Menu
cyber, security, internet

PRIVACY: THE PERSONAL DATA PROTECTION BILL, 2019

Uncategorized

Abstract

“I can’t in good conscience allow the U.S. government to destroy privacy, internet freedom and basic liberties for people around the world with this massive surveillance machine they’re secretly building”.  -Edward Snowden

Privacy is the interest that individuals have in sustaining ‘personal space’, free from interference by other people and organizations.

While no brief book can hope to provide a comprehensive account of the manifold features of a concept as complex and controversial as privacy, this one introduces readers to the main features of what has become one of the most important rights or interests in contemporary society. People often think of privacy as some kind of right. Unfortunately, the concept of a ‘right’ is a problematical way to start, because a right seems to be some kind of absolute standard. What’s worse, it’s very easy to get confused between legal rights, on the one hand, and natural or moral rights, on the other. It turns out to be much more useful to think about privacy as one kind of thing (among many kinds of things) that people like to have lots of.

During the first decade of the 21st century, reading and viewing activities have migrated to screens, are performed under the control of corporations, and are recorded; most conversations have become ‘stored electronic communications’, each event is recorded and both ‘call records’ and content may be retained; many individuals’ locations are tracked, and correlations are performed to find out who is co-located with whom and how often; and events tickets are paid for using identified payment instruments. This massive consolidation of individuals’ personal experience is available for exploitation, and is exploited.

Keywords

Right To Privacy, Data Privacy, Fundamental Rights, Article 21, Reasonable Restrictions.

Introduction

Data privacy, primarily the privacy of individuals, is emerging as a major issue in India. The recent controversy on Pegasus, though some of it was politically instigated, occupied more space in public debate because of rising concerns on privacy, but international data surveillance is also worrying for national security reasons.

The right to privacy has evolved across nations. It encapsulates obligations of the State concerning the protection of personal data. The Constitution of India does not specifically provide for privacy as a Fundamental Right. According to the Supreme Court of India, the Right to Privacy is a part of the Right to Life and Liberty under Article 21 of the Constitution. It is interpreted as a vertical right against the State under Article 12 of the Constitution, and not against private citizens.

India, however, does not have comprehensive privacy law, and limited data protection standards are defined under the Telegraph Act, 1885, and the Information Technology Act, 2000. The collection and use of data are also regulated under different sector-specific laws and regulations, such as the Right to Education Act, 2005, the National Food Security Act, 2013, the Aadhar Act, 2016, and the Reserve Bank of India Act.

The jurisprudence of Right to Privacy has evolved and developed through a series of judgments over the past 67 years, culminating with the Puttaswamy-I judgment in 2017 which reaffirmed that it is very much a fundamental right.

The judgment stated that privacy is a necessary condition for the meaningful exercise of other guaranteed freedoms.

Research Methodology

Doctrinal method has been used throughout the research paper. In this type of methodology secondary material and sources are being used such as books, Journals, Articles, websites, etc. Its scope is very narrow and there is no such need of field work.

Literature Review

The Right to Privacy in India: Concept and Evolution by Gaurav Goyal and Ravinder Kumar

In this book Gaurav Goyal and Ravinder Kumar argue that privacy laws in India are weak because politicians have failed to pass laws to protect it. Even in the West, it’s not always clear what’s protected in terms of privacy. They further argue that one’s private sphere is subjective and depends on one’s culture, environment, and economic condition.

Privacy And Big Data: The Players, Regulators, And Stakeholders

This eye-opening book explores the raging privacy debate over the use of personal data, with one undeniable conclusion: once data’s been collected, we have absolutely no control over who uses it or how it is used. Personal data is the hottest commodity on the market today truly more valuable than gold. We are the asset that every company, industry, non-profit, and government wants. Privacy and Big Data introduces you to the players in the personal data game, and explains the stark differences in how the U.S., Europe, and the rest of the world approach the privacy issue.

How Far Have We Come Since the Puttaswamy Judgment?

On 24 August 2017, a nine-judge bench of the Supreme Court in Justice KS Puttaswamy vs Union of India passed a historic judgment affirming the constitutional right to privacy. It declared privacy as an integral component of Part III of the Constitution of India.

Part III of the Constitution lays down our fundamental rights, ranging from rights relating to equality, freedom of speech and expression, freedom of movement, protection of life and personal liberty and others.

