Data, we are told with tiresome frequency, is the new oil. Well, this oil flows only in one direction — from every one of us ordinary citizens into the hands of those who receive, collect, manipulate and use (or misuse) it.
August 24 marked a year since the Supreme Court’s landmark judgment recognising the right to privacy of every individual as a fundamental right under the Constitution of India. We often take our privacy for granted; however, in an age when nearly 2.5 quintillion bytes of data are generated every day, the right to privacy has large implications, particularly on the manner in which the state and others collect and use our data. Whether it is submitting a form for a college application or downloading the latest app for our phone, we unknowingly share information about ourselves with a wide range of entities, without realising the repercussions involved. Cambridge Analytica’s website rightly said “Data drives all we do”, and the scandal which was exposed revealed how they manipulated data to influence the commercial and political choices of common citizens.
That scandal is one among many worrying signals about the extent to which vested interests are willing to go to mine the “new oil” of the 21st century. India has undertaken an ambitious project to create the world’s largest biometric database in the form of Aadhaar, ostensibly to regulate the transfer of benefits from government to needy citizens. However, the numerous instances of data leaks in relation to Aadhaar reveal the state’s callous attitude to data protection, while it aggressively pursues the syncing of Aadhaar numbers with essential services which have nothing to do with the government, from our mobile phones to our private bank accounts. In the absence of a robust data protection framework, we Indians are all sitting ducks in the world of data fraud and misuse.
This month, I finally introduced the Data Privacy and Protection Bill, 2017 in the Lok Sabha, more than a year after I’d first submitted the Bill to Parliament. (Unfortunately, multiple disruptions prevented me from introducing the Bill earlier.) The introduction was preceded by the release of the Draft Personal Data Protection Bill, 2018, drafted by the Justice B N Srikrishna Committee, which is likely to be adopted by the government as their official Bill. Through the process of public consultation, which has recently been opened on the Draft Bill, we now have an opportunity to contrast and highlight the provisions in the two bills. There are fundamental differences between the two.
A plain reading of my individual-centric Bill confirms that it is built on a strong foundation of the Right to Privacy, as laid down by the Supreme Court. My Bill vests in you, the individual, the right over your personal data, thereby protecting it from misuse by both the state and private players. Your rights over your data imply that it cannot be handled in any manner in the absence of consent.
However, today, consent has become a matter of formality, where we click a button without consciously reading, let alone genuinely agreeing, to the terms and conditions. For consent to be effective, it must be unambiguous, free, voluntary, affirmative, revocable and obtained prior to its usage to a specific and easily comprehensible contract. To ensure consent remains effective, the data must be destroyed after the purpose is served. Despite this, there is a skewed power equation between the data processor and the individual, which any good data privacy law must redress.
The government’s draft Bill grants “the right to be forgotten” but deceptively defines it as disallowing further disclosure of data. It seems that the government wants to revamp the globally accepted meaning of “forgotten” to “limited recollection”. Through this, the government is merely posing as an upholder of privacy, unlike my Bill which has a leak-proof right to privacy through the incorporation of the right to erasure or the right to be forgotten.
Moreover, your ownership rights over your personal data are inalienable. Even if you consent to the usage of your data by another person for any purpose, you do not forgo your rights over your data. You should have the right to revoke permission for its usage, object to its processing or ensure its deletion. If the data is to be used for a purpose different from the one consent was obtained for, or if the duration for usage is longer than it was obtained for, or if there is any other change to the terms for which consent was granted, then effective consent must be obtained afresh for the new terms. My Bill firmly secures an individual’s right to privacy.
At the same time, circumstances such as medical emergency, authorisation by law and investigation of cognisable offences which need immediate use of personal data without effective consent should be allowed. Similarly, your right to privacy can only be diluted when there are no other means to resolve a threat to the security of the state. The state may carry out surveillance or interception of communication only after authorisation by a privacy commission, an independent, impartial, well-resourced authority established in my Bill. The surveillance and interception must be limited to the necessity of the measure and must be proportionate to the threat it wants to overcome. In all these circumstances, from medical to security, the data so obtained must remain confidential and should be destroyed immediately after the immediate threat has passed.
The right to privacy can remain a pillar of our Constitution only if the exceptions are rare and subordinate to your rights. That’s why I have provided for a privacy commission, so that even the claim of a security threat is subject to review. The independence of the commission is maintained by keeping out all those who may have a commercial stake in any activities relating to the right to privacy. Its effectiveness is enhanced through its power to impose civil and criminal liabilities.
You also have to be notified about the purpose, duration and manner of surveillance and interception you were subjected to. Such a measure also ensures that a person may have recourse to judicial remedy if the state has misused its powers. We have to ensure that the state actors cannot become the threat themselves.
The government’s Bill, unfortunately, fails to hold state actors accountable for any form of violation of privacy, even those as grave as interception or surveillance. Instead, the government proposes to confine the power of contesting individual’s privacy violations concerning Aadhaar to the UIDAI, whereas my Bill empowers every individual to fight against the exploiter, either the UIDAI, an errant company using UIDAI data or anyone else, irrespective of the channel through which they obtained the data.
The government has not only used the guise of privacy to strengthen its possibly privacy-violating state actors but has also reduced its own transparency and accountability. The government’s Bill primarily holds private entities accountable for the exploitation of personal data and dilutes the reach of the Right to Information Act; my Bill avoids authorising state actors to use the right to privacy as armour to evade their democratic responsibilities.
My Bill immunises an individual’s right to privacy from any and all misuse, in contrast to the government’s draft Bill, which makes state actors unsusceptible to public scrutiny.
For all these reasons, the government must remove these anomalies and improve its draft along the lines of my Bill. Better still, I invite it to adopt my Bill and pass it. It’s time to choose: Either we dam the new oil of data, or we allow our democracy to be damned.