Fix govt accountability for personal data leaks
The reality of privacy is bleaker, given the scant provisions for basic protections, let alone heightened rights to seek damages for breach of personal data.
Privacy – that elusive fundamental right – is again under the spotlight with reports of a possible breach of CoWIN data of individuals. In January 2021, there were reports of some Covid-19 test results being leaked and the source for that breach was purportedly the gov.in and nic.in domains. In cases involving CoWIN or Aadhaar, citizens or residents do not have a choice in submitting data required to avail government-driven services due to the very nature of the service, despite the administration’s claim that the submission of data for such processes is voluntary. A starker example would be that of obtaining a driving licence or registering a vehicle. In such cases, individuals do not have a choice but to submit data required by the government, or entities authorised by the government.
The government’s responsibility or liability to protect the data it collects – including in performing its function of governance – comes under the spotlight in such instances. When individual choice is subsumed by public interest, it is but natural to assume that the government will have a higher responsibility to protect the data collected, given the affirmation of privacy as a fundamental right by the Supreme Court in its 2017 Puttaswamy verdict.
The reality, unfortunately, is bleaker, given the scant provisions for basic protections, let alone heightened rights to seek damages for breach of personal data. The limited provisions available in India to protect an individual’s sensitive personal data (SPD) are bare bones, and even those don’t apply to the government.
Two provisions under the Information Technology Act, 2000 (as amended) (IT Act) – Section 43A and Section 72A – encompass personal data protection in India. Section 43A makes negligence in handling SPD by “body corporates” liable for payment of civil compensation, and rules framed under it incorporate the basic data principles for compliance. Section 72A enforces criminal liability with a maximum of three years’ imprisonment for any person causing wrongful loss, wrongful gain or breaching contractual terms, resulting in harm or damage. Both provisions hold corporate entities liable and not government agencies. Hence, whilst a breach of your data held by cab aggregators or delivery chains is open to civil or criminal prosecution, the CoWIN breach only attracts common law remedies, as were invoked in Kerala in the Balu Gopalakrishnan v. State of Kerala decision in 2020, which directed implementation of safeguards to protect data of patients suffering from Covid-19.
The General Data Protection Regulation (GDPR) and its ancillary regulations provide elaborate provisions for protecting the personal information of data subjects of the European Union and are followed globally as the gold standard. These provisions make governments or States liable for the personal data they collect, whilst providing some exemptions, such as those for governance or enforcing public interest, or law and order.
Pursuant to the Puttaswamy judgment of 2017, the central government released multiple drafts of the proposed personal data protection law, the last of which was the Digital Personal Data Protection Bill, 2022 (DPDP). Significantly, this draft explicitly extends the responsibility of personal data protection to the government, though it also provides several exemptions. Time and again, we are reminded of the urgency of this legislation, but to little avail. One of the critical aspects that GDPR and its ancillary regulations mandate, especially for the government, is the principle of data minimalisation, i.e. limiting the data that a government collects to only what is needed. The Indian government has publicised and showcased its Digital Public Infrastructure initiative, which envisages collation of SPD from multiple sources under one umbrella, including Aadhaar data, mobile numbers and bank account details. Consistently, instead of data minimalisation, India appears to be leaning towards collation of extensive personal and SPD information.
The repeated data breaches spotlight the need for India not only to expedite its personal data protection laws but also to review and correct course towards data minimalisation. The wish list for the proposed data protection law therefore includes provisions incorporating government responsibility and liability; ensuring data minimalisation; incorporation of data principles in an effective manner, including purpose limitation; rights of Indian citizens and residents to be informed of data breaches affecting them; and explicit consent for collection of data without citizens and residents losing the right to access services, in line with global standards.
The writer is an advocate, Supreme Court of India and founder, Cyber Saathi Foundation. The views expressed are personal.