69A Amidst Evolving Tech Laws
As India develops its tech law regime with new laws like the Digital Personal Data Protection Bill and Digital India Act, the provisions of Section 69A may evolve. Currently, Section 69A remains a powerful tool for the government to regulate online content in the interest of national security and public order, subject to the Supreme Court's safeguards.