After five years of negotiations involving the government, tech companies and civil society activists, the world’s largest democracy is sending its debate on privacy back to the drawing board. The Indian government has junked the personal data protection bill, and decided to replace it with “a comprehensive legal framework.” If the current anarchy wasn’t bad enough, nobody knows what the revamped regime will contain — whether it it will put individuals first, like in Europe, or promote vested commercial and party-state interests, like in China.
Back in 2017, India’s liberals were hopeful. In July that year, New Delhi set up a panel under retired Justice B.N. Srikrishna to frame data protection norms. The very next month, the country’s Supreme Court held privacy to be a part of a constitutionally guaranteed right to life and liberty. But the optimism didn’t take long to fade. The law introduced in parliament in December 2019 gave the government unfettered access to personal data in the name of sovereignty and public order — a move that will “turn India into an Orwellian State,” Srikrishna cautioned.
Those fears are coming true even without a privacy law. Razorpay, a Bengaluru-based payment gateway, was compelled by the police recently to supply data on donors to Alt News, a fact-checking portal. Although the records were obtained legally — as part of an investigation against the website’s cofounder — there was no safeguard against their misuse. The risk that authorities could target opponents of the ruling Hindu right-wing Bharatiya Janata Party led to howls of protests about the stifling of dissent under Prime Minister Narendra Modi.
The backdrop to India’s privacy debate has changed. Six years ago, mobile data was expensive, and most people — especially in villages — used feature phones. That’s no longer the case. By 2026, India will have 1 billion smartphone users, and the consumer digital economy is poised for a 10-fold surge in the current decade to $800 billion. To get a loan from the private sector or a subsidy from the state, citizens now need to part with far too much personal data than in the past: Dodgy lending apps ask for access to entire lists of phone contacts. The Modi government manages the world’s largest repository of biometric information and has used it to distribute $300 billion in benefits directly to voters. Rapid digitization without a strong data protection framework is leaving the public vulnerable to exploitation.
Europe’s general data protection regulation isn’t perfect. But at least it holds natural persons to be the owners of their names, email addresses, location, ethnicity, gender, religious beliefs, biometric markers and political opinion. Instead of following that approach, India sought to give the state an upper hand against both individuals and private-sector data collectors. Large global tech firms, such as Alphabet Inc., Meta Platforms Inc. and Amazon.com Inc., were concerned about the now-dropped bill’s insistence on storing “critical” personal data only in India for national security reasons. Not only does localization get in the way of efficient cross-border data storage and processing, but as China has shown with Didi Global Inc., it can also be weaponized. The ride-hailing app was forced to delist in the US months after it went public there against Beijing’s wishes and eventually slapped with a $1.2 billion fine for data breaches that “severely affected national security.”
Still, the scrapping of the Indian bill will bring little cheer to Big Tech if its replacement turns out to be even more draconian. Both Twitter Inc. and Meta’s WhatsApp have initiated legal proceedings against the Indian government — the former against “arbitrary” directions to block handles or take down content and the latter against demands to make encrypted messages traceable. The government’s power to impose fines of up to 4% of global revenue — as envisaged in the discarded data protection law — can come in handy to make tech firms fall in line; so it’s unlikely that New Delhi will dilute it in the new legislation.
For individuals, the big risk is the authoritarian tilt in India’s politics. The revamped framework may accord even less protection to citizens from a Beijing-inspired mix of surveillance state and surveillance capitalism than the abandoned law. According to the government, it was the 81 amendments sought by a joint parliamentary panel that made the current bill untenable. One such demand was to exempt any government department from privacy regulations as long as New Delhi is satisfied and state agencies follow just, fair, reasonable and proportionate procedures. That’s too much of a carte blanche. To prove overreach, for instance in the Alt News donors case, citizens would have to mount expensive legal battles. But to what end? If the law doesn’t bat for the individual, courts will offer little help.
Minority groups in India have the most at stake. S. Q. Masood, an activist in the southern city of Hyderabad, sued the state of Telangana, after the police stopped him on the street during the Covid-19 lockdown, asked him to remove his mask and took a picture. “Being Muslim and having worked with minority groups that are frequently targeted by the police, I’m concerned that my photo could be matched wrongly and that I could be harassed,” Masood told the Thomson Reuters Foundation. The zeal with which authorities are embracing technologies to profile individuals by pulling information scattered across databases shows a hankering for a Chinese-style system of command and control.
The abandoned Indian data protection legislation also wanted to allow voluntary verification of social-media users, ostensibly to check fake news. But as researchers at the Internet Freedom Foundation have pointed out, collection of identity documents by platforms like Facebook would leave users vulnerable to more sophisticated surveillance and commercial exploitation. Worse still, what starts out as voluntary may become mandatory if platforms start denying some services without identity checks, depriving whistleblowers and political dissidents of the right to anonymity. Since that wasn’t exactly a bug in the rejected law, expect it to be a feature of India’s upcoming privacy regime as well.