After five years of negotiations involving government, tech companies and civil society activists, the world’s largest democracy is sending its privacy debate back to the drawing board. The Indian government has rejected the Personal Data Protection Bill and decided to replace it with “a comprehensive legal framework“. If the current lawlessness weren’t bad enough, no one knows what the revamped regime will contain – whether it will prioritize individuals, as in Europe, or whether it will favor business interests and state parties, like in China.
In 2017, Indian liberals were hopeful. In July of the same year, New Delhi set up a panel under retired judge BN Srikrishna to define data protection standards. As early as the following month, the country’s Supreme Court ruled that privacy is part of a constitutionally guaranteed right to life and liberty. But the optimism soon faded. Legislation introduced in parliament in December 2019 gave the government unfettered access to personal data in the name of sovereignty and public order – a move that will “turn India into an Orwellian state”, Srikrishna warned.
These fears are realized even without a privacy law. Razorpay, a Bengaluru-based payment gateway, was recently forced by police to provide donor data to Alt News, a fact-checking portal. Although the records were obtained legally — as part of an investigation against the website’s co-founder — there was no safeguard against their misuse. The risk of authorities targeting opponents of the ruling right-wing Hindu Bharatiya Janata party has sparked howls of protest at the stifling of dissent under Prime Minister Narendra Modi.
The backdrop of the privacy debate in India has changed. Six years ago, mobile data was expensive and most people, especially in the villages, used feature phones. This is no longer the case. By 2026, India will have 1 billion smartphone users, and the consumer digital economy is poised to grow 10 times in the current decade to $800 billion. To obtain a loan from the private sector or a grant from the state, citizens now have to part with far too much personal data than before: dodgy loan applications request access to entire lists of telephone contacts. The Modi government runs the world’s largest repository of biometric information and has used it to distribute $300 billion in benefits directly to voters. Rapid digitization without a strong data protection framework leaves the public vulnerable to exploitation.
The European General Data Protection Regulation is not perfect. But at least individuals own their names, email addresses, location, ethnicity, gender, religious beliefs, biometric markers, and political opinion. Instead of following this approach, India has sought to give the state an edge over individuals and private sector data collectors. Major global tech companies, such as Alphabet Inc., Meta Platforms Inc., and Amazon.com Inc., were concerned about the now-abandoned bill’s insistence on storing “critical” personal data only in India for reasons of national security. Not only does location hinder efficient cross-border data storage and processing, but as China has shown with Didi Global Inc., it can also be weaponized. The ride-hailing app was forced to delist in the United States months after it was made public there against Beijing’s wishes and was eventually fined $1.2 billion over data breaches that “severely affected national security”.
Yet removing India’s bill will bring Big Tech little joy if its replacement proves even more drastic. Twitter Inc. and Meta’s WhatsApp have both taken legal action against the Indian government – the former against “arbitrary” instructions to block handles or remove content and the latter against claims to trace encrypted messages. The government’s power to impose fines of up to 4% of global revenue – as provided for in the abandoned data protection law – may prove useful in forcing tech companies to go online; it is therefore unlikely that New Delhi will water it down in the new legislation.
For individuals, the big risk is the authoritarian bent of Indian politics. The revamped framework may grant citizens even less protection against a mix of surveillance state and Beijing-inspired surveillance capitalism than the abandoned law. According to the government, it was the 81 amendments requested by a joint parliamentary committee that made the current bill untenable. One such request was to exempt any government department from privacy regulations as long as New Delhi is satisfied and state agencies follow fair, equitable, reasonable and proportionate procedures. It’s too carte blanche. To prove overbreadth, for example in the case of Alt News donors, citizens would have to fight costly legal battles. But to what end? If the law does not beat for the individual, the courts will offer little help.
Minority groups in India have the most at stake. SQ Masood, an activist from the southern city of Hyderabad, sued Telangana state, after police arrested him on the street during the Covid-19 lockdown , asked him to remove his mask and took a picture. “Being a Muslim and having worked with minority groups that are frequently targeted by the police, I fear that my photo will be mismatched and that I could be harassed,” Masood told the Thomson Reuters Foundation. The zeal with which authorities are embracing technologies to profile individuals by extracting information scattered across databases shows a penchant for a Chinese-style command and control system.
India’s scrapped data protection law also wanted to allow voluntary verification of social media users, ostensibly to verify fake news. But as researchers from the Internet Freedom Foundation have pointed out, the collection of identity documents by platforms like Facebook would leave users vulnerable to more sophisticated surveillance and commercial exploitation. Worse still, what was initially voluntary may become mandatory if platforms begin to deny certain services without identity verification, depriving whistleblowers and political dissidents of the right to anonymity. Since it wasn’t exactly a bug in the rejected law, expect it to be a feature of India’s upcoming privacy regime as well.