Protecting privacy

New legislation must address all concerns

There are several implications to the withdrawal of the Personal Data Protection Bill. Legislation on this front is an urgent priority, and years overdue. But poorly drafted legislation, which doesn’t serve the purpose, may have had even more deleterious effects than an absence of legislation. In 2017, the Supreme Court held “the right to privacy is protected as an intrinsic part of the right to life and personal liberty”. The apex court asked for legislation to protect personal data as a fundamental right. A committee chaired by former Supreme Court judge B N Srikrishna submitted a report on data privacy, and a draft Bill in 2018. However, the legislation cleared by the Cabinet and presented to a parliamentary committee in 2019 had many changes, and was termed “Orwellian” by Justice Srikrishna. That Bill, which has been withdrawn, offered sweeping powers to the government and its agencies to conduct surveillance and collect data for a wide range of purposes including the catch-all, “security”.

The parliamentary committee presented a report in 2021, suggesting 81 changes and 151 corrections to that draft. But many controversial aspects remained, and some recommendations added to the controversy. Several Opposition members wrote dissent notes. The absence of personal data protection has been felt acutely because individuals must put increasing amounts of personal data online. There have been umpteen incidents where huge quantities of personal data have been leaked, or stolen. Besides, data leaks and cyber-attacks fall in a grey area where redress for victims is difficult. One cannot sue a service provider for breaches, for instance. In addition, there is no transparency about the current government practices in data collection and surveillance. The roll-out of 5G will lead to a jump in the penetration of internet of things into households and consumer spaces, making legislation even more urgent. If smart refrigerators and washing machines can snoop on households, citizens will need very strong protection.

But the Bill, even with suggested changes from the committee, was seriously flawed. If it had been pushed through Parliament, citizens would have had little protection against government snooping. Admittedly, the Bill would have instituted better safeguards against misuse of data by private agencies, and offered higher levels of protection against cybercrime. The withdrawal of the Bill and the promise to introduce a fresh draft offer hope that the new Bill will be better drafted to fulfil what is ostensibly its primary aim: Assure citizens their personal data will be secure, and their privacy will be respected by commercial interests and government agencies. In commercial terms, the lack of data protection has also made it difficult for the IT industry, data centres, and cloud service providers to woo overseas clients due to an understandable unwillingness to allow data to be stored and processed in an insecure environment. Hence, the legislation could empower these sectors.
 

Ideally, the redraft should be modelled on the European Union’s General Data Protection Regulation (GDPR). The GDPR protects the privacy of all individuals regardless of nationality if any part of their personal data is held within the European Union. The GDPR also offers granular protection and transparency against government surveillance, along with a “Right to Forget” clause. Given the policy thrust to digitise all spheres of life and place every interface between government and citizens online, India’s citizens deserve similar levels of protection.