Delay in data law can prove costly
The draft law has bounced from panel to panel while identity theft and bank fraud proliferate
In two months, it will have been five years since the Supreme Court (SC)’S landmark judgment that laid down the right to privacy as a fundamental right for Indian citizens. But the ruling has not helped efforts to draw up a law to protect the digital privacy of Indian citizens. For 58 months, a draft legislation has bounced between committees, the government and Parliament, being redrawn and redrafted several times — each iteration arguably more controversial than the last. The first version of the proposed law was drawn up by a committee headed by retired SC justice BN Srikrishna in July, 2018, after a month-long stakeholder consultation. The second iteration was when the government first brought it to Parliament more than a year later, at the end of 2019. This version was criticised for giving the government excess authority to authorise its agencies to circumvent privacy protections — eventually triggering a debate in Parliament where members forced it to be sent to a joint parliamentary committee (JPC). It was at this stage that the proposed law languished the longest — more than two years. On December 16, 2021 — the JPC, having undergone an overhaul after some members were inducted, finally presented its report to even more controversy. In contention was how it gave the government unbridled prerogative. For instance, it authorised the government to exempt any agency from privacy safeguards for most State function activities, and provided an even broader immunity for “national security”. Experts and dissenters within the JPC said this version, which also sought to cover non-personal data, would give agencies more power to surveil citizens than before. This newspaper reported earlier this week that officials are planning to hive off provisions related to nonpersonal data and bring in the bill afresh in the monsoon session.
The lack of a law not only means that entities, private or public, are not required to take proactive steps to protect sensitive personal information of the public, but also that when a person’s privacy is violated, the only recourse lies in the courts. At a time when arguably all facets of an individual — personal, economic and social — are on digital domains, the abuse of personal information carries the risk of several harms. At its worst, this can lead to identity theft, and at the least, it can allow scammers to clear out bank accounts — a crime that is far from being uncommon today.