With the data-protection bill in limbo, these policies contravene the right to privacy

On 24 August 2017, a nine-judge bench of the Supreme Court ruled that the right to privacy is a fundamental right guaranteed by the Indian Constitution. The verdict, in Justice KS Puttaswamy vs Union of India, stated that the right to privacy is an intrinsic part of the fundamental right to life and personal liberty, as guaranteed under Article 21 of the Constitution. Puttaswamy, a retired high court judge, had challenged the government’s decision to make the biometrics-based Aadhaar cards mandatory for access to state welfare schemes. The government had argued that the Constitution does not grant specific protection for the right to privacy—a contention that the apex court overruled.

The ambit of the judgement—autonomy over personal decisions, bodily integrity as well as the protection of personal information—has far reaching implications for any data that is part of the state’s multiple databases with details of India’s citizens. The government relies on four kinds of data—administrative data that includes vehicle-registration records, tax receipts and property records, and survey data, which forms the bedrock of policy making. Indian citizens cannot opt out of these two databases. Citizens have the option of withholding their data from the other two databases—end-to-end transactional data on the Unified Payments Interface, a real-time payment system which facilitates inter-bank transactions and is regulated by the Reserve Bank of India, and institutional data such as hospital and academic history.

The historic judgement states that consent is paramount for the collection or distribution of any personal data. In the absence of consent, this should be accompanied by a legitimate aim of the state—such as public good—that is proportionate to the objective it seeks to achieve. But over the past one year, the central government has proposed or implemented a number of data- collection and surveillance schemes that could infringe on an individual’s privacy. These schemes have been proposed or implemented without a commensurate data-protection bill that would provide a rule-of-law framework for data collection and the corresponding concerns over privacy and consent. A rule-of-law framework safeguards citizens by restraining the powers of governing agencies. It establishes procedures and limitations for these agencies and determines the constitutionality of any proposed initiative.