The Right to Privacy is one of the fundamental rights guaranteed to every Indian citizen by the Constitution of India. It is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.
Today, our privacy is in serious danger of being eroded, partly because of our lifestyle. We deal with hundreds of organisations throughout the day – whether it’s when we buy a bottle of Amul Cool at an ice-cream parlour, or make a doctor’s appointment, call a friend, swipe through Instagram or simply search for a place on Google Maps.
All of these tasks give businesses an opportunity to store our data, which is often used to cater to our needs as customers. Outlets might save your birthdate or anniversary date to send greetings. Your dentist would save your dental records to better serve your interests. Clinics might store your contact details to send you periodic reminders for visiting them or to send you updates on the newest regime available for your particular dental condition. They might even store other relevant medical details like allergies to certain medications. This storage of data comes with risks and responsibilities. After all, it’s your data!
Technically, businesses should store ‘only’ relevant data, with the customer’s consent for a limited period of time.
This would ensure that data is sufficiently protected and not shared without the required consent. Because the truth is, even the data stored by your dentist could be immensely valuable to other organisations. For example, if a local restaurant wants to do business with you, they can send you a coupon, if they have your contact details. Your dentist sharing this data with another person/organisation without your consent would be a serious breach of your right to privacy.
Similarly, the government itself can collect plenty of data about you – from the ration that you collect from the ration store, to the number of gas cylinders that you buy or learning whether you vote or not. With Aadhaar, all of these can be linked at an individual level to create a mega picture of your standard of living. The mere collection of this large amount of your data, could pose a massive threat to your right to privacy.
The Justice K.S. Puttaswamy (Retd) vs Union of India is a seminal case where the constitutional validity of the Indian biometric identity scheme Aadhaar was challenged. It resulted in a resounding victory for privacy. The judgment’s ringing endorsement of the right to privacy as a fundamental right marked a watershed moment in the constitutional history of India. The judgment also concluded that privacy is a necessary condition for the meaningful exercise of other guaranteed freedoms.
What does all of this mean in the context of data protection and why does it play a vital role?
The World Economic Forum’s (WEF’s) Global Risks Report 2019, says, “The largest data breach was in India, where the government ID database, Aadhaar, reportedly suffered multiple breaches that potentially compromised the records of all 1.1 billion registered citizens. It was reported in January 2018 that criminals were selling access to the database at a rate of Rs 500 for 10 minutes.”
At the core of the heated privacy debate, lies the ability of the state to conduct surveillance on the lives of its citizens. This is a debate that predates Aadhaar, as evidenced by the early line of Supreme Court judgments on privacy. The growing protests about Aadhaar and its ability to be used as a tool of surveillance finally forced the government to set up a committee of experts headed by Justice Srikrishna to propose a new data protection law.
This new Government of India bill on data protection merely describes, in brief, the existing process for conducting surveillance under the Telegraph Act and the Aadhaar Act before concluding that any data protection should be exempted in cases of threat to national security or in the case of criminal investigation. It also states, “any such exemption should be subject to strict safeguards, such as a judicial mechanism to provide prior approval invoking such a clause.”
But, there is no discussion in the bill about the scale of surveillance, or even the legal framework for surveillance.The Standard Operating Procedures (SOP) recognise nine central agencies namely, the IB, the NCB, the DE, the CBDT, the DRI, the CBI, the NIA, RAW, and the Defence Ministry, and the State Directors-General of Police and the Commissioner of Police in Delhi, as a part of this exemption.
This begs the question of reliability and abuse of power, because there have been cases in the past of “snooping” by local police in the name of security. Further, the Bill doesn’t address scenarios wherein these organisations themselves get hacked and sensitive data gets out in the open.
The Government of India draft bill on protection of data clearly lacks provisions to ensure accountability regarding the security of citizens’ data.
To amend this, I, as a Member of Parliament introduced a private members’ bill for submission, which explicitly recognises the right to privacy.
Where the Government of India Bill makes it easier for government entities to access data and put its subjects under surveillance in the name of national security, my draft bill on the same issue specifically places restrictions on state entities for surveillance.
Be it any bill, safeguarding the citizens right to privacy should be of the utmost importance and should be at the centre of any data protection framework. The need to address this issue is very crucial and vital, because with every passing day, more and more transactions occur in the digital realm. The ability to store and utilise data is expanding, and a comprehensive data protection law is needed to curb its infringement upon the constitutional right to privacy.
(With inputs from Abhishek Ranjan, and research interns Omkar Sathe, Krishna Chaitanya and Aishwarya Singh)