In India, there is a growing tussle between freedom of expression and privacy as increasing numbers of people complain that their online reputation is being corroded by outdated, inaccurate or malicious information that cannot be removed.
Everyone has the right to privacy online. This includes freedom from surveillance, the right to use encryption, and the right to online anonymity. Everyone also has the right to data protection, including control over personal data collection, retention, processing, disposal and disclosure.
Protection of personal data
Everyone has the right to exercise control over the personal data collected about them and its usage. Whoever requires personal data from persons shall request the individual’s informed consent regarding the content, purposes, storage location, duration and mechanisms for access, retrieval and correction of their personal data.
Identity, security and privacy are terms that represent highly complicated, nuanced and deeply philosophical issues. India’s UID project itself deals with the digital sovereignty of India and the privacy and dignity of its citizens. The current implementation of the UID numbers framework in India is, however, likely to lead to a direct contravention of citizens’ fundamental right to privacy. On 7th August 2013, the Delhi High Court directed the Centre and the city governments to respond to a PIL against implementation of the Unique Identification (UID) scheme, which alleged that the collection of personal data for the UID or Aadhaar card violates a person’s right to privacy.
Issuing notices to the Unique Identification Authority of India (UIDAI) under the Planning Commission and the Delhi government, a bench of Acting Chief Justice B D Ahmed and Justice Vibhu Bakhru sought their response within six weeks. The bench was hearing a PIL filed by Beghar Mazdoor Foundation, an NGO, challenging UIDAI’s 2009 notification to issue UID or Aadhaar numbers to every citizen of India.
The litigation claimed that the UID numbers will be issued by collecting demographic and biometric information that is unique to every individual. “The collection of personal identifying information for the issuance of UID number is highly invasive and raises serious concerns regarding the security of critical personal and biometric information which is in complete violation of the right to privacy and dignity which forms part of the right to life under Article 21 of the Constitution of India,” said the PIL.
“The collection of vital personal data for the purposes of issuance of the UID number by the respondent UIDAI, is without any legislative sanction, and in the absence of any data protection laws regulating the use and disclosure of such personal data,” the PIL added.
The Unique Identification Authority of India (UIDAI) has already started collecting biometric and other sensitive personal information of citizens without having the requisite sanction of Parliament. The present process of collection, collation and preservation of sensitive personal information, including biometric information of Indian citizens, without adequate safeguards amounts to a direct infringement of the citizens’ fundamental right to privacy.
No specific law on data privacy in India
The vulnerability of governmental databases to cybercrimes has been well documented all over the world. The absence of any legal safeguards for lapses on the part of the Registrars, collation authorities and enrolling agencies makes the entire situation far more problematic for an individual’s privacy. Still, India doesn’t have a specific law on data privacy.
Because the UID data being collected is data and information in electronic form, it is directly covered by the Information Technology Act 2000 and is subject to the various norms pertaining to data protection that have been stipulated by the government.
Fair information practices should be enacted into national law to place obligations on companies and governments who collect and process personal data, and give rights to those individuals whose personal data is collected. Data must be deleted when it is no longer necessary for the purposes for which it was collected. Data protection should be monitored by independent data protection authorities, which work transparently and without commercial advantage or political influence.