In Election Season, Privacy Demands a Public Voice

Privacy is an essential aspect of liberty and dignity, and is not only a right in and of itself, but also one that enables the exercise of other rights. Without guarantees that privacy would be protected, the space for dissent, which is crucial in a democracy, would be limited. Crucial rights, such as the freedom of religion, speech and expression, and the right to information are dependent upon the right to privacy. Privacy ultimately ensures that the state and third parties do not gain untrammeled access into our private lives, and individuals enjoy a degree of freedom in shaping the personal aspects of their lives, without fear of persecution, judgment, or humiliation. 

The recognition of privacy as a fundamental right, in the Justice Puttuswamy v Union of India decision is only the first step towards securing a robust privacy protection regime. Whichever government emerges victorious in the 2019 general elections, must enact a comprehensive data protection legislation at the earliest. In the face of the Cambridge Analytica scandal, as well as emerging technologies that seek to collect increasingly greater amounts of private data, privacy protection must be treated as a policy priority. Further, the new government must ensure the privacy protection is kept central to all spheres where governmental functions interact with the private lives of individuals. This would entail that the new government must consider broader surveillance law reform, and only minimally regulate personal aspects of individuals’ lives. 

Privacy is not an elitist construct, but one that impacts all sections of society. It is imperative that voters scrutinise poll promises in manifestos and speeches, as well as examine the track record of previous governments when it comes to privacy protection, before casting their vote. It is, therefore, worth examining some privacy related developments in different spheres in India.

Aadhaar and the Puttuswamy Decision 

With 99% of India’s adult population enrolled, the most recognisable manifestation of privacy in recent times has been the Aadhaar scheme. Broadly, the challenges to Aadhaar fall within three classes –constitutional issues, procedural and substantive issues in the provisions of the Aadhaar Act itself, and finally, the implementational challenges. The initial lack of statutory basis to Aadhaar, followed by the mandatory linking of Aadhaar to avail certain services led to the scheme being challenged before the Supreme Court in the Puttuswamy case.

An assertion during the proceedings that the right to privacy was not a fundamental right led to the court making a reference to a historic 9-judge bench. The need for this reference arose on account of an uncertain legal regime created by virtue of two decades-old judgments where the court ruled that privacy was not a Fundamental Right. Since these decisions had been passed by benches of five judges or more, the reference to a larger bench in Puttuswamy was necessary to overrule them. While it is unfortunate that even in the 21st century the status of the right to privacy had to be contested, it did, fortunately, provide an opportunity to the Supreme Court to definitively accord constitutional status to the right.

The Puttuswamy judgment not only recognised the right to privacy as a fundamental right, but also enriched it by protecting different aspects of the same. Generally, privacy has two conceptions[1], a negative and a positive one. The “negative” conception of privacy, considers privacy as an aspect of liberty, and exists as a claim against the state as a “right to be left alone.” This conception is seen usually in the American legal system, and is manifested in the form of limits to state power, for instance, the state requiring a warrant to search a person’s home (Cornell 2016). The court, however, went beyond this and recognised a positive dimension to this right as well. This conception is grounded in dignity, witnessed in continental European systems. It provides individuals room to freely and autonomously make personal choices and shape their persona. Typically, this covers the privacy of family matters, choice of sexual orientation among others. Further, the court also recognised an individual’s right to privacy over their personal information and exhorted the legislature and executive to introduce a data protection legislation. Finally, the court laid down that any infringement on privacy must necessarily pass the muster of a three-pronged test –first, any infringement on privacy must be laid down by law, second, it must pursue a legitimate state purpose, and finally, it must be necessary and proportional.   

Applying the right to privacy, the Supreme Court upheld the Aadhaar Act but struck down its mandatory linking with any notified service, limiting it only to certain cases such as the provision of welfare services, or its linking with PAN cards. It also additionally read down other provisions of the Act, and introduced safeguards, such as requiring judicial involvement in the sharing of Aadhaar data. Amendments seeking to nullify some portions of this judgment were introduced by way of an ordinance. Once the Parliament reconvenes, Aadhaar would be among the first few privacy related legislations that our ministers would need to grapple with. 

The most enduring contribution of this judgment, however, is to bring to India, a “privacy-first approach.” Government programmes would no longer be able to mandate data collection without being adequately backed by legislation and without pursuing legitimate aims. Programmes such as the NATGRID, Smart Cities, and the Sex Offenders Registry, may need to see legislative enactments to be compliant with the decision. Similarly, corporations would no longer be able to shrug off data leaks and breaches without regard to individual privacy.  

Parliamentary Engagement with the Right to Privacy

The bulwark of any democracy is its legislature. Over the tenure of the 16th Lok Sabha, numerous developments in the sphere of privacy have occurred which can have a pervasive impact on the lives of Indians. The three main tools available to parliamentarians to engage on any subject, are legislative powers, debates and questions on the floor, and parliamentary committees. 

Some of the major legislations (proposed or enacted) impacting privacy have been the Aadhaar Act, the Transgender Rights Bill, and the DNA Bill. While privacy considerations have been factored in, some aspects remain less than satisfactory. Since Aadhaar, essentially an executive scheme having massive privacy implications initially lacked legislative basis, the enactment of the Aadhaar Act, and the incorporation of privacy protection measures therein were welcome measures. However, its certification as a money bill entailed that the Rajya Sabha’s seal of approval was no longer necessary. Key amendments proposed by the “House of ‘Elders’”, therefore, did not see the light of day. Similarly, some provisions of the Transgender Rights Bill fall foul of the right to self-identify one’s gender, recognised by the Supreme Court as an aspect of privacy (Hegde 2019). Although the bill ultimately lapsed, it is likely that the same may be reintroduced in the next session.

Four attempts were also made to introduce a data protection framework through private member’s bills. While these bills were by no means comprehensive enough to be able to adequately protect personal data, they ensured that privacy and data protection stayed alive as policy priorities. India, however, has a notoriously poor record when it comes to private member’s Bills, with only 14 such bills becoming laws since 1952. Naturally, therefore, there is not much cause for optimism on this front.

On the floor, several questions were raised relating to privacy. As expected, questions concerning Aadhaar were among the most frequently posed. Aside from this, there have been questions relating to data protection, cyber security, and surveillance. Thus, parliamentarians now certainly recognise privacy as a subject that merits debate. Questions, however, do not appear particularly probing, and have been superficial in nature, usually limited to queries on information that is sometimes already available in the public domain, and other times not addressing the core aspects of issues themselves[2]. For instance, MPs raised questions regarding the measures the government had taken to protect private data, and on the progress of the expert committees constituted to look into the same. Questions do not appear to have been raised pertaining to the actual contents of the report or concerning the committee’s recommendations themselves.

In terms of work by the Committees, many of the select committees constituted to examine bills have listed out privacy-based concerns with proposed legislations. For instance, in the Surrogacy Rights Bill, only medically certified heterosexual infertile couples were permitted to resort to surrogacy, and that too only through close family members. The committee examining the bill rightly pointed out that the move would have required a couple to disclose its infertility status to other family members. Not only would this have been a violation of the right to privacy, it would have also exposed them to possible stigma. Further, the bill did not recognise the right of homosexual couples, and single parents to make private choices relating to family matters. This aspect of privacy was recognised by the Supreme Court several decades ago in the Gobind v State Of Madhya Pradesh (1975) judgment. 

A marked difference between Indian Committee proceedings is the absence of parliamentarians summoning senior executives of social media platforms to explain allegations of data leaks. In the US, Mark Zuckerberg of Facebook and Sundar Pichai of Google have in the past been summoned to testify before the US Congress. While it is important for such committees to not engage in grandstanding and exercise their coercive powers with restraint, it would be a strong vote of confidence for the right to privacy if parliamentary committees, in exceptional cases, summoned the senior management of corporations, and demanded accountability in the event of breaches or data leaks. 

Companies must respect the prerogative of Parliament to summon individuals connected with the work of Parliamentary Committees. Parliamentary Committees ultimately work to investigate matters of public concern, and in today's day and age privacy and data protection are matters of importance for all strata of society. It is only natural, that in times to come, as and when there are allegations of data breaches/leakages, Parliamentarians would be concerned about the interests of their constituents and would demand accountability from companies who hold sensitive personal data of individuals in trust. Legislatures across the world, such as those in the US and in EU have summoned officials of the highest levels of management of social media companies over a variety of issues such as fake news, competition law violations as well as privacy. 

The recent move by the Standing Committee on Electronics and IT to summon social media execs was done with a view to "safeguard citizens’ rights on social/online news media platforms”. It was expected that issues of content moderation on social media and the spread of fake news were to be discussed. These are legitimate issues which can have an impact on the rights of citizens online to access information freely, and also the rights of the information disseminators to put forth their views freely. As Standing Committees are non-partisan and are composed of MPs transcending party lines, social media houses must respect the work of Parliament and cooperate with its Committees. Companies must assist lawmakers in their investigations by providing accurate responses to queries posed to them and provide such information as requested. This would require that the individuals appearing before the Committees are well-versed with the workings of their companies and are in a position to answer all queries, including those of a technical nature. Moreover, the executives appearing before such Committees must be authorised to make any commitments as required, during the course of the proceedings.

The Justice Srikrishna Committee and the Draft Data Protection Bill

India’s present data protection framework is highly disaggregated, and certainly not comprehensive enough, especially when compared to how other jurisdictions such as Europe protect their residents’ private data. Efforts in the past, such as the 2012 Justice AP Shah Commission, and a leaked “Approach Paper” by the Government evince that previous attempts at introducing a comprehensive data protection regime have failed. In 2017, the Justice Srikrishna Committee was constituted to draft a data protection legislation for India and provide a roadmap for the regime (Gupta 2018). After nearly a year of deliberations, the Committee submitted a White Paper, a Report, as well as a Draft Data Protection Bill. This Bill is being examined by the executive and is expected to be tabled in the first session of the 17th Lok Sabha. 

The bill is significant, for it fundamentally alters how data is to be treated, by introducing an element of “trust,” by terming those parties entrusted with private data as ‘data fiduciaries’. It also prepares a new governance framework, by establishing a Data Protection Authority (DPA), tasked with regulating and implementing the Act. A duly empowered DPA would be necessary for the successful implementation of the bill. Some aspects relating to this, however, such as reliance on excessive delegated legislation amount to a legislative abdication of duties and are worth reexamining. For instance, the DPA enjoys wide discretion in deciding what constitutes “sensitive personal data,” a category of personal data enjoying higher threshold of protection.

Further, innovations such as “privacy impact assessments,” and the requirement of providing notice and taking user consent before collecting data, are welcome. These conform to the cardinal principles of data protection, including data limitation, and privacy by design. This entails that only a limited amount of data would be collected, so as to provide the services the user is consenting to. Privacy by design requires public and private services and products to account for any privacy infringements occurring as a result of using the same, and providing for ways to address them. 

Some provisions, such as those mandating “data mirroring” or requiring copies of information collected and processed within India to be stored in servers physically present in India, while desirable from a law enforcement point of view, may act as a major disincentive to the private sector which would incur higher compliance. Moreover, such requirements may also be challenged at fora such as the WTO, if viewed as barriers to free-flow of trade. Even the Members of the Srikrishna Committee themselves did not uniformly endorse this idea. 

In terms of legislations that impact the daily lives of individuals, this Bill is perhaps the most significant for years to come, for it would regulate how our most private data is collected, processed and made available to others. At a time when everything from our identification documents, health and financial records, engagement on social media platforms, shopping and food ordering habits, to even our dating history are available with private business concerns, it is essential that the profit motive does not eclipse the duty of trust owed to us by those who collect and process our data. Moreover, such data, could in fact, be analysed in ways to profile individuals to learn their sexual orientation, political ideologies, religious leanings and other sensitive information, which could not only be monetised, but also be of interest to future authoritarian governments. By not including provisions relating to surveillance reform or the Aadhaar scheme, the bill continues to remain a work in progress.

The MHA ‘Snooping Order’

Section 69 of the Information Technology Act (IT Act) permits interception, monitoring, and decryption of data stored on computer resources. This, read in conjunction with the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 put in place the procedural framework for digital surveillance to be followed by competent law enforcement agencies (LEAs). The Rules however did not specify the LEAs. In order to rectify the same, in 2018, the Home Ministry designated ten agencies, including the R&AW, DRI, and CBI as the competent LEAs. 

Concerns were raised following the notification that it amounted to transforming India into a surveillance state. In reality, the scheme under the 2009 Rules are similar to the wiretapping procedure under the Telegraph Rules. Here too, authorisation is provided by the Home Secretary upon request by competent LEAs. The notification did not confer any new powers upon the designated agencies [3]. Further, the Rules under which the said notification was issued have been in existence since 2009. Since the Rules stipulate that only competent LEAs may make requests under §69, the objective of the notification was simply to clarify who those agencies are. 

This however, by no means entails that digital surveillance is not without flaws. First, despite the IT Act’s surveillance framework being similar to the Telegraph Act, both statutes differ considerably. The Telegraph Act permits surveillance only once it has been established that there exists a public emergency or that it is in the interest of public safety. This requirement is done away with in the IT Act. Moreover, the IT Act introduces “defence of India” and “investigation of any offence,” which do not feature in the Telegraph Act, as new grounds for when digital surveillance may be carried out. Surprisingly, it would appear, therefore, that the colonial era Telegraph Act contains stricter standards for surveillance than a law designed for the 21st century. Second, the IT Act’s procedural architecture suffers from the same structural flaws as that of wiretapping. For instance, the adequacy of the Home Secretary-based authorization is questionable. In many jurisdictions, such authorization is provided by members of the judiciary. Moreover, even within the present framework, the Home Secretary receives on average 250 requests per day for interception under the Telegraph Act alone. For an official tasked with the overall functioning of the Home Ministry to be able to carefully scrutinize such a high volume of interception requests in addition to his/her other official duties is questionable. 

Finally, digital surveillance permits disproportionate access by the state into the private lives of individuals. In case of wiretapping the state only gets prospective access to communications. In case of digital surveillance, however, entire conversations, including those predating an alleged conspiracy/crime, as also those with individuals wholly unconnected to the matter being investigated, are made available to the state. Thus, while the recent MHA notification limits the use of Section 69 only to competent agencies, broader structural reforms to the surveillance architecture continue to remain elusive. Given that the Supreme Court is presently seized of a challenge against Section 69, the new government must adopt an accommodative stance in bringing about changes in this sphere. 

Data is often termed the new oil. But data is not oil, oil will eventually run out. Data is an ever-replenishing source of ungodly amounts of revenue, waiting to be collected, processed, mined, analysed, scrutinised, and ultimately monetised. Through digital payments, artificial intelligence, big data, autonomous vehicles, drone operations, among many other developments, privacy will be impacted from new quarters – some which are not even foreseeable today. In the coming years, newer aspects of our everyday lives would be brought into cyberspace. It is essential that in election season, privacy be brought to the forefront of issues that the electorate considers significant. Whichever government India elects, would need to be one which has a clear vision to steer India through the times to come.