Making a case for a data privacy and protection law in India

Saturday July 22, 2017 , 6 min Read

Given the rising internet penetration and growing emphasis on Digital India, it is imperative to protect the sanctity of data generated by netizens. A legislative framework to address the growing concerns around data protection and privacy is the need of the hour.

The Supreme Court of India on July 19 stated that the right to privacy cannot be an absolute right and that the state may have some power to put reasonable restrictions. A nine-judge Constitution bench, headed by Chief Justice JS Khehar, is revisiting the question of privacy 55 years after the Supreme Court decided that it is not a basic right for citizens.

Adding to the privacy debate with regard to the Aadhaar scheme, Justice DY Chandrachud, part of the nine-judge bench, observed that right to privacy cannot be linked to data protection. He questioned,

How do we define privacy? What are its contents? Its contours? How can the State regulate privacy? What obligations does the State have to protect a person’s privacy?

While the court is yet to give its final ruling, Baijayant Jay Panda, Member of Parliament from the Biju Janata Dal, introduced a private members bill on data privacy and protection on Friday, July 21.

Discussing the non-absolute nature of the fundamental rights, he says, “The nine-judge bench is now looking at the source of right to privacy in our Constitution and develop judicial tests to ascertain its contours. This will be a historic step. I am gratified that several judges’ oral observations seem to be in line with the stand taken by my Bill that privacy is a right but it cannot be absolute.”

He adds: "It needs narrowly defined exceptions to be specified for national security and other limited reasons. Data protection is a subset of privacy and hopefully the Supreme Court will pave the way for a robust data protection ecosystem. We are at a tipping point where we must define rights of individuals and liability of those who have our data."

Indeed, the sanctity of data generated by netizens has become a hotly-debated topic given the growing emphasis on Digital India and financial inclusion. With 391.50 million internet subscribers, as on December 31, 2016, and the government’s robust aim of doubling the internet penetration across the country by 2020, there is a pressing need to educate the masses on their privacy rights, benefits/threats of collection and processing of their data.

Privacy concerns beyond Aadhaar

Any information (data) generated by a user should ideally belong to that individual unless they willingly share it with other stakeholders, be it private companies, the government or a third party.

Now, since the government has established a link between the individual and the data through Aadhaar, privacy becomes important because these documents are used as an identifier.

Ranjeet Rane, Lead for Digital Policy at The Dialogue, an online policy analysis portal, says: “The element of trust is very high. If the information gets mismatched or ‘leaks’ in the public domain, trust is breached. And it cannot be reclaimed. Concerns of user privacy, emergency service management, legal interception and national security are legit in the face of new threats emerging from penetration of mobile internet in the country.”

Reliance Jio allegedly suffered a major data breach, compromising the personal data of over 100 million customers.

There have been growing concerns about rising data leaks of sensitive information online, and there is a perceived danger of misuse of Aadhaar.

Saikat Datta, author of India's Special Forces and Policy Director at the Centre for Internet and Society, says Aadhaar breaches the first lesson of cyber security by providing access to all information via single point.

He says: “The Constitution is very clear— it does not try to limit the power of the individual; it has been defined to limit the power of government over you. The very fact that the government is sitting on 1.3 billion Indians’ information is a danger by itself. The government now has the enormous power to manipulate you, thereby changing the social contract on the basis of which India as a union was formed. India can very easily become a totalitarian state, and you won’t even come to know.”

While Aadhaar has become the focal point in the public discourse, the threats to data security and citizens’ right to privacy goes far beyond it. There is a need to envisage digital privacy as a basic right and a legislative ecosystem for its protection.

The need for a legislative framework

It has never been more important to maintain the balance between harnessing technology and preserving privacy than it is today, given the government thrust on Digital India, financial inclusion programs and the rise of social media, especially Facebook. With a growing number of users, incidents of identity theft, unauthorised access and other such breaches have increased.

Jay Panda believes that with the potential addition of millions of internet users in the near future, this is the most opportune moment to discuss, educate and legislate on data privacy and protection.

Across the board, there is one consensus. As of today, India is not equipped with modern laws that address the rampant problem of opaque privacy and security standards, he says.

The legislative framework regarding the issue of data protection and privacy is dated and is currently viewed under the lens of Information Technology Act.

Calling for a new legal framework that recognises the fast-paced nature of technological growth, Ranjeet says, “Tech has always been 100 steps ahead of laws. A privacy and data protection law is needed but it should be dynamic in nature with a five-year review clause by a high-powered parliamentary committee. Privacy needs to be at the core of this legislation, followed by protection of data given to intermediaries and service providers. Thirdly, legal interception needs to be evaluated and addressed. And lastly, the law should ensure data sovereignty.”

Deliberating on the seven principles, the BJD Lok Sabha Member through a Private Member’s Bill aims to create a constructive public discourse which could assist the government to setup a gold standard for a much-needed Privacy Act.

Our Bill is drafted in such a manner that all obligations and safeguards for personal data also apply to sensitive personal data. One of the major concerns around data has been that people don't have access/control of their own data. I am in favour of a rule-based approach for correction, removal and alteration of personal data. This Bill must not be seen as an attack on Aadhaar but as a shield for data privacy, he adds.