Bittersweet moment: 5 years to the landmark Privacy judgement, but no data protection law yet! #SaveOurPrivacy

tl;dr

Today marks the 5-year anniversary of a momentous day in constitutional history, especially significant for the history of digital rights and freedom in India. On August 24, 2017, a landmark judgement by a nine judge bench of the Supreme Court in the Justice K.S. Puttaswamy. (Retd.) v. Union of India recognised the right to privacy as a fundamental right under the Constitution of India. The declaration of privacy as a right and an integral part of the right to life and liberty was a watershed moment in the constitutional history of data protection. The historic judgement also has far reaching consequences for key areas such as mass and targetted surveillance, right to freely express one’s sexual preference, etc. The fundamental right to privacy was further cemented as the Supreme Court acknowledged its application across the golden triangle of the Indian Constitution, i.e., fundamental rights pertaining to equality and dignity (Article 14), speech and expression (Article 19), and, life and liberty (Article 21).

Building on the landmark judgement in Courts of law

Much has been written about the events leading up to the judgment in Puttaswamy, the arguments led by counsel who appeared before the Supreme Court, and the reasoning adopted by the 9-judges who delivered the verdict. To understand how the right to privacy has played out in the last half decade, it is important to understand some of the specific areas where the Right to Privacy has been specifically recognised to advance jurisprudence on certain issues, to grant protections to the public and to recognise the dignity of every Indian that must flow naturally from the preambulatory promise of the Constitution.

Puttaswamy famously formed the basis of the Supreme Court’s judgment decriminalising same-sex relationships in India, as well its judgment decriminalising adultery. The Allahabad HC was able to uphold the right of choice in inter-religious marriages. Several High Courts, including the Uttarakhand HC, the Gujarat HC and the Chattisgarh HC have relied on Puttaswamy to further reproductive rights of women. A division bench of the Delhi HC recently found itself split on the legality of marital rape, where Justice Shakder relied on the Puttaswamy judgment to hold that marital rape is illegal.

Several High Courts, including the Allahabad HC, Bombay HC, the Calcutta HC, the Delhi HC have relied on Puttaswamy to hold that various illegal means of investigation, search and seizure by law enforcement are illegal. However, limits to the application of Puttaswamy in criminal investigations have already begun to be placed. The Chief Justice of India wrote in a judgment that “the fundamental right to privacy cannot be construed as absolute and but must bow down to compelling public interest”, to allow the collection of the voice samples of the accused. The Himachal Pradesh HC relied on the above case to find that tests such as narco analysis and polygraph with the consent of the accused would not violate the right to privacy.

On digital rights, perhaps the most important development has been Anuradha Bhasin’s reliance on Puttaswamy to understand the proportionality analysis and hold that speech and trade through the medium of the internet are fundamental rights, and thereby any curtailment on such rights, must adhere to the principle of proportionality. Before the Anuradha Bhasin judgment, the Kerala HC had relied on Puttaswamy to say that internet access would be covered by an individual’s right to privacy.

While the right to privacy has already advanced Indian jurisprudence on sexual autonomy, criminal evidence and dignity among many other aspects, the informational and data privacy of Indians remains under threat. Beyond holding facets of the access to internet as a fundamental right, Courts have not decided several issues of digital privacy pending before them.

Over a year has passed since the Pegasus revelations, but the victims are nowhere near a resolution of such an insidious invasion of their privacy. Conflicting decisions on the contours of the right to be forgotten have been pronounced by different High Courts. High Court petitions challenging the IT Rules, 2021, which intend to destroy encryption by mandating traceability of messages back to the original sender, have been stayed by an order of the Supreme Court, but no next date of hearing in the Supreme Court has been fixed as on date of writing this. Challenges to WhatsApp’s Privacy Policy have been forgotten. The Ministry of Home Affairs continues to block any attempt at finding transparency regarding the aggregate number of surveillance orders it issues.

The past five years have been busy. The next five may be busier still.

Privacy policy paralysis

We have tracked developments on this front rather closely (and optimistically) as we continuously strive to ensure that the Government upholds this fundamental right for all citizens of India. Our fight for privacy and India’s journey to build a comprehensive privacy law began in 2017 when the Supreme Court directed the Government to bring out a robust data protection regime. We engaged with the three key versions of a data protection bill, i.e., the Draft Personal Data Protection Bill, 2018, the Personal Data Protection Bill, 2019 (“PDPB, 2019”) and the Data Protection Bill, 2021 (“DPB, 2021”) through submissions to public consultations, filing RTI applications requesting transparency and proactive disclosure, sending representations to various Government ministries and departments advocating for privacy.

There is no doubt that the DPB, 2021 was imperfect (read our public brief on DPB, 2021 here). While it should have ideally empowered the user with rights surrounding their own personal information, it failed to prioritise the user. It instead provided large exemptions to Government departments, prioritised the interests of big corporations, and did not adequately respect our fundamental right to privacy. Despite these drawbacks, a bill in the making gave us hope that we were closer to a law with scope for significant improvement through judicial interventions and legislative procedures such as amendments. However, on August 03, 2022, the Minister for Communications and Information Technology, Shri Ashwini Vaishnaw withdrew the draft Data Protection Bill, 2021 in the Lok Sabha. The stated reason for the withdrawal was to accommodate the several changes suggested by the Joint Parliamentary Committee on the PDPB, 2019 and to make way for a ‘comprehensive legal framework’ that can address the rapidly evolving technology landscape in India.

