Missing: a sound data protection law

It has almost been two years since the Supreme Court delivered the K S Puttaswamy-I (2017) judgement, ruling ‘privacy’ to be a fundamental right. However, this epic declaration did spur any change in Parliament, especially on a data protection law, one of the essential elements of privacy. This facet of privacy was emphasized in the judgements of Justices DY Chandrachud and SK Kaul. Additionally, in the Aadhaar judgement (K S Puttaswamy–II) (2018), Justice Chandrachud had emphasized on a stronger data protection regime for India, where more than 40% of the population is surfing the internet without any safeguard.

Following the judgement, the Government of India had appointed an expert committee under the chairmanship of retired judge BN Krishna. The recommendations of the committee became the basis for a legislative Bill, the ‘Personal Data Protection Bill, 2018’, but it remains a Bill.

One major reason that the issue of data protection came into existence was the Aadhaar project, which gathered criticism against itself for its unruly data collection process, under which information pertaining to demography, fingerprint and iris scan were being taken without any set objective. It did not stop there, as the original Aadhaar scheme came through a notification in 2009, and not through an enactment. There were no set standards as to what information had to be collected by different states. This created a major privacy concern across the nation, as states were collecting different information, which were not even required for Aadhaar. One such instance was of state governments collecting information pertaining to ‘Caste’ to enrol people for Aadhaar. As Aadhaar was linked to more than 240 government schemes, most people had to register themselves for Aadhaar.

Proximate to that time, there was also news that the 2016 US elections were being manipulated by way of voter-profiling with the help of social media giants such as Facebook and search engine website Google. This raised an array of questions over data privacy under Aadhaar as well, and the possibility of something like that happening in India. Therefore, it became a matter of urgency that concerns pertaining to data protection are softened as soon as possible. The fact that there is a major threat to privacy coming not only from the ‘State’ but from the ‘non-state’ actors as well makes it much more critical that a sound privacy protection regime is forged.

It needs to be said that a good data protection law will not only protect the citizens against the ‘State’ but rather it also works as a safeguard against multinational corporations, who have been manipulating behavioural choices of their customers in the name of better services. As most of these are multibillion-dollar e-commerce corporations, the customers using their services are at a disadvantage when it comes to bargaining with them on privacy issues. If you visit any e-commerce website today and click on the ‘privacy’ option, you will realize that most of the privacy clauses drafted by them are pretty much one-sided -- favouring the corporation.

In order to bring this disparity in bargaining power to an end, it is necessary that there is a sound data protection law, which would bring consumers on par with these corporations. These concerns are well met by the new Data Protection Bill, 2018. It not only abrogates collection of personal information by social media and search engine websites, but it also obligates them to notify the customer as to what use the information collected by them will be put to.

The pending data protection Bill suffers from a serious disability. There are several provisions under it which give overriding powers to the government to collect any kind of personal, critical or sensitive information of the citizens (perusal of sections 13, 14, 15, 16 and 19, 20 and 21 of the Personal Data Protection Bill, 2018).

The bill also obligates the corporations dealing with Indian Citizens to store one set of all the information with them in India. For example, Facebook, which has more than 400 million users in India, needs to store one set of all that information in India. But, keep in mind that though it looks like an accountability-enforcing move, it is actually meant to enable the government’s mass digital surveillance. Under sections 13, 14, 15 and 16 of the Bill, the government can access any information in India, which means it will also include information stored by Facebook in India as well. Welcome to the Orwellian era.

Therefore, an enactment which was meant to be a great leverage against the tendency of the State and MNCs to invade the privacy of individuals has been turned in this Bill into a mechanism of digital captivity. The only change that this Bill will bring about is to change the masters of personal data -- from the ‘non-State actors to ‘State’ actors.

(The writer is Assistant Professor of Law, National Law University, Odisha)