Happy Independence Day! In today’s special edition of Inquisitorial, we take a look at the new age struggle various stake-holders are currently engaged in across the nation with only one goal in mind, that privacy is the foremost independent right a human should have access to in this digital age.
One of the central themes of George Orwell’s 1984 is the impact of mass surveillance on society. He presented a world where a ‘Thought Police’ watched every action, heard every word and vaporized people for having personal and political thoughts unapproved by the government.
This absence of privacy had a terrifying effect on people. It led to people following regimented behaviour, losing their sense of individual self, the freedom to express emotions, and ultimately their liberty and dignity.
Fortunately, we do not live in George Orwell’s dystopian creation that had ‘BIG BROTHER IS WATCHING YOU’ plastered on every wall. However, the writing on the wall is clear that not only big brother but also numerous private corporations are watching you. They do not use tele-screens or spies, rather they use your smartphones and other electronic devices to track your movements, listen in to your conversations, read your chats, and store cookies on your devices to track your internet searches and history.
(Credit: ZDNet)
Privacy: A Clash of Interests?
Privacy, in its simplest sense, is a right to be let alone in a core which is inviolable. It has been described as a right that is inherent to human beings. Experts have often drawn an analogy between the rights enjoyed in this inviolable zone and rights over private property. Since what must be kept ‘hidden’ varies not only from one society to another but even from one person to another. A definitive meaning of the term ‘privacy’ remains elusive.
Since people haven’t been able to establish a baseline of what privacy is and what it entails, the State has also remained disinterested to extend such a right. The State has cited national or public safety interests and questioned motives of those seeking wider recognition of this natural right. In Justice KS Puttaswamy (Retd) vs. Union of India and Ors, the government brazenly argued that the right to privacy is an elitist construct that does not fulfill the needs and aspirations of society at large. This argument was rightfully rejected as it insinuated the superiority of socio-economic interests over political freedom. Another standard statement or its variation you will come across is ‘If you have done nothing wrong then you should have no concern for your privacy.’ Such a statement is non sequitur. Firstly, because it undermines anything good can come out of privacy, for only criminal acts require privacy while all legal activities can be done publicly. People have a legitimate interest in avoiding disclosures that are none of anyone’s business. Privacy makes voyeurism a crime, protects the identity of sexual violence, assures dignity of individuals. Secondly, what constitutes a ‘wrong’ is defined by the State. Actions of the legislature aren’t infallible and can be bad too. Even in a vibrant democracy like ours, we until very recently punished homosexuals for engaging in consensual sexual intercourse. A totalitarian state can abuse its law-making powers, taking away the right to live a dignified life or express feelings. Thirdly, privacy laws protect not only against excessive government action but also private corporations.
Data privacy has taken the centre stage in tech and policy discussions today due to factors like mass adoption of portable devices enabling generation of data at unprecedented levels, corporations developing state-of-the-art programmes to process that data, data breaches becoming an everyday affair, whistle-blowers like Edward Snowden releasing evidence of state-sanctioned mass surveillance and Supreme Court recognizing ‘right to privacy’ intrinsic to right to life and liberty. Personal data has become a commodity. Corporations are willing to not only provide you with goods and service for free but even willing to pay you to use their service.
‘If you’re not paying for it; you are the product’
Current Legal Framework
Though Constitutional jurisprudence has evolved to recognize privacy as a fundamental right, the protection and remedy scheme hasn’t changed. Under the current regime of Information Technology Act, 2000 (‘IT Act’) and the various rules framed thereunder, affected people can only sue for compensation for a wrongful loss that occurs due to negligent private corporate possessing, dealing or handling any sensitive personal data or information (Section 43A). There is no scope for punitive damages. Even the rights available are limited. Under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the information provider can only request for review of sensitive information to ensure inaccurate or deficient data is corrected. While the information provider can withdraw the consent given earlier to a corporation, it cannot seek deletion of the data already collected, stored and processed. The IT Act under Section 69 and 69A also grants government powers to intercept, monitor and decrypt information stored in electronic devices. It can carry out surveillance without a court’s permission if its authorized officers are satisfied it is in national interests, necessary for prevention and investigation of an offence or in the interest of cyber-security interests to do so.