In this judgment, the court specifically upheld an individual’s right to data privacy and directed a special committee to be formed to study this matter at the earliest and propose a data protection framework to uphold the right to privacy.

In the absence of reforms to our laws on surveillance, we need a robust data protection law, which provides for adequate checks and balances when the government seeks to access data for national security purposes.

Additionally, since surveillance is predominantly driven by the political executive, we also need surveillance reforms that provide for parliamentary and judicial oversight of India’s intelligence agencies and police, conforming to the doctrine of separation of powers as enshrined in the Constitution of India in order to prevent abuse of power.

Right To Privacy:

On 24 August 2017, the Supreme Court of India in a historic judgement declared the right to privacy as a fundamental right protected under the Indian Constitution. In declaring that this right stems from the fundamental right to life and liberty, the Court’s decision has far-reaching consequences.

A nine-judge bench of the Supreme Court in the case of Puttuswamy v. Union of India has declared that the right to privacy is a fundamental right protected under Part III of the Constitution of India. While primarily focused on the individual’s right against the State for violations of their privacy, this landmark judgement will have repercussions across both State and non-State actors and will likely result in the enactment of a comprehensive law on privacy.1

The key points of the judgement are summarized below:

(a) Right to Privacy – A Fundamental Right:

The Supreme Court confirmed that the right to privacy is a fundamental right that does not need to be separately articulated but can be derived from Articles 14, 19 and 21 of the Constitution of India. It is a natural right that subsists as an integral part to the right to life and liberty.2 It is a fundamental and inalienable right and attaches to the person covering all information about that person and the choices that he/ she makes. It protects an individual from the scrutiny of the State in their home, of their movements and over their reproductive choices, choice of partners, food habits, etc. Therefore, any action by the State that results in an infringement of the right to privacy is subject to judicial review.3

(b) Not an Absolute Right – Subject to Reasonable Restrictions:

The Supreme Court was at pains to clarify that the fundamental right to privacy is not absolute and will always be subject to reasonable restrictions.

____________________________

1. https://www.financialexpress.com/opinion/personal-data-protection-bill-what-are-the-causes-for-concern/2390058/

2. https://www.hindustantimes.com/cities/chandigarh-news/changing-data-privacy-landscape-in-india-

3. https://www.mondaq.com/india/privacy-protection/625192/supreme-court-declares-right-to-privacy

 It held that the State could impose restrictions on the right to privacy to protect legitimate State interests but it can only do so by following the three-pronged test summarized below:

  1. Existence of a law that justifies an encroachment on privacy;
  2. A legitimate State aim or need that ensures that the nature or the content of this law falls within the zone of reasonableness and operates to guard against arbitrary State action; and
  3. The means adopted by the State are proportional to the objects and needs sought to be fulfilled by the law.

Consequently, all State action that could have an impact on privacy will now have to be measured against this three-fold test.4 This is likely to have an impact on several ongoing projects including most importantly, the Aadhaar identity project.

(c) Other Incidental Implications:

There are several additional implications of this judgement on matters incidental to the principal issue decided by the Court:

  1. By expressly recognizing an individual’s right to privacy regarding his sexual choices, the judgement is likely to have an impact on the petition pending before the Supreme Court on the de-criminalization of homosexuality in India.
  2. To the extent that the judgement has stated that the State cannot interfere in the food choices of an individual it will have an impact on the various cases protesting the ban on beef imposed by certain States.
  3. The judgement has also made several observations on the complex relationship between personal privacy and big data, particularly in the context of how the judicious use of these technologies can result in the State achieving its legitimate interests with greater efficiencies.5

________________________________

4. https://internetfreedom.in/key-takeaways-the-jpc-report-and-the-data-protection-bill-2021-saveourprivacy-

5. https://www.natlawreview.com/article/privacy-data-protection-capsule-india-s-turn-world-stage

  1. It has also recognized the impact that non-State actors can have on personal privacy particularly in the context of informational privacy on the Internet. While fundamental rights are ordinarily only enforced against actions of the State, given the broad language of the judgement and the extent to which informational privacy has been referred to in the judgement, there is concern amongst certain experts that these principles will extend to the private sector as well.

