The right to privacy is really the right to be left alone, and it includes digital privacy. Digital privacy is about having the ability to control one’s online information, including withholding all such information from others. This is such a Herculean task that perhaps the only people who retain a shred of privacy are isolationist tribes such as the Sentinels of the Andamans.

Where is the rest of India on privacy? The spirit is willing, but the flesh is weak. There is a gap between stated preferences and actual behaviour when it comes to digital privacy. It is called the privacy paradox. Let me illustrate.

How many apps have you installed on your phone? Did you read any of the terms of service, or did you just hit agree in a hurry, without a second thought? Yes, I do the same. That is how willing we are to give up data about ourselves in exchange for convenience and utility.

The privacy paradox is a global phenomenon, and it drives the multi-trillion-dollar digital advertising and commerce ecosystem. If you don’t participate in it, the alternative is being marooned digitally and cut off from almost all of modernity’s conveniences. Sure, there are some privacy-friendly alternative tools, but they see limited patronage. Google dwarfs DuckDuckGo, WhatsApp dominates over Signal; ditto for the Chrome versus Brave browsers. We all say we want and cherish privacy, but our actions suggest otherwise. That is how strong the pull of convenience is.

What choice does any single individual have anyway, we say (and to some extent, that’s fair). We lean heavily on privacy regulations to help. But these can only offer limited relief, if that. For example, the European Union enacted a set of information privacy laws called the General Data Protection Regulation (GDPR), but Big Tech firms have just shrugged and co-opted it. Users, addicted to convenience, just end up clicking one more “Accept cookies” button. There’s no escaping the leviathan.

Do we even want to? In India, it was only in 2017 that the Supreme Court ruled privacy a citizen’s right. In everyday life, we only pay lip service to privacy. More fundamental to us is the other RTI, the Right to Inquisitiveness. We openly inquire about a colleague’s salary. We ask how much their holiday cost, or what they are spending on their wedding. We ask strangers why a child is in a wheelchair, or why another isn’t married. No topic is off-limits. Privacy then is only the thin topsoil; a cultural import, as it were.

***

According to the cybersecurity firm Surfshark, India is among the top 10 countries when it comes to data breaches. Despite that, rare is the Indian company that notifies its users of a potential breach and of the remedial actions to be taken (like changing a password). Sunlight is the best disinfectant but alas, we don’t find in-depth coverage and analysis about data breaches in the media. Contrast that indifference to the CEO of the large US retail company Target having to resign over his handling of a customer data breach in 2014.

If a society’s expectations and norms shape policy and regulation, it is clear that in India we don’t prioritise privacy to the same extent as libertarian societies do. Amusingly enough, too-strict digital privacy legislation creates its own problems for the West. GDPR in particular is being seen as so stringent as to affect the ease of doing business in the EU — resulting in the US and EU doing a separate watered-down deal on data transfers, with greater flexibility and concessions for Big Tech companies. In the US, meanwhile, there are state and sectoral laws on data privacy, but no overarching law at the federal level. Robocalling (or automated marketing telephone calls) is a menace, as a result.

Thankfully, India now has a modern law, the Digital Personal Data Protection (DPDP) Act, passed in August. It lays down rules for the responsible handling of data, and is a significant improvement over the status quo. The DPDP Act requires that companies establish standard practices for data collection, processing and usage, and stipulates penalties for non-compliance. However, there are exceptions and exemptions for the government and its agencies.

That brings us to the complex issue of government surveillance of citizens. Clandestine intelligence-gathering is the legitimate purview of a State. Spy craft has always been part of statecraft. For instance, 50 of the 150 chapters of Chanakya’s Arthasastra, written c. 300 BCE, refer to spying. The real question is the safeguards against the abuse of the State’s discretionary powers (or unchecked State authority).

Don’t shoot the messenger, but it is clear that our society supports (and has supported) or at least tolerates “police encounters” and, more recently, bulldozer justice. Perhaps it is a lingering reverence for authority, passed down over eras, that the ruler likely knows best, and that it’s best to stay out of the way. Perhaps it is a fatalistic acceptance due to the snail’s pace of a judicial system burdened by backlog.

It has always struck me that there is a similarity between the way helmetless motorcyclists are made to do sit-ups and traffic offenders are sometimes slapped — without protest from the public at large — and the way communities and neighbourhoods celebrate the installation of CCTV cameras, without debating or inquiring who controls the footage, or how.

Put together, one can see how the onward march of technology, and our complete dependence on it in everyday life, is creating States with a growing ability to surveil but without a corresponding growth in capacity for oversight.

In India, the typical approach to enforcement resembles a hammer more than a scalpel. How will we then get to devising the many nuanced safeguards and the checks and balances required to prevent the misuse of the State’s oversight of its citizens? What kind of change in public attitude would it take to navigate the labyrinth better and more urgently, and where is the demand for such action likely to come from?

The answers matter, because there are time bombs waiting to go off. The Aadhaar and passport details of 815 million Indians, allegedly from the Indian Council of Medical Research database, were put up for sale by hackers in October. What happens when one of these mega data breaches causes real damage?

Our new norms, for instance, state that all users must be notified in case of a perceived breach, but they do not specify a time period within which to do so. Meanwhile, the stakes are rising. Our cars, our fridges, our smart speakers, and other smart devices at home and at work, are adding to the pile of information available about us. Artificial intelligence is being used to overlay and cross-index it.

***

What, then, is the answer?

I will go out on a limb and say this: if there were a Maslow’s hierarchy of things to fix, privacy transgressions by the state would not feature high on that list. But what gets us worked up are online frauds (where people lose money), or altered images used to harass women, and mischief-mongering deepfake videos.

Malicious actors are trying to leverage our lack of interest in privacy to target us in new and sophisticated ways. Fixing these problems requires both prongs: strong data security and better privacy awareness. Concerted action by the government and private players is needed to strengthen data security. But the onus is also on us as citizens and consumers to prioritise and fight to protect our right to be left alone.

(Kashyap Kompella researches and consults in artificial intelligence, regulation and policy)