Possible misuse of sensitive personal data was the main ground for blocking Chinese web-applications, wherein the government invoked the power under Section 69A of Information Technology Act, 2000 (hereinafter referred to as the IT Act), terming it as a threat to the sovereignty and integrity of the country.
Sensitive personal data can be used as a weapon due to its inherent characteristic of allowing you to launch an attack through sheer narrative power. This has been established in various cases where its use in causing riots, influencing the election outcomes, disinformation campaign during the war, shaping the ideologies by terrorist and anti-national groups, etc. has been extensively witnessed. China, in particular, has used this unique advantage, offered by the increasingly creative ways data can be used, not only to gain international dominion but also, more specifically, in the present Indo-China rift, to influence Indian population through its malicious propaganda. The question then arises – What prohibits the Government from taking action against the Government departments, when the government itself has recognized that such breaches do indeed pose a threat to the sovereignty and integrity of the country? In recent times, there have been many data breaches reported in media whereby sensitive personal data was alleged to be breached and/or misappropriated including those of servers belonging to the NIC, SBI, ISRO, Nuclear Plant, etc. which could have been exploited for causing the threats to the Sovereignty, Security and Integrity of the State. There cannot, after all, be any other plausible reason not to register cases against and seek the accountability of the government officers for their failure to protect the sensitive data.
The current episode of Aarogya Setu App’s potential privacy breach attracts the criminal offence under this provision – Section 72A – and the government must act to protect the fundamental right of the people, in the larger interest of the society. An in-depth probe is also required to determine whether the misappropriated data has landed into the hand of adversaries who may use it not only for offences against the citizens of India but also against the nation as a whole, using such misappropriated data as a weapon for spreading their ideology, propaganda and for their misinformation campaign in general. It is an undisputed fact that the government and its departments are the biggest collector of sensitive personal data. Hence, it has also been quite evident that any regulation or law or policy to protect the sensitive personal data would be toothless in its attempt to protect the fundamental right of privacy, until it makes the government departments responsible as well, liable in enforcing a citizen’s right to privacy. The registration of criminal cases, tracing the offenders and the destination of the data, etc., could unearth the real threat and would enable the government to act proactively to uphold the right enshrined in Part III of the Constitution.