Two years ago, this month, a nine-judge bench of the Supreme Court unanimously held that Indians have a constitutionally protected fundamental right to privacy. It held that privacy is a natural right that inheres in all natural persons, and that the right may be restricted only by state action that passes each of the three tests: First, such state action must have a legislative mandate; Second, it must be pursuing a legitimate state purpose; and third, it must be proportionate i.e., such state action — both in its nature and extent, must be necessary in a democratic society and the action ought to be the least intrusive of the available alternatives to accomplish the ends.
Prescribing a higher standard
That judgment in Justice K.S. Puttaswamy (Retd) vs Union Of India fundamentally changed the way in which the government viewed its citizens’ privacy, both in practice and prescription. It undertook structural reforms and brought transparency and openness in the process of commissioning and executing its surveillance projects, and built a mechanism of judicial oversight over surveillance requests. It demonstrated great care and sensitivity in dealing with personal information of its citizens. It legislated a transformative, rights-oriented data protection law that held all powerful entities that deal with citizens’ personal data (data controllers), including the state, accountable.
The data protection law embodied the principle that the state must be a model data controller and prescribed a higher standard of observance for the state. The law also recognised and proscribed the practice of making access to essential services contingent on the citizen parting with irrelevant personal information. This law established an effective privacy commission that is tasked with enforcing, protecting and fulfilling the fundamental right to privacy implemented through the specific rights under the legislation.
The data protection law also revolutionised the technology sector landscape in the country, paving way for innovative privacy-aware and privacy-preserving technical solution providers to thrive and flourish, and establishing the country as a global leader in the space.
This fairytale would have been the story of the last two years if the government had followed the script. But it did the exact opposite. The judgment in K.S. Puttaswamy effected little change in the government’s thinking or practice as it related to privacy and the personal data of its citizens.
National security as reason
It continued to commission and execute mass surveillance programmes with little regard for necessity or proportionality, with justifications always voiced in terms of broad national security talking points. The Ministry of Home Affairs, in December last year, authorised 10 Central agencies to “intercept, monitor and decrypt any information generated, transmitted, received or stored in any computer in the country”. This notification is presently under challenge before the Supreme Court. In July last year, it became known that the Ministry of Information Broadcasting had floated a tender for ‘Social Media Monitoring Hub’, a technical solution to snoop on all social media communications, including e-mail. The government had to withdraw the project following the top court’s stinging rebuke. A request for proposal for a similar social media surveillance programme was floated in August last year by the Unique Identification Authority of India (UIDAI), which is presently under challenge before the Supreme Court. The Income-Tax department has its ‘Project Insight’ which also has similar mass surveillance ends. These are but a few examples.
Data use vs. privacy
The government has shunned a rights-oriented approach in the collection, storage and processing of personal data and has stuck to its ‘public good’ and ‘data is the new oil’ discourse. In other words, personal data in the custody of the state is for the state to use, monetise and exploit in any manner it desires so long as it guards against security incidents such as breaches and unauthorised access — i.e. unauthorised by the government. This convenient redux of the idea of privacy to mere information security appears to inform all its policies. This is evident from this year’s Economic Survey as it commends the government for having been able to sell and monetise the vehicle owners’ data in the Vahan database and exhorts it to replicate the success with other databases. The Justice Srikrishna committee which has published the draft Personal Data Protection Bill uses a similar language of ‘free and fair digital economy’, with the digital economy being the ends and the notion of privacy merely being a shaper of the means – not only misrepresenting the purpose of the bill, but also its history and the mischief that it intended to tackle. The committee made the choices it made despite being aware that the courts are likely to interpret every provision of the legislation purposively, taking note that the purpose is couched in terms of the economy as opposed to the bill having a singular focus on the fulfilment of the right to privacy.
As K.S. Puttaswamy ages and steps into its third year, the script is still on the table. A rights-oriented data protection legislation — which includes comprehensive surveillance reform prohibiting mass surveillance and institution of a judicial oversight mechanism for targeted surveillance — and which recognises the principle that the state ought to be a model data controller as it deals with its citizens’ personal information; is still possible, one hopes.
Prasanna S. is a practising lawyer based in New Delhi
