In a landmark verdict on August 24 2017, the Supreme Court of India ruled that privacy is a fundamental right of Indian citizens as per Article 21 of the Constitution. Is this the beginning of a real improvement regarding privacy?
The ruling aims to curb the noxious effects of the linkage between a citizen’s PAN card number and their personal information contained in UIDAI’s Aadhaar system. The system collects biometric and demographic data and shares it with authorized government and private entities. To date, more than 92% of India’s population has signed up for the scheme.
The public debate since 2014 was spurred by the increasingly mandatory requirement to provide Aadhaar information for welfare, taxation, banking and other purposes. However, it really only exploded after the highly controversial Reliance Jio data breach in July, which was publicly denied initially, but later acknowledged and reported to the authorities. It involved the personal information of 100 million customers who provided their Aadhaar for authentication to access the 4G mobile service offered by Jio.
Until today, the absence of a strong legal framework to delimit what personal information is protected and what is subject to use by the government or third parties—such as companies—has allowed for unsupervised collection of large amounts of data. This laissez faire approach is a time bomb in a country that already has severe deficiencies in cyber security infrastructure and collective idiosyncrasy toward data privacy.
The turmoil during the past weeks has cast a light on the extent of vulnerabilities in the system, as well as the reach of data breaches. The fact that a student was able to trick the system into giving him confidential data meant for medical use, using an app that he made available on Google Play, is not only worrying—it is harrowing.
With the new ruling, the following personal information is protected from being collected or used by the government or third parties: “Intimate details regarding marriage, sexuality, relation with family are protected. Private details such as the parting of personal data by use of credit card, social network platforms, I-T declarations are protected. All public details, where privacy protection requires minimal regulation, are also protected”, the Mumbai Mirror summarized.
The ruling affects not only the Aadhaar system but all private data gathering schemes.
From a business perspective, the ruling is a game changer, since data collection is a very profitable endeavor that now faces stringent regulation; as Reliance Jio chairman Mukesh Ambani said, “We are really at the beginning of that era where data is really the new oil.”
In order to comply with the ruling Facebook, Microsoft, Google, and many other companies that gather personal information and sell it for marketing purposes, will have to modify their modus operandi and perhaps their business model in the country.
While certainly a move forward, the ruling seems to have little effect for the average Indian citizen. Aadhaar linkage is expected to continue as planned for many government services. The most meaningful change is then that concerned citizens can now take data privacy matters to court and likely win.
A more pressing concern is that the average user is not tech-savvy nor acquainted with the consequences and scope of data collection. “[Aadhaar] data will not be shared without the consent of the person” said Ajay Bhushan Pandey, CEO of UIDAI.
Under this status quo, data privacy concerns must become ingrained in the habits of the average consumer to prevent unwanted uses of personal information. This change is dependent on high-level technological education and legal awareness among users, a rather difficult expectation in any developing country.
Empowering the Indian people with the right to privacy is a huge step forward. Effective protection of their data, however, requires sustained and adequate enforcement paired with increased public awareness on the issue. Is India up to the task?