By Kazim Rizvi and Ranjeet Rane
Public discourse around data privacy is probably at its zenith in India today. In the Supreme Court, a nine-judge bench is hearing arguments to decide whether right to privacy is part of the right to life of an individual under Article 21 of the Constitution. Meanwhile, member of Parliament Baijayant “Jay” Panda tabled the Data (Privacy and Protection) Bill, 2017 in the Lok Sabha recently, proposing the right to privacy as a fundamental right for Indian citizens.
This is not the first time a Bill proposing such a right has been laid down in Parliament. As a matter of fact, Panda himself had presented a Bill dating back to 2009, titled The Prevention of Unsolicited Telephonic Calls and Protection of Privacy Bill, which aimed at prohibiting unsolicited telephone calls by business promoters or individuals to persons who didn’t want to receive such calls. It stated that every person shall have the right to privacy and freedom to lead and enjoy his life without any unwarranted infringement. Apart from Panda, Rajeev Chandrasekhar (2010), Vivek Gupta (2016) and Om Prakash Yadav (2016) have in the past introduced Bills pertaining to citizen data privacy.
Whether it will break the impasse among the legislators this time will be clear in due course, but the fact that it is already on the table would be heartening to data privacy activists as well as citizens. The Supreme Court previously interpreted that Article 21 does not contain the right to privacy. Keeping in light the need to secure private citizens’ data, Panda’s private member bill is a welcome step but one that will have to stand legal scrutiny.
One of the primary differentiators is that the Bill has defined terminologies as well as “processes” like data processing, and profiling of individuals. Clarity of definitions is one of the main areas of concern around laws in India, as definitions have often been misused for enforcing the state’s authority by encouraging sweeping generalizations. Section 66A of the Information Technology Act, which was repealed by the Supreme Court in 2015, is one of the most recent examples of this. This Bill, however, follows a rights-based approach and mandates the consent of an individual for collection and processing of personal data. It states that the final right to modify or remove personal data from any database, whether public or private, rests solely with the individual. More importantly, the “exceptions” against this right are defined narrowly, providing for a case-by-case consideration.