India, despite recognizing privacy as a fundamental right, continues to face significant challenges in protecting the privacy of its citizens. Data theft incidents and a lack of comprehensive privacy laws have raised concerns about the safety and security of personal information. Despite the landmark Puttaswamy judgment of 2017, which affirmed privacy as a fundamental right, India has failed to enact a dedicated privacy or data protection law. This article delves into the reasons behind the persistent challenges in privacy protection and highlights the need for urgent legislative action.

The State of Data Theft in India

Data theft has reached alarming levels in India, with several high-profile incidents exposing vulnerabilities in data security. In one notable case, a Telegram bot publicly disclosed personal data of Indian citizens registered on the CoWIN portal, which is used for Covid-19 vaccine registration. The leaked information included sensitive details such as Aadhaar numbers, passport information, and phone numbers. This breach not only compromised the privacy of millions but also raised questions about the security claims made by officials responsible for the CoWIN platform.

Additionally, instances of data breaches in the Employee Provident Fund (EPF) accounts and prestigious institutions like the All India Institute of Medical Sciences (AIIMS) have further underscored the need for robust privacy protection measures. The lack of a comprehensive privacy framework has allowed these incidents to occur with limited accountability and consequences for the perpetrators.

The Privacy Legislation Gap

Despite the Supreme Court’s recognition of privacy as a fundamental right, India has yet to pass comprehensive privacy legislation. The Digital Personal Data Protection Bill of 2022, which was circulated for public consultation, falls short in adequately safeguarding privacy. The bill grants extensive exemptions to government agencies, lacks criminal penalties for breaches, and diminishes the compensation rights of data breach victims. Furthermore, it permits cross-border data transfers without clear guidelines and fails to establish a transparent and independent regulatory mechanism.

In contrast, the previous version of the bill, the 2019 Personal Data Protection Bill, recognized privacy as a fundamental right and included safeguards and oversight provisions. However, the current bill disregards these essential elements, thereby undermining the protection of privacy rights.

Compromising Privacy for Convenience

The dilution of privacy protections is evident in the expanding use of Aadhaar, India’s biometric identity system. Despite limitations imposed by the Supreme Court to restrict Aadhaar’s usage to social welfare schemes, the government has extended its application to private entities, such as banks and telecom companies, for Know Your Customer (KYC) verifications. This expansion raises concerns about the misuse and potential breach of personal data, undermining the intended purpose of Aadhaar as a tool for targeted welfare programs.

Furthermore, various government apps and initiatives, ranging from agricultural databases to health platforms, gather substantial amounts of personal data without sufficient safeguards or privacy laws in place. The lack of comprehensive legislation exposes individuals to potential privacy violations, with their personal information susceptible to unauthorized access or misuse.

Urgent Need for Legislative Action

The current state of privacy protection in India demands immediate attention and legislative action. A robust and comprehensive privacy law is crucial to establish clear guidelines, impose stringent penalties for data breaches, and ensure accountability for all stakeholders, including government agencies. Legislation should adhere to the principles of necessity, proportionality, and legitimate state action, as suggested by the Joint Parliamentary Committee.

Moreover, privacy protection requires a balanced approach that acknowledges the importance of data processing while safeguarding individual rights. Privacy should not be undermined in favor of perceived development or national security interests. It is essential to establish an independent regulatory body with well-defined composition, eligibility criteria, and selection processes to oversee and enforce privacy standards effectively. India’s failure to pass comprehensive privacy legislation has left its citizens vulnerable to data breaches and privacy violations. Despite the recognition of privacy as a fundamental right, the current legal framework is inadequate in protecting personal information in the digital age. Urgent action is required to bridge this gap and establish robust privacy laws that address the evolving challenges of the digital era. By safeguarding privacy, India can ensure the protection of individual rights, foster trust in the digital ecosystem, and promote responsible data handling practices for the benefit of its citizens