PM in your DMs: Privacy, politics and digital governance

In the digital age, political campaigning has evolved into a sophisticated arena where the battleground is not just on the streets, but also within the confines of our smartphones. The recent proliferation of WhatsApp messages extolling the accomplishments of Indian Prime Minister Narendra Modi has ignited a fresh debate on the ethics and implications of political micro-targeting.

As the Lok Sabha elections loom large, the timing of these messages raises pertinent questions about their strategic intent and potential impact on the electoral landscape.

Recent revelations about direct messages (DMs) purportedly sent by the Prime Minister have ignited debates concerning privacy, political messaging and electoral integrity. These DMs, disseminated through platforms like WhatsApp, have raised concerns about the ethical boundaries of political communication and its potential impact on democratic processes.

One of the primary concerns surrounding the PM's DMs is their potential to influence electoral outcomes through targeted messaging. Micro-targeting, the practice of tailoring messages to specific demographic groups based on detailed data analysis, has become increasingly prevalent in political campaigns. While personalized messaging can be a powerful tool for engaging voters, it also raises questions about the fairness and transparency of electoral processes.

At the heart of this controversy lies the alleged violation of the Model Code of Conduct (MCC), a set of guidelines aimed at ensuring fair and transparent elections. By leveraging social media platforms for targeted propaganda, the Bharatiya Janata Party (BJP) has been accused of skirting these regulations, thereby raising concerns about the integrity of the electoral process. However, beyond the realm of electoral ethics, the dissemination of unsolicited political messages also strikes at the core of individual privacy rights.

The PM's WhatsApp message campaign

The recent circulation of a message purportedly originating from government channels through WhatsApp has ignited a flurry of concerns, particularly among recipients both within India and abroad. What is raising eyebrows is not just the content of the message, which lauds the achievements of Prime Minister Narendra Modi, but also the manner in which it was disseminated. While it's not uncommon for Indian citizens to receive alerts and updates from governmental bodies via SMS, the use of WhatsApp for such messaging, without a clear mechanism for obtaining consent, has sparked questions regarding data privacy and security.

What adds to the intrigue is the involvement of the Ministry of Electronics and Information Technology (MeitY) in accessing a vast database of WhatsApp numbers. The lack of transparency surrounding the acquisition of these contact lists raises pertinent questions about the safeguards in place to protect individuals' privacy rights, especially considering the global reach of the messages.

Furthermore, the timing of this messaging campaign, just ahead of crucial elections, amplifies suspicions of political manoeuvring. The MCC explicitly prohibits the use of public funds for partisan advertisements and mandates the avoidance of partisan coverage of political news during election periods. By extending beyond national borders, the message's reach raises concerns about the potential misuse of official channels for political gains, both domestically and internationally.

The Election Commission took the matter into its hands and instructed the Ministry of Electronics and Information Technology to cease the distribution of bulk WhatsApp messages as part of the "Viksit Bharat Sampark" program, following complaints received by the Commission.

As concerns mount, one cannot help but wonder: How exactly did the government gain access to such a vast database of WhatsApp numbers? Were proper protocols followed to ensure compliance with data protection regulations? What measures were taken to address privacy concerns, particularly among recipients outside of India? And most importantly, what are the implications of these actions for the integrity of electoral processes and the protection of individual privacy rights? As these questions linger, it becomes imperative to scrutinise the intersection of technology, governance and privacy in the digital age.

Privacy concerns

While Indian citizens are accustomed to receiving governmental notifications, particularly during emergencies, the lack of a clear consent mechanism for the dissemination of political messages on WhatsApp raises red flags. This messaging campaign, purportedly orchestrated by the government, has extended its reach beyond national borders, targeting individuals in Dubai and Pakistan, thereby amplifying privacy concerns on an international scale.

At the crux of the matter lies the unauthorised access to a vast database of WhatsApp numbers, allegedly facilitated by the Ministry of Electronics and Information Technology (MeitY). The opacity surrounding the acquisition of these contact lists and the absence of robust privacy safeguards exacerbate anxieties regarding data protection.

The use of official channels for partisan purposes not only undermines the sanctity of individual privacy rights, but also raises doubts about the impartiality of the electoral process. As citizens grapple with the intrusion into their personal space, questions loom large over the government's commitment to upholding constitutional guarantees of privacy and freedom of expression.

