Privacy isn't negotiable

The Ministry of Electronics and IT (MEITY) is working on finalising the data protection bill. While the bill that was released to the public a few months ago is groundbreaking in many ways, it contains loopholes. Read more about the good and bad aspects of the bill below:

The top-level highlights of the bill include:

The good

  1. Strong obligations:
    1. This bill puts limits on what companies and the government can do with your data - how much they collect, what they use it for, how they keep it safe.
  2. Data Protection Authority:
    1. This bill creates an authority that will be empowered to investigate and fine companies and the government if they put our data and privacy at risk. It is also its duty to take requests and complaints from individuals, and grant compensation for privacy violations. However, the government has too much discretion in deciding who this body will be. If the body is not sufficiently independent, how will it effectively regulate government agencies?
  3. Consent:
    1. This bill defines and puts in place meaningful consent - which means that the long tedious ‘privacy policy’ you’ve had to blindly accept will have to change to be easier to understand and give you a meaningful choice.
  4. Biometric Data:
    1. This bill states that biometric data and the Aadhaar number are “sensitive personal data”, which means that in order for this data to be collected, processed, etc., there are stricter obligations in place.
  5. No exceptions for agencies:
    1. This bill will ensure that data processing by security, intelligence, and law enforcement agencies will now have to be scrutinized and limited by law.

The bad

  1. Data Localization:
    1. A copy of all personal data is required to be stored in India. This would be bad for businesses, users, and security, and could be a way to enable easier surveillance.
  2. Broad permissions for government data processing:
    1. The government only needs to show that any processing of personal data (like your address and phone number) is “necessary” and processing of sensitive personal data (like your biometrics) is “strictly necessary”. However, without more clarity on what these terms mean, they are prone to abuse, especially because the government isn't required to ask for consent.
  3. Correction, edits, and data portability:
    1. While this bill gives you the ability to make updates and corrections to your data, and move it from one service to another with more ease, the rights to deletion and to object to processing are missing. The bill also allows users to be charged a fee for changing or correcting their data. This means that users who can’t afford this fee may not be able to exercise these rights.

Mozilla Ask Me Anything on data protection and the Aadhaar verdict

This is part of a broader movement for a healthy internet.