New Laws for the Digital Age
This lacklustre regime is set to change as India introduces its first comprehensive data protection legislation: The Personal Data Protection Bill, 2019. It acknowledges that personal data in the age of big data is a commodity and its uninhibited exchange can corrode human dignity, however, banning the exchange of data is not viable either so the best bet lies in regulating the exchange of data and providing remedies to people. The bill views personal data as the private property of a person that is partially alienable and even after it is transferred carries a burden that “runs with” it and binds third parties.
The Bill requires corporations which determine the purpose and means of processing of personal data (referred to as ‘Data Fiduciaries’ in the Bill) to seek explicit consent from people and inform them about their data processing practices. It also grants a plethora of rights to people like the right to obtain a brief summary of their personal data being processed, know the status of data (right to confirmation and access), correct any inaccurate, incomplete data, seek its erasure (right to correction and erasure), transfer personal data between service providers (right to portability), right to withdraw consent and right to be forgotten. These provisions are in no way perfect, some of these rights come with riders under which Data Fiduciaries may refuse to honour requests made by people, however, it is an important first step to allow people to control the data, its access and exit arrangements so that initial bad bargains do not have long-term consequences.
The Bill also mandates Data Fiduciaries to ensure ‘privacy by design’ and ensure commercial interests are not achieved by compromising privacy interests. Data Fiduciaries are to appoint a Data Protection Officer to monitor and assess internal data protection practices and create a Grievance Redressal Mechanism to comply with data requests of people and redress any data-related grievances. Data breaches are to be notified to the Data Protection Authority and Fiduciaries must take prompt and appropriate action in response to a data security breach. Contravention of the duties attracts heavy penalties and fines up to 4%. of its total worldwide turnover in certain situations. The Bill also contains provisions to penalize departments, authorities or bodies of the government for contravening provisions of the Act.
The government has made an audacious attempt to maintain unfettered access to people’s private lives. The Bill contains provisions that give Central Government power to exempt any government agency from the purview of the Bill. Such provisions enhance existing surveillance powers of the government and gives it overarching authority to access personal data. It effectively enables the government to collect and process any category of personal data per their requirements without the principles of necessity and proportionality being followed or judicial oversight.
A Report on Non-Personal Data Governance Framework by a Committee headed by Kris Gopalakrishnan recommends a new law and regulator to regulate non-personal data i.e. data to not reveal any person’s identity and anonymised data. The report takes propertization of data to a new level and views data as an economic good. The committee has recommended enabling governments and businesses to acquire “non-personal data” from various sources of data, including other companies and the government. The expectation is that such a step would create an incentive for innovation and new products. The Framework is in a very nascent stage and given the amount of criticism it has received, it is expected that it will be undergoing significant overhauls before becoming a law.
It will be interesting to see what legislative scrutiny these Bills face and the conviction with which the government implements them because ‘the proof of the pudding is in the eating’.
In this reality TV and internet influencer-obsessed world where everyone else’s life and, given the recent prime time TV debates, even death has become a subject of great public interest, free for voyeuristic media consumption, privacy is at a premium. A privacy law can only be effective when people exercise the powers emerging from it. Privacy Policies, Consent Notices, End User Licence Agreements, Permission Requests will remain legal mumbo-jumbo and check-boxes unless we make a conscious effort to understand them. Annoying messages, phone calls, newsletters (unlike this one) will continue as long as we take our privacy for granted. Corporations have reduced human identity to data sets capable of being tracked and predicted. The right to privacy, then, protects the individual's interest in becoming, being, and remaining a person.
Ravneet Singh is a final-year law student at Campus Law Centre, University of Delhi and holds a B.A. (hons.) in Business Economics.