The past as a compass for the future

SMEs and the startup ecosystem in India share concerns about the (retracted) draft Data Protection Bill, 2021 - and the way forward for businesses

Sweta Dash

Overreaching powers to government and central agencies - problems with government exemptions; fear of data sharing with government and central agencies; anonymized datasets

Submitted Aug 17, 2022

The 2019 PDP Bill laid down exemptions for government agencies from data regulations prescribed in the Bill. The 2021 DPB continues to retain these exemptions for the government and central agencies, including police, CBI, ED, RAW, IB and UIDAI, after the JPC Report. The draft DPB also has an insertion of a non-obstante provision in Clause 35:

“Notwithstanding anything contained in any law for the time being in force…”

This clause is also backed by an explanation which states that such exemptions should be as per a “just, fair, reasonable and proportionate procedure.”

It states:

“Notwithstanding anything contained in any law for the time being in force, where the Central Government is satisfied that it is necessary or expedient,
(i) in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order; or
(ii) for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order,
it may, by order, for reasons to be recorded in writing, direct that all or any of the provisions of this Act shall not apply to any agency of the Government in respect of processing of such personal data, as may be specified in the order subject to such procedure, safeguards and oversight mechanism to be followed by the agency, as may be prescribed.”

Respondents fear that such provisions grant overarching powers for the government and central agencies to process data without the user’s consent. Among other things, they are concerned that these exemptions are “scary”, “unjustified”, and “unconstitutional”.

“While companies were being held to a standard in terms of how they should store, collect, report all of that stuff, keeping government agencies out of the ambit of this (draft) Data Protection Bill, when we are seeing so many cases of a lot of data aggregation being done by various government departments,”

said a concerned senior engineer of an IT services business.

Engineers of a business that deals with open source software products and services said,

“The excessive grant which the government has been given under this bill, that, is very scary. And it is also very unjustified, I would say.”

To explain their concerns about how this is likely to affect the future of businesses in India, an architect of a FinTech business said,

“People are talking about the fear of mass surveillance by the government. And, you know, there is a lot of scepticism in general, because of these overarching powers of the government.”

The “ripple effect” of this will be the “loss of confidence in sharing data with private enterprises”, and it will “significantly impact” all businesses that operate in the “extremely data dependent industry”.

Respondents said they get requests to share data from law enforcement agencies for regulations and in cases of financial fraud, cybercrime, consumer complaints, and so on. They said that they have had to share details like financial transactions, call logs, and IP addresses.

“Sometimes all this does not even require customer consent,”

said an architect of a FinTech business.

Only two respondents felt that overarching powers to the government for data access might actually be justified when it is a matter of national security, specifying the instances of curbing fake news and avoiding social unrest. But, even they had concerns regarding these provisions. As one of the respondents said,

“It should be as a matter of exception, not the rule. Nowadays, I think it has become a rule rather than an exception.”

Others were also sceptical about what the exceptional circumstances even meant anymore to justify such provisions.

One of the respondents asked, “What is not covered in national security?” It was unclear to the respondents what could be classified as a reason for national security, but they were apprehensive of this resulting in intensified surveillance instead of protecting privacy.

A senior engineer of a FinTech business said,

“If there are any requests, we would always be conscious of the fact that why they are coming, what is the purpose?”

Another senior engineer from a cloud service business wondered what else even remains to be shared:

“Like, everything is getting linked by Aadhaar, etc. Right?”

Interestingly, the DPB ignores the Justice Srikrishna Committee Report’s acknowledgment that unfettered government access to personal data without adherence to safeguards like “necessity and proportionality” is potentially “unconstitutional.”

Second, respondents worry about the potential misuse of data given the fact that the intention is unclear and the exemptions seem like an overreach of powers to them. One of the respondents asked what will happen if the data is passed on informally from one person to another within government agencies, or what is the procedure to handle the breach/leak of data from these businesses when in the hands of government agencies.

“The agency is also made up of people. You’re not confident that this data is going to be used against the person. So, on one hand, if you think this law is needed, like given that the agency needs to have access to certain data, but at the same time, how do I ensure that agencies are not misusing the data? So that is a concern,”

the founder of an agritech business said.

The founder of another agritech startup said she is not comfortable with this idea

“just for the fact that we have seen that in the past where things have got leaked, and not sure of how secure really the government is going to, you know, have these things taken care of. We know that there is bribery and corruption and you know, in all echelons. And, there could be personal data and non-personal data of my consumers that is available with the government and what if the government decides to give it to my competitor? I am not sure. So I’m not comfortable with the idea of the government peeping into our data.”

One specific example of the fear of such misuse is with data from the health tech industry. A respondent from a health tech business explained why he is in two minds about this provision.

“When you’re in healthcare, you kind of have a responsibility towards public health, you have responsibility towards making sure that policymaking is data-informed and things like that. So, I think, sharing anonymized and de-personalized data is probably a good idea. Except in the cases where you kind of need to identify the patient in epidemics and things like that. But again, the challenge is how the data gets shared and things like that, because of wildly different standards in different countries for different things.”

At least three respondents made direct or indirect references to a recently reported incident about Razorpay, one of the biggest business payment processing services in India, being caught sharing its users’ financial and personal information with the police.[1]

One respondent said that government access to users’ private data is becoming a norm in India, and that this calls for caution. A product manager from an AI tech business said,

“So, for example, I think it was in the papers recently that the courts made a request for specific data of an individual through Razorpay. I think, again, they didn’t have to go through a court mandated process, but it’s not like they had to handle all financial leaders only towards that specific account.”

