Author: Rushika Rabha
Campus Law Centre, University of Delhi
Data protection and privacy concerns have come to center stage in the last few decades because sensitive information is being uploaded and exchanged online at an exponential rate. Data protection is an important facet of the right to privacy. This essay explores the evolution and expansion of the right to privacy through case law and gives an overview of the data protection legislation that has emerged in India. From the historic Puttaswamy judgment to the latest Personal Data Protection Bill, there has been a recognition of the need to protect the personal data of individuals during its collection and dissemination as a necessary mechanism to ensure the right to privacy, while also maintaining that this right is not absolute and is subject to reasonable restriction like any other fundamental right.
The right to privacy can be defined as a right to be free from government interference in the personal space of an individual and to be protected from state surveillance. This right ensures that an individual’s electronic data, which includes their financial and biometric information, is protected from misuse in order to prevent wrongful loss to the individual. It is a right to keep the domains of bodily autonomy, home, our identities, and thoughts under our control and free from unlawful interference. Article 12 of the Universal Declaration on Human Rights, 1948, and Article 17 of the International Covenant on Civil and Political Rights provide a right to privacy by protecting an individual from arbitrary interference with his privacy, family, home or correspondence, as well as attacks on his honor and reputation.
Important legislation relating to privacy and data protection includes the General Data Protection Regulation (EU), which regulates data protection in the European Union and European Union Economic Area; the Asia Pacific Economic Cooperation Privacy Framework, which protects privacy within and beyond borders while exchanging personal information which benefits customers, businesses and governments; and Records, Computers and Rights of Citizens.
THE EVOLUTION OF RIGHT TO PRIVACY THROUGH VARIOUS CASE LAWS
India does not have a comprehensive law on the protection of data and privacy. The right to privacy has only recently been recognized as a right guaranteed by our Constitution. The evolution of this right has been spread over various cases and a long period. The Supreme Court of India first addressed the question of whether the right to privacy is a right guaranteed under the Indian Constitution in M.P. Sharma and Others v. Satish Chandra, District Magistrate, Delhi (1954 AIR 300). In this case, the constitutional validity of search and seizure was challenged on the ground of violation of Article 19(1)(f) and Article 20(3). The judges were to decide whether the search and seizure would violate the right to privacy. The bench held that our constitution-makers did not intend to subject the power of search and seizure to a fundamental right to privacy. Unlike the Fourth Amendment right in the American Constitution, which protects the people from the power of search and seizure, no such right is given in our Constitution. A fundamental right to privacy does not exist in our Constitution.
In Kharak Singh v. State of Uttar Pradesh (1963 AIR 1295), the question before the court was whether state surveillance was an abuse of the petitioner’s fundamental right under Article 21 of the Constitution of India. Kharak Singh, an accused in a dacoity case who was released due to lack of evidence, was put under surveillance after police opened a history sheet against him. The surveillance was to be done through secret picketing at night and domiciliary visits, among other methods. The question of whether Article 21 included the right to privacy was considered. The court held that a right to privacy was not a right enshrined in the fundamental rights of our Constitution. However, Justice Subba Rao gave a dissenting view and opined that a right to privacy was an important part of personal liberty under Article 21.
“If physical restraints on a person's movements affect his personal liberty, physical encroachments on his private life would affect it in a larger degree. Indeed, nothing is more deleterious to a man's physical happiness and health than a calculated interference with his privacy.” He further held such acts of surveillance to be unconstitutional.
In Govind V. State of Madhya Pradesh (1975 AIR 1378), the court held that although the right to privacy is not explicitly provided in our fundamental rights, it can be implied from Article 21 of the constitution. However, this was not an absolute right and it was subject to reasonable restrictions. This right has to evolve through a process of case by case development.
The Supreme Court recognized the right to privacy as a part of the right to life and personal liberty guaranteed by Article 21 of the Indian Constitution in People’s Union for Civil Liberties (PUCL) v. Union of India [(1997) 1 SCC 301].
In 2015, the K.S Puttaswamy case became a landmark decision on the right to privacy. While discussing the issues and the judgment in the case of K.S Puttaswamy (Retd.) v. Union of India [(2015) 8 SCC 735], it is crucial to address the privacy debate surrounding the “Aadhar Card”. Aadhar is a twelve-digit unique identification number which is issued by the Unique Identification Authority of India (UIDAI). It required an individual’s biometric data, including iris scans and fingerprints, to be stored in the government’s database. The privacy concerns that were expressed included the risk of identity theft, as the leakage of biometric data would be detrimental to an individual’s right to life and personal liberty, and illegal tracking of individuals without proper authorization and legal sanction. The petition challenged the collection of data for Aadhar as an infringement of the right to privacy. The court held that the right to privacy was a fundamental right which is guaranteed by our Constitution. However, the court upheld the validity of Aadhar. A law infringing upon the right to privacy of the individual must pass the proportionality test; only then will such infringement be justified. There should be a balance between the positive benefits of Aadhar and the risks associated with it. Justice Sikri laid down the following requirements to be fulfilled to pass this proportionality test: there should be a legitimate goal which the infringement seeks to fulfill, and the means to be employed must be suitable; there should not be any other method which is less restrictive but has the same effect as the restrictive method; and lastly, the right holder must not be disproportionately affected.
