Privacy in Peril: Have We Forgotten Our Rights?

OCTOBER 07, 2024

By Mr M G Kodandaram, IRS. Assistant Director (Retd) ADVOCATE and CONSULTANT

Privacy and Neural Rights

In a world where the merging of Information and Communication Technology (ICT), Artificial Intelligence (AI), and neuroscience threatens individual privacy and 'Neural Rights', India's legal system has not sufficiently regulated or protected citizens from the misuse of these tools by fraudsters. With the ongoing unchecked commercial exploitation of these technologies, cybercrimes are increasing due to the lack of laws that protect citizens' privacy rights and the indifference of those enforcing existing regulations.

'Privacy rights' are essential for safeguarding individual freedom, dignity, and autonomy in any society. They shield personal information from unauthorized access or interference by governments, corporations, or individuals, enabling people to make decisions freely without the fear of being surveilled, manipulated, or coerced. In today's digital age, where vast amounts of personal data are collected, shared, and stored, the need for privacy protection has never been more urgent. Ensuring robust privacy safeguards empowers individuals to maintain control over their personal information, prevents exploitation, and fosters trust in both digital and societal systems. The absence of adequate privacy protection creates a breeding ground for abuse, discrimination, and the erosion of civil liberties, underscoring the critical importance of defending these rights. Despite the right to privacy being a fundamental right (Article 21 of the Indian Constitution), India still lacks comprehensive legislation to protect the privacy of its citizens effectively. Notably, 137 countries worldwide have already enacted laws aimed at securing the privacy of their residents, highlighting India's urgent need to catch up and implement a robust legal framework to safeguard the privacy of its people.

'Neural rights' constitute a new category of human rights aimed at protecting individuals from the potential risks associated with neurotechnology. This emerging field encompasses technologies such as Brain-Computer Interfaces (BCIs), neuro-prosthetics, and cognitive enhancement tools, all of which directly interact with the human brain. These interactions raise significant ethical concerns regarding privacy, mental integrity, and personal autonomy, prompting the need for specific legal protections. Neural rights are designed to address these concerns by safeguarding individuals from potential abuses, exploitation, or manipulation that could arise from the use of such technologies. In 2021, Chile made history by becoming the first country in the world to pass a constitutional amendment explicitly recognizing neural rights, setting a precedent for others to follow. Shortly thereafter, California became the second U.S. state to formally acknowledge neuro-rights, reflecting a growing awareness of the need for legal frameworks that protect individuals in the context of rapidly advancing neuro-technological capabilities.

Legal Framework for Regulating Privacy

Many countries across the globe have made significant progress in establishing legal frameworks to protect privacy rights. Chile and California have successfully enacted laws recognizing and protecting Neural Rights and Privacy. Unfortunately, India remains at a standstill, leaving its citizens vulnerable to potential violations of their personal privacy. The persistent delay in establishing an appropriate legislative and administrative framework that provides comprehensive protections in line with international standards is a pressing concern for all individuals traversing an increasingly digital landscape (read The Delay Dynamics, September 17, 2024, by the author). As technology advances rapidly, the lack of effective measures to address privacy issues becomes more critical. The absence of such laws leaves individuals vulnerable to potential risks and highlights the urgent need for India to establish a robust legal framework that addresses these emerging challenges in the realm of neurotechnology and personal privacy (read Privacy at Stake: Evaluating Data Principal Rights in the DPDP Act 2023, March 19, 2024, by the author).

India's recent enactment of the Digital Personal Data Protection (DPDP) Act, 2023 represents a modest advancement in the effort to protect digital personal data. However, the focus of this legislation is more towards the management of personal data by fiduciaries rather than directly safeguarding the privacy of citizens, as promised by the Union Government to the Supreme Court during the proceedings of the Justice K S Puttaswamy (Retd.) case [2017-TIOL-311-SC-MISC-CB]. The court has recognized privacy law as equivalent to fundamental rights, yet the current DPDP Act does not offer any protection to individuals who fall victim to personal data breaches that may harm their privacy (Inadequacies in the Digital Personal Data Protection Act, 2023, August 21, 2023). Without provisions to address the consequences of such breaches, the law fails to empower citizens in a meaningful way to address their rights in the event of data misuse or exploitation (India's Privacy Journey - Two Steps Forward, Three Steps Back, October 25, 2023). Thus, the DPDP Act marks a step in a backward direction. It is essential that future regulations prioritize comprehensive protections for individuals' privacy to align with the assurances given to the judiciary. While the 2018 Srikrishna Committee recognized the potential dangers associated with personal data handling, including financial loss, identity theft, and discrimination, the current DPDP Act of 2023 fails to address these risks. In contrast, comparable harm regulations can be found in the European Union's General Data Protection Regulation (GDPR), which emphasizes the need for compensation for victims of data breaches. Moreover, the Act eliminates the right to claim damages for potential harm resulting from the mishandling of personal data, a right previously established under Section 43A of the Information Technology Act (ITA) 2000. The enactment of the DPDP Act, instead of enhancing protections, has led to a concerning regression.

