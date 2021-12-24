Data privacy, primarily the privacy of individuals, is emerging as a major issue in India. The recent controversy on Pegasus, though some of it was politically instigated, occupied more space in public debate because of rising concerns on privacy, but international data surveillance is also worrying for national security reasons. The rising surveillance capitalism is a cause of worry on the economic front.

The right to privacy has evolved across nations. It encapsulates obligations of the State concerning the protection of personal data. The Constitution of India does not specifically provide for privacy as a Fundamental Right. According to the Supreme Court of India, the Right to Privacy is a part of the Right to Life and Liberty under Article 21 of the Constitution. It is interpreted as a vertical right against the State under Article 12 of the Constitution, and not against private citizens.

India, however, does not have comprehensive privacy law, and limited data protection standards are defined under the Telegraph Act, 1885, and the Information Technology Act, 2000. The collection and use of data are also regulated under different sector-specific laws and regulations, such as the Right to Education Act, 2005, the National Food Security Act, 2013, the Aadhar Act, 2016, and the Reserve Bank of India Act.

Procedural safeguards against misuse

The Telegraph Act empowers the State to carry out interception of phones on the grounds of public emergency or in the interest of public safety provided that such interception is in the interest of the security of the State, friendly relation with foreign states, public order, and for preventing the incitement of offences. However, there were thus no procedural safeguards against the misuse of the powers of the State. The Telegraph Rules were notified in 2007, as per the guidelines of the Supreme Court.

The Information Technology Act was enacted in 2000 and amended in 2008. The Act allows for the interception, monitoring, and decryption of digital information in the interest of sovereignty and integrity of India, friendly relations with foreign nations, public order, preventing the incitement to the commission of any cognizable offence concerning these, and for the investigation of an offence.

The Criminal Procedure Code 1973 deals with access to stored data. It provides that a court in India or any officer in charge of a police station may summon a person to produce any document or any other thing that is necessary for any investigation, inquiry, trial, or any other proceedings under a law.

India has ratified the International Covenant on Civil and Political Rights (ICCPR). Article 17 of the ICCPR provides that “no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation”. The Government of India is also conscious of the GDPR of the European Union.

In 2012, the Planning Commission of India appointed a group of experts to review the Telegraph Act, 1885, and the Information Technology Act, 2000, and suggest a way forward for privacy legislation. The group concluded that the discrepancies in existing laws created an ambiguous regulatory regime that is non-transparent, prone to misuse, and does not provide effective remedies for the aggrieved individuals.

Formulating data protection law

The Government of India established a committee under the chairmanship of Justice (retd) BN Krishna in 2017 to comprehend and formulate a data protection law for the country. The committee proposed a Personal Information Data Protection Bill, 2018.

The proposed Bill aimed to reduce the cost of data acquisition, ensure safety due to reduced use of fiber optic cables, boost the information infrastructure, and ensure data sovereignty. It applied to personal data, categorising it as sensitive and non-sensitive personal data if it has been used, shared, disclosed, collected, or processed in India. However, it was modified to apply to the companies and empowered the Government of India to exempt companies, which are solely engaged in processing personal data of foreign nationals not present in India. The Data Protection Authority, an independent regulator, was proposed for data protection and accountability.

The law envisaged that personal data should be processed only if the reason is clear, specific, and lawful and, the processing was crucial to the functioning of Parliament or state legislatures, maintenance of law and order, and public interest or in an emergency. Data principals and those whose data is processed shall have the right to be forgotten.

After consultations with the stakeholders, the government introduced it in Parliament in November 2019. But it was referred to a joint parliamentary committee (JPC) that submitted its report in November 2021.

Protecting privacy in its full depth

The Data Privacy Bill was tabled in the just-concluded winter session of Parliament. The Bill covers non-personal aggregate and personal data. Whatever, apart from responding to international conventions on human rights and privacy protection, the new law should be simple and easy to use, without adding to the compliance burden on its subjects. It should not create data congestion and encourage minimum data collection.

Further, the new data law will require process changes at various levels, but such changes should result in better revenues and quality delivery of services. The law should also recognise existing regulations and avoid duplication, and it should be technology agnostic and holistic. The legal provisions on data recovery and deletion should protect privacy in its full depth. It should create more trust through effective anti-trust and ex-ante regulations and establish new structures such as data cooperatives and data trusts.

Independent and effective oversight on data and information surveillance by the State and its security and intelligence agencies is necessary to enthuse its acceptance. Data protection authority shall cover both the private and public sectors. It should be adequately resourced and empowered to investigate and punish the guilty for violations of anti-trust and ex-ante laws. These are some of the prerequisites of effective unified privacy legislation, which will change the privacy landscape in India. sureshkumarnangia@gmail.com

The writer, a retired IAS officer, is a former chief principal secretary to the Punjab chief minister. Views expressed are personal.