India’s shield of privacy should reflect Article 21
Summary
What began as an enunciation of fundamental rights has taken shape as data regulation of private players. Our personal data protection law must prioritize privacy as a basic rightThe monsoon session of Indian Parliament will likely take up a bill framed in response to the Supreme Court ruling of 24 August 2017 that said privacy is a fundamental right. The Digital Personal Data Protection Bill, a draft of which was published last year to replace an unwieldy earlier proposal, got Cabinet approval this week as part of the Centre’s effort to update Indian laws for the digital age. A shield for our personal data was dearly needed; think of the online heist pulled off by data hoarders before the EU and others tightened rules. If New Delhi enacts its proposed law, digital players must take our point-wise consent for data, explain its storage and/or use, let us wipe our files clean, disclose data leaks and act responsibly in other ways—or risk steep fines. In the okayed version, the facility of ‘deemed consent’ may have been tweaked and relief offered to global operators on data held abroad, but the rest is largely expected to be what was released in 2022 for public comment. If so, then the private sector that’ll be regulated by it has reason to worry about the autonomy of a proposed data board for dispute resolution; a statutory body that stands apart from the day’s government would’ve signalled neutrality. Yet, a reset of the platform-user equation under regulatory oversight isn’t the be-all and end-all of it, even if that’s where this law seems headed.
Nearly six years ago, India’s apex court held privacy as a basic right in consonance with Article 21 of the Constitution on ‘Protection of Life and Personal Liberty’, by which nobody can be deprived of either, except in accordance with a process of law. Basic rights hold value only if upheld against all forces, the state included. To minimize the denial of life and personal liberty, justice demands that only impartial judicial rigour can waive those rights, case-by-case. As a key aspect of liberty, privacy must be seen in similar light. No one should be locked up and nobody spied upon unjustly. The potential indignity of both was captured vividly by the recent Netflix web series Scoop, about a jailed journalist in a brick-and-mortar setting. Given the web’s reach, dignity in the digital realm needs to be secured with no less urgency. To guard online privacy, we should ‘own’ our personal files as the law’s default position, so that it’s for us to part with what data we want, with a firm list of carve-outs for information the state must necessarily have on us for it to function. With the alleged use of spyware like Pegasus not forgotten as a scandal that wasn’t settled satisfactorily, clear limits on intrusion by state agencies are a must. Properly issued e-search permits may click.
The draft bill of 2022, however, gave the government and its arms such wide scope to operate above the rules proposed for private players that its efficacy as a universal data shield—as an assurer of digital privacy ought to be—was thrown in doubt. Even the concept of ‘deemed consent,’ needed for emergency access to data (say, at a hospital), looked a bit too susceptible to misuse by authorities for comfort. Suspicions of a dismissive disposition towards privacy, as seen in the Centre’s push to break chat encryption (for “public security"), have willy-nilly been part of the buzz around this law. Fixing its flaws is critical for it to fulfil its original intent as outlined by the judiciary. If it remains too easy for sarkari officials to peer into our online lives, privacy would weaken as a fundamental right at the very start of its legislative life. That would be a let-down.