4 yrs after privacy judgment, former judges warn against delayed legal framework
With no movement on the personal data protection bill even four years after the landmark Puttuswamy judgment that established privacy as a fundamental right, former Supreme Court justices BN Srikrishna and AK Sikri, who have both been at the adjudicating end of the country’s privacy laws, have stressed on the need for a robust system that not only protects citizens personal data but also checks government surveillance in light of the Pegasus allegations.
“We have been running on sand, if not in circles. On the other hand, thanks to rapid digitalisation, there is a deluge of data that is strewn around, collected and utilised without nary a thought about the privacy of the principals of the data,” Justice Srikrishna said.
Sikri highlighted how the journey to establish privacy as a fundamental right began in 2012. “I think the entire world is embracing digitisation,” he said. “India has progressed quickly in terms of digital economy and use of technology. We talk about a digital economy but do not have the wherewithal to protect the rights of citizens.”
The right to privacy
On August 24, 2017, a nine-judge bench of the Supreme Court in Justice KS Puttaswamy vs Union of India passed a historic judgment affirming the constitutional right to privacy.
It declared privacy as an integral component of fundamental rights of the Constitution; these rights cannot be given or taken away by law, and all laws and executive actions must abide by them. The court considered detailed arguments on the nature of fundamental rights, constitutional interpretation and the theoretical and philosophical bases for the right to privacy as well as the nature of this right.
The Supreme Court clarified that like most other fundamental rights, the right to privacy is not an absolute right. Depending on certain tests and benchmarks, a person’s privacy interests can be overridden by competing state interests. Through the judgement, the judges laid down a variety of such tests that can be used to ascertain an infringement of one’s right to privacy.
In light of the Pegasus allegations, which claimed that an Israeli spyware was used to snoop on journalists, activists, Opposition leaders and others, and the delay in the enactment of the Personal Data Protection framework, there are widespread concerns about how the state can ensure the citizens right to privacy.
Translating the right into policy and law
The Puttuswamy judgment was followed by the Justice BN Srikrishna Committee, which submitted its report on July 27, 2018 titled “A Free and Fair Digital Economy - Protecting Privacy, Empowering Indians”, along with a draft Data Protection Bill, to the ministry of electronics and information technology.
The committee’s focus was not singularly on protecting an individual’s right to privacy and spelling out the state’s responsibilities for the same, but also to foster an environment that encourages trade and industry in this sector.
The 200-page report identified key issues in data protection such as consent frameworks, establishment of a regulatory authority for data, classification of data and data fiduciaries, regulation of cross-border data flows to name a few. The Draft Personal Data Protection Bill, 2018 was submitted along with the report to the ministry.
Then came a second Supreme Court judgment, wherein the constitutionality of Aadhaar, or the unique identification number was challenged. The case was based, among other issues, on lack of adequate privacy safeguards available. The court upheld Aadhaar but also struck down parts of the Act due to the lack of purpose limitation as it placed no limits on the usage of information collected.
Following this, the government tabled its version of the Personal Data Protection Bill in the Parliament on December 12, 2019. Moreover, immediately after introduction of the Bill, it was sent to a Joint Parliamentary Committee (JPC) for scrutiny. Several delays later, the Bill still remains with the JPC with a draft yet to be circulated among members.
Also Read | The agony of being a secular Indian Muslim
The government also, separately and much later, moved on to introduce the controversial intermediary and digital platform guidelines that came into complete effect on May 25, 2021. The guidelines put in place a new mechanism for digital companies to regulate content, appoint officers who will be liable for compliance, and adopt features such as traceability of messages and voluntary user verification. WhatsApp has challenged the new rules, which mandate to trace the first originator of a message, in the Delhi high court stating it represents a “dangerous invasion of privacy”. The guidelines have also been challenged by various media houses, with the Kerala high court placing a stay on the rules.
The fears of surveillance state
Justice Srikrishna and Sikri believe that the infrastructure to address right to privacy is inadequate in India.
“My view of the 2019 Bill (the watered down version of the 2018 Bill) is that it is wholly inadequate to meet the challenges of privacy rights, which have been identified by the Puttaswamy judgment as fundamental rights. Another worrisome issue has been thrown out by the Court of Justice of the European Court Schremms II judgment invalidating the Data Shield agreement between European and transatlantic companies on the ground that the federal laws in USA afford easy access to personal data without enough safeguards, This is equally true of the 2019 Bill, if it ever, inter alia, becomes an Act of Parliament,” Srikrishna said.
Sikri, who was on the bench for the Aadhaar judgment, said that when Aadhaar was introduced, there were concerns about the use of the data collected. “With Aadhaar, the main concern was protection of data from government use under the name of giving benefits,” he said. “Demographic details, iris and fingerprints were collected, which was perceived, at that time, as a lot of data collection. There were concerns that there is no misuse of this data that may lead to a surveillance state or be exploited by private players.”
Srikrishna also underlined that the current checks and balances to protect data privacy are “hopelessly inadequate”. “That is why, it was suggested in the 2018 report and the 2018 Bill that there should be a separate Parliamentary enactment postulating the objective for encroaching upon the privacy rights, with the law demonstrating how that objective is to be achieved and not being disproportionate to the objective to be achieved,” he said.
Sikri concurred that as far as data is concerned, citizens in India remain at great risk. “The current IT Act throws up many questions, splintering our understanding of data privacy,” he said. “In last four years, there has been a great rise in digital economy that has again exposed a lack of privacy as the main issue.”
The way forward
Kazim Rizvi, founder of Dialogue, a policy institute that works on digital rights and privacy, said that the fundamental right to privacy needs to be cemented. “The right to privacy had its origins in pre-constitutional times and the initial conception of privacy protected the right of an individual’s agency to make decisions on exercising control over one’s private and domestic life. The right to privacy has now evolved to include even that of informational privacy after much legal struggle,” he said.
Srikrishna also contested the introduction of non-personal data into the PDP Bill framework. “The PDP Bill was intended to deal with personal data and there was no consideration of non-personal data at all. The provision about non-personal data introduced in it, surreptitiously, is nothing short of legerdemain,” he said.
To enact a robust system of check and balances, he said that the government should follow the Puttaswamy judgement scrupulously. “Citizens, State and commerce and trade have to be dealt with in that descending order of precedence. That would be the ideal situation. All else would be, to quote the Bard of Avon, ‘Sound and fury, signifying nothing’,” Srikrishna said.