Tuesday, April 16, 2024

Create an independent Privacy Commission to probe data breaches, says Shashi Tharoor


The law must prescribe fines or even imprisonment for the handling or collection of data, in contravention to the standards prescribed under the data protection framework.

The oft-quoted (and contested) adage of our times, ‘Data is the new oil’, is back in the limelight with the uncovering of the Cambridge Analytica scandal. The confession of Christopher Wylie about how Cambridge Analytica harvested data from millions of Facebook profiles, without taking the consent of the users, is alarming. The scandal, along with the instances of Aadhaar data leaks, has exposed the fault lines in the data protection regime in India.

On 22 July 2015, the attorney general of India at the time argued before the Supreme Court that the right to privacy was not guaranteed as a fundamental right under the Constitution of India. While the Supreme Court formed a Constitution bench to determine the nature of the right to privacy in India, I submitted ‘The Data Privacy And Protection Bill, 2017’, a private member’s bill I had drafted, to the Lok Sabha on 4 July 2017 for introduction and consideration. For various reasons, mainly related to Parliament disruptions on the handful of Fridays allocated to private members’ business, the bill has yet to be introduced, so I am not at liberty to divulge its contents. But the principles it seeks to uphold are vital to the current discussion on data security.

My Bill envisages a comprehensive framework to protect the right to privacy of all, in furtherance of the recommendations of the Justice A.P. Shah committee and international best practices. Nearly two months after the Bill was submitted, a nine-judge bench of the Supreme Court, in its landmark judgment in Justice K.S. Puttaswamy v Union of India, unanimously and unambiguously held that the right to privacy was a fundamental right guaranteed under articles 14, 19 and 21 of the Constitution.

While that should simplify matters for all of us — since privacy is now recognised as a constitutional right — there is an urgent need to enact a comprehensive data protection law to implement it. The Justice Srikrishna committee is looking into the matter and its final report is awaited. Meanwhile, it is important for policymakers to be clear about certain essential principles on privacy, which I have incorporated in my Bill.

The law must be clear on what it seeks to protect, which in this context is the personal data of each Indian citizen. Personal data is the type of data which, if linked to other information, can be used to identify the concerned individual. Within the sphere of personal data, the law must recognise and distinguish sensitive personal data, which encompasses information relating to a person’s sexual preferences, political and religious views, ethnicity, race, financial information, DNA, biometric data and so on. The level of protection for sensitive personal data should be more stringent than in the case of other personal data.

Consent is the cornerstone of any comprehensive framework on data protection, and it must be obtained by the data-controller or processor before collecting, processing, using and disseminating personal data. The underlying principle for a consent-based mechanism is that personal data is owned by the subject — the person who generates the data. It is important to understand that privacy, which arises out of the right to life and liberty, is not a creation of the Constitution; instead, “these rights are recognised by the Constitution as inhering in each individual as an intrinsic and inseparable part of the human element which dwells within”, as the Supreme Court has succinctly explained. So every one of us whose personal data is collected has the right to be informed about the particular purpose of the exercise, the duration for which the data will be stored, the manner in which it has to be obtained, and how our consent can be withdrawn.

Once the consent to use personal data is withdrawn, the collector should destroy any record of the data collected. There should be a general bar on disclosing data, except to the person to whom it pertains. The consent of the subject should be required to transfer any personal data. The subject should also have the right to access her own data at all times, so that she may check and update it as necessary. The law must prescribe fines or even imprisonment for the handling or collection of data in contravention of standards prescribed under the data protection framework.

Consent should be meaningful. We must ensure that the subject can make an informed choice and still retain control over the data collected, unlike the prevailing scenario in which websites merely intimate the user that they use cookies, or where they interpret the scrolling of a website or the clicking of a banner as consent. At the same time, the law must be flexible to allow for exceptional circumstances due to which data may be collected without prior consent, such as the prevention of commission of a cognisable offence or a reasonable threat to the security of the State. It is essential that the exceptions to the consent-driven regime are strictly and narrowly defined, without leaving any elbow-room for the crushing of dissent under the guise of ‘national security.’

Facebook founder Mark Zuckerberg has grudgingly accepted this week that, maybe, his company’s activities should be regulated. To ensure the effective implementation of a data protection regime, the law must create an independent regulatory body — let’s call it a privacy commission. The privacy commission should be empowered to investigate complaints of any breach of the data protection framework I have described above. It should be enabled to issue orders to those collecting data (like Facebook) on activities that may be in contravention of the law, as well as to take necessary steps to implement the law. All forms of interception and surveillance should only be permitted if authorised by the privacy commission, and carried out strictly to the extent necessary for the express purpose.

Industries dependent on data for their businesses may fear that a regulatory body could end up as an overburdening behemoth, and, therefore, be in favour of a law that prescribes general principles of privacy for self-regulation by companies. But we must not give in to their fears. We can define the scope of powers of the regulatory body to reduce the risk of misuse.

Since earlier laws (such as the Information Technology Act, 2000, and the Aadhaar Act, 2016, as well as older laws) impact an individual’s right to privacy, any proposed Bill on data protection must specifically require that all existing laws on the subject comply with its provisions.

The admirable Justice Chandrachud, while delivering his judgment on the right to privacy, noted that a constitutional democracy could survive only when citizens were provided an “undiluted assurance” that the rule of law would protect their rights and freedoms against any intrusions, and judicial remedies were provided for the redressal of any unwarranted intrusion or violation of a right. That’s what a data protection law should do.

The citizens of India deserve a strong and comprehensive statutory framework to supplement the fundamental right to privacy, as part of the “undiluted assurance” of the State to uphold the rule of law. The way things are going, my Bill may never see the light of day, but the government can surely prepare a law that does everything I have suggested.

The ball is squarely in the government’s hands. Let us hope that, unlike the Australian cricket team, they do not scuff it so badly that it reverses the direction the law should take.

Dr Shashi Tharoor is a Member of Parliament for Thiruvananthapuram and former MoS for External Affairs and HRD. He served the UN as an administrator and peacekeeper for three decades. He studied history at St. Stephen’s College, Delhi University, and International Relations at Tufts University. Tharoor has authored 17 books, both fiction and non-fiction; his most recent book is ‘Why I am a Hindu’. Follow him on Twitter @ShashiTharoor


4 COMMENTS

  1. I’m very much shocked by the logic of the UIDAI CEO that we can’t ensure 100% authentication as Aadhaar is covering 1.2 billion people across the nation and it may fail in case machinery… If you aren’t able to protect our data then why seek our data s..

  2. One more Commission would provide a post retirement nest for judges and mandarins, who seem to have no desire to play with their grandchildren. We must accept that data cannot be made absolutely secure. Starting from that premise, we will have to reorder our means of communicating, keep close to ourselves information we do not wish to share.

  3. We need to have a Right to be forgotten law brought in similar to what is now coming up in EU. It is much more than data privacy. Hope you can be a champion of the Right to Be Forgotten camp.
