The Run-up to India’s first Personal Data Protection Legislation

This was followed by a batch of decisions of the Courts which included various acts, of the State as well as other individuals, bringing them under the ambit of the right to privacy. This includes the general right against targeted surveillance of the innocent, right not to bear children, the use of phone tapping,  and the protection from invasion of privacy by investigative techniques such as narco-analysis, polygraph examination, and brain-mapping. The Court, during this time also brought about a new understanding of the jurisprudence of fundamental rights, and its applicability against private actors. Hence, the right to privacy was not to be violated even by private actors, such as press, or hospitals, unless the same would cause grave repercussions which could be proven in a court of law.

Legislative History of Data Protection 

The Hon’ble Supreme Court, in its wisdom, developed the ambit of the right to privacy, alongside which the data boom happened. Big Tech companies were establishing their systems, and data gained more traction and importance. The first attempt at any regulation of data was the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. Under these rules, the idea of prior consent from the user was briefly stated. Mandates such as informed consent, reasonable security practices for the sensitive personal data or information, and necessity of a privacy policy were laid down in the same.

This was followed by a right to privacy bill. The Right to Privacy Bill, 2011 tried to address a wider spectrum inclusive of the right to privacy. It defined the terms sensitive personal data, in lines to the SPDI Rules, and envisioned to create a statutorily recognized right to privacy. It is the first document resembling the PDPB, 2019 in form. It envisioned the establishment of a Data Protection Authority, as well as better accountability on surveillance. The Bill’s treatment of direct marketing was radical in giving a right to the citizens against targeted marketing.

In 2012, the report by the expert committee constituted by the Planning Commission, led by Justice A P Shah formulated nine privacy principles that should inform the privacy legislation in India. It laid down principles as wide as the European Union’s General Data Protection Regulation, as early as in 2012. In 2014, Shri Vijay Jawaharlal Darda introduced a private member’s bill titled The Personal Data Protection Bill, 2014 in the Rajya Sabha. Although not as extensive as the 2011 Draft, the Bill attempted to address the uncontrolled sale of personal data, as well as provide safeguards against misuse of the same. A graphical representation of these developments can be accessed here.