Context

In the times of digital age, information asymmetry has become so skewed that it has eroded the very spirit of democracy by limiting the unbiased communication of ideas.

Background

• At a time when the Internet is the new jazz and a tool as also a venue for all political hues, it is important to understand how government, political parties and citizens are responding to this new triangular interplay between data protection, privacy and a flow of information.
• When the Government of India banned 59 Chinese apps on the ground of transgressing Indian security, the question as to-
  • Why in the first instance were they allowed into India?
  • Was there no security or privacy audit?
  • While Facebook and Amazon are facing scrutiny on their own soil for their data mining policies, how did we allow so many apps without any check?
• Government policy on national security should be based on advance strategic assessment rather than on a reactive basis.

Analysis

The Changing Nature of Information

• Today, the way in which the internet allows data to be produced, collected, combined, shared, stored, and analyzed is constantly changing.
• This change is also re-defining personal data and what type of protections personal data deserves and can be given.
• From information shared on social media sites, to cookies collecting user browser history, to individuals transacting online, to mobile phones registering location data – information about an individual is generated through each use of the internet.
• In some cases the individual is aware that they are generating information and that it is being collected, but in many cases, the individual is unaware of the information trail that they are leaving online, do not know who is accessing the information, and do not have control over how their information is being handled, and for what purposes it is being used.

Segregating the Data Data can be broadly classified into public data and personal data. Public data: Public data is that which is accessible to the public at large, such as, Court records, birth records, death records, basic company details. Private data: On the other hand, private data is personal to an individual/ organization and cannot freely be disseminated by anybody without the prior permission of the subject. It includes financial details, family details, browsing details, preferences, psychological characteristics, locations and travel history, behavior, abilities, photographs, aptitudes, and the like. It could also be a combination of these features or even inferences drawn from the refined data.

The Blurry Line between the Public and Private Sphere

• In India, the “sphere” of information on the internet is unclear.
• The information posted on social media
  • is public information – free for use by any individual or entity including law enforcement, employees, data mining companies etc.
  • or is private information, and thus requires authorization for further use.
• Authorization is not required for the lab to monitor individuals and their behavior, and individuals are not made aware of the same, as the project claims to analyze only publicly available information.

What’s take of India’s courts?

• The borderless nature of information flows over the Internet complicates online privacy, as individual's data is subjected to different levels of protection depending on which jurisdiction it is residing in.
• Indian Courts have yet to deal directly with the question of social media content being public or private information.

How private firms are exploiting the election process?

• Private data analytics companies have emerged to exploit the electoral process with the sole objective of customising political messaging.
• While the customisation of political messaging is notper se illegal, it certainly is unlawful to indulge in unauthorised data mining and collection by the industry.
• Many private enterprises routinely share the personal data of individuals with third parties including political organisations.
• The fact that there are dedicated IT cells which carry out a digital form of warfare with propaganda and fake news being two powerful weapons is making things more complicated.
• The present legal framework leaves these menaces outside the ambit of election laws as they were framed in a time and space that was primitive when compared to contemporary technological advancements.

Isn’t “privacy” a fundamental right?

• On the privacy front, even after the Supreme Court of India had declared privacy as a fundamental right, the government insisted on affidavit in the top court that informational privacy or data privacy cannot be a fundamental right.
• Though the protection of personal data has been recognised as a fundamental right, there is an absence of law to effectively outline the state purpose in collecting such data and enforce, limit and balance the rights of citizens against the larger public interests.
• The Aadhar Act diluted the notion of ‘privacy’ and the standard of proportionality test set up by the Supreme Court.
• In an ongoing dilemma, even the ‘Aarogya Setu’ app is battling to satisfy the conscience of privacy overseers.
• The clear impression is that the government is more interested in ‘control’ than ‘protection’ of data.
• A national policy on data privacy of individuals is still a non-starter. People continue to suffer because of the regular incidents of data theft.
• India’s cybersecurity watchdog, CERT-In, last year reported huge data theft of Facebook and Twitter users by malicious third party apps. Reportedly, more than 1.3 million credit and debit card details from Indian banks and the data of 6.8 million users from an Indian health-care website were stolen in the same year.

Justice K.S. Puttaswamy v. Union of India  The notion of informational privacy has become salient in the past decade but, India has privacy jurisprudence going back several decades. Most of it focuses on privacy in the context of harms caused due to a violation of privacy. This jurisprudence changed in 2017, when the Supreme Court in Justice K.S. Puttaswamy v. Union of India held that the Indian Constitution included a fundamental right to privacy. While deciding the case, though the court listed a long line of jurisprudence, the central deficiency in the existing jurisprudence in the court’s opinion was the lack of a “doctrinal formulation” that could help decide whether privacy is constitutionally protected. The jurisprudence on privacy therefore changed—from being valued as a right that protected other ends to being an end in itself. Along with holding that privacy is a fundamental right, the judgment also declared informational privacy to be a subset of the right to privacy.

