Is India the Wild West of data privacy?

Indians speaking up for privacy rights, says Apar Gupta, IFF


February 2, 2021

/ By / New Delhi

Is India the Wild West of data privacy?

From facial recognition to national digital health mission, the biggest collector and user of the data is the government itself (MIG photos)

The recent controversy over WhatsApp’s revised privacy policy has put the focus back on privacy in many countries, including India. Even though there is a rising awareness about privacy in India, the threats to privacy, notably data privacy and protection, continue to rise incessantly.

Rate this post

The parliamentary panel on Information Technology has been holding discussions on the Personal Data Protection Bill for almost a year now. Even as the bill stays in a draft stage, on the ground a lot has changed that would make a material difference to data privacy and protection rights of the citizens, with numerous organisations, public and private, collecting and using an alarmingly increasing amount of data collected without any legal basis.

The range of data being captured is immense. From facial recognition to national digital health mission, for many of these, the biggest collector and user of the data is the government itself.

For instance, there are cases of private as well as government-run CBSE schools using facial recognition technologies without any fundamental legal framework setting the boundaries of how the data can or should be collected, used and stored and how to protect the rights of the individuals. This has alarmed rights and privacy organisations like the Internet Freedom Foundation which have moved the courts seeking urgent guidelines to be framed for regulating collection, usage and storage of such data.

“There are a lot of issues on using facial recognition, but right now the main issue in India is that we don’t have any legal framework around facial recognitions. So there is no specific law which addresses facial recognition and we don’t have any law which addresses data protection in general. Data protection bill is currently in Parliament. But it has not been passed and we don’t know when it will be. The problem with Data protection bill is also that it gives wide exemption to the government with regards to surveillance. So even if the bill does get passed, it will not be very helpful in maintaining that the government itself has not used facial recognition for surveillance. Because we do not have any specific law with regards to facial recognition, now there are several ministries that have in some way or the other started using or are going to use facial recognition,” Anushka Jain, associate counsel (Transparency & Right to Information), IFF tells Media India Group.

Internet Freedom Foundation (IFF) has launched a project called Project Panoptic for use of facial recognition in India. In this, the IFF says it tries to track all ongoing facial recognition cases. Right now, IFF is tracking around 38 projects all over the country that are at state level as well as the central level.

Rising awareness amidst increasing use

But it is not all dark as far as data privacy goes in India. While the government and private companies have been busy collecting all sorts of data about everyone, there is rising awareness amongst the users as well and people now have begun to talk of the value of data and the importance of data privacy. For IFF’s executive director Apar Gupta these are very key landmarks on any country’s journey from data anarchy to a well-regulated society where data and privacy are highly valued.

“Even people to a large degree, what we are noticing today are speaking up for their privacy rights, because there’s been a sense of growing political engagement on these issues, civic awareness and they are realising these. So as a society, at least in the metropolitan areas where people are well educated, as the younger set of Indians which constitute the more populous category of Indians today, step into adulthood, we are more aware. I think when these demands are voiced, I would say only then we as a society, government not removed from people is when we will be able to question these assertions by the government,” Gupta tells Media India Group.

He is not unduly worried about the pace at which the importance of privacy is being understood in India or that currently the debates over privacy are limited to the well-to-do youth in the country’s metros.

“I think that recognition is coming. A good indicator is that most radio shows in metropolitan cities covered the WhatsApp privacy policy change in local Indian languages. There were pranks alongside that WhatsApp is demanding ABC by very popular radio jockeys. This is just evident. It’s just seeping into the language of the people. Rather than people asking what is privacy now and why should I be concerned about privacy they have reached the stage, yes this impacts my privacy, but do I have a better option? And that’s a good second stage to step into,” he says.

