Mozilla’s CEO, Mitchell Baker, said yesterday that India’s lack of data protection bill has “increased the harm faced by ordinary Indians”. The country’s data protection bill is stuck in draft mode; last we heard of it was when the parliamentary committee invited comments on the revised drafted.
Last December, IT minister RS Prasad floated the new draft of the data protection bill, which listed some controversial points such as social media users verification and forced transfer of non-personal data to the government. Just after the bill was released, Mozilla wrote a blog criticizing some of these aspects of the draft.
Baker said in a TNW Answers session that current expectations from the government listen in the data protection bill poses risk to the average user’s data:
Unfortunately, India’s draft data protection law contains broad exceptions for the government that increases the risk to the average user’s data. We have been advocating for Indian internet users’’ privacy to be protected no matter who processes their data, and have also pushed back against the weakening of encryption under the proposed IT Act amendments.
Earlier this year, Mozilla began to turn on DNS over HTTPS (DoH) for the users in the US by default. If your browser has DoH protection, no one can snoop on your DNS lookups. While the company is exploring to roll out this technology to other countries, Baker believes India’s priority should be a strong data protection bill that protects people’s fundamental right to privacy.
In 2017, India’s apex court ruled in a landmark judgment that privacy is a citizen’s fundamental right. And that judgment has been a cornerstone of many privacy-led debates in the country. Till now, India has relied on its age-old IT Act 2000 for all technology-related debates.
Because India doesn’t have a data protection bill, there’s no regulation on how the government can use the data for facial recognition or define the scope for contact-tracing apps such as Aarogya Setu. A robust data protection bill is the need of the hour for data privacy of users in India.