Justice BN Srikrishna made a telling point recently at a symposium marking the second anniversary of the Puttaswamy judgment which affirmed that privacy
was a fundamental right. He said given the parliamentary majority the ruling party enjoys, it should have been possible to pass the data privacy
legislation that a committee headed by him drafted, “with the same ease that cash is withdrawn from an ATM”. But it has been two years since the Supreme Court recommended specific legislation to protect privacy, and over a year since the Srikrishna Committee submitted its recommendations, and draft legislation, and there has been no movement in terms of turning that draft into law, even though a number of other legislation has been passed by Parliament at an impressive speed.
This is unfortunate as in the absence of a specific privacy
protection law on the lines proposed by the Srikrishna Committee, it is difficult to prevent privacy being breached in practice. In this two-year period, there have been multiple disturbing developments that have impacted privacy. For example, the DNA Profiling Bill has been cleared and there are grey areas in that legislation. DNA is not only sensitive personal data — it can uniquely impact the privacy of persons related to the individual whose DNA is stored and tested. The government has also proposed the bulk sale of automobile registration lists, and driving licence data from state motor vehicles departments, to private sector entities. Aadhaar has been linked to income tax returns despite being supposedly voluntary. There are also proposals to link Aadhaar to electoral rolls, which may result in voters being profiled in unconstitutional ways.
There are multiple public interest litigations currently being heard in various courts proposing that Indians should be forced to link Aadhaar to their social media accounts and to the usage of instant messaging services. The petitioners, including the Tamil Nadu government, claim that this would be effective in curbing the spread of fake news. Whether that is true or not, the loss of anonymity on social media would inevitably result in curbs on free speech. The privacy of citizens who may express unpopular opinions, or indulge in acts of whistle-blowing, would no longer be sacrosanct. Any democracy, which recognises privacy as a fundamental right should give primacy to those freedoms and seek other ways to combat fake news.
There will soon be other privacy issues as the ecosystem of the Internet of Things (IoT) proliferates. Given that a fridge, air-conditioner, or car may now see, hear, record and transmit private conversations, privacy breaches will, in fact, become even more egregious in the near future. Legislation must be “future-proofed” to deal with fresh challenges on the IoT front. These examples should make it clear that it is necessary to balance multiple considerations when it comes to privacy. Data is indeed digital gold, and a national resource. All manner of public services can be enabled by data, and all sorts of business models can be based on data. But data must be acknowledged as the personal property of the individual generating it, and it should not be gathered, stored, or used without the informed consent of those individuals. Until there is a specific privacy legislation built upon that foundational principle, the Puttaswamy judgment of August 2017 will mean very little in practice.