Ten Reasons Why The Digital Personal Data Protection Law Doesn't Empower Citizens

Among the ten-point list of issues this Bill doesn't address is unchecked data collection by employees, the weakening of the RTI Act, and the sanctioning of a data protection board that will be beholden to those in power.

India is rapidly digitising. There are good things and bad, speed-bumps on the way and caveats to be mindful of. The weekly column Terminal focuses on all that is connected and is not – on digital issues, policy, ideas and themes dominating the conversation in India and the world.

The Digital Personal Data Protection Bill 2023 has been passed today in the Lok Sabha. After years of exhaustive public consultations and multiple drafts, this seemingly final version of the Bill is being termed the simplest of all drafts.

There are many concerns around how the Bill continues to ignore purpose limitation and push for further data collection through duties on data principals. But will this Bill really empower us?

‘Data empowerment’ has been the magic term that has been used to push various centralised databases onto the citizens of India. We were told we can become rich by exchanging our personal data.

But so far, the problems in Digital India’s software designs have resulted in people being exploited and harmed by loan apps and social engineering fraud. Neither of these will stop with the passage of the Bill as long as the data proliferation continues, and this Bill won’t stop that either.

Here is a long list of issues the Bill doesn’t address and which will be litigated further in the courts, with the fundamental right to privacy recognised as part of Puttaswamy vs Union of India. This should help us understand who the Bill is empowering.

1. The practice of mandating people to link their Aadhaar will continue and expand to create 360-degree profile databases, as the Rajya Sabha is expected to pass the Registration of Births and Deaths Bill. Indians will be forced to part with their personal information from birth to death. The Bill ignores purpose limitation entirely and says that any data collected can be used for other purposes by the government.

2. All personal data collected by the government will be shared with surveillance institutions, with no mention of restrictions on surveillance in the Bill. The ten agencies authorised under the Information Technology Act and various policing departments will continue to collect personal data without any restrictions. A blanket exception has been made for the police to use 360-degree profile databases like NATGRID for surveillance. 

3. The Enforcement Directorate and Income Tax authorities’ raids on the Opposition and tax surveillance of every resident in India will go unchecked. A weapon in the arsenal of the government to suppress any form of dissent, there is nothing that stops these institutions to raid even media houses and to clone their mobile phones and laptops. 

4. Facial recognition and other biometric technologies will continue to flourish, for tasks ranging from basic attendance usage to surveillance. The government could grant exemptions to companies involved in facial recognition to collect this data in order to build surveillance systems. Projects like Digi Yatra, facial recognition for de-duplication for KYC, access management, monitoring of work, and surveillance will thrive. 

5. This Bill doesn’t stop the government from forcing you to submit your health data and use it as they want during and after health emergencies. From Aarogya Setu to Co-WIN, there are blanket exemptions on how much personal data can be collected and how they use them.

Also Read: CoWIN Data Leak Is a Sign India Needs to Rethink its Digital Public Infrastructure Strategy

There is no provision in the Bill to demand deletions of personal data. Even after the COVID-19 vaccination drive is over, we are still not allowed to delete Co-WIN and any other health data the government collected. 

6. All employers are exempt to collect the personal data of their employees as they see fit. Every company from Uber, Ola and Swiggy to Urban Company can continue to collect the personal information of their employees – including facial biometrics – and even use it to fire them or stop them from working for their platforms. 

The surveillance of employees’ devices – from phones to work machines – will continue to go unchecked. Government employees have no option but to share their facial biometrics for attendance, and surveillance of their work through cameras. With the push for real-time work, anganwadi and sanitation workers will continuously be monitored by various apps. 

7. Google, Facebook, Amazon, Microsoft, Apple and other Big Tech companies can continue to use your personal information that you publicly share. This Bill doesn’t stop any personal data collection by these Big Tech companies and is unlikely to result in any major changes in how the entire IT industry operates.

The duties in the Bill force us to not to supply any false information to these or any other companies, killing anonymity. The government can demand all of this data from these companies with no oversight. This Bill at best forces these companies to allow you to delete your personal data, if you choose to exit these platforms. 

8. The Bill weakens the RTI Act by making it hard for us to access any personal information, including the names of the bureaucrats that are signing key government files. This will create an information asymmetry between the state and citizenry, where the state knows everything about the citizenry but citizens know nothing about the state.

Also Read: Changes to RTI Act, Rs 500 Crore Fine: Five Pitfalls to Watch Out for in the Data Protection Law 

9. A key feature of Digital India and surveillance capitalism is the use of personal data for financial services, from loan apps to insurance. The Bill provides these companies exemptions to process the personal data of any loan defaulter.

This means that private companies are allowed to collect personal data from anyone who takes loans. That data will be deleted once the loan is paid, but it can be processed in any way the company wants until it recovers the loan amount.

This will lead to the creation of loan defaulter databases that will be used for the further economic exclusion of marginalised people in India. 

10. The Data Protection Board that the Bill sanctions will be set up by the government, making it less independent, and prone to acting at the whims of the powerful bureaucrats, businessmen and politicians of India. Even if there is a data breach, the data protection board will act partially, with no clear independence.

This is not a privacy Bill, but a mere data processing Bill that doesn’t address the issues of the common citizen. This Bill is just a rubber stamp at the end of India’s digitisation process that doesn’t empower any citizens, but only businesses and government institutions.

It is a travesty that a powerful judgement like Puttaswamy vs Union of India has been reduced to this unjust form which will continue to be contested in the courts. There may not be any relief from these mandatory data collections by Digital India anytime soon.

Srinivas Kodali is a researcher on digitisation and a hacktivist.