The founder of another AI tech business also said in reference to this,

“I guess we all follow what is happening in the news right now, too. So, it is that there are limits to what can be asked. And I guess it’s finding that fine balance between when a data request comes because many times it is of critical importance, but many times it also gets potentially misused for things.”

Respondents categorised this provision of the DPB as more of a ‘civil liberties issue’. The founder of a FinTech company said that such blanket access to bypass existing legal frameworks to access any data means “terrifying ramifications”. He added,

“If you incorporate that into an industry where it is known that the state can access whatever they want, whenever they want directly from any player, public or private institution, by bypassing the existing legal judicial framework, I think it is chilling. It will definitely affect businesses and investments and everything. I’m unable to enumerate how, but it is a much larger political problem.”

Third, respondents also find this to be another “compliance restriction”. The founder of an agritech business said,

“India is not very friendly for startups or for SMEs because the amount of regulations, the amount of different kinds of compliances, that we have to do on a regular basis is itself very large.”

Fourth, in the same vein, respondents also find this to be a threat to security of their digital information and proprietary information. An architect of a FinTech business said, “All these years, we’ve been collecting a lot of data. There is a lot of proprietary data, for example, how different types of consumers are using financial products, how they operate in our system, on our platform, and so on. So all these details are very much the way we created the technology to consume this data. We also created different models, where this data can be useful.” She said that it will be “unfair” to send out this data to the central agencies “because we spend a lot of our efforts to know our consumer better and if this data needs to be collected and then shared with everyone, I don’t think it is fair practice.”

Product managers of a software development business also said that this provision essentially “requires opening information systems and making it accessible to any central agency in any agency format, for that matter.” “I see any opening up of Information Systems, the first threat is digital security. This can hence lead to incidents that in a way affects the availability and integrity of the data. And, we are answerable to the users if anything happens to their data in this process. That is where I think it can be a double edged sword... a harmful thing for our business.”

A founder of an agritech business also added that this ultimately is discomforting for the end user. He said the end user must be thinking “I want to be anonymous, I want to use the system, my dealing with the system should be private. But if that data goes to someone else, so definitely, as a consumer, I’ll be apprehensive. And once I’m apprehensive, then I’ll stop using the system. So, it is not good for the company.”

One of the respondents, however, decided to gauge this as a glass half-full at the moment. He said, “You can argue that data is the base on which all research is built, and therefore, access to open source data means that more research and innovation will happen. The flip side of that is if all of my confidential information that I’ve worked hard to build is now available as a public dataset, then what is my incentive to continue to build on those datasets or to invest in creating that? So the minute I think it is a bit more nuanced than that question, I think it deserves a bit more attention and thought.”

Coupled with these concerns is the problem of segregating anonymized datasets and personal data on a regular basis for data sharing. Anonymization essentially means de-identification or separating data in a way that there is no personally identifiable information in it. Respondents agreed that it is not a viable solution.

Technical experts agree that irrespective of how one tries to anonymize data, there is always the inherent risk of re-identification. A founder of an agritech startup said, “I mean, everything could be traced back, especially if it is shared with the government or shared somewhere publicly, or shared to communities or to competitors. I’m sure there is a risk of it getting unencrypted and going back to the and the private data getting leaked.”[2]

A senior engineer of a cloud-based business cited the example of a time when researchers could de-anonymize anonymized ratings data released by Netflix.[3] Another founder of a FinTech business shared an example, “Google is trying to integrate some cohort-based advertising tracking directly into the Chrome browser. Where they say that users will be anonymized, and the browser will share like a generic anonymized identifier. But there have been so many examples, papers proving that even this generic identifier can be used to target specific groups of people.” So, he said, “anonymization, and dependency on anonymization, as a solution for data privacy is not bulletproof. And different kinds of data using different kinds of anonymization techniques or algorithms, there are always ways to backdoor and reverse engineer anonymization. Maybe not to the most granular possible level, but to a harmful level.”[4]

An architect from a FinTech business explained that there have to be guidelines, processing, and governance systems in place for anonymization of personal data to be even close to some success. “Because at the end of the day, there is always a human in the loop of any technology that is there. And, even if the technology is bulletproof and there are strong processes, almost in 100% of the cases there is a human involved in the loop. Hence a potential for breach exists.”[5]


  1. A similar critique of the risk of deanonymization with respect to NPD datasets has been made in response to Telangana State’s draft agriculture data management policy. See Why Is The Razorpay-AltNews Scenario A Reminder Of Section 91’S Vast Powers?: Medianama.

  2. See Policy Reviews: Examining policies around privacy, data governance and usage for being explainable and specific with outcomes: Privacy Mode.

  3. See You Can Be Identified by Your Netflix Watching History: Plain English.
    Also see Robust De-anonymization of Large Sparse Datasets: The University of Texas.

  4. This critique and the sentiment underlying this was vociferously stated in a panel discussion on the risks of deanonymization of non-personal data. See India’s Non-Personal Data (NPD) framework Knowledge repo, archives and collaborations: Privacy Mode.

  5. This point was also made during a panel of startup founders and executives who felt that when non-personal data is maintained in a company, the likelihood of an internal person accessing this data and breaching it is a constant risk. See India’s Non-Personal Data (NPD) framework Knowledge repo, archives and collaborations: Privacy Mode.