We are very disappointed with the decision to withdraw a Bill that has been in the making for over 4 years, subject to long consultations and review processes (read our statement on the withdrawal here). The impact this delay has on the users is that as of today there exists limited remedy for Indians in case of any violation of their digital rights. Moving forward, we hope that the feedback and input provided by technical experts, civil society and digital rights organisations as well as several Members of Parliament in the form of dissent notes filed by them, be considered and taken into account while forming the new comprehensive legal framework.

In the existing legal vacuum on data protection, the country has witnessed the following incidents that have seriously undermined every citizen’s constitutional right to privacy:

  • Illegal surveillance through the use of Pegasus spyware against opposition leaders, journalists, the legal community, businessmen, Government officials, scientists, rights activists, and others.
  • The use of facial recognition technologies by the Delhi police to investigate the North East Delhi riots, the Kisan Rally (Lal Qila Riots), and the Jahangirpuri Riots cases. This is especially concerning following the Delhi Police’s revelation that it treats all results above 80% similarity as positive results.
  • Wide and disproportionate data collection as well as retention of biological and personal data under the Criminal Procedure Identification Act, 2022.
  • Increased digitisation of valuable personal data by the Government through various digital ecosystems (such as National Digital Education Architecture, Unified Health Interface, Account Aggregator framework and Agristack), frameworks, and policies, in the absence of adequate safeguards against misuse of personal and sensitive data.
  • The Indian Computer Emergency Response Team (CERT-In) issued fresh directions, ostensibly to strengthen the cybersecurity posture of the country, that raise concerns around state sponsored surveillance and data retention beyond need or purpose.
  • A blatant violation of the data security and privacy rights of almost 100 Muslim women due to the infamous “Bulli Bai” and “Sulli Deals” incidents, a fake online auction which severely impacted their constitutional right to life and free speech by displaying sensitive information without consent.
  • Government’s attempt to collect and compile both demographic as well as biometric data of residents and link it with several databases, including the electoral roll. Such a step not only undermines informational privacy but also enables mass surveillance that breaks data silos and increases the profiling of individuals.
  • Monetisation and sale of our data, accessible to the Government as well as third parties, through the Vahan database under the Ministry of Road Transport and Highway Bulk Data Sharing Policy. Given the high intensity of data collection, storage and processing envisioned by the Government, risks of data misuse and monetisation, 360 degree profiling and surveillance is high in the absence of a law to determine the regulatory landscape of protection of personal and non-personal data.
  • Amid the COVID-19 pandemic, the government’s inclination towards online self-registration for vaccination without a walk-in facility arose fears of further entrenching inequities in access to the vaccine. On an even more concerning note, several states and hospitals across the country made Aadhaar mandatory for accessing diagnostics, medicines, oxygen supplies, and even the vaccine. News about the Government deploying facial recognition facilities at vaccination centres for the purposes of authentication also saw strong opposition from the civil society.
  • India became a signatory to the “International statement: End-to-end encryption and public safety” which calls on technology companies to weaken end to end encrypted secure messaging by invoking concerns about public safety.

In several of these instances, the loss of privacy has led to the loss of dignity and liberty. One cannot lead a meaningful life in the absence of privacy. While we obtained the right to it 5 years ago, we are yet to truly interpret it and breathe life into it.

Privacy Supreme is here!!

We will continue to engage and work with all institutions of governance, while constantly challenging and pushing them to ensure, protect and promote an individual's right to privacy. While we all wait for legislative measures to be introduced in Parliament to uphold the right to privacy decision of the Supreme Court of India, we encourage every reader and member of our wider community to celebrate today, reflect and share on what privacy means to them across social media.

Our celebration of the landmark right to privacy judgement, much like every year, is about to begin. This time around, we are bigger, larger and grander! This year, we have decided to bring #PrivacySupreme 2022 to Bengaluru, which has always been an essential part of our community. We would be honoured to have you join us for this year's event, which will have two sessions:

  • A conversation between Aakar Patel and Usha Ramanathan on “Democratic rights and privacy in the pandemic years” which will be moderated by our Of-Counsel, Abhinav Sekhri.
  • A panel discussion with Gaurav Godhwani (CivicDataLab), Kailash Nadh (Zerodha), Mahima Kaul (Bumble), and Uthara Ganesh (Snap Inc.) on “How can technology advance privacy?” which will be moderated by our Policy Director, Prateek Waghre.

The idea is to allow the IFF staff, members, donors, and wider community to meet, discuss ideas, and also have a little fun! In addition to the panels, we will have art installations related to our projects as well as by artists who have worked with us previously. After the event, we will also host a short mixer (with drinks & snacks!) to allow all the participants and attendees to mingle.

When: Saturday, August 27, 2022 at 5 PM

Where: Bangalore International Centre, Bengaluru

We hope that you will join us in our celebration. Please RSVP through this link and we look forward to seeing you there!

Important Documents

  1. K.S. Puttaswamy v Union of India (2017) (link)
  2. Public brief and analysis on the Data Protection Bill, 2021 (link)