• The CAA and the Surveillance State

    The implications of the Data Protection Bill, 2019

    ICF Team

    January 15, 2020

    The Personal Data Protection Bill, 2019, was introduced in the Lok Sabha by Ravi Shankar Prasad, union minister of electronics and information technology, on December 11, the same day that CAB cleared the Rajya Sabha. The Bill may bear a reassuring name, but the government’s access to the personal lives of citizens and its oversight of them are about to increase dramatically.

    In this video of December 12, Sanjay Pugalia (editorial director, The Quint) red flags what he calls “one extraordinary bill”. Speaking in Hindi, he explains that the government has now awarded itself the right to collect information on Indians from any Internet company. This data may be demanded in pursuance of criminal investigations, information on whistleblowers, merger-acquisitions, network security, credit scoring or debt repayment. The government may also require search engines to hand over their data. In a nutshell, no part of your life on the Internet is out of the government’s reach.

    Worse, in its present form the Bill does not envisage any autonomous process — one with checks and balances — to clear the applications for data filed by the government’s investigative and intelligence agencies. Their demands for information will be processed by a regulatory agency called the Data Protection Authority (DPA), but the DPA’s members will be appointed by the government. Normally, any regulatory authority would include a few part-time independent directors, figures drawn from outside government, with experience and technical expertise in the field. But this component is given the go-by here. In effect, the executive will apply to itself for permission to snoop on citizens and harvest their data. The DPA is just as cruelly misnamed as the Data Protection Bill.

    A word on the lead-up to the legislation. The B.N. Srikrishna Committee, set up to draft the Bill in August 2017, submitted its inputs to Ravi Shankar Prasad in July 2018. According to a report in The Economic Times (July 28, 2018), the minister promised that the government would "apply its mind, take stakeholder comments along with taking Cabinet approval before finalising the legislation. “The entire parliamentary process will be followed,” he said, without setting a timeline for it." Sanjay Pugalia points out that not only were no public consultations held by the government, even normal parliamentary procedure was bypassed. Ordinarily, such a bill would have been referred to the Standing Committee on Information and Technology before being tabled in the Lok Sabha. In this instance, the government decided to set up a Joint Select Committee instead. Why the hurry? Is the recourse to a Joint Select Committee a bid to disable scrutiny? Did the Standing Committee become inconvenient because it is chaired not by a ruling party MP, but by opposition leader Shashi Tharoor?


    Also Read: A round-up of news reports from Uttar Pradesh


    The government’s sleight of hand continued with the presentation of the Bill before a thinly attended Lok Sabha on December 11, when media and public attention were fixed on the Rajya Sabha’s CAB debate. In this snippet of the proceedings uploaded by the BJP we see Ravi Shankar Prasad extracting rhetorical mileage out of the “widest consultations in the entire country” held by Justice B.N. Srikrishna — to whose committee “two thousand recommendations came” — but Prasad does not mention his own earlier promise to “take stakeholder comments”. He swats down objections from the opposition — especially those of Adhir Ranjan Chowdhary — by saying that his questioners are “not briefed well”. He admits that the Supreme Court has established privacy as a fundamental right, but cites the authority of the Court to add that the corrupt may expect no privacy.

    The Data Protection Bill does indeed set up a framework based on increased transparency between the “data principal” (individual subscriber) and the “fiduciary” (entrusted authority, such as, say, a service provider): this bit is quite as envisaged by the Srikrishna Committee. The Bill also establishes a distinction between “personal data” (such as business transactions on the Internet) and “sensitive personal data” (biometric, health, caste, sexual orientation, sex life, gender status, etc.), with certain protocols of confidentiality to be maintained in the latter case; for instance, such data must be stored within the country. The fourteen chapters and forty-two pages of the Bill may be read here. But, more controversially, the regulatory framework proposed by the Bill is one that the government may override at will, since it can exempt any of its agencies from the provisions of the new law. The central government may also direct the data-holding entities (or, fiduciary) to share with it anonymised personal data “to enable better targeting of delivery of services” [XII. 91(2)].

    Megha Mandavia (The Economic Times, December 12) reported on B.N. Srikrishna’s reaction to Prasad’s performance in the Lok Sabha: “They have removed the safeguards. This is dangerous.” He added, “The Select Committee has the right to change this. If they call me, I will tell them this is nonsense…. It will weaken the Bill and turn India into an Orwellian state.”

