The Ministry of Electronics and Information Technology (MeitY) on 18 November released the draft
Digital Personal Data Protection Bill, 2022. The Bill grants a host of rights to data principals (users), such as the Right to correction and erasure of personal data (Section 13), the Right of grievance redress (Section 14) and the Right to nominate (Section 15), and most importantly, the Right to information (Section 12) about personal data. Section 12 empowers data principals to receive a summary of the data processed by the data fiduciaries or entities that determine the purpose and means of processing data along with details of all data fiduciaries who have received the personal data. This summary is critical for the data principal to exercise other rights. For instance, once the data principal has the summary of the data being processed, they can correct the information processed or even register a grievance with the data fiduciary.
The Right to Information is bound to play a central role for citizens to exercise their rights and practise their duties as outlined in Bill.
Additionally, this Bill has assigned some duties to the data principals under Section 16 — compliance with provisions of all applicable laws, abstaining from registering frivolous or false grievances with the data fiduciary or Data Protection Board and furnishing accurate information while exercising the Right to correction. The outlined duties impute knowledge on the data principals, for example, on what could constitute a ‘frivolous’ complaint which is difficult to ascertain without information on the data collected and processed of the data principal. The Right to Information is bound to play a central role for citizens to exercise their rights and practise their duties as outlined in Bill.
Nevertheless, Section 18 of the Bill allows for the largest Data Fiduciary, the Government of India (GoI) to exempt itself or its agencies and even certain data fiduciaries from the provisions of the Bill by notification in the interests of security, sovereignty, and integrity of India along with maintenance of public order. Despite many case laws attempting to dissect these legacy state exemptions for decades, an exhaustive list of what could fall within the maintenance of public order and the maintenance of sovereign interests seems distant.
Regardless, there has been a massive push from the Indian government to collect data, build national and state databases, and utilise emerging technologies to identify and track threats. For instance, India’s Ministry of Defence, over the past eight years, has significantly invested in modernising military and defence equipment to further India’s defence preparedness. The Department of Defence Production, Ministry of Defence hosted
AiDef 2022 in July to showcase how emerging technologies, like AI are being leveraged by domestic defence organisations and startups. It released “
Artificial Intelligence in Defence” to document 75 prominent use cases. Four of the identified use cases centre around the use of intrusive AI systems like Facial Recognition Technology (FRT)—Project Seeker—Facial Recognition System for Population Monitoring, Surveillance and Garrison Security Face Recognition System under Disguise (FRSD), Silent Sentry (Rail Mounted Robot with AI) and Driver Fatigue Monitoring System. These use cases seem to address issues that have conventionally limited the use of FRTs. Project Seeker can source data from many sources, can be remotely set up and does not need constant Internet connectivity. The FRSD can identify disguised or low-resolution images behind face masks, moustaches, beards, wigs, sunglasses, and monkey caps. The report states that use cases like FRSD or Project Seeker could be deployed in public places to identify “anti-social” or “anti-national” elements.
GoI has outsourced many public service delivery functions like ensuring public order to private sector enterprises or Third Party Actors (TPAs) that are collecting and processing data and deploying FRT systems to track citizen movement and activity.
Moreover, GoI is not pursuing technology development and deployment in isolation. At present, GoI has outsourced many public service delivery functions like ensuring public order to private sector enterprises or Third Party Actors (TPAs) that are collecting and processing data and deploying FRT systems to track citizen movement and activity. More than 10 State police departments across India such as
Punjab,
Telangana, and
Delhi have deployed FRT in some form to support policing efforts. Yet, the majority of citizens remain unaware of the incessant collection of personal data by the State through TPAs with the use of such technologies. In the absence of oversight mechanisms to curtail misuse of such technologies and the collected data by the State, the emanating risks will be enormous for citizens, especially marginalised communities that are often identified as threats to society.
India’s journey towards a comprehensive data protection law has been long and thorny. Since the release of the present draft, critics have been vocal about their dismay with the carte blanche authority given to the government over personal data much similar to the previous draft.
MeitY recently claimed that the GoI has no incentive to do anything in a non-transparent manner when asked about wide-ranging government exemptions in the Bill. In that case, GoI must put efforts to ensure citizens have unfettered access to information on how their data is collected, processed, used and to what end. The first step to achieve that would be not to exempt itself from Section 12, and the second would be to inform citizens of the purpose of using their personal data. In ORF’s inaugural
Tech Policy Survey, one of the most critical findings was that the Indian youth is largely comfortable in sharing their personal data to support the government in providing rations or cash to the poor (82 percent) and for reducing road accidents (79 percent) as long as they had information on the purpose behind sharing their personal data.
The majority of citizens remain unaware of the incessant collection of personal data by the State through TPAs with the use of such technologies.
Within this Bill, GoI and its agencies or TPAs that assist GoI in developing and deploying technologies, especially for public use could describe the personal data collected and the purpose for which it was collected and processed or could be processed. MeitY’s flagship citizen engagement platform,
MyGov could be utilised to share this information widely with the citizens. As per MeitY officials, this draft is attempting to strike the delicate
balance between aligning itself with global approaches to data protection and the foundations laid down by Justice K. S. Puttaswamy & Anr. vs Union Of India, or the Right to Privacy verdict but with reasonable restrictions. The State might have to engage in making trade-offs for the citizens that might not be “just, fair and proportional” but these exceptional uses of data must allow for citizens to review and contest the use and that can only be guaranteed with Section 12 of the Bill.
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.