Green light illuminates the keyboard of laptop computer as a man enters the data using the computer keyboard. (Photographer: Chris Ratcliffe/Bloomberg)

Meaningful Data Protection Law Vital In Securing Right To Privacy

BloombergQuintOpinion

Depending on where you stand, the judgement of the Supreme Court in Justice K Puttaswamy vs Union of India has made the task of the expert committee set up to draft the data protection bill either a much harder task or a much easier one. Thanks to the Supreme Court’s judgement there is now no doubt about the content and scope of the fundamental right to privacy under the Constitution. However, this also means that the law will have to walk a legal tightrope balancing various considerations as it goes along.

Data protection has come to the fore in recent times thanks to the widespread data collection taking place due to the Aadhaar scheme and the surge of breaches of Aadhaar data. These breaches have sometimes happened because of the laxity and ignorance of government departments, and on other occasions, due to the malice of those trying to use this data for nefarious purposes. Even where there is no breach, concerns have been raised about the government accessing this data for surveillance purposes, potentially chilling free speech and cracking down on opponents.

But the concerns of data protection go beyond that of biometric and demographic data of individuals in the context of Aadhaar.

One aspect that the Supreme Court’s judgement (specifically Justice AS Bobde’s opinion) has clarified is that the common law right to privacy (hitherto claimed against individuals) and the fundamental right to privacy (which can be claimed against the government) are the same in so far as the content of the respective rights is concerned.

Anything an individual does that amounts to a breach of another’s privacy is also a breach of privacy if the government does it, and vice versa.

In common law, there is already a remedy for such breach of privacy by the government – an individual can approach a civil court for damages or an injunction (a private law remedy) against the person who breached the privacy. What the court has now fashioned in this judgement is a remedy in public law, where a law, order or government action can be struck down if it infringes on privacy contrary to the Constitutional mandate. However, this judgement has also added nuance to this seemingly clear public-private distinction – a fundamental right to privacy is not just a boundary against State action, but also creates a positive obligation on the government to make this right meaningful for citizens and individuals.

As Justice DY Chandrachud’s judgement concludes, there is, therefore, a mandate on the government to not only ensure that it does not infringe privacy but also to pro-actively put in place measures to ensure that an individual’s privacy is not infringed by others as well.

A data protection law would therefore not just concern itself with what the government can and cannot do in the context of data collection, storage, dissemination and use, but also what private entities and individuals can and cannot do with others’ data.

While the committee has been set up to come up with the principles concerning data protection, where the Supreme Court’s judgement has undoubtedly helped it, is to create certain non-negotiables on this front, chief among which is recognition of an individual’s right to control information about herself. A data protection law must give control over one’s information to the individual in a meaningful way.

Even when a person hands over her data willingly to another entity or person, it should be based on informed consent.

This obviously cannot mean that merely placing a mass of unreadable text in the form of terms and conditions of contract constitutes valid, informed consent. The onus should be shifted to the person collecting the data to ensure that the giver of data is properly informed of what the data is being collected for, what it will be used for, and what her rights to the data are, under the law.

Presently, data protection happens in a fragmented manner across different laws with different standards.

  • The data of taxpayers is governed under the Income Tax Act, 1961 and rules.
  • Computer devices and electronic databases storing information are under the ambit of the Information Technology Act, 2000.
  • Information relating to patients’ health is protected under the Mental Health Act, Indian Medical Council Regulations, and similar specific laws.

A data protection law will prescribe one uniform, threshold standard in accordance with the Supreme Court’s judgement, but there is no reason why a higher standard cannot be prescribed in another law for a specific purpose.

At the heart of the Supreme Court’s judgement is a tacit acknowledgement of the oft-repeated aphorism: knowledge is power. Having information about another person and the ability to do with it what you will, gives one enormous power over the other. In the hands of large corporate entities and the government, as Justice Sanjay Kishan Kaul warns us in his opinion, the uninhibited use of power can have dire consequences for the future of democracy itself. A data protection bill is vital therefore in securing the right to privacy against such threats at present and in future.

Alok Prasanna Kumar is an advocate based in Bengaluru, an Executive Committee Member of the Campaign for Judicial Accountability and Reforms and was a Senior Resident Fellow at the Vidhi Centre for Legal Policy.

The views expressed here are those of the author’s and do not necessarily represent the views of Bloomberg Quint or its editorial team.