FYI.

This story is over 5 years old.

News

India’s new data protection law could create a massive surveillance state

“India's intelligence agencies are already some of the least regulated in the world, a data protection law should not be making government invasions of privacy even easier.”

Last month the head of India’s telecoms regulator, RS Sharma, decided to prove just how secure the country’s much vaunted Aadhaar biometric database is — by publishing his Aadhaar number on Twitter.

“Now I give this challenge to you: Show me one concrete example where you can do any harm to me,” Sharma said.

Within hours, Sharma’s cell phone number, home address, date of birth, and even a frequent flyer number had been posted online.

Advertisement

Sharma’s experience was indicative of India's continued struggle to secure its landmark biometric database, Aadhaar, and underlined the government’s inability to secure the data being collected from India’s fast-growing, internet-connected population.

Part of the problem is that India has no data protection laws. That is about to change with the Personal Data Protection Bill 2018 that promises to give Indian citizens a fundamental right to privacy for the first time. And much like Aadhaar, the bill raises just as many questions as it does answers.

Proponents have hailed the legislation as a positive step forward in ensuring companies don’t misuse citizen’s data. But legal experts and activists say it carries an alarming undercurrent: unconstrained mass surveillance of 500 million people, a number that is rapidly increasing as more of India's estimated 1.3 billion population get online.

The source of their worry rests in the bill's stipulation that all companies collecting personal information (Facebook and Google, for example) would have to store that data locally, giving the government potentially unlimited access to a much bigger trove of data than it currently does.

“Once the government has access to servers full of personal data located in India, it would not be unreasonable to imagine that it would be able to access the data more or less freely.” Chinmayi Arun, executive director of the Centre for Communication Governance at the National Law University in Delhi, told VICE News.

Advertisement

”This is powerful and long overdue”

Governments demanding tech companies store data locally is hardly unique to India — numerous countries have enacted or proposed similar bills in recent years. But legal experts worry that with this bill India is following in the footsteps of Russia and China, which have notoriously harsh internet censorship practices. Those concerns are further amplified by India's well-documented shortcomings in relation to how government and intelligence agencies collect, process, and store personal data.

They point to the current government's failure to secure the Aadhaar database, containing the biometric information of more than 1 billion people, as proof of the encroaching data disaster.

“The report presents the first comprehensive attempt to articulate what might comprise data protections in a country that has never had a legal privacy framework.”

The bill demands companies collect personal data in “a fair and reasonable manner,” respect people’s privacy and limit how they process that information. It also demands that companies seek explicit consent for sensitive personal data, such as the biometric information stored in the Aadhaar database.

“The report presents the first comprehensive attempt to articulate what might comprise data protections in a country that has never had a legal privacy framework. This is powerful and long overdue,” Thenmozhi Soundararajan, the executive director of Equality Labs, a South Asian community technology organization, told VICE News.

Advertisement

“However, the report fails to clearly set and define the government’s jurisdictions around citizens’ data especially around surveillance and that is troubling to say the least,” Soundararajan added.

Read: India's biometric database is a massive achievement and a dystopian nightmare

The bill arrives roughly a year after the Supreme Court ruled all Indians have a fundamental right to privacy. It was drafted by a committee chaired by former Supreme Court Judge BN Srikrishna, but even before the bill was published the group was criticized for not having representatives from civil-society groups on the committee and its lack of transparency.

Now the committee’s draft proposal, which will be subject to further review in parliament before becoming law, is coming under fire.

“This seems to be a proxy to enable the government to conduct large scale, mass surveillance.”

The main concerns among experts is that the bill lacks any judicial or government oversight on how intelligence agencies conduct surveillance or interception. There is no requirement for law enforcement to submit reports to parliament about their activities, and they don’t even have to obtain prior judicial authorization to conduct surveillance.

“This seems to be a proxy to enable the government to conduct large scale, mass surveillance,” Vrinda Bhandari, a lawyer and public policy expert, told VICE News.

The other major concern among activists is that the new bill will make it much easier for government officials to get their hands on personal information.

Advertisement

“The weaponization of data is something that the BJP has cultivated expertise both inside and outside the central government.”

“Less friction for enforcement also means less friction for security and intelligence agencies to access data,” Amba Kak a policy advisor at Mozilla, told VICE News. “India's intelligence agencies are already some of the least regulated in the world, a data protection law should not be making government invasions of privacy even easier.”

Proponents of the bill claim that a new Data Protection Authority will be an independent authority who will oversee all data collection and ensure both companies and state agencies don’t misuse that data.

But critics say the group will be anything but independent, pointing out that the draft bill states “the chairperson and the members of the Authority shall be appointed by the Central Government.”

Read: Modi might be the only world leader whose Twitter use is more problematic than Trump's

Analysts like Soundararajan say the bill could quickly be weaponized ahead of next year's high-stakes election. The ruling BJP party is notorious for its canny and controversial use of social media to activate voters.

Modi and the BJP government claim these concerns are simply fear-mongering, but experts say there is already evidence that the party has plans to mine social media data ahead of next year’s elections.

In May, the Ministry of Information and Broadcasting issued a document outlining a proposal for a new “social media analytical tool” that would give the government the ability to monitor a range of digital platforms — including Facebook and Twitter — before creating “a 360 degree view of the people who are creating buzz across various topics” and targeting those citizens with “personalized responses.”

“The weaponization of data is something that the BJP has cultivated expertise both inside and outside the central government,” Soundararajan said. “They know the power of data and have used it to win campaigns and target audiences.”

Cover image: India's Prime Minister Narendra Modi gestures as he speaks during a rally, before state assembly elections in Mumbai October 9, 2014.