India's data privacy law triggers surveillance fears

Laws in India regarding data privacy were ambiguous for a long time, but in 2017 the country's Supreme Court ruled that the Indian constitution guaranteed a fundamental right to privacy for every citizen.

Recently, however, public debate over the government gathering personal information for India's biometric identification system, Aadhaar, and discussions around data privacy in the EU prompted the Indian government to introduce a Personal Data Protection (PDP) legislation.

The bill is likely to be passed by the Parliament and become law by early 2021. Supporters see it as a comprehensive piece of legislation that is similar to information privacy laws in the European Union, and California in the United States.

Read more: India's contact-tracing app comes under fire

Speaking to DW, Anirudh Burman, associate fellow at the Carnegie Endowment for International Peace India in New Delhi, said that in design, the draft PDP law was based broadly on the same principles as the European Union's General Data Protection Regulation (GDPR). 

These principles include protective laws for storing consumer data, asking for the user's consent before using private information, periodic audits for companies and rules for reporting breaches. The PDP also includes setting up a Data Privacy Authority (DPA) to "maintain, monitor frameworks, firms and penalties to companies."

The debate around storing information

The issue of locally storing data came up between the Indian government and global technology companies like Google, Facebook and Amazon, whose executives were summoned by a joint parliamentary committee to answer questions related to data localization.

"In the context of the committee's question, data localization refers to the storage of data in India. One version of it is that the data can only be stored in India, and the other is that copies of the data must always be available in India," Chinmayi Arun, resident fellow at the Yale Law School, told DW.

Legal researcher Burman points out that the question of saving data locally or transferring it also depends on the kind of information that is being dealt with. He says that personal information is divided into three broad categories in the Indian data protection law.

These include personal data, sensitive personal data and critical personal data. Personal data can be transferred freely. Sensitive personal data includes data related to finances, health, religion, caste and so on and can be transferred abroad only if the user has explicitly consented to it and if the government has approved the transfer, Burman explained. 

Read more: How India's loose data privacy laws open the door to hackers

The government has said that global companies dealing with information on Indian citizens can take out certain kinds of data, but sensitive data needs to be "brought back," or deleted, once it has been used for a given purpose, the expert said. Critical data, which has not been explicitly defined, cannot be transferred outside India other than under exceptional circumstances.

In these cases, companies need to wait for permission before they can store data abroad and this could prove to be a major hindrance to their business and spike costs.

Rohini Lakshane, director of emerging research at the techno-feminist collective Bacchao Project in Bengaluru, told DW: "Multinational companies state that localization of user data is harder for them because of the global nature of the internet and the mechanisms via which information travels through the internet, and certain other infrastructure-level decisions that are made to reduce costs, increase affordability, increase speeds and implement data protection standards."

Legal researcher Burman said that locally storing data in India could pose challenges for international firms, as they would have to seek permission from New Delhi to store sensitive data abroad, or be forced to change their business models. 

Read more: India setting up world's biggest facial recognition system

Furthermore, storing information in India could make it vulnerable to government monitoring. "Companies may be concerned about the costs of storing data locally and of the losses incurred if it can't be processed with global data, but they may also be worried about the risk of unrestrained state surveillance that inevitably arises from storing the data locally in India," said Yale expert Chinmayi Arun.

Policing by the state

Surveillance by the Indian state has been mostly shrouded in ambiguity, especially since concepts like endangering state security, sovereignty and integrity have not been properly defined.

Last year, for instance, a study by the University of Toronto's Citizen Lab revealed that several Indian lawyers and Dalit activists and journalists were surveilled by the Indian government using the Israeli spyware Pegasus.

The Personal Data Protection law may only be able to do little when it comes to addressing concerns of potential surveillance victims. According to technological researcher Lakshane, "The government is mostly exempt from the provisions of the Draft Personal Data Protection Bill, 2019, if it considers the exemption to be necessary 'in the interest of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, public order or for preventing incitement to the commission of an offence.'"

Lakshane says that citizens' data becomes even more vulnerable considering that "India's intelligence agencies were not instituted by an act of Parliament. There is very little information about what they are empowered to do (or not do) and the restrictions on such powers."

For potential victims of data theft and surveillance, consent forms are one way of protecting their privacy, but this may be marginally effective because users typically do not pay attention to consent forms, according to Carnegie Endowment's Anirudh Burman.

"More consent won't necessarily protect privacy, and users develop a false sense of trust in privacy, although they can still suffer from illegal data usage."

Meanwhile, global tech giant Facebook has said it will comply with the new data regulations, and Amazon and Google are expected to eventually follow suit. The Indian government has also announced that it is going to regulate digital content from streaming websites like Netflix, Amazon Prime Video and Disney+ Hotstar.

However, critics feel that the Indian government needs to be careful about stifling new digital economic ventures. For companies, especially small businesses, too many government restrictions on data privacy law could be a barrier to growth and investment, said Burman. 

Ultimately, he stressed, digitization is one means to simplify things in India and it can help poor people without sufficient physical infrastructure get access to a range of public services and facilities.