Let me start with a confession. I had waded into the discussion around privacy and data protection rather late in the day and am not a subject expert. A recent personal experience served as a rude awakening. The receptionist of a tony spa in South Delhi passed on my phone number to another customer because our footwear had got mixed up. I had gone home wearing someone else’s flip-flops, which looked very much like mine. The lady whose sandals I had mistakenly worn screamed the place down, used well-heeled Delhi’s weapon of choice — Jaanta hai main kaun hoon? — and demanded that she be given my phone number so that she could settle the issue directly with me. This, when the mystery of the missing slippers had been solved; the turmoil-triggering sandals were on their way back to the owner.
But sandal-snobs are impatient. Her flip-flops were branded; mine were garden variety, from Sarojini Nagar. I later learnt that the young woman at the reception had been bullied, and coerced into passing on my mobile number. And so I got a call from this total stranger.
The tragi-comic nature of what followed need not be narrated here except to say that the incident opened my eyes to something very basic.
While we have been talking a lot about the need for privacy legislation, it is equally important to recognise the need for privacy training. I took up the issue with the management of the spa and insisted that every staffer get basic training on privacy.
What I experienced tellingly illustrates the challenges ahead as India seeks to put in place mechanisms to protect personal data and privacy.
This was hip South Delhi. Imagine the situation elsewhere.
That’s why I was so pleased to discover that a public interest community project, “Save Our Privacy”, has not only put together a draft citizen’s law, titled the “Indian Privacy Code 2018” (www.saveourprivacy.in), for debate, discussion and endorsement, but is also actively spreading public awareness about the basics of privacy.
Last week, these public-spirited lawyers released a draft model bill which the campaign calls the “Indian Privacy Code 2018”, and which adheres to seven core principles, arrived at after much debate and tapping into the best global practices adapted to India. The draft bill envisages stiff penalties — up to Rs 1 crore and a prison sentence of three years for people who “collect, receive, process or hold personal data” in contravention of the provisions of the proposed law, and Rs 10 crores and five years in prison for “sensitive data”.
This is not legislation, and we await the final report of the Srikrishna Committee, that is, the Committee of Experts on a Data Protection Framework for India headed by Justice B.N. Srikrishna, the 77-year-old former Supreme Court judge who is leading the initiative to draft new data privacy laws for India.
No one quite knows when the Srikrishna Committee will present its final report to the government, but it could be pretty soon.
Meanwhile, we have the civil society-led draft bill, and those behind it are inviting endorsements and comments.
Such community-led initiatives are significant because this is India’s “privacy moment” and the discussion about data protection and privacy can’t be left to just experts, lawyers and bureaucrats. The public needs to weigh in and have their say.
Alas, public awareness about what is really at stake is still low in this country though we have had numerous reports about data breaches and privacy violations. The triggers include alleged data leaks related to Aadhaar and the Supreme Court’s famous Right to Privacy ruling last year. This landmark judgment takes a historic step by declaring that the Constitution contains the right to privacy, embedded in long-established fundamental rights including individual dignity, liberty and freedom of expression, as legal scholars have pointed out. Then, there is the white paper released by the Justice B.N. Srikrishna Committee and the shocking revelations about Cambridge Analytica and the European Union’s General Data Protection Regulation (GDPR), to name just a few.
Generating public awareness about what is at stake is vital and a range of stakeholders are getting into the act. Last month, I also attended an event organised by the European Commission which provided an opportunity to different sections of society to come together and discuss the benefits presented by modern data protection rules. Europe recently put into place its new data protection regulation, GDPR (General Data Protection Regulation). There were good discussions about global trends in data protection and privacy.
Europe’s experience in putting in place its data protection regime provides a useful model for India, but India would have to factor in its own specific challenges while crafting its law.
Let us face the stark truth. Most people in this country even today are hazy about what privacy really means, about data protection and what needs to be done despite the myriad reports in the media about data leaks and breach of privacy.
As things stand today, there is no comprehensive legislation on data protection in India. So though privacy and data protection are among the buzzwords of the day, none of us are really protected. That’s why it is so important to take these critical issues to the lay person and let him/her weigh in. The data protection and privacy regime that is being finalised is about “us”. That’s why we can’t afford not to be in the loop.