India, the world’s largest democracy, is also among the biggest surveillance states.

The country ranks behind only Russia and China when it comes to surveilling citizens, the UK-based research firm Compritech has found. On the company’s privacy index, India scored 2.4 out of 5, indicating a “systemic failure to maintain [privacy] safeguards”.

With a score of 2.7, the US was the seventh-worst performer among non-European nations. The main reasons that pose a threat to Americans’ privacy include constant updating of the database of biometric information, and data breaches across all sectors, Compritech said.

The survey was conducted across 47 countries, and their privacy safeguards were ranked based on constitutional protections, statutory protection, privacy enforcement, biometrics, data sharing, and the government’s access to data, among other things.

Though European nations fare better due to the stringent General Data Protection Regulation laws, “not one country is consistent in protecting the privacy of its citizens,” Compritech said. “Several countries are creating what can only be described as surveillance states, with privacy rights seemingly taking a serious back seat.”

This is particularly true for India.

Why India failed

The Indian constitution guarantees a fundamental right to privacy, but the level of privacy Indians enjoy is low, due to a number of factors.

  1. Aadhaar identification system: Under Aadhaar, citizens get a unique identification number. The system houses the largest biometric database, or data of 1.23 billion people. The controversial system has made headlines in the past for various data breaches. Aadhaar database also contains information such as purchases, bank accounts, and insurance.
  2. Data protection bill: “It is yet to take effect and there isn’t a data protection authority in place, meaning privacy protections are weak at present,” Compritech noted.
  3. Monitoring WhatsApp: In its findings, the survey mentioned that the government’s efforts to get Facebook-owned WhatsApp to make its messages traceable by adding a digital fingerprint to every message sent, is not helping the cause of privacy.
  4. CCTV: Regulations related to closed-circuit television surveillance are vague and any privacy laws relating to it are open to interpretation.
  5. Other reasons: India’s efforts to install hi-tech border surveillance and the practice of frequently sharing information with the US violates privacy rights. Notably, India also has multiple mutual legal assistance treaties with different countries. Compritech also stated that recently India has allowed 10 government agencies to authorise to decrypt, monitor, and intercept data on any computer – subject to the approval of the home secretary – and if service providers fail to offer intercept capabilities, they could face prison terms of up to seven years.

Compritech observed that laws in India have now started to protect data privacy but it was sceptical about the success.

“Covert surveillance will also be banned when the new data protection law comes into power,” it said. “However, with surveillance tactics and biometrics already going incredibly far, it’s questionable as to how much law will change things.”

Safe havens

Among non-EU nations, Norway with a privacy score of 3.1, tops the list. However, the introduction of biometric-based identification can put its rank in danger, according to Compritech.

Among EU nations, Ireland, France, Portugal, and Denmark are among the top four with adequate safeguards. Malta, on number five spot, had safeguards with weakened protection.

“What is interesting about these top five – the only ones to receive an adequate score – is that they are all governed by the GDPR laws,” noted Compritech. GDPR laws ensure data protection and privacy for all citizens of the EU and the European Economic Area. It also addresses the transfer of personal data outside these areas.

This article first appeared on Quartz.