Illustration: Binay Sinha
The Snowden revelations of 2013 were, in some ways, the “Lehman Brothers moment” of the privacy crisis, sparking a global loss of faith in government surveillance systems. More recently, the Cambridge Analytica episode has illustrated how something as innocuous as taking a personality quiz on Facebook could become a tool for influencing political outcomes. These are not isolated incidents of a few rogue agents but examples of the unlucky few that got caught with their hands in the cookie jar. Since the benefits of indulging in data excesses clearly outweigh its regulatory, economic and political costs, it is only logical to expect such practices. This makes it unrealistic to rely on self-regulation or intermittent scrutiny following a detected violation to address the complexity of modern-day privacy concerns.
In India, the concept of “privacy” found its way into popular consciousness through the debates surrounding Aadhaar and the Supreme Court’s Puttaswamy verdict. The biometric nature of Aadhaar and its ubiquitous adoption across public and private services sparked concerns about the volume of data being amassed under the system and the threats to its safety. These concerns are magnified by the state’s incentives to gain deeper insights into the lives of citizens; the lack of transparency around surveillance practices in India; and its potential consequences for civil and political rights. As in the case of private data collectors, relying merely on the UIDAI to monitor how personal data is collected, managed and secured on its platform is not sufficient. Both cases call for a solution that is grounded in a robust data protection law, with mechanisms for independent oversight. The Justice Srikrishna Committee constituted by the government is in the process of drafting such a law, although we are yet to see its exact direction.
While our discussions on Aadhaar and data protection are necessarily local, these conversations are not taking place in isolation. Rather, they are being informed by equally spirited debates that are taking place in other parts of the world. The adoption of the General Data Protection Regulation (GDPR) in Europe, concerns around fake news and the economic implications of data localisation norms are some examples.
The GDPR, which comes into effect in a few days, creates a comprehensive framework to protect the personal data of European subjects. Its actual footprint is, however, likely to be much larger. First, many global businesses are responding to GDPR by tightening their worldwide privacy policies — this will mean better protections for individuals located outside Europe also. Second, the developments in EU are feeding into data protection discussions in other jurisdictions, including India. Third, the GDPR’s compliance norms will increase the cost of operations for smaller businesses, with implications for the data processing industry in India. At the same time, enhanced compliance requirements should fuel a new wave of RegTech solutions, using technological tools to facilitate regulatory compliance.
The constitution of the Justice Srikrishna Committee comes against the background of the Puttaswamy verdict, the Aadhaar challenge and questions about the Facebook-WhatsApp privacy policies before the Supreme Court. This gives hope that the work of this committee will not meet the fate of a similar exercise conducted by the Justice AP Shah Committee a few years earlier. This time, we have the momentum of the global privacy crisis to nudge policy makers towards a data protection law. The challenge, of course, would be to ensure that the law that is finally adopted does more than paying lip service to data privacy. A critical step towards this would be to open the draft law to public comments at an early stage. We need to build confidence and consensus towards a framework that can truly safeguard our personal liberties, from abuse by private actors and the state itself.
The author is a technology policy researcher at the National Institute of Public Finance and Policy