On 24 August 2017, the Supreme Court of India, in a historic judgment, affirmed the Constitutional right to privacy. A nine-judge Bench declared that privacy is an integral component under part III of the Indian Constitution.
In other words, citizens of India enjoy a fundamental right to privacy, including the privacy of their personal data.
The question then, is, over four years since that judgment, are Indian citizens truly enjoying their fundamental right to privacy? Is the state ensuring an atmosphere that enables and strengthens this right of individuals?
While the commencement of a new year ushers in a new hope for the world to be a better place, will Indians enjoy their right to privacy in 2022 better than they did in 2021?
The short answer is, no. But, hope one must.
This article explores the contours of privacy specifically in the context of personal data and information. To that end, there are four primary issues that raise grave concerns for privacy in 2022. These issues are:
Data Protection Bill, 2021: Absence of a Data Protection Law
IT Rules: Weakened encryption in messaging platforms
Aadhar-Voter ID: Voter Profiling
Pegasus spyware, AI & Facial Recognition: Surveillance
In analysing them, we shall look at where they stand at the beginning of 2022 and what it means for privacy.
Data Protection Bill, 2021: Still No Privacy Law
The first and foremost challenge to our right to privacy comes from the absence of a law protecting the personal data of citizens. India is among a handful of democracies that do not have a data protection law enacted.
Following the 2017 Supreme Court judgment, a long process started that led to a Personal Data Protection Bill being tabled in Parliament in 2019 and referred to a Joint Parliamentary Committee (JPC). After two long years, the JPC report was tabled in Parliament on 16 December 2021.
So, what does the JPC report have to say? Well, for one, the name has been changed and the “Personal” has been done away with. The Personal Data Protection Bill is now the “Data Protection Bill”. Why? As they say, “the personal is political”.
Essentially, the Draft Data Protection Bill continues with the problematic objective of promoting the economic benefits of data for enterprises over protecting the personal information of citizens. The draft Bill continues to view data as the new oil that must be exploited to boost India’s digital economy.
In doing so, it dilutes the emphasis on personal data protection and also widens its ambit to include ‘non-personal data’, ie, data not identifiable with individuals. However, from this flawed approach flows further dilutions of individual consent for data processing and weakened user rights and the proposed Data Protection Authority, who, as per the design of the new draft Bill, will be beholden to the Central government.
Among the gravest concerns, however, is the continuation of broad exemptions to the government from provisions of the law in accessing the data of citizens. The Internet Freedom Foundation, in its blog, states, “However, the Draft Data Protection Bill, 2021 marks a worrying progression and makes it easier for the government to completely evade the jurisdiction of a data protection law.”
IT Rules, 2021: Encryption Matters
The next challenge to our right to privacy comes in the form of weakened encryption in personal messaging platforms.
Announcing Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 – “IT Rules” and a code of ethics for OTT streaming platforms and digital news media, then Union Electronics & IT Minister Ravi Shankar Prasad on 25 February 2021 said they “are empowering the ordinary users of social media”.
In particular, Rule 4(2) has a traceability requirement that mandates significant social media intermediaries such as WhatsApp to “enable the identification of the first originator of the information on its computer resource”.
The requirement of “tracing out of such originator of information on its platform” constitutes a direct attack on the privacy of users by requiring encryption to be broken by messaging platforms such as WhatsApp.
There are two specific shortcomings of the traceability requirement that IFF highlights:
It has been shown to be vulnerable to spoofing, where bad actors can falsely modify the originator information to frame an innocent person.
The originator of the message has no control over who forwards the content, or how many times it is forwarded, or in which fora.
Encryption becomes even more important now as more of our lives involve our personal data being aggregated and analysed at a scale that was never possible before.
The Example of Telangana's 'Data Hubs'
On 21 December, the Election Laws (Amendment) Bill, 2021, was passed in the Rajya Sabha, a day after it was cleared by the Lok Sabha. The specific threat that this legislation raises is voter profiling and deanonymisation – a serious blow to privacy.
The threat to privacy exists parallelly with the proven danger of voter deletions and disenfranchisement. Merely 45 days prior to the Lok Sabha elections in 2019, an official app of the Telugu Desam Party (TDP) in Telangana was investigated by the Election Commission and the police over allegations of voter profiling, privacy breach and misuse of citizen data. The app, Seva Mitra, classified voters on the constituency and booth levels. Party volunteers are expected to verify voters at the booth level and provide voter details such as:
Are they living in the constituency?
What is their caste?
What is their political preference?
How much they rate the party of their choice on a scale of 1 - 100
Family information
The government was alleged to be getting granular information from the Smart Pulse Survey conducted in 2016, which was linked to Andhra’s State Resident Data Hub. This database has Aadhaar numbers, caste, sub-caste, beneficiary details.
The Andhra Pradesh and Telangana governments’ controversial State Resident Data Hubs (SRDH) are well-documented examples of 360-degree profiling of residents.
Activists and experts working on privacy have warned that linking Aadhaar to electoral rolls, along with the push for network-based voting, would mean the end of the secret ballot.
Pegasus, AI, Facial Recognition: Surveillance Max
A fundamental threat to citizens’ privacy arises from surveillance by the state. The nation witnessed in horror as hundreds of Indian activists, legal professionals, media persons and critics of the State were found to have been spied upon remotely through the Pegasus spyware.
While the Centre has denied any involvement and the matter is being heard in the Supreme Court, NSO Group, the maker of the software, has maintained that it supplies its technology to only governments and state actors like law enforcement agencies.
As per a forensic analysis of activist Rona Wilson’s phone done by Amnesty International as well as a private US company, Wilson’s phone was infected with the Pegasus spyware three months before he was arrested under the Unlawful Activities (Prevention) Act (UAPA) in June 2018 for his alleged role in the violence at the Bhima Koregaon memorial, The Guardian reported.
Add to this the deployment of a variety of artificial intelligence (AI) and facial recognition systems deployed by various institutions and law enforcement agencies across the country. In the absence of specific laws to govern and regulate their unfettered use, overbroad application of such privacy-intrusive technology – one that has been heavily scaled-down in western countries – is a challenge for 2022.
The battle for privacy stands today as a political battle against the notion that our privacy stands in the way of a flourishing data economy, against unaccountability by state actors and against giving up our rights at the slightest promise of convenience by the next app. It is not too late.
(Sushovan Sircar is an independent journalist who reports on technology and cyber policy developments. His reports explore stories at the intersection of internet and society, covering issues of privacy, surveillance, cybersecurity, India’s data regime, social media and emerging technologies. He tweets @Maha_Shoonya. This is an opinion piece, and the views expressed are the author’s own. The Quint neither endorses nor is responsible for them.)
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)