On 24 August 2017, a nine-judge bench of the Supreme Court ruled that the right to privacy is a fundamental right guaranteed by the Indian Constitution. The verdict, in Justice KS Puttaswamy vs Union of India, stated that the right to privacy is an intrinsic part of the fundamental right to life and personal liberty, as guaranteed under Article 21 of the Constitution. Puttaswamy, a retired high court judge, had challenged the government’s decision to make the biometrics-based Aadhaar cards mandatory for access to state welfare schemes. The government had argued that the Constitution does not grant specific protection for the right to privacy—a contention that the apex court overruled.

The ambit of the judgement—autonomy over personal decisions, bodily integrity as well as the protection of personal information—has far reaching implications for any data that is part of the state’s multiple databases with details of India’s citizens. The government relies on four kinds of data—administrative data that includes vehicle-registration records, tax receipts and property records, and survey data, which forms the bedrock of policy making. Indian citizens cannot opt out of these two databases. Citizens have the option of withholding their data from the other two databases—end-to-end transactional data on the Unified Payments Interface, a real-time payment system which facilitates inter-bank transactions and is regulated by the Reserve Bank of India, and institutional data such as hospital and academic history.

The historic judgement states that consent is paramount for the collection or distribution of any personal data. In the absence of consent, this should be accompanied by a legitimate aim of the state—such as public good—that is proportionate to the objective it seeks to achieve. But over the past one year, the central government has proposed or implemented a number of data- collection and surveillance schemes that could infringe on an individual’s privacy. These schemes have been proposed or implemented without a commensurate data-protection bill that would provide a rule-of-law framework for data collection and the corresponding concerns over privacy and consent. A rule-of-law framework safeguards citizens by restraining the powers of governing agencies. It establishes procedures and limitations for these agencies and determines the constitutionality of any proposed initiative.

In July 2018, a ten-member team, led by Justice BN Srikrishna, a retired judge from the Supreme Court, submitted a final report, and data-protection bill to the government. The bill—which is yet to be tabled in the parliament—sought amendments to the Right to Information Act, 2005 and the Information Technology Act, 2000, to establish a procedure for the disclosure of personal information. The absence of a rule-of-law framework, essentially a data-protection law, makes the government’s schemes—the ones already implemented and those in the pipeline—problematic.

In April 2018, the Andhra Pradesh government had published the details of about 1,30,000 Aadhaar cards with bank details and demographic data. The new proposals, that will entail new databases with several agencies, are prone to the same lapses in privacy. In addition, the section 4 of the 2019 Economic Survey, assumes that “the processing of data will be in compliance with accepted privacy norms and the upcoming privacy law, currently tabled in Parliament.” But absence of data-protection bill could render all the initiatives listed below unconstitutional and in direct violation of the Puttaswamy judgement.