Time's running out to craft a data protection law

On 24 August 2017, a 9-judge bench of India’s Supreme Court passed a historic judgement in the Puttaswamy and Others vs. Union of India and Others case that guaranteed informational privacy to each citizen of India as a fundamental right. It was a momentous occasion in the country’s constitutional law history, as the Supreme Court actualized a new fundamental right, one that finds its basis in the rights to life and personal liberty under Article 21. Possibly, no other country in the world has the right to informational privacy as a fundamental right, meaning thereby that in India, such a right now becomes a part of the ‘basic features’ of the Constitution and therefore becomes fully justiciable, not merely persuasive or recommendatory.

The idea of the right to privacy stems from the right to express oneself the way one desires and to keep such choices private to oneself. It is an amalgamation of several rights: the right to be left alone, the right to body, mind and soul, the right to control over one’s data and information related to one’s personal life, the right to one’s individuality, and the right to be forgotten, besides several other aspects of what constitutes ‘informational privacy’. Privacy is not just an idea, but a way of life that enhances the scope of individual liberty, speech and expression. And this is also linked to the right to dissent in a democracy. This is why it was a moment to celebrate when the country’s top court adjudicated on this right. Four years after this landmark judgement, we must look back and assess how far we have come.

Towards our first legal data protection regime: Until that judgement, privacy and personal data were broadly regulated under Section 43A of the Information Technology Act, 2000, and the Information Technology Rules of 2011 framed thereunder. But it was soon evident that our technology ecosystem was too dynamic and fast-paced for these regulations to sufficiently protect a citizen’s privacy rights. With the rise of digitalization in the country and the rapid increase of technology-led services in the daily lives of people, which in turn led to the sharing of personal data at different levels, the need arose to evolve from a basic level of privacy to a more granular and comprehensive mechanism. Europe passed its General Data Protection Regulation in 2018. India, thankfully, was also working on a data-protection law at the same time. The broad idea of such reforms is to provide citizens ownership of their data.

Following the judgement of the Supreme Court, the government had set up a committee of experts in 2017 under the chairmanship of Justice B.N. Srikrishna, a former judge, who submitted a report titled ‘A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians’ a year later, along with a draft Data Protection Bill.

With principles such as informed consent, data minimization, process limitation and the right to be forgotten embedded in the Bill, its focus was to ensure that citizens know how their data is processed, why it is being processed, for how long such data would be stored, where it’s being stored, how secure it would be, etc. In addition, it featured ‘privacy by design’, a concept that puts privacy at the heart of systems and processes, taking privacy into account during the entire engineering and production processes of a data fiduciary. As the report’s name suggests, the panel’s focus was not confined just to protecting an individual’s right to privacy, but also extended to fostering an enabling environment for free and fair trade and industry. The latter was important, as it recognized the value of data in economic activity and nation-building.

The Personal Data Protection Bill that was introduced by the Centre in Parliament on 12 December 2019, however, has drawn some criticism for blanket exemptions provided to the executive, with little or no judicial or parliamentary oversight.

The Bill was sent to a Joint Parliamentary Committee (JPC) for assessment. While the JPC is currently analysing the contours of the Bill and will soon submit its report, India could become one of the few countries in the world that have enacted a separate law on informational privacy and data protection.

We need an independent data regulator: In order to regulate the implementation of India’s new data protection law, we would need a strong Data Protection Authority (DPA) that protects citizens from any abuse of their personal data. However, in its current form, the envisaged DPA does not have the autonomy of an ideal regulator and is largely executive-driven, with only minimal safeguards against political interference. Besides, its independence could be put at risk by a lack of technical competence.

Time to operationalize privacy: While India has come a long way from where the country was even a decade ago, we still have quite a long road to traverse when it comes to operationalization. Even China has a fully operational privacy law now. It is, therefore, critical that we move forward with purpose and promptitude to pass our own data protection law as soon as possible in order to demonstrate our leadership at the global level in this newly-emerged but important field of jurisdiction.

Once the legislation is passed, the task of implementation and ensuring compliance will begin. Considering India’s size, this is going to be a herculean task. We have to give our people a fully implementable and operational privacy law, complete with attendant regulations (to be framed by the DPA as suggested in the Bill) and rules (to be framed by the government) at the earliest.

Amar Patnaik is a member of the Rajya Sabha from Odisha and a former bureaucrat who worked with the Comptroller and Auditor General of India