Historical Context of Personal Data Protection

Section 43A of the ITA 2000, introduced through amendments in 2008, was a critical step in addressing data breaches. This section mandated that entities handling sensitive personal data implement reasonable security practices and procedures. It also established that corporate entities could be held liable for damages if they failed to adhere to these practices, resulting in wrongful loss or gain to individuals. Alongside this, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules of 2011 provided guidelines for the protection of sensitive personal data. This framework marked an important moment in India's approach to data privacy, recognizing the importance of safeguarding sensitive personal information and imposing responsibilities on entities handling such data. It empowered individuals to seek remedies in the event of data breaches and compelled businesses to adopt improved data protection practices. However, the inadequate execution of these provisions and the failure of adjudication officers to enforce them have rendered this framework largely ineffective.

Unfortunately, the DPDP Act of 2023 fails to incorporate even the minimal expectations and relief mechanisms previously established under Section 43A of the ITA. By omitting this mechanism, the Act negates the remedies that were once available to victims. The definition of sensitive personal data, which included information related to passwords, financial information, medical records, and biometric data, has been largely disregarded in the new law. The DPDP Act now takes precedence in matters related to personal data protection, leaving individuals without recourse to seek compensation for harm caused by the mishandling of their personal data.

The withdrawn PDP Bill of 2019 also acknowledged the potential harms arising from personal data processing in the digital age and recommended that the law include provisions to prevent such breaches. However, the DPDP Act of 2023 fails to comprehensively regulate the risks and harms individuals face from mismanaged personal data processing. These harms can range from tangible losses, such as financial repercussions, to intangible consequences like identity theft, damage to reputation, discrimination, and unwarranted surveillance. Furthermore, if a report of personal data breach cannot be substantiated during adjudication proceedings, the principal faces a penalty of Rs.10,000/-. This penalty undermines the seriousness of privacy as a fundamental right, leaving victims with inadequate protection under a law that is supposed to promote their rights.

Amend the DPDP Act

The enactment of the DPDP Act has not achieved the desired outcomes for privacy protection in India. A critical shortfall is the absence of provisions that allow for the compensation of victims affected by data misuse, coupled with a lack of thorough oversight to ensure compliance with privacy standards. The protracted delay in establishing the necessary rules and the formation of a dedicated data protection authority further aggravates this situation, with the reasons for these hold-ups remaining unclear. Such delays hinder the effective implementation of the Act and contribute to the prevailing uncertainty regarding data protection in the country. Notably, the existing rules, even when enacted, cannot adequately shield individuals from the harms inflicted by data breaches committed by fiduciaries responsible for maintaining privacy. Thus, it is imperative that the DPDP Act, 2023 be amended to incorporate robust provisions that empower citizens to assert and protect their privacy rights. Such amendments should include mechanisms for victims to seek damages determined by relevant authorities, similar to frameworks in other privacy regimes worldwide, ensuring that individuals have the necessary tools to safeguard their personal data and hold violators accountable.

It is essential for all concerned citizens to bring this issue to the attention of lawmakers, ensuring that the rights of individuals are safeguarded in accordance with the guidance provided by the Apex Court. Only with these crucial reforms can India aspire to build a credible and effective data protection framework that truly upholds the privacy rights of its people.

[The views expressed are strictly personal.]

(DISCLAIMER : The views expressed are strictly of the author and Taxindiaonline.com doesn't necessarily subscribe to the same. Taxindiaonline.com Pvt. Ltd. is not responsible or liable for any loss or damage caused to anyone due to any interpretation, error, omission in the articles being hosted on the site)
