A lot seems to be happening on debating data protection in India but actually, very little is happening to protect people’s rights to privacy and secure their data. For over nine months, a very specific debate has taken place on the shape the legal framework for privacy and personal data should take. Much of this has been channeled towards a particular policy development process – an expert committee chaired by retired Supreme Court judge BN Srikrishna. Appointed in August by the Ministry of Electronics and Information Technology, the committee is tasked with studying the subject of data protection and recommending principles and a draft bill that would “ensure growth of the digital economy while keeping personal data of citizens secure and protected”.
Last week, SaveOurPrivacy.in – a community-driven project aimed at ensuring India’s legal framework puts the interests of citizens and constitutional values first – went public. It unveiled seven principles and a corresponding model bill, a proposed Indian Privacy Code. Prepared by volunteering lawyers and policy analysts and building on previous model bill efforts (including the Privacy Protection Model Bill prepared by the non-profit Centre for Internet and Society, Bengaluru, in 2013), a copy of the SaveOurPrivacy Principles and Model Indian Privacy Code was also shared with Srikrishna for circulation among members of the expert committee.
More importantly, this project was initiated with the idea that the need of the hour is to publicly discuss previous attempts to pass a privacy law in India, current priorities in protecting the privacy of all residents of India and their data, and to ensure that a law with clear regulatory institutions, enforceable rights for individuals, and effective remedy is passed.
Not just about data
Anyone who has read the original notification issued by the Ministry of Electronics and Information Technology in August would be struck by its careful avoidance of the term “privacy”, and a seemingly limited, nearly technical view fixating on “data”. That becomes more understandable when one places it within the context of the government’s statements and public position in 2016-2017, when it was arguing before the Supreme Court that privacy was not a fundamental right in order to pull out a key foundation of the legal challenges filed against its Aadhaar unique identity scheme.
The same month, a landmark nine-judge constitutional bench ruling in Puttaswamy versus Union of India did not create a new right to privacy. In response to strenuous arguments made by several government law officers since 2015, including two successive attorneys general, the Supreme Court asserted that numerous provisions of the Bill of Rights under Part III of the Constitution did indeed provide for a fundamental right to privacy, most notably under the rights to freedom and life and liberty under Article 19 and Article 21.
It was also a constitutional bench of the Supreme Court chaired by Justice Dipak Misra (now chief justice of India) in the WhatsApp-Facebook data transfer matter that pressed the government last year on its position and legal approach to regulating private-sector data transfer. It was during the hearing of this case that the government’s lawyers first disclosed that an expert committee on the subject was being set up.
In December (three months after the committee was set up), the government published a white paper that referred to the Puttaswamy judgement and to a committee of experts on privacy set up by the erstwhile Planning Commission and chaired by former Delhi High Court Chief Justice AP Shah. It also shared a review of the state of comparative data protection legal frameworks internationally. But it made no reference to a 2010 approach paper on a legislation for privacy issued by the Department of Personnel and Training. Or to the fact that the department had compiled a draft bill by 2012-2014 for which stakeholders had been privately consulted and whose text had been leaked into the public domain on various occasions. What was publicly available on that earlier effort (also hinted at in responses to questions raised by MPs and government assurances to them as recently as 2015) indicated a draft bill that would include privacy protections for individuals, provisions on data protection that would regulate both the public and private sectors, as well as a consolidation and overhaul of legal provisions governing state surveillance and communications interception.
State of privacy regulation today
While the Puttaswamy judgement clarified the constitutional position of privacy in India and reasserted its status as a fundamental right, it did indicate that many of its facets – particularly around information privacy – were subject to existing law as well as potential legislative improvements from Parliament.
What India needs today is a strong, comprehensive privacy law that actually seeks to address the challenges and threats facing our current information ecosystem. We need to address our regulatory failure to provide for clear rights for residents of our republic to their data and to prevent mass surveillance.
Overbroad collection, misuse, and increasing breaches of personal data have become common among both private sector and governmental entities in India. The existing legal framework – comprising the ineffectual Section 43A provision of the Information Technology Act, bolstered by spurts of tighter sectoral regulation in some aspects of banking and telecom – is not fit for the task. No regulatory agencies with clear, executable legal powers and enforcement teeth for privacy and data protection currently exist in India, despite the repeated press updates referring to letters sent by the ministries to Facebook and others in the wake of the Cambridge Analytica revelations. (Data analytics firm Cambridge Analytica is reported to have mined the personal information of 70 million Facebook users – including 500,000 from India – to influence the outcomes of the 2016 United States presidential election and the Brexit campaign.)
Like network neutrality, most of the public discourse and policy debates around privacy appear to have everyone agreeing that they all love the principle – in theory. In reality, there are sections that dispute any role for public institutions and the law in protecting it as a right. Everyone claims they are pro-privacy but they do not explain what they propose with respect to legal measures, or instead suggest that the exceptions should shape the design of any regulatory framework.
The Indian Privacy Code is a modest endeavour to help policy actors – particularly in the executive and legislative arms of the federal system – consider how they can improve our legal framework. Recognising the approach reiterated by the Supreme Court on privacy as a fundamental right, it proposes that a statutory framework be created that:
- Legally codifies privacy principles and indicates that they cannot be used to curtail our fundamental right to free expression and right to information.
- Places restrictions on how public and private entities collect the data of individuals and provides the latter with a set of enforceable rights regarding their data.
- Creates an institutional framework for the regulation of such data protection provisions in the form of a Central Privacy Commission at the Union level, and an enabling framework for the establishment of similar privacy commissions across states.
- Consolidates and reforms the law governing surveillance and communications interception in the country, making it clearly overseen by judges rather than the opaque, unaccountable legacy system we have today of purely bureaucratic control by civil servants appointed by the ruling government.
The way ahead
We have an opportunity to finally advance true privacy legal reform – a task that has otherwise operated in fits and starts across the latter half of the 1990s and moved glacially since 2010.
Whatever the Srikrishna Committee proposes must be considered by the Ministry of Electronics and Information Technology, and the Union council of ministers. The general channel here would be that the government of India, as overseen by the council of ministers led by Prime Minister Narendra Modi, ultimately makes up its mind, indicates its official public policy position and unveils a draft bill that will then be taken to Parliament. That said, legislators have already indicated that the subject of protecting citizens’ privacy and personal data is crucial to them, with numerous parliamentary questions asked across party lines, a standing committee (chaired by BJP MP Anurag Thakur) inquiry initiated on the subject, and several private member bill initiatives to advance legal reform on privacy coming to the Lok Sabha and Rajya Sabha in the absence of a government-sponsored privacy bill.
Ultimately, engagement with the improvement of our republic’s law is not an exclusive privilege of government officers, expert committees, legislators and legislative secretariat officials. All of them are public servants operating under the Constitution to help carry forward its provisions and to serve the interests – and concerns – of all citizens. The making of a privacy law has been a private matter for government officers, corporations, special interest groups and others for too long.
The policy commentariat is abuzz that the monsoon and winter sessions of Parliament this year represent the last effective working periods for any legislative business for the current government, with general elections due in 2019. By engaging online and offline on what form our privacy law can take, the hope is that policymakers across the various branches of government can help advance a task that has been pending for nearly eight years, across two different ruling coalitions.
Raman Jit Singh Chima is a lawyer and a policy director at Access Now, and a volunteer with the drafting committee for the SaveOurPrivacy.in project.