Recognition and Protection: India’s Data Privacy Journey
Amber is a Senior Fellow-Trustworthy AI at Mozilla Foundation studying models for algorithmic transparency. He works at the intersection of law, technology and society.
The Indian Government withdrew the Personal Data Protection Bill in August 2022, indicating it would work on a new bill soon. The legislative process towards data protection laws in India has been long and fraught.
The most recent legislative efforts began in 2017. There had long been judicial uncertainty regarding the existence, or indeed lack thereof, of a constitutional right to privacy in India. Legal challenges surrounding the controversial Aadhaar Identity Programme prompted the supreme court to constitute a bench and clarify whether the right to privacy was constitutionally protected.
Ironically, this was largely induced by the government’s insistence that there was no need for a constitutional right to privacy, and the privacy rights of citizens could be protected under a data protection law.
Ultimately the court rejected the government’s argument and concluded a fundamental right to privacy was very much recognised under the Indian constitution. The commitment by the Indian state to frame a robust data protection law was a happy by-product.
The Ministry of Electronics and Information Technology (MeitY) formed a 10-member committee led by retired Supreme Court judge B N Srikrishna in July 2017. On 27 July 2018, the Srikrishna Committee submitted a draft of the Personal Data Protection Bill, 2018 to MeitY, along with a report titled A Free and Fair Digital Economy. There was an updated draft by MeitY introduced in the Indian Parliament in December 2018 which was immediately referred to a Joint Parliamentary Committee (JPC). The JPC spent almost three years in deliberation and, finally, submitted an unwieldy draft to the Parliament.
This was not the first exercise towards the creation of India’s data protection law. In fact, the last decade is littered with multiple unsuccessful efforts and bills. In 2012, Justice A P Shah led another committee and provided detailed recommendations to the government. Before MeitY became involved, the Department of Personnel and Training had been the nodal authority tasked with working on privacy legislation. There were at least two different drafts, one from 2011 and another from 2014 which were produced. Aside from this, there were multiple private member bills introduced by Manish Tiwari, Shashi Tharoor and Jay Panda. Much like the most recent legislative process, they did not go anywhere. There have also been civil society efforts which include the Citizens Privacy Bill by the Centre for Internet and Society, and the Indian Privacy Code by Internet Freedom Foundation.
The most recent process which began in 2017 was distinct from the earlier steps in one key aspect. The commitment made in the court meant that the Indian state could not simply abandon the process as it had done earlier. Even as it failed to formulate a law, it had to continue to take newer steps toward it. With the latest withdrawal of the bill from the Parliament, it has been reported that the government is planning a new Digital India Act which would include a data governance policy framework, cybersecurity guidelines, and a new data protection law.
It must be remembered that the Puttaswamy judgment held that privacy is both a negative and a positive right, meaning that not only does it restrain the state from committing an intrusion upon the life and personal liberty of a citizen, it also imposes an obligation on the state to take all necessary measures to protect the privacy of the individual. It is clear that the data protection law emerges directly from this positive duty, to protect the privacy of individuals both from the state and private parties.
The delays in arriving at a robust data protection law can largely be attributed to a lack of political will in successive governments over the last decade. In recent times, there has been significant pressure from the judiciary as well as other actors, including voices from civil society, to create a strong law. At the same time, there has been greater recognition of privacy as a social and economic good. The series of data protection drafts set a poor example by equating the protection of privacy and personal data, which derives its origin from the positive right to privacy, with policy objectives influenced by political economy considerations such as ‘a free and fair digital economy’ (2018 draft), ‘interest and security of the state’, and the need for ‘norms for social media intermediaries’ (2021 draft). While it is entirely within the remit of the legislature and the executive to pursue policy objectives through laws and policies, it is unusual to see such considerations dominating the positive rights obligations of the state in legislation intended to directly discharge them. There is a need to see the privacy of the citizens as the primary end goal of data protection legislation.
Aside from the data protection regulation, several other policy documents such as Niti Aayog’s National Strategy of Artificial Intelligence, Ministry of Commerce’s Artificial Intelligence Task Force Report and the Economic Survey of India 2018-19 echo a growing national vision where data is at the centre of the state’s welfare agenda, as well as its ambitions to compete in the AI race. Leveraging data for both welfare and innovation requires untangling the tricky matter of how personal data is differentiated from non-personal data, how we must deal with mixed datasets, and how to meaningfully obtain consent for these additional purposes. There is a clear indication of the intent of the Indian state to extract value from large datasets on Indian consumers maintained by large corporations. These policy goals are not only distinct from but may run contrary to the positive duty identified in the right to privacy — to protect Indian citizens from both state and private surveillance.
The reported plan to integrate data protection regulations within an omnibus law governing all aspects of digital life promises to further muddy the waters. With multiple contradictory policy objectives, the fear is that privacy will be sacrificed at the altar of both the state and private sector’s ambitions.
Latest blog posts
Cyber laws around the world: Privacy is not the policy
There is no doubt that the European Union’s GDPR has changed the cyber regulation landscape forever. As onlookers from non-EU countries urge their governments and regulators to adopt similar legislation, countries are rapidly adopting their
READ MORE »
The long and winding road : Striving for data protection in Indonesia
Juliana Harsianti is an independent researcher and journalist working at the intersection of digital technology and social impact. The long awaited Indonesian Personal Data Protection Bill was approved by the parliament on 20 September 2022.
READ MORE »
Kazakhstan needs tougher laws to address the impacts of spyware
In July 2021, the United Nations (UN) High Commissioner for Human Rights, Michelle Bachelet, issued a statement exposing the widespread use of Pegasus spyware that targeted journalists, human rights activists, politicians, and other people across
READ MORE »