West Bengal considering state legislation to act against apps like Sulli Deals: Derek O'Brien

The TMC MP says the West Bengal government will not wait for the central government to create a law to deal with 'dehumanising' apps that target women. He also calls provisions in the Personal Data Protection Bill Orwellian in nature

Aditi Agrawal
Published: Jan 13, 2022 04:01:02 PM IST
Updated: Jan 13, 2022 05:29:50 PM IST

Derek O’Brien, member of the All India Trinamool Congress

Image: Sonu Mehta/Hindustan Times via Getty Images

Derek O’Brien does not mince words. Calling the move to link Aadhaar database to electoral rolls a move towards “a fascist state”, he says there could be a targeted genocide after this. And on whether the proposed legislation on privacy provides any reparative means to Muslim women targeted by the dehumanising app Sulli Deals and its clone Bulli Deals, he says he has lost all faith in the central government.

As a result, he continues, the West Bengal government—led by his party, the All India Trinamool Congress (TMC)—is considering a state-level legislation to deal with such events.

In an interview with Forbes India, O’Brien decried the Narendra Modi government for destroying all democratic institutions. A member of the Joint Parliamentary Committee (JPC) that deliberated upon the Data Protection Bill, and a former member of the Standing Committee on Information Technology, he says that Clause 35 of the proposed bill is a “bogey” that renders it toothless. “Nobody should be exempt,” he says.

In December 2021, O’Brien was suspended from the Rajya Sabha after he allegedly threw the rule book at the secretary general’s table during a discussion on The Election Laws (Amendment) Bill, 2021, and an amendment which links Aadhaar to voter ID. O’Brien had asked to see the footage of him throwing the rule book. He was previously suspended in September 2020 over "unruly behaviour" as he protested against the controversial farm laws which were eventually repealed in November 2021. Edited excerpts:

Q. A person I spoke to said the Personal Data Protection Bill has moved from protecting citizens in the 2018 iteration to protecting companies in the 2019 iteration to protecting the state in the parliamentary committee’s iteration. Do you agree?

The views of the Trinamool Congress on the Data Protection Bill have been clearly spelt out in the dissent note submitted by Mahua Moitra and me. The provisions in the bill are Orwellian in nature and the committee rushed through its mandate, without providing sufficient time and opportunity for consultations with the stakeholders.

Q. You have maintained that a diverse set of voices was not heard by the committee and meetings were rushed through the pandemic. However, other members I spoke to have said there was enough diversity. Would you agree?

There is a two-part answer to this question. First, the Modi government does not want any institution to function. It wants to destroy every institution. One of those institutions which it is very keen on destroying and trying hard to destroy is Parliament. Why does it want to destroy Parliament? The government is accountable to Parliament and through Parliament, the government is accountable to the people. Once you stop making Parliament functional, like the question you asked me about committees, that means you stop being accountable to the people. Second is the manner in which Parliament and its tools like standing committees have been bypassed. One quick example I can give you now is that till the 15th session of the Lok Sabha [2009-2014], seven out of 10 bills were scrutinised. That number is now down to one—only one of ten bills is scrutinised.

Q. Is there anything in the proposed bill that would allow women who have been targeted by the Sulli Deals and Bulli Deals apps to deal with the incursion into their privacy and non-consensual use of their personal data?

That's a good question. My response to that is a positive one. I'm not going to wait around for the central government to make a legislation on that. We are going to consider bringing something—consider at this stage—like this in the West Bengal assembly. States have to take a lead. I will not wait for the central government to come up with its own version—which it never will. That's why the West Bengal government is seriously considering this.

Q. You have previously talked about, including in your dissent note, how Clauses 35 and 36 grant excessive powers to the central government and exempt basically every government agency. Interestingly, the clauses do not allow the government to exempt political parties. Is there then enough power in the bill to prevent micro-targeting of individuals and abuse of personal data for political purposes, as we have seen with Tek Fog? Because that has ostensibly been done by one political party.

Clause 35 is the bogey in the bill. We can have hours of discussion about Clause 35. If there is one clause in the bill which many opposition parties have strongly objected to, that was Clause 35. There's lots to be discussed in that clause.

Q. Given that Clause 35 does not exempt political parties, do you think it can be used to pursue cases against political parties that misuse personal data, as we have seen in the case of Tek Fog?

Nobody should be exempt.