Recognizing the complexity of all these issues, the Court highlighted the need to enact a comprehensive legislation on privacy and noted that the government has already appointed a committee under the chairmanship of retired Justice BN Srikrishna to look into these matters. Given this strong direction from the Supreme Court, it is likely that the Government of India will double down on its efforts to enact a comprehensive privacy legislation.

The Srikrishna Committee (2017),

Pursuant to the directions of the SC in the Puttaswamy judgment, regarding the regulation of informational privacy, a committee headed by retired Supreme Court judge Justice BN Srikrishna was tasked with the responsibility of studying the key issues and relaying recommendations.

Nearly a year later, the Committee submitted its report on 27 July 2018 titled “A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians”, along with a draft Data Protection Bill, to the Ministry of Electronics and Information Technology

The Personal Data Protection Bill, 2019


The Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019. The Bill seeks to provide for protection of personal data of individuals, and establishes a Data Protection Authority for the same. 

  • Applicability: The Bill governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India. Personal data is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual.  The Bill categorises certain personal data as sensitive personal data.  This includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator.
     
  • Obligations of data fiduciary: A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Such processing will be subject to certain purpose, collection and storage limitations.  For instance, personal data can be processed only for specific, clear and lawful purpose.  Additionally, all data fiduciaries must undertake certain transparency and accountability measures such as: (i) implementing security safeguards (such as data encryption and preventing misuse of data), and (ii) instituting grievance redressal mechanisms to address complaints of individuals.  They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children.
     
  • Rights of the individual: The Bill sets out certain rights of the individual (or data principal). These include the right to: (i) obtain confirmation from the fiduciary on whether their personal data has been processed, (ii) seek correction of inaccurate, incomplete, or out-of-date personal data, (iii) have personal data transferred to any other data fiduciary in certain circumstances, and (iv) restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
     
  • Grounds for processing personal data: The Bill allows processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent.  These include: (i) if required by the State for providing benefits to the individual, (ii) legal proceedings, (iii) to respond to a medical emergency.
     
  • Social media intermediaries: The Bill defines these to include intermediaries which enable online interaction between users and allow for sharing of information. All such intermediaries which have users above a notified threshold, and whose actions can impact electoral democracy or public order, have certain obligations, which include providing a voluntary user verification mechanism for users in India.
     
  • Data Protection Authority: The Bill sets up a Data Protection Authority which may: (i) take steps to protect interests of individuals, (ii) prevent misuse of personal data, and (iii) ensure compliance with the Bill. It will consist of a chairperson and six members, with at least 10 years’ expertise in the field of data protection and information technology.  Orders of the Authority can be appealed to an Appellate Tribunal.  Appeals from the Tribunal will go to the Supreme Court.
     
  • Transfer of data outside India: Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India.  Certain personal data notified as critical personal data by the government can only be processed in India. 
     
  • Exemptions: The central government can exempt any of its agencies from the provisions of the Act: (i) in interest of security of state, public order, sovereignty and integrity of India and friendly relations with foreign states, and (ii) for preventing incitement to commission of any cognisable offence (i.e. arrest without warrant) relating to the above matters. Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as: (i) prevention, investigation, or prosecution of any offence, or (ii) personal, domestic, or (iii) journalistic purposes.  However, such processing must be for a specific, clear and lawful purpose, with certain security safeguards.
     
  • Offences: Offences under the Bill include: (i) processing or transferring personal data in violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher, and (ii) failure to conduct a data audit, punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher.  Re-identification and processing of de-identified personal data without consent is punishable with imprisonment of up to three years, or fine, or both.
     
  • Sharing of non-personal data with government: The central government may direct data fiduciaries to provide it with any: (i) non-personal data and (ii) anonymised personal data (where it is not possible to identify data principal) for better targeting of services.
     
  • Amendments to other laws: The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data.

 Issues in Personal Data Protection Bill, 2019:

The Personal Data Protection Bill, 2019 was intensely critiqued for providing large exemptions to Government from compliance under the law. However, the Draft Data Protection Bill, 2021 marks a worrying progression and makes it easier for the government to completely evade the jurisdiction of a data protection law.

Civil society groups have criticized the open-ended exceptions given to the government in the Bill, allowing for surveillance. Moreover, some lawyers contend that security and government access are not achieved by localization. Even if the data is stored in the country, the encryption keys may still be out of reach of national agencies.