    There is no abyss to which an Orwellian state won't descend, and the appropriation of overarching powers is a sure signal of abusive intent. But, instead of leaving the threat vague and open-ended, let us imagine in concrete terms what the government’s abuse of these powers might entail. The behaviour of the ruling party offers certain clear indications of where it may go with the new law.

    In August 2019, the government rammed through amendments to the Unlawful Activities (Prevention) Act, amendments that allow it to name individuals as terrorists if it “believe” so. Amit Shah assured the House that the Act would not be misused; the amendment was desperately needed, it seems, because the investigative agencies had to keep “four steps ahead” of the terrorists. A terrorist was defined as not merely someone who commits, participates in or plans an act of terrorism, but also anyone who “promotes” it. With this provision, the government gained considerable leeway in selecting what to regard as terrorism, and also became free to brand any individual a terrorist before a crime was proved against them in court. A person so named is ruined in terms of his/her professional life and reputation well before the question of their guilt is settled in evidentiary terms. Stigma, in other words, now enjoys legal standing. If we add to this a free pass in snooping on the private lives of targeted individuals, along with calculated leaks of unrelated but damaging information on them, the state can destroy them utterly.


    Also Read: Faizan Mustafa: Which documents will be required for the NRIC?


    This is no hypothetical scenario. In October 2019, the Canada-based Citizen Lab, working with WhatsApp (owned by Facebook) revealed that Pegasus spyware had been used to hack into the phones of at least fourteen civil rights activists in India, including Anand Teltumbde, Bela Bhatia, Nihalsingh Rathod and Degree Prasad Chouhan.

    The Israel-based retailer of Pegasus, the NSO Group, insists the spyware is sold only to government agencies. When WhatsApp revealed the hacking of phones in India, Ravi Shankar Prasad turned around to say that he had asked WhatsApp to explain the breach, along with measures that the messaging platform had taken to strengthen the privacy of Indian citizens. We, in turn, were asked (with a straight face) to believe that a foreign entity had a consuming interest in the private communications of a bunch of civil rights activists in India. If our government was scandalised by this hack into the phones of some of its critics, its indignation was kept under masterful control. Prasad has not been keen to raise this episode in the months since. Imagine him and his government unrestrained by any legal niceties, free to delve into the privacy of anyone they find inconvenient, and you’ll see the Data Protection Bill coming into its own. Add to this the BJP’s frequent reliance on bogus terms such as love jehad, urban naxalism, and a tukdé-tukdé conspiracy to muddy the waters and target citizens, or consider that baroque excess called the Elgaar Parishad case, and the scope for misuse of the new data bill becomes limitless.

    What works to subdue individuals will also work as an instrument of crowd control. The Indian Express reported (December 28, 2019) that the Delhi Police was filming protests against the CAA and running the images through facial recognition software to screen crowds. If you have attended an anti-CAA protest, especially in a Muslim-dominated area, you may recall seeing drones overhead. (Or, view this NDTV video of Chandrashekhar Azad’s December 20 protest at the Jama Masjid of Delhi to get the picture.) To collect such footage, match it to a person’s digital exchanges, form a composite profile and use that against a dissenting citizen would be all in a day's work for a police state. China has gone way further, with a system of points to reward compliant citizens and punish the insubordinate. The Data Protection Bill will make such projects viable.

    Citizens are not just political beings, but economic ones too. In India, we already have evidence of the government using citizens’ information without their consent to market them as a product. On July 8, 2019, Nitin Gadkari, union minister of road transport and highways, revealed in the Rajya Sabha that the government had monetised its vehicle register by selling the data of some 25 crore vehicle registrations and 15 crore driving licences, to earn Rs 65 crore for itself. He added that 87 private companies and 32 government agencies had been granted access to this data. The scale on which the government may turn citizens into a natural resource to be mined for profit is virtually limitless. The Data Protection Bill includes a clause, cited earlier, which empowers the government to compel data-holding entities to share anonymised information, a kind of macro data, “to enable the better delivery of services”. Here, it may be worthwhile to remember that the Aadhaar card began life as a welfare scheme, too, before it turned into a snare and surveillance tool.


    Donate to the Indian Writers' Forum, a public trust that belongs to all of us.