Privacy and democracy have always had an uneasy relationship in India. There has never been a simple formula to cook up the right mix that could secure personal information, while maintaining transparency. And with the digital world entering the mix with its all-intrusive prying eyes and low-cost replication model, the relationship has only become more complicated. India is at crossroads where it has an opportunity to smoothen out this uneasy relationship forever. Or, alternatively, complicate it further, maybe beyond any redemption.

In an earlier day and age the constitutional brush stroke of the ‘right to privacy’ under ‘reasonable restrictions’, coupled with some active help from the courts in interpreting it, was considered sufficient to even out the wrinkles of the tussle between the protection of personal information and the need for public transparency. But data is no longer just information. It has acquired the contours of knowledge, with its value being assessed in terms of its impact on the larger social, economic, political and business landscape. It is this transformation of discrete data, once confined to personal space, into a series of interconnected socio-economic logic nodes, spread across public space, that is at the root of India’s current struggle for achieving the proverbial Zen moment.

It was in 2006 that India made the first serious attempt at legislatively clarifying the approach towards privacy and personal data with the introduction of the personal data protection bill in parliament along with the information technology amendment bill. Though the bill lapsed in parliament, it cut through the legal thicket to chart out specific conditions under which personal data cannot be collected or disclosed. The constant tug of war fought between telemarketers, bulk SMS providers and phone sales agents on one side and consumers on the other can be traced to this bill explicitly banning collection of personal data for purposes of ‘direct marketing’ and ‘commercial gain’. Of course, there were exemptions given for “detection of crime, prosecution of offenders or for collection of tax”. Despite setting boundaries on collecting and disclosing personal data, the definition of what constituted personal data was amorphous, leading to multiple interpretations.

The fog on that score was partially lifted, albeit indirectly, when the IT (Amendment) Act, 2008, based on the bill introduced in 2006, added two sections, 43A and 72A, providing for civil and criminal liabilities relating to privacy. For the record, Section 43A focuses on the nuts and bolts of “reasonable security practices” for sensitive personal data and information, while Section 72A provides for a jail term and a fine to anyone, a person, a body corporate or an institution, who causes “wrongful loss or wrongful gain” by divulging the personal information of another person. Both these sections operated on the supposition of an existence of a contractual framework. They could not have been possibly implemented without certain clarity on what constituted sensitive personal data and information. It came to be defined as a set of information about any individual that is capable of singularly identifying the person. Everything from a person’s birth registry details, hospital records, financial and census information, mobile number, social networking details, educational records to death certificate and even a person’s sexual orientation – practically a person’s entire life – can possibly be interpreted to mean personal data and information.

Despite providing for a more organised protection of personal data, the IT Act, 2008 made such protection dependent on the existence of a contractual agreement between an individual and the processor of his data. In India contractual arrangements are at best spotty, and when they do exist such agreements are often one-sided. The draft privacy bill, 2011 not only needs to be located in this context, but also within the framework of protecting biometric information, personal biological markers, like DNA, expression of opinion about a person and the larger freedom of speech and expression guaranteed as a fundamental right in the constitution. But more importantly, the draft bill provides all of us, finally, a chance to get to the roots of concepts like privacy, data and sensitive personal information and define them in a manner that protection and transparency can mesh together without undue friction.

Fundamentally, the foundations of robust privacy legislation have to be based on an expansive definition of ‘privacy’, ‘personal information’ and ‘sensitive personal information’. Such definitions have to be necessarily multifaceted and future proof. Additionally, such a legislation must provide for an ‘enforceable right’ to the citizen through a monitoring system and must impose specific responsibilities on the data processor. Moreover, the legislation must also provide for a strong deterrence in case of any non-compliance and a grievance redressal mechanism. It’s here that the precedent set by the supreme court in defining privacy needs to be revisited. Though the apex court has held privacy to be a fundamental right, it confines it to specific dimensions of a person’s life. These include the privacy of one’s home, family, marriage, motherhood, procreation and child-rearing. But if a person wants to claim privacy in any other aspect, he has to substantiate that such claimed aspects of his life are ‘private’ and should not be subjected to interference. For instance, in 1996 petitioners had to argue before the supreme court that the right to speak privately over the telephone was a fundamental right.

The draft 2011 bill, however, doesn’t define privacy, personal information and sensitive personal information in a manner that allows for expansive interpretations; critical if one were to take into account the immense changes that technology is bringing to the table. Moreover, the draft bill defines personal information as including “any expression of opinion about that person”. Coupled with Section 4, which details exceptions to the right to privacy, especially the one which says that it doesn’t constitute an infringement of privacy if it involves “protection of rights and freedoms of others”, the envisaged legal framework, quite obviously, opens the scope for powerful individuals and institutions to attack the freedom of speech and expression, another fundamental right explicitly guaranteed in the constitution. Privacy in the bill is defined by what does not constitute it, rather than what constitutes it. It’s here that the draft bill can show imagination and bring in a more layered definition that looks at privacy in more inclusive terms.

If the privacy bill has to become an omnibus bill, under which other bills relating to electronic service delivery and profiling have to position themselves, it is necessary to clearly define sensitive personal information. Currently the draft bill, quite rightly, defines UID, PAN and banking credit and financial data under Section 12 as sensitive personal information. But Section 12 (1) says the processing of such information has to be managed by a data controller with a prior authorisation and cannot be sub-contracted to a data processor. Such a framework, inadvertently, makes every business institution, including chartered accountants, that draws an invoice or pays TDS a data controller. This might seem minor when compared to the fact that the bill doesn’t specify a framework of privacy for a person’s biological material, like DNA, physical body or against surveillance.

India has a unique opportunity to evolve a progressive and expansive legislation on privacy and protection of personal data. The report of the experts group chaired by justice AP Shah is a good starting point. But for the recommendations of the group to be taken forward to its logical conclusion, the mindset has to change from one that’s focussed narrowly and exclusively on personal data and transform into one that perceives privacy and protection of personal data as an integral part of liberty, freedom of speech and expression and of life itself.