The process of updating Indian privacy policy has gained momentum ever since the launch of the UID project and also the leak of the Radia tapes. The Department of Personnel and Training has led the drafting of the privacy bill for the last three years. This bill will ideally articulate privacy principles and establish the office of the privacy commissioner and, most importantly, have an over-riding effect over 50-odd existing laws, rules and policies with privacy implications.
Given the harmonising impact of the proposed privacy bill, we must ensure that rigorous debate and discussion happens before the bill is finalised; otherwise there may be terrible consequences.
Here is a short list of what can possibly go wrong:
One, the privacy bill ignores the massive power asymmetry in Indian societies, undermining the right to information β in other jurisdictions referred to as freedom of information and access to information. The power asymmetry is addressed via a public interest test. The right to privacy would be the same for everyone except when public interest is at stake. This enables protection of the right to privacy to be inversely proportionate to power and, almost conversely, the requirement of transparency to be directly proportionate to power. In other words, the poor would have greater privacy than middle-class citizens, who in turn would have greater privacy than political and economic elites. And transparency requirements would be greatest for economic and political elites and lower for middle-class citizens and lowest for the poor. If this is not properly addressed in the language of the bill, privacy activists would have undone the significant accomplishments of the right to information or transparency movement in India over the last decade.
Two, the privacy bill has a chilling effect on free speech. This can happen either by denying the speaker privacy or by affording those who are spoken about too much privacy. For the speaker β Know Your Customer (KYC) and data retention requirements for telecom and internet infrastructure necessary to participate in the networked public sphere can result in the death of anonymous and pseudonymous speech. Anonymous and pseudonymous speech must be protected as it is necessary for good governance, free media, robust civil society and vibrant art and culture in a democracy. For those spoken about β privacy is clearly required in certain cases to protect the victims of certain categories of crimes. However, the right to privacy could be abused by those occupying public office and those in public life to censor speech that is in the public interest. If, for example, a sportsperson does not publicly drink the aerated drink that he or she endorses in advertisements, then the public has a right to know.
Three, the privacy bill has a limited scope. Jurisprudence in India derives the right to privacy from the right to life and liberty through several key judgments including Naz Foundation v. Govt. of NCT of Delhi decided by the Delhi High Court. The right to life and liberty under Article 21, unlike other constitutionally guaranteed fundamental rights, does not distinguish between citizens and non-citizens. As a consequence, the privacy bill must also protect residents, visitors and other persons who may never visit India but whose personal information may travel to India as part of the global outsourcing phenomenon. Also, the obligations and safeguards under the privacy bill must equally apply to both the state and private sector entities that could potentially infringe upon the individual's right to privacy. Different levels of protection may be afforded to citizens, residents, visitors and everybody else. Government and private sector data controllers may be subject to different regulations β for example, an intelligence agency may not require 'consent' of the data subject to collect personal information and may only provide 'notice' after the investigation has cleared the suspect of all charges.
Four, the privacy bill is expected to fix poorly designed technology. There are two diametrically opposite definitions of projects like NATGRID, CMS and UID. The government definition is that all these systems will allow only for targeted interception and surveillance; however, the majority of civil society believes that these systems will be used for blanket surveillance. If these systems are indeed built in a manner that supports blanket surveillance, then a legal band-aid in the form of a new law or provision that prohibits blanket surveillance will be a complete failure. The principle of 'privacy by design' is the only way to address this. For example, shutters of digital cameras are silent and this allows for a particular form of voyeurism called upskirt photography. Almost a decade ago, the Korean government enacted a law that requires camera and mobile phone manufacturers to ensure that the audio recording of a mechanical shutter is played every time the camera function is used. It is also illegal for the user to circumvent or disable this feature. In this example, the principle of notice is hardwired within the technology itself. To remix Spiderman's motto β with great power comes great temptation. We know that a rogue NTRO official installed a spy camera in the office toilet to record female colleagues and that NSA officers confessed to spying on their love interests. If the technology can be abused, it will be abused. Therefore legal safeguards are a poor substitute for technological safeguards. We need both simultaneously.
Five, the bill does not require compliance with internationally accepted privacy principles including the ones discussed so far β 'consent', 'notice' and 'privacy by design'. Apart from human rights considerations, the most important imperative to modernise Indian privacy laws is trade. We have a vibrant ITES, BPO and KPO sector which handles personal information of foreigners, mostly from North America and Europe. The Justice A. P. Shah committee in October 2012 identified privacy principles required for India β notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability. A privacy bill that does not include all these principles will increase the regulatory compliance overhead for Indian enterprises with foreign clients and for multinationals operating in India. There is also the risk that privacy regulators in these jurisdictions will ban outsourcing to Indian firms because our privacy laws are not adequate by their standards.
To conclude, it is not sufficient for India to enact a privacy law; it is essential that we get it right so that there are no unintended consequences on other equally important rights and dimensions of our democracy.