Q. Where do you stand on the Aadhaar-voter ID linkage? Has the UIDAI actively sought exemptions from the committee?

No, it [the linkage] is unacceptable. This is completely unacceptable because tomorrow who you vote for can be known and you could be targeted. We are moving towards a fascist state where you have targeted [persecution]. There could be targeted genocide after this. The way that bill was passed in Parliament, I mean, it is absurd that we are doing these kinds of things.

Q. Where do you stand on the issue of granting safe harbour to intermediaries, where they should not be held responsible for third-party content posted by users?

Considering the mammoth presence of technology and social media in our lives today, users’ safety and privacy should be central to all our policies. Both governments and intermediaries must recognise their role in India’s democratic functioning today and take proportionate responsibility enthusiastically. We must strive to achieve a balance of freedom of functioning and expression along with accountability in a manner that prioritises users’ experience and welfare.

[O’Brien declined to answer what this “proportionate responsibility” would look like and if it would have a chilling effect on free speech.]

Q. The committee has made certain recommendations about the regulation of social media entities. Do you think we are ringing the death knell for safe harbour with some of the recommendations that have been made?

The whole social media ecosystem needs a serious [overhaul]. Look at what is happening [with Tek Fog]. The worst part is that the government and its own allied entities seem to be involved. I have written two letters and am now waiting for the committee [of home affairs] to discuss this. This entire ecosystem has to be discussed. That is why we are taking it one step further. This is not just for the IT committee to take note of. This is an issue of national security and, therefore, for the home affairs committee too.

Q. In your dissent note, you have recommended that social media accounts should not be linked to users’ identities.

Yes, of course. Are you seeing what is happening in the current election on social media? And the bill [linking Aadhaar to voter IDs] which was bulldozed in Parliament? All of that is linked.

Q. The Joint Parliamentary Committee (JPC) has recommended that minors should be allowed to withdraw consent at 18. The Supreme Court had made a similar ruling in 2018 with respect to Aadhaar. Where do you stand on that?

Regulation of personal data of children is a challenging area. Initially the Aadhaar Act did not give an option to children to withdraw consent on attaining 18 years of age. The Supreme Court in 2018 held that children who are enrolled under Aadhaar shall be given the right to exit. In 2019, the Aadhaar Act was amended to incorporate this provision. The JPC on Personal Data Protection Bill was faced with a similar question. The committee did not make a change to the text of the bill, but recommended that the provision for withdrawing consent on obtaining majority be incorporated in the rules/regulations that will be framed by the Data Protection Authority. Would it have been better had this provision been incorporated in the main text of the bill? Will the committee's recommendations in this regard be accepted during the framing of the rules/regulations by the Data Protection Authority? That is yet to be seen.

Q. How should the press be regulated? Does establishing a statutory body, as recommended by the JPC and the standing committee on information technology, undermine press freedom?

My party and I have always spoken strongly for press freedom. For the press to fulfil its functions, it is necessary to provide them with appropriate autonomy under the Data Protection Bill. The committee has recommended a statutory media regulatory organisation for regulation of different forms of media. If the government goes by the committee’s recommendations, then a statutory organisation to regulate media can be established in the future which will be created and controlled by the government. Will the creation of a statutory body for media regulation lead to misuse? It must be ascertained that the media is not strong-armed due to the establishment of a statutory body. Press regulation is a separate issue and should be dealt with separately. For a free society to exist, there must be a free press. My party will continue taking stands wherever necessary to preserve the fourth pillar in a democracy.

Q. Where do you stand on the data localisation mandate? Is that a feasible ask given how internet infrastructure is set up?

There is a need for a balance to be brought to protect citizens on one hand from surveillance by government agencies, and on the other side from unauthorised use of their data by private companies or foreign entities in foreign jurisdictions. As a developing market with vast potential for data misuse, it is important that we classify data categories clearly and set up appropriate regulatory frameworks for each. The inclusion of non-personal data into this bill, as we pointed out in our dissent note, is one such example of muddling different categories of data. The JPC’s suggestions to assist local companies and MSMEs in complying with localisation requirements, and the legislative restriction of government surveillance on data stored locally, are important to protect businesses and citizens.

Q. You have also recommended that non-personal data should not be a part of this bill. There is a fundamental opposition between the JPC’s belief that anonymisation is not possible and the non-personal data committee’s that anonymisation is possible. Where do you see this debate going?

There is a need for a detailed study and separate framework for regulation of non-personal data and as a result, all recommendations to include any governance of non-personal data should be removed from the Personal Data Protection Bill.

Correction (June 13, 2022 5:30 pm): Corrected the reason for O'Brien's suspension in September 2020. The error is regretted.
