The Senate testimony of Facebook's CEO Mark Zuckerberg in April 2018 brought the issue of privacy into the mainstream. The role of Cambridge Analytica in rigging the 2016 US Presidential Elections with the help of Facebook’s data brought to light the extent of user manipulation that can take place. It exposed the amount of data that Facebook and other tech firms like Google and Amazon capture. It also brought to the fore the question of the privacy of the individual against private firms and the government.
The Supreme Court of India (SC) has tackled the question of the Right to Privacy (RTP) since 1954. RTP finds no mention in the constitution, and the SC, in the MP Sharma (1954) and Kharak Singh (1962) cases, laid out that RTP does not exist in the Indian Constitution. That was six decades ago, when data use and misuse were limited and Indian democracy was in its infancy and arguably still suffering from a colonial hangover. Moreover, both judgements concerned police searching a person’s home (Ananthakrishnan, 2017).
The elevation of RTP to a fundamental right came about in the Puttaswamy verdict in 2017. Retired judge Justice Puttaswamy filed a petition in the SC challenging the constitutional validity of Aadhaar. A 9-judge bench was set up to answer a broader question relating to Aadhaar: ‘Is Right to privacy a fundamental right in India?’ The Attorney General defended the government, saying that earlier verdicts had dismissed privacy as not being a fundamental right, that it was too broad a term to define and that the RTP is a privilege of the upper classes (Mahapatra, 2017). However, the bench unanimously agreed that RTP is a fundamental part of Article 21, the Right to Life and Personal Liberty.
Numerous other countries, mostly developed ones, have been doing much better than India in preserving this right. The US judiciary, which has supremacy over the other organs of the government, has interpreted RTP to exist. However, data protection exists only for healthcare and financial data. The European Union signed the EU Data Protection Directive in 1995, which has regulated data usage and processing. The EU’s definition of personal data includes everything that can be traced back to a person, including email address, IP address, etc. The EU has the most stringent norms for data privacy, and it has been using its collective bargaining power to force other countries to enact and enforce data protection laws. In Asia, Singapore and South Korea have also come up with reliable data protection laws. Hence, India too needs a robust data protection law to protect the privacy of citizens and prevent the misuse of their data.
The Justice Srikrishna committee was set up against the backdrop of the Puttaswamy verdict to look into the details of data protection in India and prevent security breaches. The report, submitted in July 2018, aims to protect the privacy of citizens while also ensuring the growth of the digital economy. This is in contrast to the EU’s GDPR, which gives primacy to users and their control over their data, on one end, and the Chinese Cybersecurity laws, which provide the State with the right to process the data, on the other (Anupam, 2018). The Justice Srikrishna committee tries to balance both roles. The Committee recommends that the collection and processing of personal data should be restricted, and that the purposes of such collection and processing should be clearly defined and lawful. However, the committee gives the State overarching powers to process personal data for performing its functions. These powers can very quickly be abused in the name of security. The report also includes the ‘Right to be Forgotten,’ i.e. individuals have the right to opt out of disclosure of their data. One of its recommendations is to require explicit consent for ‘sensitive personal data’, since the misuse of such data could be damaging to individuals. However, the report is silent on the definition of sensitive personal data and leaves it to the legislature to enact a law defining the same. Finally, the report recommends setting up a Data Protection Authority to look into violations, prevent misuse and ensure that data fiduciaries comply with the rules (Sircar and Sachdev, 2018).
While civil society is troubled by the possibility of India turning into a surveillance state, corporate India is complaining about the extra cost of compliance that the bill places on it. Data fiduciaries like Google and Amazon will have to hire an additional workforce to review and monitor the usage of data in the company. The bill would also require firms to undertake an internal assessment of the impact of ‘new technology’. However, technology is continually evolving, and hence impact assessment will be difficult, if not impossible (Phillips, 2018).
RTP is a continually evolving concept. What initially started as freedom from state surveillance has now morphed into various facets of an individual’s life, from sexual orientation to privacy in one’s home to data collection by fiduciaries. What falls under confidentiality can and will change as the digital economy changes the contours of the definition. For example, although governments are using CCTV cameras to ensure the safety of citizens, this does violate the RTP, especially as image and face recognition technology becomes commonplace. Although the Puttaswamy judgement elevated privacy to a fundamental right, the extent of privacy was not defined. The Justice Srikrishna committee was supposed to bridge that gap. However, it too has decided to pass the buck to the legislature by keeping ‘sensitive personal data’ undefined with regard to the functions for which the State can process personal data. That said, the report is just a draft Bill, and deliberations on the draft will take place before it is introduced in Parliament. The legislature must ensure that the proceedings are transparent and that all the concerns of citizens are addressed before introduction.
Ananthakrishnan, G. (July 19, 2017). M P Sharma and Kharak Singh: The cases in which SC ruled on privacy. The Indian Express. Retrieved from https://indianexpress.com/article/explained/m-p-sharma-and-kharak-singh-the-cases-in-which-sc-ruled-on-privacy-4756964/
Anupam, S. (August 1, 2018). Can The ‘Ambiguous’ Draft Indian Personal Data Protection Bill 2018 Hold A Candle To The GDPR?. INC42. Retrieved from https://inc42.com/features/can-the-ambiguous-draft-indian-personal-data-protection-bill-2018-hold-a-candle-to-the-gdpr/
Mahapatra, D. (August 27, 2017). Right to Privacy is a fundamental right, it is intrinsic to right to life: Supreme Court. The Times of India. Retrieved from https://timesofindia.indiatimes.com/india/right-to-privacy-is-a-fundamental-right-supreme-court/articleshow/60203394.cms
Phillips, P. (August 04, 2018). Personal Data Protection Bill: Why it may impose an unnecessary burden on India inc. Firstpost. Retrieved from https://www.firstpost.com/business/personal-data-protection-bill-why-it-may-impose-an-unnecessary-burden-on-india-inc-4891871.html
Sircar, S. & Sachdev, V. (July 27, 2018). Key Highlights from the Srikrishna Committee Report on Data Protection. The Quint. Retrieved from https://www.thequint.com/news/india/key-highlights-from-srikrishna-committee-report-on-data-protection
Supreme Court decision on Right to Privacy today: How other countries across the world treat their citizens' data. (August 24, 2017). Firstpost. Retrieved from https://www.firstpost.com/india/right-to-privacy-and-governance-how-other-countries-across-the-world-treat-their-citizens-data-3829423.html