First principles should guide India’s privacy law
PremiumIndia’s legislative proposal on personal data protection going back to the drawing board allows us to conceive a law that does actual justice to privacy in an age of online violations
Indians live digital lives in large numbers, going online for reasons of work and leisure, creativity and commerce. That adds up to millions of digital transactions, each leaving a trail of information—the valuable “new oil" of the digital economy. But the internet’s design has been such that of the three stakeholders involved—the individual, tech platform and the government—the former has the least control over who has access to one’s personal details, be it profit-seeking firms or intrusive governments. Data leaks and thefts, allegations of politically motivated use of spyware or the reckless use of facial recognition software make people vulnerable to fraud and faulty prosecution. A data protection law, as has been enacted in several Western jurisdictions, is what citizens need. The wait for such a legal framework, however, has been exasperating. Recently, the Centre withdrew its Personal Data Protection Bill after four years of deliberation, promising a revised version. While this puts the proposal in limbo, it is a chance to start afresh and stick to first principles: individuals must be empowered with legal rights to their personal data and it should be accessible to others only for reasons that are fair, transparent and legitimate.
The idea of such a law draws from a 2017 Supreme Court judgement that upheld the right to privacy as a part of our fundamental rights to life and liberty. The top court directed the government to enact a law to protect personal data, following which a panel chaired by Justice B.N. Srikrishna drew up a draft bill in 2018. But the law introduced in Parliament a year later saw a considerable weakening of safeguards. For one, it gave sweeping powers to the Centre and its agencies to call up data at will, more or less, prompting Justice Srikrishna to flag its “Orwellian" risks. A joint parliamentary committee (JPC) examined the bill, but there was a striking lack of consensus on its provisions across the political spectrum. The JPC’s report suggested 81 changes and 151 corrections, which would have made for an unwieldy draft. Seven opposition members wrote dissent notes, flagging a provision that would let the government exempt itself from strictures on users of data. Critics said this was like two laws being legislated—one that brought commercial entities under scrutiny and another giving state agencies a free pass. By stiffening data localization and increasing the regulatory burden on digital players, the JPC’s recommendations also sparked worries of a business environment that might choke innovation.
Those flaws mean that the cancelled bill will not be missed. But, as the government starts redrafting this vital piece of legislation, it must engage with the dissent and criticism put on record, as well as invite greater consultation. It could take inspiration from the EU’s data law that offers a strong shield against commercial and state surveillance, commits companies to using only minimal data and for specific purposes, bars them from holding data longer than necessary and makes them accountable for lapses. Since our personal data evidently holds value, the basic thrust of India’s revised law should be to accord us explicit ownership of it by default. Consent mechanisms, the use of anonymized data, etc, could all flow from that. Urgently, however, as the Centre revs up its Digital India ambitions, it must commit itself to a clear timeline of delivery. The longer it takes for a new data protection law to go into force, the more it puts the digital Indian at risk.
Catch all the Business News, Market News, Breaking News Events and Latest News Updates on Live Mint. Download The Mint News App to get Daily Market Updates.
More Less