India’s new data protection bill continues to “facilitate state surveillance”
Although data localisation requirements have now been removed, it’s down to the Indian government to select which countries data is allowed to be sent to
Fresh accusations have been made against the latest draft of India’s data protection bill, alleging that it continues to facilitate state surveillance.
India’s Internet Freedom Foundation (IFF), an Indian digital liberties organisation, said that the new draft retains the wide and vague exemptions that were present in previous iterations of the Bill - key clauses that would provide the government powers that could violate the privacy of its citizens.
“This is because these standards are excessively vague and broad, therefore open to misinterpretation and misuse,” said the IFF. “If the law is not applied to government instrumentalities, data collection and processing in the absence of any data protection standards could result in mass surveillance.”
The IFF said that it’s essential for government collection and processing of citizen data to be regulated as well, to avoid any misuse.
Additionally, the data protection board (DPB), which is set to be formed through the Bill, will not have the independence needed to protect the data laws. This is because the government has the power to prescribe the composition of the board, the selection process, and remove its chair and other members.
The IFF said that this may result in the board reflecting the hierarchies of government, and since it’s meant to oversee the compliance of the legislation by the private sector as well as government agencies, it’s important for it to be fully independent.
The Indian government released the draft of its Digital Personal Data Protection Bill 2022 on 18 November and has made it available for public feedback until 17 December. This comes after it decided to withdraw the Bill’s predecessor in August 2022, the Personal Data Protection Bill that was first proposed in 2019, to develop a new law instead.
The IFF highlighted how the latest draft eliminated many of the clauses that were in the previous version of the Bill. It now contains around 30 clauses, reduced from more than 90 in previous versions.
The Indian government said this was to draft it in simple and plain language so that more people could understand its provisions. The IFF argued this has removed key information, adding that since the public consultation accompanying the Bill will not be disclosed, it will also weaken public trust in the development of the Bill.
One of the biggest changes in the Bill is that it removes data localisation requirements, opening the path to cross-border data transfers. However, the IFF said that data fiduciaries, similar to data controllers under GDPR, are only able to transfer personal data to countries that the government selects, meaning that data transfer to any other country is not allowed. The clause also doesn’t define how the government should decide which countries data may be transferred to.
“This enables arbitrary exercise of power where countries may be selected or not selected based on considerations other than protection of personal data of Indians,” said the IFF. “This is in contrast with Articles 44 to 50 of the General Data Protection Regime which permits the transfer of personal data of Europeans only to such countries which provide a minimum level of protection to such data.”
The IFF also outlined some positive changes in the new Bill. Data fiduciaries are now forced to notify the DPB whenever they’ve suffered a breach, and then the DPB is able to tell the fiduciary to adopt urgent measures to remedy the personal data breach or mitigate any harm.
The digital liberties group said this was important as previous iterations of the Bill didn’t require fiduciaries to notify data principals in the event of a breach. Users wouldn’t have known that their data had been compromised because of this.
Additionally, more barriers have been introduced when it comes to processing children’s personal data. There are tighter restrictions around how entities carry out tracking or behavioural monitoring of children, including targeted advertising aimed directly at them.