Apar Gupta, executive director, Internet Freedom Foundation (MIG photos)

He acknowledges that at this rate, the debate over privacy and data rights is unlikely to reach the villages, where two-thirds of India resides, for years to come. “The large course of history about civil rights and human rights is always incremental, it is imperfect. It happens over a period of time. It takes 100 to 200 years. Nobody achieves these things in two or three years. Laws step in, enforcements happen also, but as a social value for this to build into, a better degree of acknowledgment by people. I think people will also need a greater degree of familiarity with devices. Most people in India got their first smartphones only over the past two years. And to expect from them to understand what values their personal data holds for them when they are getting instant messages which is such a tangible boon to them is a huge expectation from them,” Gupta says.

One of the biggest challenges for the awareness over privacy to spread all across the nation at a uniform pace is the diversity of the country and its languages. Gupta says that a large amount of conversation around privacy has been limited in English to certain elite and legally expressions which only today are breaking down to a popular discourse. For instance, several Indian languages do not have a very clean translation of privacy, where it sometimes means confidentiality and sometimes means secrecy.

Lessons India could take from GDPR

As India struggles to put in place a law that protects its citizens’ rights over the collection and usage of their data, especially the personal data, there are already a few models that the Indian lawmakers  could look at before finalising the Indian law under consideration. Gupta agrees that the European Union General Data Protection Regulation (GDPR) is a very good role model. “Certainly. I think the GDPR is a well evolved document. India can actually draw inspiration and it does draw inspiration from the GDPR. Justice Srikrishna’s report on Personal Data Protection Bill actually does draw inspiration from the GDPR and notes it expressly but it also does a comparative study with other legislations. A much more matching legislation which is rights respecting, GDPR focused, has lesser number of exceptions, has in fact been proposed as a private member’s bill in different variations by Dr Shashi Tharoor and by Dr Ravi Kumar. The IFF assisted in drafting of these laws and again it comes from understanding of the GDPR. However, the GDPR is not a complete code, For instance, it does not contain what will be the intersections between the GDPR and the Right To Information laws or the Representation of People’s Act which governs elections in India, where a high degree of transparency is required given the unique demands in Indian society where a high amount of accountability is necessary due to systemic and endemic corruption which has taken place through decades,” says Gupta.

Gupta goes on to say that while the Srikrishna report draws significant inspiration from GDPR, the government has also taken bad practices that exist globally. “So it’s playing to its own self-interest to some degree but also there is genuine citizen interest reflected in it. There are also economic interest reflected in it, which I personally find quite strange. You do not in a legislation, let’s say about environmental protection or about air, consider vehicular manufacture as an economic priority and place it within the preamble of that law. Because that is a separate area itself of legislation, but the personal data protection law from the Srikrishna Committee, then sent back to the ministry and from the ministry to the minister and proposed in Parliament has several provisions with respect to data being viewed as a unit of economic resource, which is a recognition which should be there, but it is also a legislative priority reflected within it. So I would say that, it doesn’t have a very clearly defined focus in terms of protecting personal data because that’s supposedly the primary objective of that law. And one hopes that this experience, in terms of implementation, comes through with time,” Gupta adds.

With no clear timelines on tabling of the bill or the final shape that the draft may have, IFF feels that the discussion on the issue will go on for a long while yet. It also believes that over the years the issue would be debated highly as an increasing number of sectors of the economy turn digital and all citizen and government interactions are similarly also transcending into being digital.

This is leading to a situation of immense amounts of data being created every day in India without any controls over who collects and uses the data for which purpose and one of the biggest threats to citizens’ privacy comes from the government itself, which has become extremely data-hungry. In the absence of a comprehensive data protection and privacy law, India risks becoming the wild west of the universe of data, where anarchy prevails. “The problem of the surveillance and all that system integrating in the backend and like a 360-degree profile of a person being created are getting bigger and bigger and there are no laws and regulations to check against that.  But since these systems are already being introduced we need the laws pre-emptively and not after the systems have been introduced, because the damage by then will already been done,” cautions Jain of IFF.



    Leave a Reply

    Your email address will not be published. Required fields are marked *