Sunil Abraham is the Executive Director of the Centre for Internet and Society, in addition to being an entrepreneur and free software advocate. Recently he visited the Centre for Culture, Media and Governance at Jamia Millia Islamia, where he delivered a lecture and also found time to speak to Arshad Amanullah on various issues related to privacy laws and data surveillance.

Sunil will deliver three lectures (on September 16, 17 & , 19, 2014) to the students of Media Advocacy, a course that CCMG has launched in the current academic year (2014-2015).


Arshad Amanullah: What is the current status of data privacy in India as compared to more developed countries?

Sunil Abraham: Indian law does not have all the safeguards that are available to citizens under European law, which means that India is technically not data-adequate from a European perspective. That means that European data controllers and corporations are not allowed to outsource their data to India. The Indian government and industry have been pretending that Section 43A of the IT Act is a comprehensive data protection provision, and under that pretext, trade continues. However, there is growing concern in many quarters of Europe. European trade expectations are the third-most important reason why policy is developing in this country. To summarize the reasons, they include the open data approach of the Supreme Court of India; the launch of the UID and perhaps other projects that are similar in their surveillance contribution such as NATGRID and CMF; and trade expectations from the European Union. With respect to the third, Human Rights Commissioners and Privacy Commissioners in European jurisdictions want to uphold the rights of their citizens when their data is transferred to India.

The debate around privacy policy

Arshad : What are the recent developments that have shaped the contours and the course of the debate around privacy policy in India?

Sunil : For the last three years, the Department of Personnel and Training (DoPT) has been working on a draft Privacy Bill. The process had started with a first round of closed-door consultations. A year and a half into that process, they started releasing draft versions of the bill. Some of these draft versions – if I am not mistaken, version three in particular – got leaked and left civil society very concerned at its lack of international best practice and adequate safeguards for human rights. At that point in time, Mr. Ashwini Kumar was the minister in charge of the Planning Commission. Without consulting the DoPT, as far as I understand, he constituted a committee under Justice A.P. Shah. After about eight months, that multi-stakeholder committee produced a report which collated and analysed international practice, and based on an analysis of key laws and draft legislations such as the DNA profiling bill, UID bill, Citizenship Act, Telegraph Act, IT Act, etc. put together a list of principles that should be upheld when it comes to privacy in India. It also conceived a regulatory mechanism. So, that was the second development. This report has been taken back to the DoPT, which from February to August 2013 consulted all other ministries and took their suggestions on board. A new draft is now ready and is with the Law Ministry.

Arshad : Are you referring to the citizen’s draft?

Sunil : No, this is the official government draft. It has been unavailable for the last one and half years, and so nobody has seen it yet. In cooperation with two industry consortia – FICCI and the Data Security Council of India, which is a NASSCOM subsidiary that is responsible for the ITES, KPO and BPO sectors – my research organization, the Centre for Internet and Society, has organized six rendezvous so far: two in Delhi and one each in Kolkata, Chennai, Bangalore and Mumbai. The last one was held in Delhi on the 19th of October 2013. We have had around thirty to fifty participants at each meeting. Seventy five percent of these participants come from the corporate sector, but there is some NGO representation as well. We took the Justice A.P. Shah Committee Report as our starting point and have drafted a bill, and today several large corporations have provided us their feedback on it during meetings, with some of them promising to give us written feedback as well. The US-India Business Council has met us and asked for details of the bill, and we will soon have a meeting with the US Federal Trade Commission. Also, European Privacy Commissioners have a club called the “Article 29 Working Party”. Under European data protection directives, Article 29 requires all Privacy Commissioners to form this working party, which is meant to issue recommendations. Whenever a court within an applicable jurisdiction hears any privacy-related matter, it needs to take these recommendations into account. Those Privacy Commissioners have attended four of our meetings. So we have involved European governments and the US government, and have set about on a shadow, multi-stakeholder, public consultative process of discussing and debating our version of the bill, primarily because the government version is not available. Our intention is to raise the quality of the debate.

Arshad: What is the government’s response?

Sunil : We invited DoPT to our meetings, and they responded by sending a director-level representative to observe the proceedings at two of them. I think their hands are tied, but in any case they will have a public consultative process after the Law Ministry approves the bill. And because a bill as sensitive as this will definitely be referred by the parliament to a Standing Committee, civil society will in any case be able to testify before the committee. Some people say that three years is too long, but most big and complicated laws, such as data protection regulations in Europe, which are now being amended, take a long time. This is not a binary choice – it is not, for instance, about choosing between national security and privacy, or transparency and privacy. In this case, you have to have both, and for that the law has to be very carefully drafted.

There are two important global factors that help us contextualize the Indian situation. The first is the fact that we lack adequacy status. Trade is the biggest reason India might enact a privacy law, because we want personal information from Europe to continue flowing into India. So during talks over the EU-India Free Trade Agreement, India said, “If you want market access and if you want us to drop trade restrictions, then you must consider us data adequate.” This brings up the phenomenon of asymmetric trade negotiation: I am not negotiating access to my market for product A in exchange for access to your market for product B. Instead, for market access one way, I am asking you to consider me data adequate. That involves mixing trade and privacy.

The other international story is Edward Snowden. After Snowden’s disclosures, it seems that the Indian bill will have to take the concerns of the National Security Agency very seriously. This is an instance of the “race to the bottom” phenomenon. Sometimes you have a “race to the top”, where best practices are cherry-picked from different jurisdictions and each jurisdiction slowly gets better than earlier. For example, in human rights, broadly speaking: we have international instruments, and different countries raise the level of rights protection.

Post-Snowden scenario

Arshad : Does this add to the length of the bill? How do considerations such as Snowden’s case affect the Indian privacy bill?

Sunil : After Snowden, America has normalized large-scale surveillance, and it is now common news that its so-called open society and democracy are actually carrying out centralized blanket surveillance of all US citizens. In India it has also become almost impossible to block such centralized blanket surveillance, even though from a security perspective it is completely counterproductive. Centralized blanket monitoring only prevents people from actually speaking. Security is actually undermined.

Arshad : Could you explain the significance of the Justice A.P. Shah report?

Sunil : It was a bit of an unorthodox move by the minister, Mr. Ashwini Kumar, to set up the Justice A.P. Shah Committee. There was no legal basis for the report: the law did not require it, and it did not follow the normal legislative drafting process. Basically, the birth of the UID was connected to the Planning Commission and it was initially housed in the same building, and Mr. Kumar was personally interested in the topic, so the report was produced. The DoPT might have asked about the motive for producing it, or could have just thrown it into the dustbin. Fortunately, the authorities at the DoPT had an open mind and they tried their level best to push the report’s recommendations into the main bill. We now know for a fact that at least some chapters in the government bill incorporate Justice A.P. Shah recommendations, and so we can say that in retrospect, the report has been given the status of representing legislative intent.

Arshad : It was certainly well-timed, and the minister seems to have anticipated the mood of civil society, despite his not having any legal justification for commissioning the report. Would you agree?

Sunil : It was not a case of a statutory body doing what it was meant to do by law. Here the Planning Commission just had an inspiration.

Arshad : Thanks a lot for talking to us.