Privacy, in India everything to be redone: the plan does not convince the Government

The new bill on personal data that had aroused protests from big tech and beyond has been deleted. But there is a risk of the boomerang effect: the revision could have greater powers for the state on the basis of a model closer to the Chinese one than to the European one

11 Aug 2022

Patrizia Licata


The government of India has decided to withdraw the proposed law on the protection of personal data that had aroused protests from activists and technology companies, including Alphabet, Meta and Amazon. This was announced by the Minister of Information Technology and Electronics, Ashwini Vaishnaw, in a note to parliament in which he attributed the decision to the wide range of changes to the text on privacy proposed by the Joint Parliamentary Commission (JPC).

For big tech and fundamental rights activists it is a half-way victory, because the new law that will be introduced could be even more controversial than the one shelved, granting the state even more surveillance powers at the expense of data privacy and the protection of individuals' freedoms. A law, according to many commentators, much closer to the one in force in China than to the European GDPR .

Index of topics

•             The tug-of-war with Big Tech on privacy

•             Identity card on social media

•             The difficult path of the right to privacy

The tug-of-war with Big Tech on privacy

The newly scrapped privacy bill was the result of five years of negotiations involving the government, tech companies and civil society activists. Last December, the Joint Parliamentary Committee tabled 81 amendments and 12 recommendations that now push the government to abandon the text altogether to replace it with "a comprehensive legal framework". Activists and big tech fear a step backwards from the recognition of privacy as a fundamental right on which India had routed.

The deleted proposal sought to give the state broad powers over both individuals and companies that collect the data, such as Alphabet, Meta and Amazon, according to the complaint from both the web platforms themselves. Big tech was concerned about the bill's insistence on storing "critical" personal data only in India for national security reasons calling it a double-edged sword that opened up to abuse by the state.

The identity card on social media

India's abandoned data protection legislation also wanted to allow voluntary verification of social media users, ostensibly to check for fake news. But according to researchers at the Internet Freedom Foundation, the collection of identity documents by platforms like Facebook would leave users vulnerable to more sophisticated surveillance and commercial exploitation. In addition, what starts as a volunteer can become mandatory if platforms deny certain services without being able to check identity, depriving whistleblowers and political dissidents of the right to anonymity. This element was not among the amendments indicated by the Joint Parliamentary Group and could, therefore, be retained.

The demolition of the Indian bill is not good news if the new law turns out to be even more calibrated on the powers of the state rather than on the rights of the people. Both Meta's Twitter and WhatsApp have initiated legal proceedings against the Indian government, the former against "arbitrary" instructions to block buttons or remove content and the latter against requests to make encrypted messages traceable.

The government was given the power to impose fines of up to 4% of global revenues and it is likely that New Delhi will also retain this aspect in the new legislation.

The difficult path of the right to privacy

In July 2017, New Delhi set up a panel under retired judge B.N. Srikrishna to frame data protection rules. The following month, the country's Supreme Court ruled that privacy was part of a constitutionally guaranteed right to life and freedom. The liberals' optimism was soon betrayed: the law introduced in parliament in December 2019 granted the government unlimited access to personal data in the name of sovereignty and public order, a move that "will turn India into an Orwellian state," Srikrishna warned.

Those fears are coming true even without a privacy law, reports the Business Standard website. Razorpay, a Bengaluru-based payment gateway, was recently forced by police to provide donor data to Alt News, a fact-checking portal. Although the documents were obtained legally, as part of an investigation against its co-founder, there was no protection against their misuse, giving concrete form to the risk that the authorities would target opponents of Bharatiya Janata, the ruling Hindu right-wing party.

In the meantime, the reference context has also changed. Indian society has digitized: if in 2017 mobile data was still too expensive and most people, especially in villages, used feature phones, today this is no longer the case. In 2026, estimates say, India will have 1 billion smartphone users and the consumer digital economy is poised for a 10-fold surge that will bring it worth $800 billion at the end of the decade.

But this is happening, activists say, at the expense of freedom and privacy. For example, in order to obtain a loan from the private sector or a subsidy from the state, citizens are forced to give up much more personal data than in the past. The New Delhi government operates the world's largest repository of biometric information and has used it to distribute $300 billion in benefits directly to voters. Rapid digitization without a robust data protection framework is leaving the public vulnerable to exploitation. Ethnic, religious and political minorities are the ones who will have the most to lose.