Technology giants like Facebook and Google and their industry bodies, especially those with significant ties to the US, have slung heavy backlash. Many are concerned with a fractured Internet (or a “splinternet”), where the domino effect of protectionist policy will lead to other countries following suit. Much of this sentiment harkens to the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders. Opponents say protectionism may backfire on India’s own young startups that are attempting global growth, or on larger firms that process foreign data in India, such as Tata Consulting Services and Wipro.

Case Laws:

  • In India the Constitution does not expressly recognize the right to privacy. But after the case of Kharak Singh v. State of U.P the Supreme Court for the first time recognized the right to privacy which is implicit in the Constitution under Article 21. The Court held that the right to privacy is an integral part of the right to life, but without any clear cut laws, it still remains in the gray area. The view was based on the conclusion that the infringement of a fundamental right must be both direct as well as tangible that the freedom guaranteed u/a 19(1)(a)- a right to freedom of speech and expression was not infringed upon by a watch being kept over the movement of the suspect.
  • In R. Rajagopal v. State of T.N., the apex Court held that the right to privacy is a ‘right to let alone’. No one can publish anything concerning the above matters without his consent, whether truthful or otherwise whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in the action of damages.
  • Privacy is something that deals with individual privacy and also which was needed to be protected earlier before the passing of a landmark case, i.e., K.S. Puttaswamy v. Union of India in 2017 as it was, previously, not considered a fundamental right under the Indian Constitution. However, our Indian judiciary has, at present, carved out a distinctive precinct regarding privacy and an upshot of that is Right to Privacy, it is, now, recognized as a fundamental right, which is intrinsic under Article 21.

Recent Cases,

  1. Judicial probe into the Pegasus spyware issue:

The Supreme Court of India delivered a significant judgment on October 27, 2021 following certain reports of a spyware called ‘Pegasus’ (developed by an Israeli security firm i.e. the NSO Group) being deployed as a surveillance tool on Indian citizens. The petitions prayed for an independent investigation to be conducted into the alleged deployment of Pegasus by certain foreign governments and Indian government agencies.

The Supreme Court noted that the impact of the alleged use of Pegasus on the right to privacy and freedom of speech need to be examined, while forming the three-member expert technical committee. The committee is directed to make recommendations on enactment or amendment to existing surveillance laws to ensure an “improved” right to privacy, improved cyber security and threat assessment measures. The recommendations of the committee are yet to be submitted.

  • Antitrust concerns with WhatsApp’s privacy policy update:

WhatsApp LLC, which operates the messaging platform WhatsApp updated its privacy policy and terms of service in January 2021. While previous updates to WhatsApp gave its users the choice to ‘opt-in’ to the data sharing with Facebook, this privacy policy update required users to agree to data sharing with Facebook in order for the user to continue using the WhatsApp service. In an order dated March 24, 2021, the Competition Commission of India, which is India’s antitrust regulator initiated an investigation against WhatsApp, Inc. and Facebook, Inc. assessing the potential impact of the WhatsApp update on competition in the Indian market. It noted that the unilateral requirement on users to accept the update to WhatsApp’s privacy policy vitiates their voluntary agreement and primarily appears to be unfair and unreasonable for its users.

Facebook, Inc. and WhatsApp, Inc. in separate petitions before the Delhi High Court challenged the order of the Competition Commission of India initiating an investigation. It was argued that the WhatsApp update does not negate the choice of users and is aimed at providing further transparency on WhatsApp data sharing practices with Facebook. The Delhi High Court dismissed these petitions and additionally, upheld the impalement of Facebook, Inc. deeming it to be an integral part of the investigation.

Conclusion:

Right to privacy is a requisite of right to life and personal liberty under Article 21 of the Indian Constitution. Right to privacy is not an absolute right, it may be subject to certain reasonable restrictions for prevention of crime, public disorder and protection of others but, it may, apart from contract, also arise out of a specific relationship that may be commercial, matrimonial or even political and also where there is a conflict between these two derived rights, the one, which advances public morality and public interest, will prevail.

Privacy should be protected in every aspect but it is subjected to reasonable restrictions under the provision of Constitution of India and other relevant statutory provisions in force. One needs to understand that privacy should be keep in mind and within the confined limits not to explain to rest of the world.          

Sourabh Bose

Ramaiah Institute of Legal Studies, Bengaluru