Almost all countries, today, are gearing up to deal with a range of issues posed by increasing digitisation in all spheres of public and private lives. The delicate line that threads and, at the same time, keeps apart the public and the private, is increasingly under threat. While we cannot afford to lose out on the immense benefits of what is being called the fourth industrial revolution and hence, must try to enable the requisite informational environment, we cannot, at the same time, allow commercial interests to completely supersede individual autonomy and dignity. What makes the situation even more precarious in India is the fact of its widespread illiteracy, especially of the digital kind, which makes a major section of the population vulnerable not only to arbitrary acts of digital violation, but also to potential systematic deception by entities, both private and public. The security of data, then, becomes a concern for both the government, which has to deal with the security of the nation state and hence must protect sensitive data from breach, and for the citizenry who must guard zealously against both private and state intrusion.
A host of events in recent years have opened our eyes to the gamut and potential of privacy breaches that technology has enabled. While the revelation of widespread government surveillance led to great hue and cry in the US, the WikiLeaks, at the same time, also presented a whole new dimension of citizen empowerment against the
all-powerful state. More recently, the revelation that Facebook had struck a deal with Cambridge Analytica to allow the latter to harvest information from Facebook profiles without the consent of users, fuelled a good deal of indignation amongst people and governments against the clear and present danger of corporate surveillance. There is a scramble now on part of nations to institute data protection laws. The European Union’s General Data Protection Rules (GDPR) enshrine an attempt to curtail the unbridled powers that information-based companies have come to wield today.
Closer home, we have our own share of misgivings about endeavours that entail a sacrifice of individual privacy. The ‘Aadhaar’ number that the Government of India seeks to use to deliver its welfare policies has been considered by many an attempt at state surveillance and a means to pander to commercial interests. There is a fear that seeding the Aadhaar number and associated biometric information with other information will allow 360° profiling of persons by the state or other entities. While the Supreme Court has struck down Article 57 of the Aadhaar Act, thus disallowing private companies to leverage the Aadhaar database for commercial purposes, the possibility of state abuse still remains. It is for the government to assuage these legitimate fears.
The government, on its part, is trying to modify the regulatory landscape in keeping with changing needs. The government has set up a Computer Emergency Response Team, CERT-In, to provide early warning with regard to security breach. The government and the RBI have taken various measures for the protection of financial data from hacking. Extant laws like the Information Act 2000 and the Act on Credit Information have served the nascent digital environment for some time now. The Information Act, for example, seeks to protect sensitive personal data like passwords, financial and banking information etc. There is, however, a need to ensure more stringent and elaborate protection of private information. The Personal Data Protection Bill, drafted by the Srikrishna Committee, has proposed a slew of measures to protect personal and sensitive personal data. It expands the notion of personal data by defining it as any information that renders the individual identifiable. Crucially, the Bill seeks to put the individual in the centre of the entire narrative by assigning him ownership over his data.
But the Bill relies almost exclusively on the idea of informed consent as the guarantor of individual autonomy in the cyberspace. While the idea of informed online consent is engendered in almost all data protection laws, including the EU GDPR, its value in the Indian context must be judged in the light of the widespread lack of both general and digital literacy. But, in the absence of a better alternative, the idea of informed online consent, no matter how preliminary a bulwark against intrusion, can still make it difficult for companies to grossly violate norms of individual privacy. Moreover, with great strides in Artificial Intelligence enabling easy translation into local languages, the issue of not knowing the English language may no longer be a problem for tendering one’s consent online.
The Bill, however, leaves room for the government to collect data for purposes of national security. Read in conjunction with the recommendation to amend Section 8.1.j of the Right to Information Act, 2005 which allows for non-disclosure of information for a greater public good, it creates the fear of rampant abuse on the pretext of privacy to stifle the power of the RTI. So, it is pertinent that the civil society bring to bear enough pressure on the government to ensure that the RTI is not compromised.
The Bill also proposes that all companies keep a serving copy of the data amassed in the country for ready access by authorities. This is similar to the directives of the RBI and the Commerce Ministry, through its e-Commerce Bill, asking for companies to localise their data. Many companies regard this as a protectionist measure and maintain that such moves stymie the benefits of free information flow. But it must also be remembered that the national security and the privacy of the citizens of a nation cannot be held to ransom by commercial interests. At the same time, the government must also assuage foreign companies that it has no protectionist designs and that it does not seek to favour local firms.
The narrative that sees privacy and innovation in terms of a trade-off is increasingly being countered. It is now acknowledged that companies that take care of privacy concerns are likely to be better off in the long run as they build trust amongst a larger consumer base. Where individual privacy concerns are left unattended, consumer trust may suffer and the resultant attrition in usage can stem the very flow of information. In this regard, it is worth pointing out that consumers are not so rigid and pedantic as to disallow companies the use of reasonably required information. Even the Supreme Court, while delivering the Aadhaar judgment, has acceded to the idea of proportionality in the actions of those using personal data, where the extent and means of data collection must be in tandem with the requirement and the nature of the good. The draft Personal Data Protection Bill also talks of this rule of proportionality which must guide the data fiduciary while handling sensitive data belonging to the data.gov.in.
As mentioned before, the world is now on the cusp of a new revolution wrought by the use of Artificial
Intelligence and allied technology which will alter the very landscape of economies worldwide. It will require countries to take enormous pains to withstand the transition. India, with its tremendous demographic and economic potential, can successfully ride out this wave of change if it adapts quickly to the emerging requirements of the day. It will have to evolve a new set of rules that allow it to tap into the potential of this new revolution to address its own economic problems and at the same time, to stand tall against all related perils that wash ashore and threaten the very liberal values that form the nation. Individuals must also adapt to this changing environment and take care to ensure that their digital footprint is as secure as possible. Measures like air-gapping, which seek to separate personal data from the cyberspace, can be taken up.