Privacy Critics Attack ‘Backdoor Clauses’ in Proposed India Data Bill

By Aishwarya Jagani

As India moves forward with its much-awaited Personal Data Protection Bill (PDPB), privacy critics fear that “backdoor clauses” could allow the government access to data without consent and could create a feckless oversight board whose members would serve the whim of officials.

“The two biggest flaws are the lack of independence of the Data Protection Authority and the several ‘backdoor clauses’ contained within the PDPB,” Rohin Garg of the Internet Freedom Foundation (IFF), a privacy-rights organization in New Delhi, told Digital Privacy News.

Even B.N. Srikrishna, a retired India Supreme Court judge who led the committee that drafted the first version of the bill in 2018, attacked exemptions legislators since have added, telling Digital Privacy News that the bill now could “slide into an Orwellian state.”

Under consideration by a joint committee of the Indian Parliament, the bill governs the collection, processing and storage of all data — and it is broadly modeled after the EU’s General Data Protection Regulation (GDPR).

The committee is expected to submit its report by the first week of July.

But critics told Digital Privacy News that the bill did not effectively protect individuals from the government and gave open-ended access to personal data.

Critics further raised concerns that the bill’s broad government exemptions would allow agencies to use facial-recognition technology with other data.

“As per the 2019 bill, the government can exempt any agency from all or any of the provisions of the bill by way of a written order (not a law passed by Parliament),” said Pallavi Bedi, a public policy analyst at the Centre for Internet and Society (CIS) in New Delhi.

“The government can exempt any agency from all or any of the provisions of the bill.”
Pallavi Bedi, Centre for Internet and Society.

India’s PDPB has been in the works for nearly three years. Prime Minister Narendra Modi’s government first organized the committee in 2017, appointing Srikrishna to head it. He retired from the Supreme Court in 2006.

The panel released its first draft in July 2018. It included the creation of a Data Protection Authority (DPA), an independent body to oversee data regulation and the bill’s enforcement.

Further, it envisioned DPA as an independent regulatory body, with Modi’s government having no role in appointing its chairman and six members.

However, the most recent iteration of this bill significantly diluted these provisions — total membership dropped to fewer than six members — and added what critics had charged were “backdoor clauses” exempting the government from many restrictions.

The revisions also stripped DPA of its independence, as members would be appointed or dismissed by Modi’s government — and the panel would not have a judicial member or a consultant.

“The composition of the DPA was carefully crafted in the 2018 bill,” Srikrishna told Digital Privacy News, “so that the chairperson would be a senior judicial officer — and there would be representation from independent academics, professionals and practitioners in the domain — such that the majority of the members would be independent of the government.”

He added: “The DPA contemplated under the 2019 bill would be a captive of the government.”

IFF’s Garg agreed.

“Without the presence of a member of the judiciary or civil society, a government-dominated DPA would potentially become subordinate to the government,” he told Digital Privacy News.

“Many provisions, such as those that allow the processing of data without consent in certain cases, infringe upon the digital rights of citizens.

“The key point here,” Garg continued, “is that these ‘backdoor clauses’ exist for private companies and government bodies.

“Ensuring these clauses are not unfairly taken advantage of … is the job of the DPA, something that would obviously be hampered by its lack of independence,” he said.

Key Changes

Critics particularly cited two clauses that had been modified in the latest version, Nos. 12 and 35.

The first clause now would allow the government to process personal data without consent, in order to provide state-backed services or benefits, while changes to No. 35 would exempt the government and its agencies from PDPB.

“The DPA contemplated under the 2019 bill would be a captive of the government.”
B.N. Srikrishna, retired India Supreme Court judge.

“The bill has vested power with the central government to exempt an ‘entire agency’ from the requirements of the bill,” CIS’ Bedi told Digital Privacy News.

Highlighting the broad discretion given to the government under the revised Clause 35, she quoted part of it: “‘(S)ubject only to such procedure, safeguards and oversight mechanism as may be prescribed.’”

Facial-Recognition Concerns

Bedi also expressed fears that the bill could allow the government to use facial-recognition data with other personal information.

