Digital Data Protection Bill: An Eye on Whom?

TK Arun

It is welcome that the government has come out with a revised Digital Data Protection Bill 2022, which would help the industry carry on with business with some assurance as to the legality of their conduct, and help resolve disputes. Yet the bill needs to incorporate some accountability mechanism, to safeguard against misuse of the very powerful body, the Data Protection Board of India that the bill would create.

The Enforcement Directorate was not created to carry out witch-hunts, but that is what a special court for trying cases under the Prevention of Money Laundering Act accused the ED of doing when it arrested Shiv Sena Member of Parliament Sanjay Raut and kept him in jail for 90 days. It would be useful to rein in any tendency to go the way of the ED on the part of the new central agency with a mandate that spans the Centre-state divide and covers all of social life, thanks to the digitization of all aspects of life.

It is vital that digital data be protected, given the fundamental right to privacy deriving from multiple, enumerated fundamental rights, as pointed out by the Puttaswamy judgment of 2017. At the same time, in the current age, in which the competitiveness of economies and the ability to defend a nation’s strategic autonomy calls for complex capabilities in creating diverse artificial intelligence (AI), it is vital for large amounts of data to be available to train AI algorithms. For this, the right to erase one’s data, offered by the Bill is a hindrance.

We need to consider if, instead of erasing data, irretrievably anonymizing data is an option. India is in strategic competition with China, where civil rights are not a concern for companies in search of data on which to train their AI. Effective depersonalizing of data should be a worthy challenge for startups to take on, and for the government to promote.

An increasing number of Indians strap on a wearable device, available at ever-lower price points, that generates lots of data very useful to healthcare and insurance. Right now, we do not have in place any mechanism to harvest this data and build it into individual health profiles that could be used to keep people proactively healthy, instead of merely enriching that part of the healthcare industry that loves to have healthy people fall ill so that they can be cared for.

Wear your heart on your sleeve

Individuals would like their health data to be available to healthcare providers and to no one else. This calls for an enhanced role for consent managers, whose relevance the bill thankfully appreciates and provides for. The account aggregators who deal with financial data could possibly diversify into other kinds of data as well, to make data available to those chosen by the data principal in its unaltered version, and, along with matching clinical data but as part of a mass of anonymous data to those who can analyze the data to generate new insights and care tools.

Concerns remain about the state’s access to all kinds of personal data without any restraint or accountability, and the creation of a powerful new regulator with wide reach and the power of a civil court, which would include, presumably, the power to summon people and order cessation of business till further orders.

In an age of mounting ability to surveil citizens by ubiquitous security cameras and facial recognition software, track online activity, link discrete actions in unrelated areas to the same individual via unique IDs, and deploy ever more sophisticated AI tools for these purposes, the bill proposes to exempt every instrumentality of the state from any obligations of data protection or privacy.

Two, it creates a new powerful body, the Data Protection Board, as yet another instrumentality of the central government, which wields powers that cut across the federal divide, whose directions the police are obliged to carry out, can levy financial penalties and is accountable to no one other than the central government that appoints it. And, oh, its actions cannot be challenged in any court other than the high court.

Rahul Matthan of Trilegal, who spared time to discuss the bill, represents the optimistic view that misuse of the Board is unlikely, and that recourse to the high court and the norms of the Puttaswamy judgment is guaranteed against misuse.

The repeated assertion by the Supreme Court that the charge of sedition will subsist only with the express, proven intent to incite proximate violence has not prevented the police from arresting peaceful protesters and lower courts from framing charges of sedition against them. The legal remedy is available in theory but could be much delayed in practice, inflicting a heavy cost.

Undiplomatic Immunity

The state must be accountable to a committee of the legislature for each act of breach of constitutionally guaranteed privacy. Similarly, the Data Protection Board should be answerable to the same committee of Parliament.

Committees of the US Senate perform the function of holding the executive to account on such matters. It is time India’s Parliament also started using joint committees of Parliament to hold regulators as well as other arms of the executive to account.

In the absence of such safeguards, the data protection bill runs the risk of giving Indians an experience of Orwell’s 1984, minus the literary flair.

This article was first published in The Sanjaya Report as India’s Digital Data Protection Bill: Imperative to Watch the Watchers on November 23, 2022.

About the Author

tk arun

TK Arun is a Senior Journalist and Columnist based in Delhi.

Read more by the author at IMPRI Insights.