After Right to Privacy Ruling, Focus Must Now Be on Creating Robust Data Protection Laws

Digital privacy is a subset of the right to privacy, which can be fully exercised only if a good data protection system is in place.

The right to privacy has been declared a fundamental right but to prevent financial losses or any other kind of misuse of data, further steps need to be taken. Credit: Reuters

The right to privacy has been declared a fundamental right but to prevent financial losses or any other kind of misuse of data, further steps need to be taken. Credit: Reuters

The Supreme Court’s recognition of privacy as a basic fundamental right paves the way for discourse around informational privacy, as underscored by each of the judges in the detailed verdict. Though this is a victory for many of us who have been advocating the need for this recognition, our work is far from over. Robust data privacy laws are needed to allow citizens to enjoy this newly provided right while imposing accountability on anyone handling personal data. Digital privacy is a subset of the right to privacy but can be fully exercised only if a good data protection system is in place.

Technological advancements directly affect the contours of privacy in the 21st century. Presently, India has an internet penetration of about 31% and in the coming years it has the potential to boom, much like, or perhaps faster than, the cellphone phenomenon. The size of an individual’s digital footprint is dramatically expanding everyday with a plethora of information readily available about them. Experts have gone to the extent of saying that there is technology that can analyse individuals by simply reviewing a few hundred ‘likes’ on Facebook and ‘know you better than your spouse’. Similarly, Aadhaar, which forms an essential part of the government’s flagship JAM trinity – Jan Dhan, Aadhaar, mobile – for better governance, is being couched as an insurmountable ‘big brother’ threat to privacy. The discourse around this is starkly divided between those who consider privacy intrusions to be inevitable and those who are advocating privacy as an absolute right. Such a binary approach is unlikely to amount to any pragmatic solution.

Exceptions to right to privacy

The right to privacy, while fundamental, must make room for some accurately and narrowly defined exceptions. The Supreme Court has expounded a three-tier test for any exception to be made to the privacy right – legality, which postulates the existence of the law; legitimate state aim, i.e. the need for the invasion and proportionality, which ensures rational connection between the ends; and the means adopted to achieve them. According to the verdict, legitimate aims of the state for which invasion of privacy can be permitted, includes “preventing the dissipation of social welfare benefits”. This outlook permits the continuation of Aadhaar for purposes of distribution of welfare benefits and prevents any further “dissipation”. Thus, the Aadhaar initiative can not only coexist with the status of privacy as a fundamental right but can also flourish as a viable system of welfare distribution and lead to increased financial inclusion.

Going forward, the interpretation of legitimate state aim must be narrowly tailored as observed by Justice Jasti Chelameswar. A good reference point for this may be found in the higher standard of limitations to speech laws in the US as compared to India.

In the context of free speech, the Brandenburg test is gold standard which lays emphasis on ‘imminent lawless action’ and ‘likelihood to incite such action’ being directly related to any form of speech for it to warrant action restraining it. In India, well intentioned ‘reasonable restrictions’ have thus far been vague and broad making them prone to misuse. We must evolve legislation around privacy in a manner that our emphasis is on narrowly defined exceptions to prevent arbitrary abuse.

Data protection

The right to privacy encompasses the right to have our data protected. This rights-based approach allows citizens complete control over their data – consent for any kind of usage, processing, sharing with third parties or even removal and the ‘right to be forgotten’.

Day to day, we face the threat of data breaches and financial frauds leading to monetary losses. This year reports of malware and ransomware have become commonplace. Last year, a sum of Rs 1.3 crore was reportedly lost in fraudulent transactions because of a malware attack on debit card details. In fact, our financial data is so vulnerable that out of all kinds of data breaches in 2016, 73% were based on unauthorised access to financial data and identity thefts.

Also read: FAQ: What the Right to Privacy Judgment Means for Aadhaar and Mass Surveillance

These facts may seem alarming at first, but it is important to take a step back and look at the large and proven benefits of Big Data as well. For example, let’s look at health innovations that are being guided and shaped by Big Data globally. Technological giants like Google and Amazon are using their Big Data capabilities in furthering ground-breaking medical research related to critical health challenges like cancer. Grassroot governance is witnessing a paradigm shift from the age-old tradition of corruption and leakages to targeted delivery to those in need. Should we act as gatekeepers and resist innovation being brought in by a global technological revolution? A cynic may go to the extent of saying that if our data is being mined, perhaps we should just sell it for a nominal price. This may hold some appeal or a morsel of reason but it would be a short-sighted approach. Instead of giving up our autonomy over our data, shouldn’t our efforts be directed towards safeguarding our data?

Need for data protection law

In the age of machine learning algorithms, our focus should be on tighter regulation of data and making data handlers, both government and private, accountable. Recent US government research showed that while determining the creditworthiness of someone utilising the facility of digital loans, there was a bias hurting the scores of younger borrowers as people with lower incomes were targeted for higher-interest rates. To import this to the Indian scenario, there is a possibility that similar machine learning algorithms could display a bias towards farmers or members of a particular community based on the criteria of low income. Therefore, as recommended by a study by Ford Foundation discussing this issue at length, we must invest in developing a greater cohort of public interest technologists who can review and correct such flaws in algorithms. With the growing emphasis on ‘Digital India’ and financial inclusion, it is likely that situations like these will manifest with greater frequency in the future. This calls for a regulatory authority with power, inter alia, to conduct inspections or algorithm audits of entities, both government and private, which deal with data.

There is a dire requirement for India to address the concerns around data security by mandating prompt response to data breaches and fortification of security by government or private entities. Compliance has to be ensured through adequate punitive measures and hefty fines. Transparency arising out of the shift of the implementation and compliance burden on the actual handlers of our data will promote greater trust in the data ecosystem.

The right to privacy has been declared a fundamental right but to prevent financial losses or any other kind of misuse of data, further steps need to be taken. The nine-judge bench has traced the evolution of an individual’s right to privacy but the way forward has to be charted through a robust data protection law.

Jay Panda is a four time member of parliament from the Biju Janta Dal. He introduced a private member’s bill on data protection and privacy in the monsoon session of the parliament.