The Data Protection Bill has been withdrawn, with a statement that a ‘comprehensive legal framework is being worked upon’. This is an admission that the legislative effort was piecemeal and was fundamentally flawed. Introspection on the ‘why’ is called for! That there is a long pending legal void on protection of a fundamental right does not paint any nation in a good light. The legislative effort was through out curated by ‘big money’ interests, as seen in the flawed approach adopted by the Expert Committee on Data Protection headed by Justice B N Srikrishna. It prioritised economic benefits for corporations over the protection of citizens and ignored national security aspects of privacy. The vast majority of such corporations, with access and control of Indian data are foreign owned. This should ring alarm bells for a nation celebrating Independence from colonialism in its 75th year.
A data protection framework that addresses the substantial national security and correct economic aspects is needed in the upcoming legislation. Narratives wherein individual privacy is seen as being protected, as the data is under control of foreign corporations and hence beyond the reach of the Indian State is a perverse and illusionary understanding of privacy. Dr Smitha Francis in her recent article correctly brings out how India stands to loss out economically from Industry 4.0 without domestically owned, software-embedded products across industries.
From this recognition will flow the need for trusted and resilient ICT platforms. This will now need to be fleshed out in the form of a national security doctrine that comprehensively addresses the cybersecurity needs of the Critical Information Infrastructure (CII) covering all the seven layers of the OSI model rather than emphasising chip design and manufacturing which only addresses layer one. This emphasis on chips, postpones certain hard decisions the nation needs to address in ensuring its national security goals are met coherently. Layers two to six are controlled by the Operating System (OS), the network and data storage aspects. The creation of an OS unlike chips can easily be done as it falls in the software domain which is India’s strength.
Other fundamental drawbacks to the withdrawn bill that needs to be addressed are: Clause 35; exemptions from the regulation: this allows any agency under the government to be exempt from any or all provisions of the law. Providing blanket exceptions undermines not only privacy but also national security. This provision elicited maximum dissent notes from JPC members and a just, fair, reasonable and proportionate procedure should have judicial warrants for surveillance of citizens.
Surveillance by government agencies in India has hitherto fore been of telephone interceptions, financial activity, social media posts, etc. The fourth industrial revolution and 5G will change all this with billions of sensors being embedded into both public and private spaces including homes of citizens. This will change the sheer volume and variety of data that will now be available and will give rise to the ability to profile a person to 360-degree scrutiny from his birth to death. This data will enable all people to be open to blackmail as the human condition is such that even saints have their moments of weakness and frailties. That being the universal truth, enabling surveillance without adequate checks and balances can open us to being a surveillance society beyond Orwellian imagination. This is a clear threat to a democratic society and is beyond the chilling effect to free speech as envisaged today.
While debating this with a group of experts, one expert on cyber security, opined that such surveillance and profiling of people is already illegal, hence the risk is minimal. This is a simplistic understanding of the issue and ignores the history of the security profession and existing literature on the subject of mission creep. A possible mitigation is the clear demarcation of certain types of surveillance by judicial warrant only. Specialised courts manned by judicial officials with expertise in privacy and surveillance technology are the answer.
The second drawback is the Composition of the DPA (Clause 42). In spite of the recognition of the national security aspects, there is no provision for a member with a background in national security. This does no justice to the Prime Ministers’ recognition of the dangers to national security from the information domain. This needs to be addressed by mandating a member with adequate expertise in the national security aspects of the information domain.
The proposed DPA as envisaged in the now withdrawn bill, is a body that will wield immense power in the information age. The history of the evolution of the Indian ICT sector shows an unhealthy influence from the ITES industry and its representative bodies which is dominated by MNCs. This has led to the complete domination of the Critical Information Infrastructure by Foreign Original Equipment Manufacturers (FOEM) with clear ties to the deep state of foreign nations. This needs to be addressed by ensuring that the economic and trade advantages alone do not drive the working of the DPA. Cybersecurity under the present business rules has MEITY as the lead ministry, this needs to be reworked as the domain is a field of national security and is better addressed by shifting the mandate to either the MHA or the MoD in the lead.
Finally, the nation needs to carefully think of strategies wherein the citizens trust indigenous platforms and do not see them as instruments of domestic surveillance and seek out foreign platforms beyond the law of the land as is presently the case. This will need the nation to build subtle boundaries between intelligence and law enforcement agencies wherein local platforms are seen as trusted data repositories under judicial protections and foreign platforms are rightly seen as instruments of surveillance that have national security dimensions.