Data protection rules must be principled, permissive and pragmatic


For smooth and safe traffic, we have the Motor Vehicles Act; infrastructure like traffic lights and driving lanes; and traffic police. Likewise, to ensure digital privacy we need a Data Protection law, technological infrastructure, and a Data Protection Authority for enforcement.

Unbeknownst to most, the government had initiated a stakeholder consultation on privacy law in July 2010, two months before the Aadhaar rollout commenced, and seven years before the Srikrishna committee and the Supreme Court judgement, both in 2017. In fact, several private member’s bills had also been introduced since 2006.

Since then, the country has made great strides across digital connectivity, content, and commerce. Its relevance was amply demonstrated during the pandemic, a tragic yet natural experiment! 


Admittedly, the recent withdrawal of the Personal Data Protection Bill, 2019 would delay the enactment. However, past deliberations and experience elsewhere must inform the new law.

Perspectives of the Indian Context

India is full of diversity, complexity and paradoxes. At least one out of five Indian adults is illiterate, leaving aside digital literacy or familiarity with English, the preferred language for privacy policies. However, many of them use digital payments with mobile phones, relying on innovations like voice confirmations.


Hence, the law must factor in the Indian context and ground realities.


Constituted by the then Planning Commission in 2012, an expert group chaired by Justice A P Shah had recommended nine principles for privacy law, applicable equally to all, including the government: Notice; Choice and Consent; Collection Limitation; Purpose Limitation; Access and Correction; Disclosure of Information; Security; Openness; and Accountability.


Similar articulations exist across the EU’s GDPR, the Council of Europe’s Convention 108+, the OECD’s Privacy Framework and the California Consumer Protection Act.

The law must enunciate the principles.

Protection of Individuals’ Data 


The law must empower individuals to exercise agency and control over collection, processing or sharing of personal data subject to informed, repetitive, and revocable consent. Lacking both the cognitive capacity and the ability to negotiate, most users just accept privacy policies.

Such asymmetry is further exacerbated not only with quintessential government services like tax, Aadhaar and railway reservations but also with private providers of education, healthcare and financial services.

Twin mandates deserve consideration: firstly, not to deny service if a user provides necessary data; secondly, a commitment to comply with threshold privacy norms that could evolve through consultation, self-regulation or standards.


Prospects for digital economy, startups and innovation

Personal data is necessary to drive innovation in the digital economy. Seeking fresh consent for using data for a different purpose would add significant friction for users and companies alike, limiting opportunities for innovation and monetization. Moreover, the ‘right to erasure’ and the duty to publish a ‘privacy by design’ policy may lead to additional compliance burden without any commensurate privacy protection, especially for start-ups.

Moreover, it is impractical to seek consent from the individual when another person provides the former’s personal data. Examples include insurance and visa applications seeking personal data of family members; and services like Truecaller collating contact lists of its users.


Seeking fresh consent must be mandated before sharing with a third party, while internal use for any legitimate purpose is allowed. Rather than the government being treated as a monolith, a government entity must also seek consent before sharing, even with another government entity.

The law must be permissive for innovation while ensuring privacy protection.

Powers of the state

Incursion of privacy by the state must pass the triple test of legality, necessity, and proportionality. Two specific provisions warrant closer scrutiny.

Firstly, unbridled power to obviate an individual’s consent even for a lawful purpose is prone to misuse, unless it also passes the test of both necessity and proportionality.

Secondly, the extraordinary power of exemption must be limited to agencies responsible for national security, intelligence, and law enforcement only, and even then on a case- and context-specific basis.

Government powers must be narrowly crafted and subject to external oversight by the judiciary or legislature.

The way forward

The law must be rooted in the Indian context; principled; permissive of innovations; and pragmatic with built-in checks and balances against incursion of privacy, both by the state and the private sector.

Deepak Maheshwari


Deepak Maheshwari is a Senior Fellow at the Centre for The Digital Future.
