Some time ago, an HIV-positive patient working with a multinational firm approached his lawyer, requesting him to file a suit against his employer for revealing his medical condition to other employees. His attorney turned down the request, despite a law prohibiting employers from making such disclosures. The lawyer opined as the victim didn’t have proof, the case would not stand in a court of law.
Under the Information Technology Act, 2008, an employer is supposed to implement reasonable security practices to prevent misuse of sensitive data which might cause loss or gain to an individual.
An employer or a company can be fined up to Rs 50 million for failing to protect “sensitive information” about an employee, which includes passwords, bank accounts and physical, physiological and mental health conditions, sexual orientation. Another section of the Act says if a person, while providing services under the terms of lawful contract, gains access to material information about another and reveals without the latter’s permission, he can face imprisonment up to three years or can be fined up to Rs 5,00,000.
“The IT Act provides limited relief. A corporate is only accountable for ensuring and maintaining safety procedures to protect data. The law becomes irrelevant if the information leaked is through word of mouth. Till date, not a single person has been compensated under this clause,” says Pavan Duggal, a lawyer.
A person’s privacy can be breached and he still cannot take any legal action, despite the Act. Whatever little reprieve was available to such persons through various Supreme Court judgments, too, has now come under attack from the Centre, after Attorney General Mukul Rohatgi argued that privacy was not a fundamental right and a larger Bench be set up to decide the issue.
Before this, privacy in India was considered a fundamental right after it was read with the right relating to life and liberty (Article 21) or the right to free speech, movement and peaceful association (Article 19). India does not have a stringent privacy or data protection Act like other countries.
Now, imagine a situation where a person’s personal details such as pictures, videos, call records, bank details are leaked. The victim will have to first prove who leaked it. Even if he proves it, in no way can he seek compensation. This is when various arms of the government are busy collecting and storing all possible details of its residents, without any constitutional safeguard.
For instance, the Unique Identification Authority of India (UIDAI) is capturing biometric details of 1.2 billion residents, besides basic information. UIDAI has captured biometric details of around 900 million and generated a 12-digit unique identity number called Aadhaar for each resident from 2010. The purpose of this mammoth exercise is to weed out illegal beneficiaries of government-sponsored schemes.
The question is: How safe is the storage of personal and biometrics details? Are there any remedies available if secrecy is compromised?
Security experts argue that some countries, which feel threatened by the mere mention of a particular surname, will make covert attempts to access the sea of biometrics and personal data to profile individuals.
Many countries collect fingerprints of foreigners upon their arrivals in the country.
This threat of profiling is not restricted to one country. It would be a matter of concern when India completes the linkages of all databanks. Work is underway to develop a National Intelligence Grid (NATGRID), which would provide intelligence and investigating agencies real-time access to 21 databanks, including banking, credit card, income tax, election identity card, travel details, call records, PAN card, property, income tax and driving licence details of 1.2 billion people. The government’s defence is that it can anyway get access to such information under the Code of Criminal Procedure (CrPC) and NATGRID will expedite the process.
NATGRID will be hooked to biometric details and data collected under the National Population Register (NPR) and the 2011 Census. Then, there is a plan to link all police stations in the country through the Crime and Criminal Tracking Network System. It means a complaint registered in one part of the country will be available live across the country.
One of the most important aspects is interception of telephone calls and monitoring of social websites. On an average, the Union government monitors some 10,000 phone calls daily to fight terrorism and for investigation of sensitive cases. This data is for the consumption of 11 government agencies, including the Central Bureau of Investigation, Enforcement Directorate, Intelligence Bur- eau and the Research & Analysis Wing to thwart and investigate cases, but the system is not foolproof. In case of a leak, it would be difficult to pinpoint the faulting agency, as it happened in the Niira Radia case.
Governments have been dragging their feet on the privacy and data protection Bill, in the works for four years. One section in the government believes Rohatgi’s argument for a larger Bench was to wriggle out of a legal dilemma. The government wants to buy more time till UIDAI and the NPR complete the process of capturing biometric data in the entire country.
“The UIDAI Bill was never tabled and there is no law which allows the government to collect biometric data. It cannot introduce a law with retrospective effect and scrapping of UIDAI will have large financial implications,” said a senior official, requesting anonymity. “Officials in UIDAI and NPR have been asked to finish the work by December or face a reprimand.”
Both agencies have spent billions of rupees and missed many deadlines. A larger bench of the Supreme Court must find a solution to strike a balance between the needs of the state and privacy concerns of citizens.