“Facial images, iris scans, fingerprints fall within the definition of ‘biometric data’ under the bill — and they are further recognized as sensitive personal data,” she told Digital Privacy News.

“However, extensive powers have been given to the government to exempt any agency from any or all of the provisions of the bill.

“Therefore,” she concluded, “it is possible for the government to exempt law enforcement agencies from the requirements of the bill, including the need to undertake a data-protection impact assessment and to exempt agencies from being notified as significant data fiduciaries under the bill.”

Last year, citizens were outraged over the government’s use of facial recognition with data from driver’s licenses and Aadhar cards to identify and crack down on demonstrators during the countrywide anti-citizenship amendment act protests.

“Many provisions … infringe upon the digital rights of citizens.”
Rohin Garg, Internet Freedom Foundation.

Critics told Digital Privacy News that the proposed PDPB would not prevent such instances in the future.

“Theoretically,” said Garg, “this would be the exact type of unconsented data-processing that the PDPB would protect against.

“However, given that such databases are already in use, such cases will be referred to the DPA — and after that, it will depend upon how much the DPA will bend to the government’s will.”

Better Than Nothing

Even though PDPB comes across as a weaker, diluted version of such international standard privacy legislation as GDPR, some privacy advocates and data experts said they welcomed the introduction of a data law to India.

It would, they said, bring some semblance of regulation to the mounds of data collected by companies operating in India.

Further, with India having been subject to numerous data breaches and violations — the current controversy surrounding WhatsApp’s updated privacy policy, for instance — any data regulation is a step in the right direction.

“The bill does confer upon users certain important digital rights,” Garg told Digital Privacy News, “while the existence of some sort of data authority is to be welcomed.”

Aishwarya Jagani is a writer in India.

India’s PDPB vs. EU’s GDPR

While the latest version of India’s Personal Data Protection Bill (PDPB) is broadly modeled after the EU’s General Data Protection Regulation (GDPR), key differences remain:

Data Localization

PDPB would be the first privacy law in the world to require data localization.

With GDPR, the location of servers where data is stored does not matter. Any company or entity processing data relating to EU residents falls under the jurisdiction of the law.

PDPB’s requirement is expected to pose challenges for international companies operating in India, which would need to obtain permission to share sensitive personal data abroad or change how they store and process Indian users’ data.

Government Exemptions

India’s PDPB would allow sweeping exemptions for the government and its agencies, under the guise of national security.

“The GDPR is a more robust and user-oriented framework,” said the Internet Freedom Foundation’s Rohin Garg, “while, unfortunately, the PDPB occasionally comes across as catering to private and governmental interests.

“This is best exemplified by the effective carte blanche given to private firms with respect to the regulatory sandboxes — as well as by the blanket exemptions given to the government for restricting the digital rights of individuals.”

Garg noted that GDPR, by contrast, only provided measured and specific grounds “for infringing upon these rights.”

Categorizing Sensitive Data

GDPR does not separately define sensitive personal data, whereas PDPB would categorize financial and health data, sexual orientation, caste or tribe, intersex status and other information as “sensitive personal data.”

This data would be subjected to stricter rules than other categories.

Further, sensitive personal data could not be transferred outside of India, unless under exceptional circumstances defined by the proposed bill.

Consent

Like GDPR, the proposed PDPB would require clear and valid consent before any data is collected or processed.

Valid consent is specific, informed, given without ambiguity, capable of being withdrawn at any point and given without coercion.

PDPB additionally would require data-consent notices to be made available in multiple languages to ensure that it was understood clearly.

Compatibility Test

GDPR requires companies to pass a “compatibility test,” which would determine whether the further processing of data is compatible with the original purpose for which it was collected.

By comparison, PDPB would permit incidental processing of data.

“‘Incidental purpose’ is a wider standard than the compatibility test,” said Pallavi Bedi of the Centre for Internet and Society.

Despite the differences, the proposed PDPB and GDPR agree on what critics said was the most crucial issue: The maximum penalty for noncompliance is up to 4% of total revenues of the offending party.

The sum in both cases generally is widely considered woefully inadequate for tech giants.

— Aishwarya Jagani

Sources: