What Enables the State to Disregard the Right to Privacy?

Does the nebulous state of data protection laws in India benefit the government? 

As the internet spreads across the country at an increasingly rapid pace, India has still not been able to establish a legal regime that can adequately address the intersection between civil rights and the threats posed by technological advances in the digital sphere.

The situation is especially alarming in light of the recent notification issued by the Ministry of Home Affairs that now allows for 10 private companies to access personal data. The notification comes after the 2017 Puttaswamy judgment which strongly established privacy as a fundamental right guaranteed by the Indian Constitution. Furthermore, it also comes in the wake of the 2018 Aadhaar judgment where the Supreme Court ruled that private entities will not have access to biometric data.


In this reading list, we analyse the problems posed by India’s data protection laws.

1) Why Is Data Theft Such a Big Problem?

The Cambridge Analytica catastrophe showed that personal data can be used to skew elections. In her 2018 article, Amba Uttara Kak explains that data theft is actually a threat to free speech because it would limit the diversity of opinion by manipulating the pool of information that is available to an individual.

“The manipulation of their preferences may not interfere directly with an individual’s options, but, as legal philosopher Joseph Raz (1986: 377) explains, “perverts the way that person reaches decisions, forms preferences, or adopts goals.” This distortion, too, is an “invasion of autonomy.” India’s constitutional jurisprudence affirms that a range of informational choices is intrinsically important for both individual freedom and democracy.”

2) How Is Data Protection Connected to Our Right to Privacy?

In the Indian context, Aadhaar was central to the debate on privacy and data protection. The main contention, in this case, was that third parties were given access to biometric data that had been collected under the Aadhaar scheme. This was in contradiction to the idea of privacy as control. As Amber Sinha explains in his 2018 article, modern data protection regimes are based on the understanding that privacy constitutes individual control over one’s own data. However, this is often neglected by data aggregators for whom “privacy policies are more likely to serve as liability disclaimers for companies than any kind of guarantee of privacy for consumers.”

“The idea that in policymaking, technological innovations may compete with privacy of individuals assumes that there is social and/or economic good in allowing unrestricted access to data. The social argument is premised on the promises of mathematical models and computational capacity being capable of identifying key insights from data. In turn, these insights may be useful in public and private decision-making. However, it must be remembered that data is potentially a toxic asset, if it is not collected, processed, secured and shared in the appropriate way. Sufficient research suggests that indiscriminate data collection is greatly increasing the ratio of noise to signal, and can lead to erroneous insights. Further, the greater the amount of data you collect, the greater is the attack surface that leads to cybersecurity risks.”

3) What Is the Legal Framework Available to Us?

The Information Technology Act 2000 was introduced to enable online governance and grant legal recognition to electronic records and digital signatures. However, the act leaves far too much discretion and power in the hands of the government, especially when it comes to access to digital data.

“The section [29 of the Information Technology Act] empowers the controller to access any information or data from any computer system if he has a reasonable cause to suspect that any contravention of the provisions of this act has occurred. The controller is an arm of the executive branch of the state and is under the absolute control of the central government and there is absolutely no reason why the controller will not oblige executive whims. Neither the section nor the general context of the act imposes any kind of accountability on the controller – if anything is a subtle (?) attempt at excluding judicial review of actions on the ground that the controller had reasonable cause to suspect a contravention.”

4) Are We Heading Towards a Surveillance State?

The state itself may benefit from the nebulous state of India’s data protection laws. A colonial law, the Indian Telegraph Act, 1885, and later the Indian Telegraph Rules, 1951, allow the government and certain law enforcement agencies to intercept communications, provided that they receive authorisation from the home ministry. Theoretically, there is a comprehensive review mechanism in place to ensure that this provision is not misused. However, from data revealed through Right to Information requests, Zubin Dash finds that the review process is regularly flouted.

“Prima facie, these rules appear comprehensive enough and padded with sufficient safeguards. Yet, based on central government responses to right to information (RTI) requests, annually, the union home ministry approves close to 1 lakh requests for interception, while some estimates place the number between 7,500–9,000 requests per month (SFLC 2014). Even if we assume the lower number at 7,500 interception requests per month to be true, it would mean that the home secretary has to scrutinise about 250 requests for authorisation per day.”