DATA PROTECTION & RIGHT TO PRIVACY LEGISLATION IN INDIA
Data protection means the protection of individual data through laws, regulations, and safeguards in order to secure the individual’s right over their data and to avert its misuse. Currently, India does not have dedicated legislation for data protection. The Information Technology Act, 2000 along with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011 embodies the relevant laws for data protection. The IT Act is grounded in the United Nations Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law on 30 January 1997. It was enacted to recognize transactions done through the exchange of data via electronic communication or e-commerce and digital signatures. This Act lays down penalties for cybercrimes; such crimes include tampering with computer source documents, acts of cyber terrorism, unethical hacking, publishing child pornography and accessing or attempting to secure access to a government-protected system without authorization. The IT Act and Rules seek to provide protection for ‘personal information’ and ‘sensitive personal data and information’. This Act applies to all sectors, though laws specific to a particular sector would apply simultaneously. Such sensitive information means passwords, financial information of an individual from his bank account or debit/credit card, medical records, and biometric information. This Act provides security practices and procedures to be observed by a ‘body corporate’ while collecting, storing, and handling such information. When failure to observe such practices leads to wrongful loss to an individual, the body corporate would be liable to pay compensation. The law only provides for compensation when there is wrongful loss or gain; it does not provide compensation when there is merely a failure to observe reasonable security practices and procedures.
Telecom service providers have access to the personal information of the service recipient, due to which a protection mechanism is required to protect their data. The Indian Telegraph Act, 1885 was enacted to govern the use of wired and wireless telegraphy, telephones, teletype, radio communications and digital data communications. It prescribes penalties for illegally accessing the contents of messages and tampering with or damaging telegraphs. This Act gives the government of India power to infringe upon the privacy of an individual by way of monitoring or intercepting communication and tapping phone lines under conditions of public emergency or public safety, or in the interests of sovereignty, integrity and security of the state, or maintaining friendly relations with foreign states or maintaining public order.
The Right to Information which is bestowed on Indian citizens gives them the right to be furnished with information held by government bodies. This right, guaranteed by the Right to Information Act, 2005, has limitations when it comes to national security and interests. Furthermore, section 8 of this Act restricts access to personal information of an individual whose disclosure has no relation to public activity or interest and would be an infringement upon the right to privacy. There should be a balance between the right to information and the right to privacy, as both rights must be maintained for a healthy democratic society.
In 2019, the Personal Data Protection Bill was introduced in the Lok Sabha with the purpose of protecting an individual's privacy through data protection and establishing a Data Protection Authority of India for that purpose. It proposes to protect sensitive personal data of individuals which relates to an individual's identity, personal autonomy over their sexual orientation and sexual life, financial data, medical data, biometric data, and genetic data, as well as their political and religious beliefs. This Act would stipulate the ways in which such data is to be collected, stored, disseminated, and transferred. Businesses across India will have to change their policies and procedures for handling the personal data of their customers to comply with this Bill’s requirements. The only exception will be ‘small entities’, which are businesses that collect data manually and meet some other conditions which are to be specified by the Data Protection Authority. Businesses are required to inform their customers about their data collection practices and have to seek their consent for the same. Customers will have the right to withdraw their consent, so companies have to design their systems accordingly. The biggest criticism of this Bill comes from the fact that the central government has the overriding power to exempt any of its agencies from the applicability of this Act on grounds that are much broader than the interests of security, sovereignty, and integrity of the state and maintaining friendly relations with foreign states. It gives the central government a relaxation in monitoring and accessing an individual's data which may be detrimental to the right to privacy of an individual. Justice B.N Krishna, a retired Supreme Court Judge who headed the committee that drafted the Bill, warned that such excess of power provided to the government can lead to India turning into an ‘Orwellian State’.
To end this discussion on data protection and privacy, it is pertinent to note that the consent-based model of data protection should be changed to a rights-based model. In a consent-based model, the data collector is free to use the data in any manner after consent for the same is obtained from the user. This model is inadequate and can be dangerous to the preservation and protection of data, as the individual might not be aware of what exactly he or she is giving consent for. In contrast to this model, the rights-based model is much more utilitarian in securing the rights and interests of an individual over his data. Under this model, it would be the responsibility of the data collector to ensure that the use of data does not violate an individual's right to privacy. Adopting a robust system of data protection based on the rights-based model would ensure that sensitive data is handled scrupulously.
The recognition of the right to privacy as a fundamental right under the Indian Constitution has paved the way for future legislation for data protection and privacy. With the ever-increasing number of e-commerce websites, government services being provided online and a substantial number of works being carried out through the exchange of data over electronic means, a dedicated privacy and data protection mechanism is necessary to prevent misappropriation and exploitation of personal information. Encroachment on the right to privacy of an individual leads to violation of their right to life and personal liberty. Preservation and observance of the right to privacy is paramount in a democratic nation.