POV: THE SANCTITY OF PERSONAL DATA
August 24 marked one year since the Supreme Court’s landmark judgment in the Right to Privacy case. A watershed moment for India’s constitutional jurisprudence, the judgment unequivocally recognised that privacy was essential to the core human values of dignity, liberty and autonomy. This was also the first time the judiciary took notice of contemporary, technology-related privacy threats and expressed the importance of individuals having a choice in, and control over, how their personal information was collected and used. Despite being articulated by six different judges, the court was unambiguous in its assertion that the individual lies at the centre of the right to privacy.
It is, therefore, not only surprising but also disappointing that the Justice Srikrishna Committee, which submitted its report along with a draft Personal Data Protection Bill to the government last month, chose to view data protection through the lens of innovation and a ‘free and fair digital economy’. It is important to note that the committee was set up in the wake of the right to privacy case itself. By constituting the committee, the government had suggested to the court that it was serious about regulating through a law the indiscriminate use of personal information, and therefore there was no need to carve out a separate fundamental right to privacy.
Irrespective of the government’s approach, it was incumbent on the committee to engage with the court’s emphasis on empowering the individual and give meaning to the constitutional guarantees articulated by it. But instead of setting its goal as putting individuals in control of their data, the committee appears fixated on promoting a digital economy, and sees the state as the key facilitator in this exercise.
The committee’s understanding of its mandate is apparent from the first chapter of its report, which is titled ‘A Free and Fair Digital Economy’. This chapter calls for an ‘Indian approach’ to data protection, based on the country’s development needs. It suggests that restrictions on privacy may be necessary in the interests of innovation and delivery of services, which is reminiscent of the government’s argument in court that individual rights must give way to welfare considerations. Importantly, however, the court had rejected this line, noting that individual freedoms are essential prerequisites for people to enjoy social benefits.
The report makes no real attempt to justify its departure from a (fundamental) rights-based approach to data protection. It fails to make a convincing case for why (additional) restrictions on privacy may be necessary, and erroneously presumes that innovation is possible only at the cost of privacy. As a result, the draft bill ends up diluting individual rights and jettisoning safeguards. For instance, the report makes much of using big data and artificial intelligence for common good. Processing large volumes of personal data enables indiscriminate profiling of individuals, and while AI aims to make machines capable of reason and decision-making, the scholarly consensus is that outcomes are prone to error, resulting in discrimination and other kinds of harm. It is telling, therefore, that the committee felt it unnecessary to incorporate the right to object to such automated decision-making and a right to access the rationale for such decisions.
Another feature of the bill that undermines privacy is the requirement to store a copy of all personal data in India. While apparently motivated by the desire to create digital infrastructure in the country, the provision makes personal data more vulnerable to security threats and open to surveillance by the government. Given India’s permissive surveillance laws, this requirement could be misused to target citizens— for example, political dissenters who question the government’s actions. Curiously, the committee does acknowledge the lack of effective checks (such as prior judicial sanction for interception of communication) in India’s surveillance regime, but nevertheless dismisses these concerns while advocating localisation of data.
Given that we currently have little choice in giving up personal information in interactions with the state and corporations, the committee would have done well to prioritise individual rights over vague notions of innovation. Let’s hope the government will revisit these gaps and pass a bill that actually bolsters fundamental rights.
The Srikrishna panel report makes no real attempt to justify its departure from a (fundamental) rights-based approach to data protection