Why protecting privacy remains a challenge in India

Data theft is rising to menacing proportions in India and so is the lacklustre response to it, despite the fact that a nine-member bench of the Supreme Court unanimously declared (data) privacy a fundamental right, protected as an intrinsic part of the right to life and personal liberty, in the Puttaswamy judgement of 2017. The Lok Sabha Secretariat even circulated a note in 2017 to remind the members about this.

Yet, six years down the line, India doesn't have a privacy or data protection law.

In response to former Twitter CEO Jack Dorsey's statement that India threatened to shut Twitter and raid employees during the farmers' protest in 2020-21 for not taking down accounts critical of the government, the MoS for Ministry of Electronics and Information Technology (MeitY) Rajeev Chandrasekhar, tweeted on June 13, 2023 that data privacy "is not a fundamental right".

Two examples of data theft had a come to public attention a day earlier on June 12, 2023.

On that day, a Telegram bot made public a large number of Indians' personal data registered with CoWIN – the official portal with which millions of Indians registered to avail Covid-19 vaccines. These included Aadhaar, passport details and phone numbers, even the personal details of RS Sharma, CEO of the National Health Authority, who had vouched that the CoWIN was "safe and secure" in January 2022. His assurance had come after 'Raid Forums' put the personal data (name, age, gender, address etc.) from CoWIN on sale.

On the very same day, the CBI arrested a man for stealing ₹1.83 crore from EPF accounts by allegedly altering Aadhaar card details of unsuspecting persons through online claims. There was a similar data breach of EPF accounts in August 2022 when a Ukraine-based cybersecurity researcher and journalist claimed that 288 million personal records, containing name, bank account numbers and nominee information were exposed online before being taken off. The year 2022 had seen multiple hackings of the prestigious AIIMS hospital's servers too, compromising 30-40 million patients.

Living in denial

On the day he tweeted that privacy was not a fundamental right, Chandrasekhar rejected there was any breach of CoWIN data. He said the nodal cyber security agency Indian Computer Emergency Response Team (CERT-In) had reviewed the alleged breach and "it does not appear that CoWIN app or database has been directly breached". He added, the data made public was from the "data stolen in the past".

In response to an RTI query in 2021, the data regulating ministry MeitY said it didn't know ("no information") who developed the CoWIN and who spent the money on it. Interestingly, Covid-19 vaccines couldn't be availed without registering with CoWIN. It did order investigations into the 2022 data breaches in EPF and AIIMS but hasn't made them public.

This extends to the Digital Personal Data Protection Bill of 2022, circulated for public consultation on November 18, 2022 – in response to the Supreme Court's 2017 ruling which said privacy is a fundamental right. It doesn't recognise privacy as a fundamental right – in contrast with the previous Personal Data Protection Bill of 2019.

In fact, India's current system is not conducive to protecting privacy. Here is how.

Free pass to breach of privacy

The Digital Personal Data Protection Bill of 2022 does little to protect privacy.

It does mention the "right to free consent" but this is meaningless because it (i) grants wholesale exemptions to government agencies to breach privacy without any checks and balances (ii) a breach is declared non-criminal, attracting only monetary penalty (iii) takes away compensation for victims of data breach provided under the IT Act of 2000 (iv) allows cross-border data transfers, though limited to specific countries and territories under specific "terms and conditions" but to be spelt out later and (v) provides for a regulatory mechanism without spelling out its composition, eligibility and selection process – all critical to its functional independence – while vesting all this power with the executive – to be decided in future. In fact, (vi) it puts privacy on par with the "need" to process private data and (vii) does away with the need to classify personal data as "sensitive" and "critical" which were prohibited from processing outside India in the 2019 version. It is more of a concept note rather than a piece of legislation.

Instead, the previous version, the Bill of 2019 (which was withdrawn), declared privacy a fundamental right but came with two notional and vague safeguards: (a) prior written order specifying the reasons for exemptions from privacy and (b) procedures, safeguards and oversight for such exemptions to be laid out in future. That is why, a Joint Parliamentary Committee (JPC), which examined it, had suggested 93 amendments and asked the government to abide by the three tests for allowing any infringement on privacy: (i) tests of necessity (ii) proportionality (iii) legitimate state action. These have been ignored in the Bill of 2022.

Such is the idea of protecting privacy that while assuring the Supreme Court of how secure the Aadhaar data was (while the extent of Aadhaar card's use was being heard vis-a-vis privacy and data safety concerns in 2018), then Attorney General KK Venugopal told the court that it is very safe since it was protected by 13 feet high, 5 feet thick walls.

Data access to private players

Despite the Supreme Court limiting the use of Aadhaar to social welfare schemes, it stands diluted.

In 2019, it amended the law to allow private banking and telecom companies to carry out Aadhaar-based KYC verifications in 2019. In May 2023, the Finance Ministry allowed 22 financial entities – including Amazon Pay (India) Pvt. Ltd, Aditya Birla Housing Finance Ltd and IIFL Finance Ltd – to verify the identity of their customers through Aadhaar under the money laundering law, the PMLA. The MeitY proposes to further widen such verification for private entities.

It isn't just the CoWIN, a large number of government apps collect private data of Indians for various purposes without their privacy being protected in absence of law – Agristack for agriculture, e-SHRAM for migrant workers, Arogya Setu and Ayushman Bharat Digital Health Mission for health and National Digital Education Architecture for school children virtually covering every area of life. The DNA Technology (Use and Application) Regulation Bill of 2019, which is pending, seeks to empower the government to harvest citizens' DNA profiles too, even for civil cases.

The Pegasus spyware controversy of 2021 is another example of how privacy is devalued. Investigations revealed that the Israeli military-grade spyware was used to target journalists (more than 40), academics, human rights activists, opposition leaders and governments, a scientist, businessmen, two cabinet ministers (including the IT Minister Ashwini Vaishnaw who defended the government in the Parliament), senior CBI officers, a Supreme Court judge and other court officials and an Election Commissioner. This was in gross violation of the 1996 Supreme Court judgement, which disapproved indiscriminate snooping that violates rights to privacy. The report of the Supreme Court panel set up to probe it remains in "sealed cover" for close to two years.

The Pegasus is not new to India. In 2019, similar revelations about its use via WhatsApp had come to public notice when the latter alerted the targeted individuals.

In 2019, Britain-based Comparitech listed India third from the bottom on privacy protection among 47 countries, above China and Russia. In 2021, it said the IT Rules of 2021 – which requires social media platforms to record connection information and on-demand from authorities, break the end-to-end encryption that provides complete privacy in chat apps, such as WhatsApp – ensures that "no matter what steps you take in India, you have no privacy on social media or chat apps".

The IT Rules of 2023 (amendment to the IT Rules of 2021) in April 2023 envisages a censorship board by mandating the government to act as fact-check body on all information relating to itself. This makes the government the prosecutor, the jury and the judge.