By Udbhav Tiwari
More than two years ago, the Supreme Court ruled that privacy is a fundamental right guaranteed to all Indians. With the Cabinet clearing a data protection bill this past week, the Government of India is making progress on delivering on that promise. Since that judgment, Indians have faced numerous threats to their privacy from the Automated Facial Recognition System, mandatory FastTag car registration, and continuing breaches of Aadhaar demographic data.
Yet the process to develop a data protection law has been slow and opaque, and the rumours coming out of the government do not inspire confidence that the bill, which will likely be introduced next week, will deliver the privacy protections that Indians need and deserve. It is vital that the Parliament’s Standing Committee on IT have a chance to review the law and recommend any changes needed to ensure that the privacy of Indian citizens is protected.
Since the Justice BN Srikrishna committee draft was released in 2018, there have been multiple consultations conducted by the IT Ministry, but the public has not seen a new draft in over 18 months. Thanks to this build-up, the changes between the 2018 draft and the upcoming law will be closely studied to measure the extent to which the government has responded to the industry and civil society calls for improving the law.
As details of the final bill begin to leak out, not all of the signs are encouraging. While the public has yet to see the actual text of the bill, several government sources have been cited detailing new provisions which would undermine, not protect, Indians’ privacy. For example, an official was quoted as saying that social media companies will have to verify the identities of social media users to fight fake news.
They also said that the bill will require the forced transfer of non-personal data to the government. These are serious threats to privacy, which should be carefully reviewed by the Standing Committee on IT of the Parliament.
If rumours are to be believed, the bill contains a provision requiring social media companies to provide an option for users to verify their identities using Know Your Customer (KYC)-like processes and requires the companies to report accounts that choose to opt out of this verification to the government. People should not be reported to the government for wanting to protect their privacy. There are many reasons why someone would want to use a pseudonym that have nothing to do with fake news — for example, a woman who doesn’t want her stalker to find her online posts or location.
Social media companies can just as easily also exploit the sensitive data harvested from the government IDs submitted for such verification to target and profile users. Both Facebook and Twitter have been heavily criticised for using phone numbers submitted by users for two-factor authentication (a security measure) to target ads on their platforms.
Apart from harming user privacy, this will also increase the risk from data breaches and further entrench large players in the social media space who can afford to build and maintain such systems. There is no evidence to suggest that such moves will help in fighting fake news in any form. The government is also considering tackling the issue of misinformation through amendments to India’s intermediary liability regime, which is a better venue to debate issues of content regulation.
Another concerning provision is the rumoured mandatory sharing of non-personal data for public policy and planning with the government. Allowing the government to force companies to transfer non-personal data raises serious intellectual property concerns, and can still threaten users even if they’re not individually identified. For example, would we want the government knowing which housing colonies in a city have a propensity to buy pro-LGBTQIA+ posters, books about a specific caste, or religious objects? This data may not contain any identifying information about a specific individual but can be used by malicious actors with disastrous consequences.
The law should retain its focus on protecting personal data and not attempt to solve everything from misinformation to data sharing concerns in one law. This will lead to neither of these problems being solved in a sustainable way while actively harming the privacy of Indian users, defeating the entire point of this legislation.
The details on how the law implements these provisions and accounts for other concerns such as its applicability to the government’s use of data will only be clear once the law is made public. We urge the Standing Committee to properly review the bill and the Government to implement recommendations to ensure the final law is an example to the world.
Udbhav Tiwari is Policy Advisor for Mozilla in India