A Joint Parliamentary Committee has finalised and finally tabled the Data Protection Bill from 2019 in the winter session of Parliament this year. The bill has clearly gone through several changes in the two years, but it still has not really addressed the original criticisms that were raised. As the year comes to an end and the bill gets ready to be passed, this seems to be a good time to get a primer on what exactly personal data is, why it needs to be secure, and how the government right now is merely trying to harvest, surveil, and even help sell it.
Everything we do, where we live, what we buy and how we move is data. Your details, ID, addresses, sexuality, history, location, politics, medical records and friends (and their information) are all data, and that data is very valuable. This was why an editorial in The Economist famously referred to data as the new oil. The NSA files leaked by Edward Snowden would be the biggest exposé on data collection through mass surveillance, something which is done by governments all over. The logic cited for governments accessing data is often cybercrime and terrorism. In reality, however, this is almost always used to target dissent. But data is also collected in other ways, by a lot of other entities.
In the digital age, it's easier to collect, access, analyse and use data. Who gets to do these? The internet as a business works when people share their personal data in exchange for the services they get. As has been said: if you are not paying for the service, you need to see if you are the product. You consent to this by using platforms like Facebook or WhatsApp.
From the UN Declaration of Human Rights, Article 12 on the right to privacy:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
Privacy is a broad concept; data protection is more specific. It has to do with how the information about us is handled, from collection and processing to sharing, storage and usage. Data protection is thus a part of the larger issue of privacy.
We'll go through a quick recap of some of the important landmarks that got us to the present state of debate on privacy. While the 1948 UN Declaration of Human Rights had privacy as one of the rights, it wasn't really until 1974 that a serious Act codifying a lot of this was passed, in the US.
The 1974 Privacy Act, USA:
Enacted December 31, 1974, the Privacy Act of 1974 is a U.S. federal law establishing a Code of Fair Information Practice on federal agencies’ collection, maintenance, use, and dissemination of personally identifiable information.
And then, the 1995 EU Data Protection Directive, Europe:
Adopted by the European Union in 1995, the Data Protection Directive regulates the processing of personal data within the EU. In comparison to the United States, the right to privacy is a more highly developed field of law in the EU. The Data Protection Directive was superseded by the General Data Protection Regulation (GDPR) in 2018.
In California in 2003, the State Data Breach Notification Laws were passed.
In 2003, California was the first state to implement data breach notification laws. The new legislation required businesses and state agencies to disclose when Californians' personal information was exposed in a security breach. Most other states in the U.S. and some jurisdictions abroad have modeled their data breach disclosure laws after this legislation.
But the most important landmark globally was in 2018 in Europe:
The General Data Protection Regulation (GDPR) is a law dealing with data protection and privacy that went into effect in the European Union (EU) and the European Economic Area (EEA) on May 25, 2018. It also applies to the transfer of personal data outside of the EU and EEA.
The EU laws are considered among the best drafted and strongest in terms of benefits to citizens and penalties for whoever violates them. Many places, including India, look to the GDPR to frame their own laws on data protection. So, what happens in the EU?
As the website mentions, any entity that processes user data has to follow the seven principles set out in Article 5.1-2:
Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
Accuracy — You must keep personal data accurate and up to date.
Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
There have already been instances of penalties. France is investigating Clearview AI, and the dating app Grindr has already been slapped with $7M worth of fines for breaching Articles 6(1) and 9(1).
It was only in 2017 that the Puttaswamy judgement in the Indian Supreme Court defined the right to privacy as a fundamental right and asked the government to draft a data protection law. In 2019, the Personal Data Protection Bill was introduced in the Lok Sabha. Although it did take hints from the EU's GDPR, it was severely limited in scope and handed over sweeping powers to the state. It was severely criticised by civil society, digital rights activists and organisations, and academia.
Basically, what has been pointed out is the following: The data has to be kept on servers in India. It can be processed by the government for 'functions of the state.' Under Nitin Gadkari's ministry, for example, the Ministry sold 25 Cr vehicle registration and license data to private companies. There's also a plan in the works for a national facial recognition program. Mass surveillance is nothing new to the country, and it is feared that it will soon be used against the minorities and the marginalised. If the data is being used for a digital economy, isn't our data still a good that is being used?
Our friends at the IFF have already done a detailed analysis of the bill that has just been tabled in the winter session. It's always worth reading the full report here, but these are the key takeaways:
There are no changes to the emphasis on economic interests as opposed to protecting privacy. If anything, the preamble makes the digital economy part stronger than ever. Ensuring the interest of the state is given more emphasis than earlier. The very notable deletion of 'Personal' from the new bill's name, leaving just 'Data Protection Bill', itself gives the state a lot of free hand. Dissent notes have already been registered in the Lok Sabha.
The Indian Express' piece on how the Indian and European laws compare will give a clearer picture.
The new bill has mostly paved the way to set up a framework that legitimises a 'data economy' which might sell personal data, allow the state several levels of surveillance, while also giving immunity to state agencies under the name of security.
In other news:
Continuing on the issue of privacy, surveillance and data, this week will also see the government tabling a bill in the Lok Sabha seeking to link Aadhaar and Electoral IDs. Already facing heavy criticism, this issue needs analysis of its own.
The Pegasus spyware was confirmed on activist Rona Wilson's phone, says a forensic analysis report. Wilson has been in jail with 15 others, accused of 'Maoist links' and the Bhima Koregaon 'violence' of 2018, but the case is controversial and suspected to be the government's crackdown on lawyers, activists and public intellectuals. An earlier report also mentioned how his computer was hacked and files planted for evidence.
But even as such reports come in, India's government remains one of those that has done close to nothing on the Pegasus exposé. Recently, the SC stayed the Bengal state government's panel as well.
Twenty Years of DEF
December 15th marked the twentieth foundation day of DEF. We were established 20 years ago, aiming to achieve digital revolution and end social backwardness, poverty and discrimination by connecting all people to the internet and digitally empowering them.
The full stream of the event is available here on Facebook.
Even as the event went on in Hyderabad, the team at DEF never stopped working: two more digital centres were opened on December 16th, one in Rajasthan, and one in Delhi-NCR.
We have also published our report from an ethnographic study conducted on migrant workers displaced and affected during last year's crisis. What we basically found out was this:
74% employers stopped paying wages.
80% landlords didn’t waive the rent.
35% took more than a week to reach back home.
25% faced police brutality.
65% hadn’t found employment when the study was conducted.
You can read the full report here.
It's been a busy week at DEF surrounding the 20th Foundation Day, but we're committed more than ever and pledge to connect the unconnected population at the margins, until the last mile.
Merry Christmas to all our readers; see you again next week.