“You may say that you want to be forgotten but the state does not want to forget you.” This chilling argument for dominance over every Indian’s life was rejected six years ago, in August 2017, by the Supreme Court of India in the first Puttaswamy decision. The Court reaffirmed the fundamental right to privacy while requiring the Union Government to introduce a data protection law in Parliament, “as per this judgment”. Instead, in 2023, the country has now got the Digital Personal Data Protection Act, 2023, or the Data Act. Its provisions, according to Amrita Johri and Anjali Bhardwaj (who are associated with the National Campaign for Peoples’ Right to Information and the Satark Nagrik Sangathan), “threaten the very foundations of transparency and accountability”. And Professor Subhasis Banerjee (Professor, Computer Science and Engineering, IIT Delhi), says it “facilitates data collection and processing by the government and private entities rather than… data protection”.
Making Indians stand in line
But why did the Data Act take this shape?
The answer rests in total state control — a digital leash to yank us and make us stand in line than serve the preambular objectives of the Constitution of India.
Months after inaugurating the ‘Digital India’ programme in July 2015, Prime Minister Narendra Modi, who was in Silicon Valley in September 2015, announced that “technology is advancing citizen empowerment and democracy that once drew their strength from Constitutions”. The speech reveals a misplaced belief in the curative powers of techno-solutionism, and that all our problems will be fixed by the digital revolution rather than a transformative constitution. This ideology requires a continuous expansion of state power that is the result of a tie-up between surveillance capital and surveillance welfare.
It is most visible in digital public goods built with vast state resources and the personal data of every citizen. These deployments break promises on delivery, tighten a digital leash and create fresh problems. Let us take the example of Aarogya Setu. According to MIT Technology Review’s ‘Covid Tracing Tracker’, “India is the only democracy to make its contact tracing app mandatory… neither the privacy policy nor the terms of service for the app were publicly accessible....” Yes, due to outrage these were added later but the same issue re-emerged with the online vaccination platform Co-Win. Indians need to ask themselves to answer this question honestly: Did you install Aarogya Setu to travel or enter a building, or did you use it as a reliable method to avoid infection? How did it work for you? Quite simply, the state views data protection as being a nuisance to its digital programmes which is inherent in their architectural design. Take for example the “Smart Cities Mission” which at its heart requires an “integrated command and control centre” to gather real time data of residents and pool it in databases. It has missed its two deadlines from June 2021, and has been extended by three years to June 2024. Indians need to answer this question honestly: While there are more cameras that watch you and LED strips on the roads and metro stations, do our cities feel any safer or smarter?
Then there are more direct measures for mass surveillance that dispense with any camouflage. Examples are the tender in 2018 for a “social media communications hub” which wanted to “create a 360 degree view” over your social media accounts for moulding “nationalistic feelings”. Or, a tender on June 28, 2019 to build a “National Automated Facial Recognition System” as the world’s largest facial recognition system. In one way or other, all these projects are granted legal sanctity through exceptions under the Data Act. Rather than protecting the ordinary citizen, the Act prescribes duties such as “not to suppress any material information while providing her personal data for any document”. It imposes fines (up to ₹10,000) on at-risk groups of religious, caste, gender and sexual minorities, that might provide incomplete or incorrect information for their personal safety.
Thinking by the government
According to the government, there is scare mongering in the country. Instead, we should trust it with our privacy as the Data Act is a new social contract to participate in a digital society. Given the vague nature of the Data Act, it will appeal more to a partisan than a constitutionalist since trust is based on allegiance of a favoured political ideology than a rights-based law. It has also been argued that with experience, the Data Act will improve over time. This is magical thinking as it ignores the democratic backsliding in a digital India. Several recent pieces of legislation create databases that fit an authoritarian frame containing the intimate details of Indians and their family units. This includes the Criminal Procedure (Identification) Act, 2022 that has been made into law; as per Project 39A, it creates “database(s) unnecessary while also infringing on the fundamental rights”. More recently, the Registration of Births and Deaths (Amendment) Act, 2023 builds a national database seeded with Aadhaar, which means data sharing literally from cradle to pyre. It is clear from a map of government projects, policies and laws that all things lead to a Data Act as the destination for total state control.
This tight clasp over our smartphones is incomplete without the private sector. There is also the financial objective — for the digital sector to contribute a fifth to the ambitious $5 trillion dollar economy target by 2030. According to the National Economic Survey, this may be achieved by even having the government selling our data. It is a mistake to term the Data Act as “light touch regulation” as it provides for vast yet vague ministerial discretion. The Union Government can exempt a single company or a class of companies from compliances or suo motu file a complaint against them to a Data Protection Board of India that it constitutes and controls.
Further inspiration seems to have been drawn from the National Intelligence Law of China, where it can now demand any “such information as it may call for.” With such a law, the private sector will perpetually seek the favour of party workers, bureaucrats and Union Ministers for vague compliances, “as may be prescribed”. Companies will fear a government that can pick winners and losers in India’s digital market. Again, this follows a path of centralised state command where industrial concentration has alarmed former Reserve Bank of India Deputy Governor Viral Acharya and economist Nouriel Roubini who warn against select firms as “national champions”. While a set of giant private companies may risk economic growth, for the state, having fewer firms will be easier to control. These developments coincide with a fall in global rankings for economic liberty by conservative centres such as the Cato Institutes’ Human Freedom Index, the Heritage Foundation, and the Hudson Institute.
A warning to heed
So, where does it leave the citizens of India? In September 2018, nearly a year after its decision on the fundamental right to privacy, the Supreme Court upheld but also limited the Aadhaar programme. Justice D.Y. Chandrachud, in his dissenting judgment, drew from Nobel Prize winning author Aleksandr Solzhenitsyn’s experience in Stalinist Russia: “The invisible threads of a society networked on biometric data had grave portents for the future and unless the law mandates an effective data protection framework, the quest for liberty and dignity would be as ephemeral as the wind.” This Delphic warning has achieved a dystopian realisation with the Data Act. Incremental amendments or specific rulemaking when in isolation will not decrease state coercion, as this law is only a symptom of a deeper civic rot. India requires a wider constitutional reboot on digital authoritarianism.
Apar Gupta is an advocate and founder director of the Internet Freedom Foundation