Plugging the privacy gaps
Mains: G.S. II Polity and Governance, Science and Technology
- In recent years, the question of privacy has loomed large over the global legal, political, and commercial imagination, and India is no exception.
- As per Puttuswamy v India (2017), privacy is a fundamental right.
- This was an important development. When previous cases on privacy had come before the Supreme Court, most notably MP Sharma v. Satish Chandra (1954) and Kharak Singh v. Uttar Pradesh (1962), the judges had declared that while in certain circumstances the privacy of individuals was to be protected, there was no constitutional right to privacy in and of itself.
- But a Supreme Court ruling is certainly not enough. The relentless march of global technology and the implementation of the Aadhaar biometric programme, in particular, have created the need to take a new look at the legal position of privacy in India.
- The main battleground of privacy today, as demonstrated by Aadhaar and many others cases, is data, an intangible product that now forms the basis of much of the world economy and carries staggering political capital.
- The rising importance of data has pushed over 80 countries to pass national laws protecting the collection and use of their citizens’ data by companies and the government.
- India will join them as the Personal Data Protection Bill 2019 (DPB) is currently under consideration by a parliamentary committee.
- The Data Protection Bill will have huge commercial and political consequences for India. According to Ernst and Young, emerging technologies in India will create $1 trillion in economic value by 2025. Much of this value will be founded on the creation, use, and sale of data, and the Data Protection Bill will have immense implications as firms scramble to meet new privacy regulations.
Personal Data Protection Bill
- The bill establishes a number of conditions for companies to follow, and for large international tech firms that wish to operate in Indian territory.
- For one, it would require digital firms to obtain permission from users before collecting their data. It also declares that users who provide data are, in effect, the owners of their own data. This has major implications, suggesting that users are able to control the data their online selves produce, and may request firms to delete it, just as European internet-users are able to exercise a “right to be forgotten” and have evidence of their online presence removed.
- But the bill does not protect individuals against the Indian government as effectively. It stipulates that “critical” or “sensitive” personal data, related to information such as religion, or to matters of national security, must be accessible to the government if needed to protect national interest. Critics have suggested that such open-ended access could lead to misuse. Even B N Srikrishna, who chaired the committee that drafted the original bill, warned that government-access exemptions risk creating an “Orwellian state”(destructive to the welfare of free and open society).
- The bill outlines the establishment of a Data Protection Authority (DPA), which will be charged with managing data collected by the Aadhaar programme. It will be led by a chairperson and six committee members, appointed by the central government on the recommendation of a selection committee.
- But this committee will be composed of senior civil servants, including the Cabinet Secretary, raising questions about the board’s independence. The government’s power to appoint and remove members at its discretion also stokes fears about its ability to influence this ostensibly independent agency. Unlike similar institutions, such as the Reserve Bank of India or the Securities and Exchange Board, the DPA will not have an independent expert or member of the judiciary on its governing committee.
Issues of concern
- The need to protect individual freedom is particularly acute as recent developments have suggested that India was acquiring some features of a surveillance state.
- For instance, the government of India has resorted increasingly to facial recognition whereas using this technique violates privacy rights. After the anti-CAA protests and the Delhi riots, Police have identified 1,100 people through facial recognition technology. Nearly 300 people came from Uttar Pradesh. It was a planned conspiracy. How could the police know? It seems that the footage procured from CCTV, media persons and the public was matched with photographs stored in the database of Election Commission and e-Vahan, a pan-India database of vehicle registration maintained by the Ministry of Road Transport and Highways.
- The most recent indication of the Indian government’s casual treatment of its citizens’ privacy was the backlash to the Aarogya Setu contact-tracing app, developed to track the spread of the COVID-19 pandemic. The government first made the app mandatory, but reactions from opposition parties and civil-society groups forced it into backtracking. Technology experts criticised the app for its apparently wanton data collection and its lack of adequate data protection measures.
- Strangely enough, the bill will not be discussed by the parliamentary committee on Information Technology chaired by Shashi Tharoor, but by a Joint Parliamentary Committee (JPC) of 30 MPs, 15 of whom are from the BJP, that is headed by Meenakshi Lekhi. Tharoor has argued that his IT committee holds the mandate to examine the DPB, and has called the government’s decision to refer it to the JPC a “wilful exercise of undermining the House” that shows a “brazen disregard for the Standing Committee”.
- These developments do not augur well for the Indian government’s responsibility when it comes to mass data collection and protection. This is why the privacy bill is such an important piece of legislation.
- The Data Protection Bill is a unique opportunity for India, a country with some 740 million internet users, to forge a path breaking agenda that will act as a standard-setter in the still-developing field of national data protection legislation.