Data for Development without Data Protection: A View from India

Problems are emerging in the Government of India’s approach to data protection, which risks sacrificing privacy protection in the name of national security.

February 6, 2023
Indian Prime Minister Narendra Modi walks at the Welcoming Dinner during the Group of Twenty Leaders’ Summit, at the Garuda Wisnu Kencana Cultural Park, in Badung, Bali, Indonesia, November 15, 2022. (Willy Kurniawan/REUTERS)

Data is the lifeblood of the twenty-first century economy. It’s already clear, as India takes up the presidency of the Group of Twenty (G20), that data for development — or “D4D” — will be a key priority of India’s tenure. That’s as it should be.

But there are emerging, serious problems in the Government of India’s approach to data protection. Simply put, there’s a risk that the protection of individuals’ privacy may be sacrificed on the altar of national security. India can and should do better.

When the country held its first Development Working Group meeting of the G20 in December 2022, an important side session was organized to discuss D4D. The focus was a follow-up from Indian Prime Minister Narendra Modi’s pledge at the G20 Leaders’ summit in Bali in November that data will be integral to India’s G20 presidency.

At the meeting in Mumbai, Amitabh Kant, the G20 Sherpa for India, spoke of the power of data to bring about good governance. Kant asserted the need for generating quality data in real time from across sectors and for the use of data analytics, machine learning and artificial intelligence in governance.

The Indian government has several major initiatives across sectors intended to establish technological infrastructure, products and services for the collection and analysis of data.

The implications are profound. Big data presents myriad avenues for governance interventions. However, the collection and analysis of large data sets, including personal data, raise important questions as to how individual privacy will be protected. Unfortunately, there is little reassurance from the Government of India that the individual’s fundamental right to privacy will be protected, despite the rapid rollout of data collection in India.

The Indian government has several major initiatives across sectors intended to establish technological infrastructure, products and services for the collection and analysis of data. For example, in agriculture, the government has introduced the India Digital Ecosystem of Agriculture (IDEA) initiative. IDEA lays out the framework for compiling extensive data on crops, farms and farmers, and for developing standards and mechanisms around collecting and sharing that data in a vast public database known as the “Agristack.” The government notes that farming practices in India are plagued by major challenges that include yield plateaus, inadequate market linkages, unpredictable and volatile prices, post-harvest wastages and lack of crop planning due to information gaps. Digitization policies such as IDEA, the government alludes, can address these problems by facilitating informed decision making, precision agriculture and innovation.

Central to IDEA is the unique digital ID that will be provided to farmers, and which will contain their personal details, cultivation history and financial details, including credit history.

With respect to labour governance, the government has set up the National Database of Unorganised Workers to deliver benefits to workers under various social security schemes. The database will contain personal details for each worker, such as “name, occupation, address, educational qualification, skill types and family details.”

And, in the domain of public health, the Ayushman Bharat Digital Mission was announced in 2021. This is a project that seeks to digitize individuals’ health records, including prescriptions, diagnostic reports, medical histories and billing information; put the data on a platform accessible to public and private hospitals, labs and pharmacies; and provide citizens with a health ID.

These kinds of modernization policies can be problematic if procedural safeguards of fundamental human rights have not been integrated into their development and implementation.

Quite predictably, the lack of sufficient transparency and accountability in data collection under these schemes has raised fears that the programs are more about gathering data than improving services. The absence of a balanced and comprehensive data protection law in India is a key reason for the concern. That legislation remains in the works.

Indeed, the meeting of the Development Working Group in Mumbai in mid-December came on the heels of the introduction on November 18 of the fourth and latest iteration of data protection legislation, entitled The Digital Personal Data Protection Bill, 2022. This bill is intended by its framers to apply to both the state and private sectors. But it has drawn criticism, quite rightly, for being insufficiently robust in protecting people’s rights to their personal data.

The new draft allows the government wide discretion in exempting state agencies from its ambit in the interest of “sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these” (section 18(2)a).

A data protection bill is not worth the paper it is written on if State surveillance can continue unchecked and unregulated.

Gautam Bhatia
Legal scholar

These powers of exemption have been carried forward from earlier versions of the legislation, despite concerns about their open-endedness and a consequent risk of state surveillance. The perpetuation of these exemption powers in the draft law is surprising, given that the 2021 iteration of the law was withdrawn precisely because these carve-outs met strong opposition. Further, unlike previous versions of the legislation, the most recent iteration includes no guardrails for exempting state agencies. There are no procedural safeguards, oversight mechanisms or guiding principles about what would constitute just, fair and reasonable exemptions.

This change is excessive and alarming. The broad exemption of state agencies is not supported by constitutional principles and legal precedent and will result in the large-scale violation of the informational privacy of citizens.

In its current form, the bill assumes that informational privacy is a secondary consideration when it conflicts with other interests, in particular, national security. But this assumption is false. International human rights law recognizes that the right to privacy, a component of which is informational privacy, can be subject to restrictions, but only as long as they are reasonable and proportionate. In 2018, the Supreme Court of India delivered a landmark judgment affirming that the right to privacy is fundamental under the Constitution of India.

Importantly, the Supreme Court also laid down strict conditions that must apply when the right to privacy is restricted. For example, the restrictions must emanate from a law passed by India’s Parliament; they must serve legitimate government objectives; they must pose minimal interference to individual rights; they must be proportionate to the need; and they must come with procedural safeguards against abuse. But the draft bill’s present wording belies the court’s ruling. Reflecting on this contradiction, legal scholar Gautam Bhatia notes, “A data protection bill is not worth the paper it is written on if State surveillance can continue unchecked and unregulated.”

The draft bill also sets out instances where an individual’s consent may be assumed, which are problematically broad. The list of circumstances where consent may be assumed includes credit scoring and purposes related to employment. No explanation has been given as to why these uses of data qualify for an exemption for informed consent, especially when the surveillance of workers has been on the rise and studies have reported how credit scores often discriminate against marginalized communities. Again, previous versions of the bill contained similar provisions, but with safeguards that have been done away with in the present draft.

The continuing conversation about data-driven governance must include discussions on data justice, to help us “determine ethical paths through a datafying world,” in the words of Linnet Taylor. Taylor, whose scholarship has explored frameworks for data justice, notes that as digital technologies spread and embed themselves worldwide, and as the state’s capacity for surveillance expands, we need to reckon with how social justice can be integrated and upheld.

In effect, issues like data privacy and anti-discrimination must be discussed in conjunction with issues of data access.

There is still time for India to pivot. It is imperative that the country pursue an approach that explicitly aligns with the goals of data justice. The protection of informational privacy is a critical, ethical pathway in India’s journey toward data-driven development.

While some deviations from absolute privacy are inevitable and understandable, these should never be introduced arbitrarily. Legislators must abide by the limitations set out by the Constitution of India. Absent this, visions of a digital revolution could turn out to be another vehicle for rights violations by the state.

The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.

About the Author

Amrita Vasudevan is a CIGI fellow and an independent researcher focusing on the political economy of regulating digital technologies and investigating the impact of these technologies through a feminist lens.