A law governing data privacy is the need of the hour
Consequently, the digital footprint of Indians is set to increase with a colossal amount of data being generated 'voluntarily or involuntarily' by users
According to a report by the Internet and Mobile Association of India (IAMAI), the number of Internet users in India is expected to reach 500 million by June 2018. The Government of India, under its flagship scheme "Digital India", which aims to transform India into a digitally empowered society and knowledge economy, has made the delivery of public services using online platform(s), resulting in increased access to the Internet.
Consequently, the digital footprint of Indians is set to increase with a colossal amount of data being generated — voluntarily or involuntarily — by users.
However, the framework under which data is collected, processed and stored is nearly non-existent in India. Most Indians using Internet have no or little idea about data privacy, and this blissful ignorance exposes and makes them vulnerable to threats like illegal data harvesting, ID theft, profiling without consent, etc.
The data generated by our activities online can be analysed in ways a person making that digital footprint might not even know about. For instance, the recent controversy about ‘Cambridge Analytica’, where mass harvesting of data of Facebook users took place without their knowledge or consent, and the results were subsequently used to influence voters in India.
At present, Section 72A of the Indian Information Technology Act, 2000, provides for data protection by making it a punishable offence to disclose information, knowingly and intentionally, without the consent of the person concerned and in breach of the lawful contract. However, its enforcement remains deficient as the people tasked with enforcement lack subject knowledge and technical know-how, leaving users exposed, vulnerable and without any real protection from their data being misused.
The Supreme Court, while declaring the "Right to Privacy" as a fundamental right, also held that the same extends to both physical as well as virtual world. Justice Kaul, in his judgment, had observed that privacy in the digital age includes the "Right to be Forgotten", and hence, empowers individuals with control of the information they put out, enabling them to seek removal of data concerning them. The right is not absolute in nature and is subject to reasonable restrictions, such as that information which may have a social ramification or necessary for compliance of legal obligations, etc.
This "Right to be Forgotten" has to be made an integral part of the existing data protection regime in India. Reference in this regard can profitably be made to regulation (EU) 2016/679 of the European Parliament and of the Council of April, 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Some progress in this regard has been made, when BJD MP Baijayant Panda moved a private member Bill in Parliament last year by the name of Data (Privacy and Protection) Bill, 2017, which envisaged a right to “informed consent”, wherein, only upon giving an express and affirmative consent can a person’s data be collected, used or sold. The Bill, in principle, proposed to give right to every citizen, a right wherein s/he had control over data produced by him/her. “Express consent” of the individual was required before the data in question could be collected, used or sold.
Under the provisions of the Bill, a quasi-judicial body would have allowed juristic persons to file grievances against private as well as government bodies against any breach of privacy. This was a great leap forward, as this would have created a specialised body with experts at the helm, ones who would be best equipped to handle the situation, wherein the individual whose privacy had been compromised would have approached and could have had the breach addressed in a fast, reliable and time-bound manner.
The Government of India has constituted the 10-member committee headed by Justice Srikrishna in August 2017. The committee is likely to submit the draft for a new law regarding data privacy and protection by May 2018. A white paper released by the Committee suggests that it is in favour of a new law that would be applicable to both government and non-government sectors, to collect and process data after consent. It also proposes to fix accountability on data controller for any data processing; establishment of a high-powered statutory authority for enforcement, supported by a decentralised enforcement mechanism; and penalties for wrongful data processing to ensure deterrence.
The current provisions of law, which the masses are nearly oblivious to, face a problem in implementation and are mostly inept at delivering their aim. The Bill moved by BJD MP Baijayant, which called for independent data protection authority, can be used as a guide in order to come up with a strong data privacy law.
The government, in light of recent incidents like Cambridge Analytica and growing importance of effective data protection, should take notice, step in and fill the gap that exists in the current law and policy regime. Government’s push towards delivery of services through Internet needs to be backed by a full-bodied and dynamic framework to ensure that the data being generated by users is not used without their consent, and also to give them to decide how this data may be used. It will also bring accountability to data handlers, both government and non-government actors.
The author is a practising advocate in Delhi.