In recent years, the question of privacy has loomed large over the global legal, political, and commercial imagination, and India is no exception.
As per Puttaswamy v. India (2017), privacy is a fundamental right. This was an important development. When previous cases on privacy had come before the Supreme Court, most notably MP Sharma v. Satish Chandra (1954) and Kharak Singh v. Uttar Pradesh (1962), the judges had declared that while in certain circumstances the privacy of individuals was to be protected, there was no constitutional right to privacy in and of itself.
But a Supreme Court ruling is certainly not enough. The relentless march of global technology and the implementation of the Aadhaar biometric programme, in particular, have created the need to take a new look at the legal position of privacy in India.
The main battleground of privacy today, as demonstrated by Aadhaar and many other cases, is data, an intangible product that now forms the basis of much of the world economy and carries staggering political capital. The rising importance of data has pushed over 80 countries to pass national laws protecting the collection and use of their citizens’ data by companies and the government. Sometime in the near future, India will join them, as the Personal Data Protection Bill 2019 (DPB) is currently under consideration by a parliamentary committee.
The DPB will have huge commercial and political consequences for India. According to Ernst and Young, emerging technologies in India will create $1 trillion in economic value by 2025. Much of this value will be founded on the creation, use, and sale of data, and the DPB will have immense implications as firms scramble to meet new privacy regulations.
The bill establishes a number of conditions for companies to follow, and for large international tech firms that wish to operate in Indian territory. For one, it would require digital firms to obtain permission from users before collecting their data. It also declares that users who provide data are, in effect, the owners of their own data. This has major implications, suggesting that users are able to control the data their online selves produce, and may request firms to delete it, just as European internet-users are able to exercise a “right to be forgotten” and have evidence of their online presence removed.
But the bill does not protect individuals against the Indian government as effectively. It stipulates that “critical” or “sensitive” personal data, related to information such as religion, or to matters of national security, must be accessible to the government if needed to protect national interest. Critics have suggested that such open-ended access could lead to misuse. Even B N Srikrishna, who chaired the committee that drafted the original bill, warned that government-access exemptions risk creating an “Orwellian state”.
There is enough reason to worry indeed. The bill outlines the establishment of a Data Protection Authority (DPA), which will be charged with managing data collected by the Aadhaar programme. It will be led by a chairperson and six committee members, appointed by the central government on the recommendation of a selection committee. But this committee will be composed of senior civil servants, including the Cabinet Secretary, raising questions about the board’s independence. The government’s power to appoint and remove members at its discretion also stokes fears about its ability to influence this ostensibly independent agency. Unlike similar institutions, such as the Reserve Bank of India or the Securities and Exchange Board, the DPA will not have an independent expert or member of the judiciary on its governing committee. The UIDAI, for its part, has a chairperson appointed by the central government and reporting directly to the Centre.
The need to protect individual freedom is particularly acute as recent developments have suggested that India was acquiring some features of a surveillance state. For instance, the government of India has increasingly resorted to facial recognition, even though using this technique violates privacy rights. After the anti-CAA protests and the Delhi riots, Home Minister Amit Shah declared, “Police have identified 1,100 people through facial recognition technology. Nearly 300 people came from Uttar Pradesh. It was a planned conspiracy.” How could the police know? It seems that the footage procured from CCTV, media persons and the public was matched with photographs stored in the database of the Election Commission and e-Vahan, a pan-India database of vehicle registration maintained by the Ministry of Road Transport and Highways.
Aside from the controversy surrounding the Aadhaar programme, the most recent indication of the Indian government’s casual treatment of its citizens’ privacy was the backlash to the Aarogya Setu contact-tracing app, developed to track the spread of the COVID-19 pandemic. The government first made the app mandatory, but reactions from opposition parties and civil-society groups forced it into backtracking. Technology experts criticised the app for its apparently wanton data collection and its lack of adequate data protection measures. Where these data are stored and who has access to them remain open questions.
These developments do not augur well for the Indian government’s responsibility when it comes to mass data collection and protection. This is why the privacy bill is such an important piece of legislation. The DPB is a unique opportunity for India, a country with some 740 million internet users, to forge a pathbreaking agenda that will act as a standard-setter in the still-developing field of national data protection legislation. Strangely enough, it will not be discussed by the parliamentary committee on Information Technology chaired by Shashi Tharoor, but by a Joint Parliamentary Committee (JPC) of 30 MPs, 15 of whom are from the BJP, that is headed by Meenakshi Lekhi. Tharoor has argued that his IT committee holds the mandate to examine the DPB, and has called the government’s decision to refer it to the JPC a “wilful exercise of undermining the House” that shows a “brazen disregard for the Standing Committee”. Will a transparent debate take place in the JPC and then in Parliament to promote transparency? Such a debate would make Parliament an important power centre again, after the cancellation of the winter session and of the question hours in the previous session.
This article first appeared in the print edition on January 7, 2021 under the title ‘Plugging the privacy gaps’. Jaffrelot is senior research fellow at CERI-Sciences Po/CNRS, Paris, and professor of Indian Politics and Sociology at King’s India Institute, London; Sharma is a student of political science at Columbia University, New York.