Both in the world of start-ups and software development, iteration is a good thing. In fact, it is the only way to go: build, test, rebuild, test, and so on. The version of Java running on my laptop, for instance, is Version 8, Build 351. When it was introduced, it revolutionised the world of computing and made a host of things, from computer games to mobile telephone operating systems, possible. And it has stayed as the world’s most popular programming tool for two decades because it is being constantly rebuilt and improved.
But in the field of legislation, iteration is not such a good thing. This is not to say that lawmakers get it right first time, every time. That is practically impossible. But when you make a less than perfect law, there are costly downsides: miscarriages of justice, confusing and conflicting interpretations, unintended consequences, and often, making an already bad situation worse. The process of course correction after making an imperfect law is also lengthy and complicated and often involves costly lawsuits to test the provisions of the law against meaning and intent.
Which is why one had much hopes for the fourth — and latest — version of the Data Protection Bill, a draft of which has been placed in the public domain for comment. One would have assumed that having made three previous attempts at framing a law as crucial as this — without a proper data protection and privacy law, there can be no digital economy — the framers would have had the opportunity to do the necessary course corrections, without going through the trouble and expense of rushing through an imperfect law and tinkering endlessly thereafter (the GST Act is a good example — as many as 376 changes were made within the first 10 months after the Act was passed and the changes are still going on; nearly twenty this year alone).
Of course, iteration has helped. For starters, the current draft is noticeably shorter — and simpler — than the earlier versions. The first, 2018 version, ran to 15 chapters and two schedules. The second was only slightly shorter and the third had as many as 89 amendments suggested by a Joint Parliamentary Committee which evaluated the proposed Bill. Now, its just 24 pages, and is much more simply worded. This has been done, as IT Minister Ashwini Vaishnaw said, at the behest of the Prime Minister, to enable “all citizens to understand the Bill.”
The emphasis on the common citizen is understandable, since there is extensive delineation of the “duties” of the data principal — that is, the owner of the data, which is you and me — in the Bill. These include an obligation to “comply with the provisions of all applicable laws while exercising rights under the provisions of this Act”, an injunction against registering “a false or frivolous grievance or complaint with a Data Fiduciary or the Board”, a warning not to “furnish any false particulars or suppress any material information or impersonate another person” and a requirement to “furnish only such information as is verifiably authentic while exercising the right to correction or erasure under the provisions of this Act.”
All this reference to the “digital nagrik”, however, appears to be lip service, just like the conspicuous use of the feminine gender pronouns (she, her) to refer to individuals does not materially alter the safety or status of women in our patriarchal society.
At the core of the Bill is a battle between Big Tech and the overwhelming ability it has to direct or control the public narrative, and the government’s attempt to take that control into its hands. The individual ‘she’ has little say on this.
There has been some give on the part of the government as far as Big Tech is concerned. Data localisation norms for critical and sensitive personal data have been eased. All references to non-personal or anonymised data have been dropped. Data can also be moved to select geographies at the discretion of the Centre, which allows it to both wield a stick over global Big Tech operating in India, as well as use this as a foreign policy tool. The new Bill no longer requires personal data processing to be limited strictly to the purpose for which it was collected, which will further help data collectors to mine it for any purpose they deem fit — usually to boost their revenues.
There are other business-friendly provisions. The government has the power to exempt certain businesses from certain provisions. Compliance has been made easier. And while penalties for breaches appear significant on paper — they are capped at ₹500 crore — the previous provision, which was a percentage of turnover (a much more significant deterrent for Big Tech players) has been scrapped.
But the ‘takes’ are much more significant. The biggest is that the government, which is the biggest data fiduciary in the country, has been kept completely out of the purview of the proposed law. In fact, it has armed itself with sweeping powers to name any “instrumentality” of the government as being outside the purview of the law in the name of “sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognisable offence relating to any of these,” all of which exigencies have been left undefined.
The draft is also noticeably missing in the checks and balances suggested by the JPC. The data regulator, proposed as an autonomous authority earlier, has been changed to an authority, with the Centre retaining the powers to appoint members and fix terms.
When the government is one of the entities meant to be regulated, having a government-controlled regulator raises questions on what kind of checks there will be against bureaucratic and administrative overreach. Without these, the surveillance state will have a free hand.
The writer is a senior journalist