The past decade has seen the initiation of numerous government programmes like Aadhaar and Natgrid. Due to the increased collection of citizen’s information by the government, concerns have been raised on their impact on citizens’ privacy. The road map for addressing these concerns was laid down by a Bench of nine Supreme Court judges in the judgment delivered last week in Justice KS Puttaswamy and Anr Vs Union of India and Ors.
The nine-judge Bench, speaking through six separate opinions, unanimously held that “the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as part of the freedoms guaranteed by Part III of the Constitution.”
It is well known that fundamental rights are enforceable vertically – that is, against the state. However, the advent of technology into every aspect of human life ensures that the question of privacy is a little more complex.
Individuals are constantly generating valuable data that can be used by non-state actors to track their moves, choices and preferences. The data once processed can be of immense value. In fact, even Nandan Nilekani, the man many see responsible for setting the Unique Identification Authority of India (UIDAI) infrastructure, has observed that data in the 21st century are like oil in the 18th – an extremely valuable asset. In spite of this, India remains one of the few large economies without a regime for protection of data that is in the hands of private players. In this context, some of the observations made in the last week’s judgment are extremely significant.
Justice Chandrachud’s leading opinion notes that it is an age of “big data” – data sets capable of being searched and marked by their exhaustive scope and permanency of collection. He goes on to note that “the dangers to privacy in an age of information can originate not only from the state but from non-state actors as well”. He suggests that the state put together a data protection regime after drawing a careful and sensitive balance between individual interests and legitimate concerns of the state.
The strongest expression for the need for a robust data protection regime comes in the opinion of Justice Kaul. He observes, “Social network providers, search engines, email service providers, messaging applications are all further examples of non-state actors that have extensive knowledge of our movements, financial transactions, conversations – both personal and professional – health, mental state, interest, travel locations, fares and shopping habits.” Justice Kaul goes on to state that there is an unprecedented need for regulation regarding the extent to which such information can be stored, processed and used by non-state actors.
As already pointed out, India does not have a data protection law. However, it is not as if no groundwork has been laid. A privacy Bill was drafted in 2005. However, it never found its way out of the parliamentary logjam. Subsequently, the Planning Commission constituted a ‘Group of experts on privacy under the chairmanship of Justice A P Shah. The group submitted its report in October, 2012. However, no steps were taken by the government thereafter. Less than a month ago, the Ministry of Electronics and Information Technology constituted a committee of experts to deliberate on a data protection framework, under the chairmanship of Justice B N Srikrishna. It is to be seen what steps are taken from here.
Ultimately, the creation of a data protection regime remains the prerogative of Parliament. However, the Supreme Court has set the ball rolling by determining certain issues which the data protection framework must address. These relate to the type of data that can be collected, the time for which it can be stored and the uses to which it can be put. In a world where our bank accounts are connected to our emails, which in turn are connected to our social networking accounts – it is imperative that the issue of data mining techniques and cross-linking of databases is addressed.
Finally, as observed by Justice Chandrachud, the data protection framework must also lay a special emphasis on consent – a principle that is at the heart of the data protection regime in the European Union. The principle of consent relies on the ability of the individual to make an informed choice after reading a privacy notice. It is common knowledge that such notices are not easily accessible, are too long or are simply unintelligible to the common man. Most of us click through privacy notices – the ones required to access Twitter or Facebook – without really reading them. A vast majority of Indians might not be able to understand notices written in English. This is a major cause for concern and can only be addressed by a framework that brings about a degree of uniformity in these notices.
The judgment has also brought to the fore some sensitive issues like anonymity, the right to be forgotten. All of these will undoubtedly crystallise over time.
Knowledge about a person gives power over that person. Personal data are capable of effecting representations, influencing decision-making processes and shaping behaviour. It can be used as a tool to exercise control – like the Orwellian ‘big brother’ state exercised. In Code, written as far back as the year 2000, Harvard Law School professor Lawrence Lessig had predicted that cyberspace would become a “perfect tool for control” – not by the government, which Lessig characterised as clueless and inadequate, but by software programmers who knew how to use the data generated.
Rather than quarrel about whether it lost or won the battle for privacy rights, both the government and civil society need to come together, to set up an architecture of consent, in which privacy can be structurally negotiated.