Privacy Delayed Is Privacy Denied

Each day that goes by without a data protection law, the government is failing in its positive obligation to create a framework that enables us to exercise our fundamental right to privacy effectively.

Recently, both houses of parliament reportedly granted a fourth extension to the joint parliamentary committee to submit its report on the Personal Data Protection Bill, 2019 (PDP Bill). The previous extension for the submission of the report was granted until the second part of the Budget Session. Several news reports anticipated that the Committee would positively submit its report and the finalised draft of the PDP Bill in the Budget Session. Parliament, however, was adjourned sine die before Holi, bringing an end to the Budget Session earlier than expected.

What does another extension and further indefinite delay in the introduction of a privacy law mean?

As informational privacy takes low priority in the legislative order of business, government adoption of technology is at its peak and data-driven governance is becoming increasingly ubiquitous every day, particularly during the pandemic. While steps taken by the Government of India towards embracing technological capabilities in its endeavours are whole-heartedly welcome, these steps are accompanied by the unfettered collection of an insurmountable pile of personal data of Indian citizens, largely unregulated.

Also read: The Mandatory Imposition of the Aarogya Setu App Has No Legal or Constitutional Basis

Why a data protection law is imperative 

First, a data protection law has the potential of providing a clear legal basis to our entitlements reasonably expected to accrue from the fundamental right to privacy, delineating the permissible from the impermissible, clarifying the scope of our fundamental right to privacy, explaining what data fiduciaries that collect our personal data can and cannot do with regard to it. 

A ‘fundamental’ right to privacy does not specifically outline entitlements that necessarily accrue until it is adjudicated. In the absence of a data protection law, courts have, for instance, taken contrasting positions in relation to the scope of underlying facets of privacy such as the right to be forgotten. The absence of a data protection law makes it impossible to know what rights are specifically available to us, rendering the fundamental right largely meaningless. The absence of a uniform basis for entitlements also exacerbates incoherence across different courts and in our common understanding of such a right.

Second, a data protection law has the potential of enabling effective judicial redress, giving teeth to the fundamental right, as well as creating disincentives for data fiduciaries to collect personal data unlawfully. At present, the Indian constitution does not allow writ remedies against purely private bodies given that they do not constitute ‘state’ within the meaning of Article 12. This means that in every instance where a purely private body violates a citizen’s right to privacy, there is very limited recourse available under Indian law at present, such as, for instance, under section 43A of the Information Technology Act, 2000 (IT Act) read with Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (Privacy Rules).

Section 43A enables individuals to claim compensation from ‘body corporates’ (defined to include corporate entities that are engaged in commercial and professional activities encompassing tech businesses generally) that inter alia do not adopt reasonable security practices as a result of wrongful loss to an individual. However, the more significant obligations under the Privacy Rules (such as obtaining consent, processing for limited purpose, retaining only for as long as required, sharing only with prior consent, disclosing recipients to the user, and providing a grievance redressal mechanism) only apply in relation to ‘sensitive personal data’ which includes only specific defined categories of information (for instance, passwords, health data, financial data or biometrics) and not personal data generally.

Furthermore, our personal data can also arguably include many other categories which could be potentially sensitive such as phone numbers, home addresses, political opinions, religious beliefs, etc. While some of these are covered under the PDP Bill currently, they are not regarded as ‘sensitive personal data’ under the Privacy Rules. Even in relation to sensitive personal data, while section 46 of the IT Act provides for a framework to adjudicate complaints inter alia under section 43A, there are very few reported instances of individuals being able to successfully claim compensation under the Privacy Rules.

Perhaps one of the explanations of why there exist limited instances of enforcement of privacy is that there is a very limited incentive to expend time and resources to file a complaint under existing law. This is because the IT Act currently only entitles people to ‘compensation’ for actual loss suffered and not really ‘damages’ as such. Damages, on the other hand, can theoretically also be punitive and in addition to compensation which is a restorative remedy.

Further, in the absence of actual demonstrable financial loss, it is also difficult to make a claim where there has been breach of privacy per se but no related financial loss as such as injury to privacy without any actual damage. Apart from these limited redressal mechanisms, situations where the IT Act read with the Privacy Rules do not create a remedy, it is not feasible to file a writ petition against the state each time a private actor breaches citizens’ privacy, arguing that the government is responsible for such failure to prevent such breaches.

As with any other right, the right to privacy is not meaningful without our ability to successfully enforce this right, remaining a right without teeth, not creating adequate incentive for businesses or the government to respect our privacy (apart from market-driven incentives of course, which have their own constraints). Indeed, it is not unprecedented for Indian courts to adopt this understanding of our fundamental rights and for courts to impose such responsibility on the state.

In fact, in Vishakha and Ors. v. State of Rajasthan and Ors., the Supreme Court held the state indirectly accountable for its failure to introduce a law that adequately protected women against sexual harassment at workplaces, which violated their right to live with dignity, a fundamental right. The Supreme Court went so far as to publish its own guidelines to bridge the gap in law, until the government was obliged to introduce the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013.

Each day that goes by without a data protection law, the government is failing in its positive obligation to create a framework that enables us to exercise our fundamental right to privacy effectively.

Also read: Do India’s COVID-19 Patients Have a Right to Privacy?

Even the PDP Bill may not solve for delay

What exacerbates this delay is that even if the parliament enacts the PDP Bill, and receives presidential assent, various provisions would only come into effect separately (or together)as and whennotified by the Central government. While introducing a complex law may be challenging and enforcing it all at once, even more so; the earlier draft of the Bill (PDP Bill, 2018) to the credit of the committee of experts chaired by Justice B.N. Srikrishna (Retired) envisioned a clear timeline within which different provisions would be enforced a fine balance between accounting for administrative realities as well as consciously striving towards making privacy a realisable right.

Under the 2019 draft of the PDP Bill, however, it is entirely possible that some provisions remain unnotified indefinitely, resulting in those provisions existing only on paper, and never seeing the light of day, in reality.

Indeed, the inordinate delay caused by the government in introducing the PDP Bill and its ability to further delay the coming into effect of the PDP Bill by notifying different provisions separately and indefinitely violates our right to privacy. Enough has already been written about the connection between due process and delay and how justice delayed is justice denied.

The fight for a right to privacy has been slow and steady, and one would say we have come a long way since M.P Sharma and Ors. v. Satish Chandra to the Puttaswamy & Ors. v. Union of India and Anr. However, one is left wondering whether, in the four years since recognising that privacy is a fundamental right, we could have created a law that helps in its effective realisation.

Siddharth Sonkar is an associate at the technology, media and telecommunications (TMT) team at Trilegal. Views are personal. The author is grateful to Tanvi Ahuja, an associate at Trilegal for her helpful edits.