Events Corner

Unpacking The Data Protection Law & Who Watches The Watchers? Government Surveillance Powers

Parvati Nambiar
10 May 2022 6:00 AM GMT
The Seminar on the Personal Data Protection Bill, 2021 was hosted by the Bar Association of India (BAI) on 3rd May, 2022 at New Delhi. The program was inaugurated by the Chief Guest, Hon'ble Ms. Justice Indira Banerjee, Judge, Supreme Court of India. Shri Shyam Divan, Senior Advocate & Vice President, BAI, gave the welcome address and set the stage for the impugned bill, stating that "It's better to have no law than a bad law". Shri Prashant Kumar, President, BAI, addressed the gathering, discussing the ambit of data privacy under the 2021 bill and the need for independent servers and IT infrastructure for the judiciary. Dr. Pinky Anand, Senior Advocate & Vice President, BAI, spoke about the nature of data as an asset in the current landscape and the need for balancing the conflicting requirements. Dr. Anindita Pujari, General Secretary of BAI, concluded the inaugural session, noting that the impugned bill must give citizens "the freedom to remain obscure, if they wish to do so", and stated that it must pave the way for a society where we are not mere dots in the analytics of big corporations.

The first working session discussed Government surveillance powers and their ambit under the impugned bill. The session was chaired by Shri Chander Uday Singh, Senior Advocate & Vice President of the Bar Association of India. He set the topic in motion with a brief overview and introduced all four of the speakers. Each of the speakers highlighted a different aspect of government surveillance to identify potential reforms that could be made to the bill.

Amarjeet Singh Bedi:

Mr. Amarjit Bedi is an Advocate on Record at the Supreme Court of India. Notably, he was the Gold medallist of the AOR exam. He is the Joint General Secretary of the Bar Association of India and his core area of practice is Arbitration. Recounting his earliest memories of data breach, which started during the days of misplaced floppy disks and internet cards, Mr. Bedi analysed the demographic of the country to explain why such a law becomes imperative. Privacy is a fundamental right by virtue of the Puttaswamy Judgment; however, claims in case of breach of data privacy are currently being filed under a galaxy of laws and rules. The lack of a comprehensive umbrella legislation governing the matter set the stage for the current bill, which is inspired by the EU General Data Protection Regulation 2016. In a world where 2.5 quintillion bytes are created every day, India, as the second largest consumer of this data after China, indeed needs an umbrella legislation that addresses all matters of data breach and privacy. The intrinsic value of data to predict market behaviour makes the potential for risk and misuse sky high. Instances of data leaks and misuse over the past few years, like in 2018 when around 200 government websites accidentally made Aadhaar details public, the 2021 hack of the voters list on the Election Commission website, and the Facebook–Cambridge Analytica data misuse for the Ted Cruz campaign, all tell us that laws protecting us against such misuse have become the need of the hour. The expectation one has from such a legislation is that it must give one the power to be forgotten, if one wishes to be.

Apar Gupta:

Apar Gupta is a young lawyer dedicated to the field of technology and data privacy. He completed his LL.M from Columbia Law School, has worked in the Shreya Singhal case, and served as a counsel in the Aadhaar case. Mr. Gupta started his discussion by raising the question of what this legislation aims to achieve. Can this bill in its current form provide a degree of benefit, or does it hope to formally and legally authorise certain existing practices that tilt power away from the individual and in favour of the state, towards security functions which may be exercised in an unaccountable manner but will be recognised by this law? He drew attention to various specific sections of the proposed bill to answer this question. With the word 'personal' left out of the title of the bill in 2021, and with section 2(b) conveying that the bill aims to cover anonymised data, i.e., data derived from a person that is not identifiable against such person, the bill now covers a larger ambit and has bigger consequences: since such anonymised data receives lower degrees of protection, reidentification from it becomes a threat to personal privacy. This law does not aim to reform the surveillance framework, but rather applies only to consensual forms of sharing of data and consensual data processing, which is defined under section 3(36). Therefore, it keeps surveillance done without the consent and knowledge of citizens outside the purview of this Act. He substantiated this understanding by emphasising extracts from the BN Srikrishna committee report that accompanied the draft bill in 2019.

Chapter 8 of the report, on non-consensual processing, reads at p. 124 that "Much intelligence-gathering does not happen under the remit of the law, there is little meaningful oversight that is outside the executive, and there is a vacuum in checks and balances to prevent the untrammelled rise of a surveillance society." The report goes on to note that the purview of the bill is not to reform surveillance practices in India and is limited to consensual sharing of data. Therefore, consent becomes the cornerstone of the ambit of this bill, and the format to collect such data is also explained thoroughly within the bill. However, this importance given to consent deteriorates on a study of the exemptions given within the bill. Section 12 enumerates the instances where personal data may be processed without consent if 'necessary'. Mr. Gupta explained how this test of being 'necessary' falls short of the requirements given in Puttaswamy, which called for 'necessary, proportional and reasonable' grounds. The absence of the word 'proportional' throughout the proposed bill becomes an important concern. Section 14 allows personal data processing without consent, if necessary, as specified by regulations made by the DPA (Data Protection Authority). The exemption provided under section 35 is of an en masse nature, and this keeps government agencies out of the purview of this Act in instances that are not limited to any particular activity or to a particular time. The power of an authority like the DPA depends on its independence, autonomy and the ability to administer its functions without fear or favour. In reading section 87 we can identify the power that the Central Government has to issue written directions that are binding on the DPA. Further, section 92 gives the Central Government the power to create policies to handle data without having to table them before the Parliament, and by virtue of this provision litigation against such actions becomes even more inefficient.