Inadequacy of the Data Protection Act

The delayed enforcement of the Digital Personal Data Protection Act (DPDPA) has sparked apprehensions regarding the expansive powers bestowed upon the government without adequate constraints. This Act, designed to safeguard personal data, appears to provide the government with significant latitude in data handling practices, particularly exempting governmental entities from certain privacy regulations. Section 17 of the Act holds the power to exempt government and other public authorities from its very application at any given time. Consequently, this exemption grants governmental bodies considerable autonomy in data processing activities, potentially extending to political communication and electoral campaigning. The absence of stringent restrictions on data usage raises concerns about the government's ability to exploit personal data for its own benefit, even without obtaining explicit consent from individuals.

This scenario creates a worrisome prospect of unchecked data exploitation, particularly evident in cases of unsolicited promotional messages and political micro-targeting, which contravenes the principles of fair electoral practices. As highlighted in precedents such as TRAI v. Bharti Airtel Ltd. and Ors, the lack of transparency surrounding data acquisition and utilisation underscores the urgency for robust privacy laws and regulatory oversight.

Section 7 of the DPDPA, 2023 permits a data fiduciary to forego obtaining informed consent from the data principal and instead assume consent under specific circumstances deemed necessary for processing. Notably, the DPDPA, 2023 differs from its 2022 version by excluding "public interest" as grounds for deeming consent and processing data without explicit approval. This omission is considered a positive advancement as the 2022 version lacked clarity on the criteria for invoking this provision, potentially leading to its misuse.

It is noteworthy that Section7(b) grants state instrumentalities considerable discretion in processing personal data of data principals if consent has been previously granted or if such data is maintained by any arm of the State. However, it remains uncertain whether such unsolicited and non-consensual data handling by the government would contravene Clause 7 of the Act, given that it has not yet come into effect.

Amidst concerns over violations of the MCC and breaches of privacy, it is imperative to address the existing legal loopholes and ensure that data protection laws empower citizens while preventing potential misuse by political entities. Upholding the principles of individual privacy rights enshrined in Article 21 of the Indian Constitution and reinforced by judgments such as Justice KS Puttaswamy (Retd) and Another v. Union of India is paramount. As India navigates the complexities of digital governance and electoral integrity, it is essential to enact and enforce data protection laws that prioritise the rights and interests of citizens over unchecked governmental authority.

Parallels with Cambridge Analytica

Governments want to know everything about us, but keep their own actions secret. This causes a lot of legal and policy issues. One big concern is the relationship between political parties and voters. Take the Cambridge Analytica scandal in the 2016 US Presidential Election, for example. Facebook didn't do enough to protect our privacy. Cambridge Analytica used Facebook to gather data on millions of users - what they liked, commented on, and more. Then, they sold this data to political campaigns, like Donald Trump's. These campaigns used the information to send targeted messages to people, a tactic called 'micro-targeting'. Having access to this data gives a huge advantage to a party or candidate over others.

Conclusion

In the digital era, our lives are intertwined with data in ways we often don't fully comprehend. Nowhere is this more apparent than in the world of politics, where the power of information can shape the very course of elections. As candidates contest for votes, they tap into a vast array of digital tools, from bulk SMS to social media, to reach voters in unprecedented ways. Yet, amidst the flurry of campaign tactics, a crucial aspect often gets overshadowed: the erosion of voter privacy.

In this digital battleground, voters find themselves unwitting participants in a game where the rules are set by algorithms and the stakes are nothing short of the integrity of democracy itself. Despite the pivotal role they play in shaping the political landscape, citizens are kept in the dark about the existence of vast databases housing their personal information. The notion of consent, a cornerstone of privacy rights, becomes a distant memory as individuals relinquish control over how their data is collected, disclosed, and ultimately weaponised, for political gain.

By shedding light on the shadowy practices of political micro-targeting, we can reclaim agency over our digital identities and demand a more transparent and ethical approach to the democratic process. For in the end, it's not just about winning votes, it's about safeguarding the very essence of democracy itself.

Srishti Sharma is an Associate at Lawsikho. Aarlin Moncy is an Associate at Chadha & Chadha.