Privacy - 2 - Right To Privacy ?
Disclaimer
I am not a legal expert or even with lay legal knowledge, so please do your research before drawing conclusions from this diary entry.
Pretext
According to Indian constitution, every Indian citizen has 7 fundamental rights (https://en.wikipedia.org/wiki/Fundamental_rights_in_India).
As per the wikipedia entry above -
⇢The right to privacy is an intrinsic part of Article 21 (the Right to Freedom) that protects the life and liberty of the citizens.
The right to privacy is the newest right assured by the Supreme Court of India. It assures the people’s data and personal security.
“Article 21” says - “No person shall be deprived of his life or personal liberty except according to procedure established by law.”
So, not being a lawyer (or having legal knowledge), if you summarize the above two parts, one can come to the conclusion that the law plays an important in assuring that this right under the constitution.
Cool. Now comes the part I have been setting this pretext for - the shiny new “Personal Data Protection Bill 2019” which is to be tabled in the upcoming Parliamentary monsoon session (https://en.wikipedia.org/wiki/Personal_Data_Protection_Bill,_2019).
How is this relevant to me you ask ?
If you are reading this on the internet (which you are fortunately/unfortunately), it is relevant to you. Your browser is reading this document through a Google site, which has in-built cookies to remember your computer, location (country/city) and correlate this data with all the other websites you’ve visited to form a unique picture of you that you may not want to expose to the world. I shall talk about what kind of data is being exposed through cookies or in general browsing activity in a separate diary entry - this one’s focussed on the bill in question.
What’s wrong with the bill ?
Well, first of all, I am at fault (as a citizen) because the data protection bill was floated for public comments in 2018 (https://innovate.mygov.in/data-protection-in-india/) and I was probably living under a rock at that point, to busy to comment or provide feedback on what was proposed in 2018. Fast forward to 2019, there was a new revision of this bill (circa 2019) which took the feedback on the 2018 version into account (including public views and expert committee feedback). All good you say? Yes, yes, all good - so far.
Now that I have read through the bill - you can find it at this site (https://www.medianama.com/wp-content/uploads/Personal-Data-Protection-Bill-2019.pdf), it wasn’t the most easy read as it mentions numerous sections and articles in the constitution but law is supposed to be like that I guess - it has its own way of expressing something and we oughta respect that.
Central Government == God
Basically, the central government is everything in this bill - they can do whatever they want, change the law as they see fit and no one can question them by law (if this gets passed).
Why is this a problem? If you compare to other fundamental rights we have, say right to education, the central government cannot legally change the meaning of what this means or who it applies to or how it applies. It is an undisputed right.
Privacy on that other hand is not a ‘fundamental right’ on its own but is ‘assured’ through the justice system and is based on laws. This bill (if passed) could be enacted into law this year and after that, the government would be the ‘hand of god’ if you like for the purposes of preserving ‘data privacy’ of an individual in this country.
EDIT - Sept, 04, 2020 - One of my previous colleagues was kind enough to point me to this post (http://www.legalserviceindia.com/article/l19-Amendability-Of-Indian-Constitution.html) which talks about how any ‘fundamental right’ could be amended by the parliament with a majority ruling. Essentially, anything could be changed given there’s as absolute majority but with the supreme court as the final arbiter.
What’s in the bill ?
The bill is very well-intentioned and it’s high time that there’s a legal framework around how ‘data’ (i.e. YOU in the digital world) is stored, shared, processed and used and how a normal citizen/person can be assured that their ‘data’ is being put to use ‘legally’.
These words are super-loaded - ‘data’, ‘legally’ and have too many connotations or deeper meaning to be able to express here.
The key point that I am trying to get across here is that this bill is hoping to provide a ‘legal’ framework for ‘protection’ of ‘data’. Protection from whom you ask ? Good question - the government decides who your enemies are and who can cause you ‘harm’.
What is ‘harm’ ?
According to the bill, ‘harm’ includes -
- bodily or mental injury;
- loss, distortion or theft of identity;
- financial loss or loss of property;
- loss of reputation or humiliation;
- loss of employment;
- any discriminatory treatment;
- any subjection to blackmail or extortion;
- any denial or withdrawal of a service, benefit or good resulting from an evaluative decision about the data principal;
- any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; or
- any observation or surveillance that is not reasonably expected by the data principal;
That is all the different kinds of ‘harm’ that you can be caused because of someone messing with your personal data.
What happens when someone ‘harms’ you as per this bill ?
If you prove that you have been ‘harmed’ (in terms of this bill), you can go to the court (as the last resort, first you should go through the heeps of bureaucracy that await you). This is a special court which has its own laws (provided by this bill) and has its own authority and all of this is decided by guess who? The Central Government :)
Notable points from the bill
- “For reasons to be recorded in writing, direct that all or any of the provisions of this Act shall not apply to any agency of the Government in respect of processing of such personal data” - woohoo!!!
- Exemptions for cases “when personal data is necessary for research, archiving, or statistical purposes,” - research you say? What is this ‘research’ ?
- Consent - “capable of being withdrawn, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given.” - is this really the case with the current services/apps we use ?
Sandbox environment
From the bill - “The Authority shall, for the purposes of encouraging innovation in artificial intelligence, machine-learning or any other emerging technology in public interest, create a Sandbox.”
These “Sandboxes” have to have - “the safeguards including terms and conditions in view of the obligations under clause (c) including the requirement of consent of data principals participating under any licensed activity, compensation to such data principals and penalties in relation to such safeguards;”
Keywords here are ‘consent’ and ‘compensation’ - no details of either of this is given here (as is of many many other points mentioned in this bill).
What’s scary ?
I am scared after reading this bill - it is so freaking vague in every single aspect and half of this bill is about the bureaucratic setup of who will do what, who will hire whom, how much will they get paid etc.., that it brings into question what the focus of this bill is - is it put a bureaucratic maze around protection of data with the central government playing the ‘hand of god’ or is it actually to protect the personal data of an individual.
EDIT Sept 04, 2020 - What I am actually scared of (more than the point above) is that when we give away our data, we don’t know what we are ‘consenting’ to. To paraphrase a quote from a recent newspaper article -
What can be done now ?
I don’t know to be honest - this blog is my way of sharing what I’ve read and hopefully it triggers some part of your thought to question what’s being tabled to be a law that’ll affect each of our lives and that of people we care about.
Links
Short and sweet read on what is ‘right to privacy’ - https://www.thehindu.com/news/national/the-lowdown-on-the-right-to-privacy/article19386366.ece
Coming next -
- What data is being collected about YOU and what tools can you use to prevent or reduce misuse.