Principle data protection legislation in India

• Currently, India does not have comprehensive and dedicated data protection legislation. Some provisions of the Information Technology Act, 2000 as amended from time to time and the Information Technology (Reasonable Security Practices and Procedure and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules).
• In December 2019, the government introduced the Personal Data Protection Bill, 2019, in parliament, which would create the first cross-sectoral legal framework for data protection in India.
• In addition to this, personal data is also protected under Article 21 of the Indian Constitution which guarantees to every citizen, the Right to Privacy as a fundamental right. The Supreme Court has held in a number of cases that information about a person and the right to access that information by that person is also covered within the ambit of right to privacy.

What’s worsening the situation?

• More focus on control than protection: The Personal Data Protection Bill, struggling to be born in Parliament despite conception in 2018, is more about control and surveillancethan about promoting privacy and protection of data. 
  • Far-reaching exemptions, in large measure swallowing the rule, have been carved out where personal data can be processed.
  • Section 35, which provides the government with unfettered access to personal data, negates the three tests of legality, necessity and proportionality given by the Supreme Court in Justice K.S. Puttaswamy (Retd.) vs Union Of India.
  • The Bill also allows State and private parties to process personal data without obtaining consent and such broad exemptions would not only open the floodgates for misuse but also reduce India’s prospects of entering into bilateral arrangements for law enforcement access.
• Wholly government controlled system: Selection committees, terms of appointment and of removal establish beyond doubt that the Authority is likely to be like a rehabilitation centre for retired bureaucrats, yet a sinecure wholly controlled by the government. It is a classic case of rolling up judge, jury and executioner.

Assessing the impacts:

• Re-tribalisation of politics: Resultantly, “Information Superhighways” (coined by the U.S.’s “almost” President Al Gore) in democracy are leading to “re-tribalisation” of politics in cabals and cocoons while deliberations are fast transforming into ‘consultations among computer systems’ where trust and security are illusions.
• Easy spread of fake news: For citizens, digital media are carriers of images and sounds, rather than words and thoughts, and the system where images run faster than thoughts is suitable for the spread of fake news.
• Disinformation: Times of fear and uncertainty also provide a fertile ground for disinformation to grow. The fake WhatsApp forwards that triggered the primitive “Us v/s Them” group mentality and is manifested in Delhi riots reports, and the forwards on the novel coronavirus which declare COVID-19 a bacteria and the World Health Organization stating that vegetarians cannot be infected with COVID-19, are all reminders of the potency of data, true or false, in a democracy.

What needs to be done?

• A balanced approach: There need to be a gatekeeper to balance appetites for technology, security and privacy. So long as the gate keeper is for regulation, not surveillance, and so long as it is completely and genuinely independent.
• Internet Ombudsman: An Internet ombudsman with experts on cyber and Internet laws, IT, data management, data science, data security, public administration and national security, and consciously involving eminent sections of civil society, can be an effective antidote to unregulated technological disruptions.

The need for constitutional entrenchment  Any data protection body must be abundantly independent, especially in the manner of appointment of its members, conditions of their service and the manner of their removal. They must not be appointees of the executive alone but must be appointed on the recommendation of a committee having bipartisan legislative representation and representatives from the judiciary – as is the case with the information commissions, the Central Vigilance Commission and the NHRC. Their removal from office must only be allowed in the same manner as a judge of the Supreme Court and their salary must also be fixed similar to the CAG or an election commissioner. Only a constitutionally entrenched body will be sufficiently protected from executive aggrandizement, political control and institutional capture, leading to a robust fourth branch institution – one which can act as an effective guardrail against violation of the right to privacy. Incorporation of a full-fledged Data Protection Commission through a constitutional amendment must be envisaged by the legislature as a replacement for the DPA in its current form.

• Usage of data with consent: Data should not be collected and processed without consent. Businesses that violate this principle would also violate Indian constitutional norms of informational privacy, as well as the property interests of users.

Conclusion

A country like India—with low levels of access to credit, insurance, and other financial services—may potentially make very different trade-offs between the need for such access on the one hand and the need for informational privacy on the other. Therefore, a law sanctioning collection of data and requiring the government to follow crucial data protection and surveillance principles is the need of the hour.