The world celebrates 28 January as Data Privacy Day. In India, data privacy was obtained after much opposition and struggle. It is now a fundamental right.
The Indian Constitution starts with the phrase “We the people”. It is built around the principle that every citizen of India has fundamental rights and that every citizen of India equally enjoys the same fundamental rights. The debate on privacy is a more recent one in terms of contemporary modern democracies.
The biggest opposition to privacy as a fundamental right came on the grounds of national security and other similar public interest arguments—where it was argued that collective good had precedence over personal privacy.
Data is at the core of digitalisation and cyberspace. It is the raw material that catalysed a whole new data economy and industry. Collecting, harvesting and processing huge volumes of personal data of people using their platforms is at the core of many of the fast-growing applications, search engines, social media platforms, and websites. At its most benign this data is being used to train learning models and improve services. Its most worrying application is to profile users and target them. This phenomenon created an exponential growth in the debate and discourse of privacy in general and informational and data privacy in particular.
Misuse of personal data has been widely known since the 2010s. The Facebook-Cambridge Analytica scandal is a case in point. It spotlighted risks and dangers even to democratic processes—which in turn heightened the debate around privacy and data protection into a clamour for legislative protection of the individual’s privacy online.
As Bill Gates said, “Historically, privacy was almost implicit, because it was hard to find and gather information. But in the digital world, whether it’s digital cameras or satellites or just what you click on, we need to have more explicit rules – not just for governments but for private companies”. Privacy changed from an obscure abstract concept to a right that cannot be compromised.
Also read: Data sharing policies can’t be one size fits all. Crucial to address privacy, ownership
Evolution of the privacy debate
The privacy debate in India is an example of how democracies legislate for new, emerging challenges for their people. It is a shining example of a fundamental right that citizens argued for and wrested from the government. The evolution of this debate makes for a fascinating case study for all other democracies and rule-based nations and societies.
India’s first major national digitalisation project was the idea of a national ID. First mooted by the government of PM Atal Bihari Vajpayee in 2000, Aadhaar the digital ID was launched in 2009.
The approach to building this mammoth database was expensive and flawed from its inception. It was built around very little public consultation, the database revolved around coercing citizens to enrol, with non-existent verification and a loose casual approach to storing, accessing and processing the data being collected.
Over 500 million people were rapidly enrolled with this weak leaky framework. It resulted in a situation where two things happened—Aadhaar became a gateway for fake identities and individual citizen ID details were leaking prolifically.
Aadhaar under that dispensation quickly became a good idea gone bad and thus triggered the very strong clamour for privacy and data protection framework for citizens.
As a new MP in 2006, I leapt on this issue as a part of my approach to use my space in Parliament to argue for more rights for citizens across a broad spectrum of issues from voting rights to privacy.
The chatter around Aadhaar was about all the great things that a digital ID can do (all correct) but that meant there was very little discourse or scrutiny around privacy and data protection. Senior editors would comment that privacy was elitist. To counter the scrutiny, the architects of Aadhaar and then government pointed to its “inbuilt privacy”—whatever that meant.
In 2010, I introduced The Right to Privacy Bill, which triggered a debate in and outside parliament. In 2012, Justice Ajit Shah said, “A privacy legislation must statutorily establish a right to privacy to all individuals in India.” But the government was stonewalling, saying “Privacy is elitist” or “Privacy was designed into Aadhaar”.
A PIL in the Supreme Court was filed by several petitioners led by Bengaluru-based Justice Puttaswamy—with my support and my own intervening petition for privacy to be declared a fundamental right in 2013.
In August 2017, the right to Privacy was held to be a fundamental right under Article 21 of the Constitution in the “Justice Puttaswamy and Others vs Union of India” case. It remains the biggest milestone in India’s journey to create a framework of digital citizens’ rights.
The next step was codifying this right through a data protection law. There were three broad digital regulatory models available in 2017.
First, the American one, which essentially left it to the markets and consumers (and hence contracts) to determine and establish privacy. The Chinese model had no codified rights and the state from time to time determined who or what could access personal data and whether citizens had or didn’t have rights to privacy (most of the time it was a no). Then there was the European GDPR construct that was the most quoted standard to regulate data protection and privacy.
In July 2021, when I was appointed the Minister of State for Electronics and Information Technology, I initiated a back-to-basics rewrite of the bill. In less than six months, we had a brand-new bill— the DPDP Bill 2022. It was introduced in Parliament and passed as law in 2023. The rules to operationalise this act are going to be notified in February after consultations.
Also read: 6 reasons why privacy is a lost cause in India. Don’t wait for DPDP Act to fix it
AI regulation
Even as India was building its data protection legislation, the phenomenon of artificial intelligence has exploded in the last 3 years. It has brought with it privacy-invasive technology, products and models.
If anything, the gap between regulations, guard rails and innovation is only widening. AI applications/devices and large language models all depend on huge amounts of data. The data ecosystem is largely unregulated. This shows there is more work to be done especially around the non-personal and anonymised data world that AI is being trained with.
India’s DPDP Act has established that encouraging digital innovation and protecting citizens’ rights are not binaries. It is an important marker for India’s vibrant and fast-growing digital economy.
The author is a former Union minister and tech entrepreneur. Views are personal.
(Edited by Theres Sudeep)