RIGHT TO PRIVACY

Has right to privacy been narrowed down to data protection?

data-protection-pix Representational Image

If we could first know where we are, and whither we are tending, we could then better judge what to do, and how to do it” — Abraham Lincoln

Lincoln’s statement underscores the significance for a strong and meaningful debate on privacy in India. While the Aadhaar conundrum has already paved way for much of a discourse, there is more to it than meets the eye. The Centre has apparently launched its ambitious ‘Project Insight’ to keep an eye on citizens’ social media posts to check tax evasions. So, yes, next time make sure you’ve paid your taxes before flaunting pictures of your luxurious Mauritius vacation on Instagram.

Add to it, the Centre stating in the Supreme Court that a legislative process is in progress to bring in a bill for human DNA profiling in India. While DNA profiling could be a progressive step in medical research, it also comes with the requirement of storing the profiles in a secure database.

As days progress, we are increasingly confronted with situations where we feel our privacy is being exposed. Taking a cue, on July 31, the Centre constituted a data protection policy committee headed by former Supreme Court judge B.N. Srikrishna, to “identify key data protection issues” in India and recommend methods for addressing them. The 10-member panel will also suggest a draft data protection bill. "Protection of data is expected to provide big boost to digital economy of the country," reads a statement from the Ministry of Electronics and IT on the appointment of the panel, a realisation that has dawned on the Centre a tad too late.

The government has taken a step in the right direction by constituting a committee, thanks to the incessant right to privacy debates in the Supreme Court. However, with the formation of the data protection policy committee lurks the danger of the whole right to privacy debate being cut short or narrowed down to mere ‘data protection’. The debate has now been shifted from a privacy law to a data protection law, which are not one and the same.

Will a data protection law guarantee privacy?

The answer is a definite ‘no’. Privacy is the freedom to exercise one's choice to withhold or share information or details, which others have no right to know. On the other hand, data protection is safeguarding any information collected by a public authority or company from being used without the consent of the stakeholders involved.

By focusing on data protection law, we, as a nation, are not coming with a holistic approach to address the elephant in the room—the legitimate hopes of Indians that their personal data and data privacy are not infringed by any state or non-state actor.

Data protection and personal privacy are two distinct requirements. “Data protection is not equivalent either to personal privacy or data privacy. In fact, these are distinct challenges which go beyond data protection. Assuming that you do maximum data protection does not necessarily mean that there will be no privacy violations. We need to work on both independently,” says cyberlaw expert Pavan Duggal.

The senior Supreme Court lawyer drew an analogy of making a cup of tea to explain the concept. “Imagine I’m making a cup of tea. If data protection is the milk, then sugar or water has to be privacy. We cannot interchange or substitute one with the other, though in common lingo, they are often referred to an interchangeable manner.”

The issue of personal privacy is far more important. Referring to the privacy debate around Aadhaar, he says, “Aadhaar is not just about data protection but more importantly, it is also about personal privacy. That’s something that neither the IT Act nor the Aadhaar Act, 2016 covers.”

Precisely, that’s the reason why the Aadhaar Act, 2016, is increasingly becoming obsolete. When the law was passed, it was done so with the assumption that it is going to be voluntary.

When formulated, the Aadhaar Act was only looking at the protection of the critical National Data Repository. But by pushing for compulsory Aadhaar seeding, a lot of things started getting connected to Aadhaar. “As a result, a huge ecosystem started developing around the Aadhaar. Now, that ecosystem is completely unsecure and is not envisaged by the Aadhaar Act, 2016, because the premises for which the Aadhaar was made has now been changed,” Duggal explains.

So while the Centre has done a good job by appointing a committee on data protection, that still does not suffice for India to look at a distinct legislative framework on both personal privacy and data privacy in a digital environment.

Another danger with the whole debate shifting to mere data protection than that of privacy is its inability to address the devil of surveillance. “Data protection contains an aspect of privacy, of course, but it is not one and the same, because surveillance would not be covered in a data protection law," says an active stakeholder in the Aadhaar privacy debate, who did not wish to be named.

As disturbing as it might sound, surveillance, one among the gravest privacy-related concerns, will not be covered in a data protection law because this issue is larger than the matter of privacy. “For instance, the right to privacy debate has the potential to bring intelligence agencies in India under a law. Currently, the intelligence agencies are not answerable to Parliament or the public. This can be changed only by a privacy law and not by a data protection law,” the expert added.

Privacy in internet era

Do we actually have privacy in the modern world? What are the parameters of privacy? These are important questions that need to be discussed, debated and requires deeper understanding in the current world. The Supreme Court is contemplating whether we have an actual right to privacy. While that is being awaited, it is also important for us as a nation to determine how we want to define privacy; how are we going to deal with it.

Privacy is a multi-faceted concept, that includes decisional and informational privacy. With regards to informational privacy it is about control of your information rather than not letting it out. “Just as the right to freedom of expression includes the right to remain silent, similarly right to privacy includes within it the right to share. One can’t say that sharing means you have no privacy. That’s similar to saying that remaining silent will mean you don’t have any freedom of expression,” says Pranesh Prakash, policy director at the Centre for Internet and Society, a non-profit that engages in policy research.

A closer analysis of the privacy debate in India reveals that the government (conveniently) fails to recognise the contours between secrecy and privacy. “Privacy is about who has access to what information, including both personal as well as non-personal information. It isn't oxymoronic to say one can have privacy in public spaces, or to talk of the right to privacy even in public spaces; for instance when I am walking down the street, I can assert a right not to have a person following me with a video camera the whole day,” he explains.

With advancements in face recognition technology, we live in a world where people and their locations can be traced without manual intervention. This isn’t something that a person would expect in the contours of privacy—it reduces the control you have over certain aspects of your life. This is precisely what a privacy law should ensure and safeguard.

“It is incorrect to say that privacy should in all cases trump national security, or the freedom of expression. All these different rights should exist harmoniously. That’s what the government is currently resistant to. That does not board well,” Pranesh says.

According to Duggal, India should decide if we are adopting a Bollywood (masala) approach or a dedicated approach towards right to privacy. “A Bollywood (or the masala) approach would involve adding new elements to the IT Act (which will not produce the desired results). Also, we cannot do a cut and paste of foreign frameworks in India, it will not work. The Indian ecosystem and realities are different, and hence we need a completely different approach—a customised one solely for India.”

Creating a right ecosystem for privacy protection in the country will also require establishing right business practices that promote privacy. Unfortunately, at present, there is no system in place to incentivise or embarrass a company for following or not following privacy protection norms in India. There is a good range of international best practices globally, however, since the law does not mandate companies to do so, companies do not often follow them in India. “Proactive compliances is always lacking in India. Unless the law comes up with best practices that encourage protection of personal privacy, businesses in the country will also not be keen on the same,” Duggal says.

By reiterating that the right to privacy is not absolute, the government is currently trying to dilute the debate of privacy in terms of administrative conveniences. This, in turn, is manipulating the fundamental definition of privacy. 

This browser settings will not support to add bookmarks programmatically. Please press Ctrl+D or change settings to bookmark this page.

Related Reading