The real-life ramifications of employing a digital contact tracing app like 'Aarogya Setu' were discussed by Mr. Gupta when he drew on the example of Jitendra Macchar from Mumbai, who was diagnosed positive for Covid-19 in May 2020 but was shown as positive for the following 9 months, which severely affected his business and travels. 'Aarogya Setu' was created following a government policy design, and therefore Mr. Gupta highlighted how the bill may fall short of delivering on its promises with its current design. He urged that the process of law is incremental. This bill, he believes, is belated and must be passed even if it has certain flaws. Its improvements must be made with experience, through litigation and parliamentary amendments. He concluded his speech by identifying the Indian digital policy setting, wherein a lot of issues have been bundled into the proposed bill which deserve individual consideration, as is being done in Europe with the separate Digital Markets Act, Digital Services Act, the Artificial Intelligence Act, and so on. While the proposed bill may codify some improper practices, Mr. Gupta suggests that it needs to be passed to start the process of digital privacy law in India.

Ria Singh Sawhney:

Ria Sawhney studied at Delhi University and went on to become a Human Rights Fellow at Columbia Law School. She has worked as a consultant conducting Privacy Impact Assessments for various international organisations in Nigeria, Bangladesh, Philippines and so on. Ms. Sawhney spoke on the Privacy Impact Assessment (PIA) aspect of the Data Protection Bill 2021. She recounted her various experiences conducting such impact assessments for various international organisations in Nigeria, Sri Lanka, Philippines, and Bangladesh, wherein she analysed the impact of data processing on the lives of the people in the community being assessed. The purpose of such a PIA is to bring a sense of responsibility to the data fiduciary, and to establish the consent of the subjects. Section 27 of the impugned bill mandates a PIA for a 'significant' data fiduciary. A PIA involves looking into the regulations in a country and the quality of rule of law being followed. The risk of surveillance and of data sharing between departments is assessed, and the beneficiary community is studied, so that appropriate measures can be taken. She recalled her experience in conducting the PIA for the Rohingya refugees in Cox's Bazar, where she translated the idea of privacy to them as 'Sharam', substantiating significantly that privacy is not an elitist concept, but rather, in its true sense, a fundamental right. The first major challenge that occurs in conducting a PIA is the tenuous nature of the whole process, as an ethnographer coming into a vulnerable community and trying to explain the crux of consent. The process of acquiring consent, Ms. Sawhney emphasised, cannot be of a tick-box nature, or be done in mass consent camps as was the case with Aadhaar, since the community in such instances is, more often than not, unaware of the process they are consenting to be a part of, as was the case with a majority of the Rohingyas, who were under the impression that their data was being used only for providing aid and access. It further becomes challenging to convince organisations to conduct such extensive assessments and to change their business model according to the results. The second main challenge is that one cannot adequately envision all potential harms involved in data sharing and processing while working in line with proportionality. It is the duty of the data fiduciary collecting the data to conduct the PIA. However, a few questions that the impugned bill raises regarding such assessments are: Who will be included under section 27? What kind of projects will need to conduct a PIA? Who decides these criteria? Who will check the authenticity of a consultant's PIA report? And who will be accountable for acting on the PIA reports?

Anand Venkatanarayanan:

Mr. Anand Venkatanarayanan is a cyber security and privacy researcher. He was called as an expert witness before the Supreme Court of India in the Aadhaar case, and was the first one to break the story of the hack of the Kudankulam nuclear reactor in the public domain. The discussion hosted by Mr. Venkatanarayanan revolved around the surveillance work of intelligence agencies, and how they are, more often than not, beyond the purview of law. Nation states often face multiple threats such as wars, insurgencies, public order issues, regime changes or epistemic threats. To control such risks, the intelligence agencies have to work at different time scales, prioritising secrecy and autonomy. These intelligence agencies over time become a threat themselves, much like the Praetorian guards during the Roman Republic. The balance between the secrecy that grants autonomous powers to function with efficiency and the Praetorian guard problem is 'in theory' struck by the oversight of the other branches: the Legislature and the Judiciary. The speaker went on to discuss the surveillance architecture that was employed in the pre-smartphone era, like StingRays and Internet Junction boxes. The countermeasures that were employed to avoid data surveillance through these forms were to encrypt web traffic, voice calls, messages, video calls, and metadata designs. Zero-day burn-downs also protected against extensive data surveillance. The speaker emphasised how the post-smartphone era surveillance methods are based on entirely different systems. The new forms of surveillance focus on endpoints, hostage laws, data localisation, employing influence operations on claims of national security, and outlawing encryption directly or indirectly (traceability). Mr. Venkatanarayanan also explained the working of Zero Day brokers like Arms Bazar, where malware vulnerabilities were sold for millions to intelligence agencies of various countries.

The last part of his speech focused on the Pegasus investigation, and the involvement of Citizen Lab and Amnesty. The targets of Pegasus, Mr. Venkatanarayanan stated, were a mix of domestic and foreign individuals, which led to exposure via cross-correlations. The speaker concluded by calling for a push on surveillance reforms that would mark clear red lines, force accountability on agencies, force transparency and employ better oversight.

