Trust us: how India takes control of personal data

A creeping authoritarianism now extends to the digital sphere in India.

India is often called the world’s largest democracy. While this brand had cache in the post-independence period, India’s status as a liberal democracy is losing its lustre.

Democracy indexes that have consistently downgraded India on their lists during the past decade have been dismissed as ‘conspiracies’ by the government.

After India recently slumped 11 places on the Reporters Without Borders Press Freedom Index — from 150th to 161st — S. Jaishankar, the Minister for External Affairs, said “somebody is getting something fundamentally wrong in a country that has an uncontrollable press”.

“These are the ways of playing mind games which are like lowering the rank of the country whom you don’t like while others do not,” he said.

But a creeping authoritarianism now extends into the digital sphere.

The Digital Personal Data Protection Act, 2023 was approved by the President in August. It replaces the Personal Data Protection Bill introduced in 2018 and withdrawn in 2022 after criticisms from industry.

The general response to the new Act can best be described as lukewarm since there have been little more than cosmetic changes to its original, draft version.

The focus on the governance of personal data is long overdue, particularly for a country with ambitions to become a cashless society.

Indian citizens are already using smart devices to pay for purchases, to claim entitlements and to access information from the public and private sectors. This includes information on health, education, land records and pensions.

A range of national digital projects covering health, employment, education and other portfolios has given the government extraordinary access to citizen transactions through the national Unique Personal Identity (Aadhar) ID.

Previously and in the absence of privacy laws, some government departments have monetised this data and sold data to third parties in the private and public sector.

In 2019, data from 250 million vehicle registrations and 150 million driving licenses was sold to 87 private companies and 32 government departments for almost AUD$12 million.

These records were sold without owners’ consent, in stark contrast to what is now expected from the private sector and ‘significant data fiduciaries’, as expressed in the new data protection act.

While Big Tech have rightly been brought under a consent framework, the new law appears to still allow government ministries and various government-linked organisations involved in data collection to have unlimited control over all personal data.

This position has been taken supposedly in the interests of national security.

Trust is one of the central issues around personal data protection in India. In liberal democracies, that trust lies mostly with public entities — especially after Big Tech’s repeated missteps. In the context of illiberal democracies, control over such data is an even bigger problem.

The current government has a reputation for excessive control over the internet, for censorship in the name of national security, and for enforcing internet shutdowns when it sees fit.

While clampdowns in the interest of national security can sometimes be justified, the religious-nationalist bent illustrated by the current government’s constant marginalisation of minority groups often dictates where and how these clampdowns are most forcefully maintained.

The result is extended information blockades, as was the case in Kashmir in late 2019 and recently in Manipur state, where open WiFi hotspots have been banned, social media websites blocked and VPN software removed.

While Big Tech certainly needs to be regulated, the government’s actions suggest its inability to accept critique, dissent or opposition. This was most visible during the farmers’ strike in 2021, when it ordered Twitter to remove posts critical of the government and threatened to arrest Twitter employees if the company didn’t comply.

After so many years with little or no regulatory oversight over the use of personal data, forcing Big Tech — also referred to as systemically important digital intermediaries — to get user consent is a sensible development.

However, plain digital intermediaries, including Indian start-ups, are not required to abide by the rules in the Digital Personal Data Protection Act.

With the Indian government openly stating its intent to be a frontrunner in the AI space, experiments by firms using personal data in areas like health are not covered by the Act.

The government also has no plans for legal guidelines regulating the use — and limiting the abuse of AI. In fact, start-ups in general have been granted exemptions from labour and environment laws and compliance with financial reporting that are in place for brick and mortar firms.

There is a larger issue. Much of the data generated by Indian citizens finds its way to data and cloud centres owned by Big Tech — companies like Amazon’s AWS or Microsoft’s Azure. Although the government has invested in its own Meghna (‘cloud’ in Hindi), hyperscale cloud storage in India is all owned by Big Tech.

Big Tech is thriving in India irrespective of attempts to regulate its activities. Arguably, the Modi government is too caught up in its ambitions to transform India into a digital nation and all its citizens into digital natives.

The question is whether this ambition will be shaped by authoritarian pressures or liberal freedoms.

Pradip Thomas is an associate professor in the School of Communications and Arts at the University of Queensland.

Originally published under Creative Commons by 360info™.