The Missing Jurisprudence Of A Sound Data Protection Law
It has almost been two years now that Supreme Court of India had delivered K.S Puttuswamy judgment – I (2017), by which it had recognized 'privacy' as a fundamental right in India. However, this epic declaration did not foster any substantive kinetic changes in the Indian Parliament, especially in the area of data protection law, which by the way, was regarded as one of the essential elements of privacy. This facet of privacy was emphasized in the judgments of Justice DY Chandrachud as well as Justice Sanjay Kishan Kaul, additionally, in the Aadhar Judgment (K.S Puttuswamy – II) (2018) Justice Chandrachud had emphasized on a stronger data protection regime for a country like India, where more than 40 percent of the population is surfing the internet without any safeguard.
However, on the outcome of the judgment, the Government of India (GoI) had appointed an expert committee under the chairmanship of (retired) judge B.N Krishna. Interestingly, the recommendations of the committee became the basis for a legislative bill, styled as 'Personal Data Protection Bill'2018; and that is the irony of it, it still remains a bill.
Why we need a Data Protection Law?
One of the major reasons that the issue of data protection came into existence was the Aadhar scheme, which was able to foster enough criticism against it, for its unruly data collection process; under which information pertaining to demography, fingerprint and iris scan were being taken without any set objective. It did not stop here, as the original Aadhar Scheme came through a notification and not through an enactment in 2009, there were no set standard as to what information has to be collected by different states. This created a major privacy concern across the nation, as a lot of states were collecting different information, which were not even required for the usage of Aadhar. One such instance was of State governments collecting information pertaining to 'Caste' for enrolling people under the Aadhar Scheme; and as Aadhar was linked to more than 240 government schemes, most of the people had to register themselves with the scheme. Proximate to that time, there was also news that 2016-U.S elections were being manipulated by way of voter-profiling through the help of social media giants such as Facebook and search engine website Google. This raised an array of questions as to the data privacy under the Aadhar scheme as well and the possibility of something like this happening in India had also increased. Therefore, it became of utmost urgency that concerns pertaining to data protection are softened as soon as possible. The fact that there is a major threat to privacy coming not only from the 'State' but from the 'Non-State' actors as well makes it much more suitable that a sound privacy-protection mechanism is forged.
It needs to be accepted that a good data protection law will not only protect the citizens against the 'State' but rather it also works as a safeguard against the Multinational Corporation, who for decades have been manipulating behavioral choices of their customers in name of better services. As most of these are e-commerce corporations with a multi-billion organization, therefore, the customers using their services are at a lower pedestal to bargain with them. If you visit any e-commerce website today and click on the 'privacy' option you will come to realize that most of these privacy clauses drafted by them are pretty much one-sided; favoring the corporation. In order to bring this disparity of bargaining power to an end, it is necessary that there must a sound data protection law, which shall bring the customers at par with these corporations. These concerns are well met by the new Data Protection Bill, 2018. It not only abrogates collection of personal information by Social Media and Search Engine Websites but it also obligates them to notify the customer as to what use the information collected by them will be put to.
The lacunae of the present 'Bill'
However, it suffers from a serious disability against the Government of India. As per the new bill, there are several provisions under it, which gives overriding power to the government for collecting any kind of personal, critical or sensitive information of the citizens (perusal of section 13, 14, 15, 16 and 19, 20 and 21 of the Personal data Protection Bill, 2018). The bill also obligates the corporations dealing with the Indian Citizens to store one-set of all the information with them in India. For example if, Facebook has more than 400 million users from India, it needs to store one-set of all that information in India; but keep in mind though it looks like an accountability-enforcing move, but under section 13, 14, 15 and 16 of the bill, the government can access any information in India, which means, it will also include information stored with Facebook as well. Welcome to the Orwellian era.
Therefore, an enactment which was meant to be a great leverage against the MNCs and the State, has turned into a mechanism of digital-captivity. The only change that this bill will bring is to change the masters of personal data (from the 'Non-State actors to 'State' actors).
Ashit Kumar Srivastava is an Assistant Professor of Law at National Law University (Odisha).
[The opinions expressed in this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of LiveLaw and LiveLaw does not assume any responsibility or liability for the same]