Abstract
The capacity of a person or a particular group to seclude themselves, or particular information about themselves, and to express it in a chosen way can be termed ‘privacy’. In the words of law, it is the right of a person to live without any external interference in matters that the public may not necessarily be concerned with. The Constitution of India also deals with the right to privacy. In recent times, where technology is advancing at a very fast rate, data protection is the prime concern of the public. As the amount of data being created and stored is increasing at an unprecedented rate, data protection is becoming increasingly important. Data protection deals with protecting sensitive information from leakage, damage or corruption, and is also correlated with the right to privacy. This research paper attempts to scrutinize the data protection laws of other countries, the data protection laws in India, and the right to privacy and its implications for data protection laws. Although India now has a well-defined legal system in place, the nation didn’t have any data protection regulations 2 years back. Indian law does not address current developments like offshore and the internet; in fact, the emergence of the internet gave rise to a whole new set of complicated legal challenges.
Keywords
Data Protection legislation, Cyber Security, fundamental right, data privacy, personal information
Introduction
According to Article 21, “Protection of Life and Personal Liberty: No person shall be deprived of his life or personal liberty except according to procedure established by law.” One of the most crucial rights that the Constitution protects is the fundamental right outlined in Article 21. This right has been referred to as the “heart of fundamental rights” by the Supreme Court of India. The right to life encompasses more than just the ability to survive. It also includes having the ability to live a full life with dignity and purpose.
Data protection and privacy are the Information Age’s data pollution problem and environmental challenge. As more social and business activities move online, the need for privacy and data protection is being increasingly acknowledged by the general public. Out of 194 nations, 137 have laws in place to ensure the protection of personal information and data. The ‘California Privacy Rights Act’ (CPRA) is the most comprehensive state data privacy legislation to date, whereas the ‘General Data Protection Regulation’ (GDPR), which governs the collection, use, transmission, and security of information obtained from 28 member countries of the European Union, is the most significant data protection law enacted to date.
Research Methodology
This paper is descriptive in nature, and the research is based on different sources for an in-depth analysis of the right to privacy and its implications for data protection laws. The sources of information used for the research include websites, law journals and case law.
Review of Literature
Privacy is not a new concept. Ancient Greece was divided in two spheres:
- Polis – the public or political sphere
- Oikos – the private or familial sphere
With the emergence of newspapers, television and, more importantly, the internet, the right to privacy is no longer limited to physical privacy; the concept is now more about information privacy or privacy of data. The attack on privacy takes the form of overreaching intrusion on confidential conversations, as seen in the recent Pegasus scandal. It is important to remember that the right to privacy encompasses much more than just the freedom to communicate privately. The Supreme Court acknowledged the Right to Privacy as a crucial component of Article 21 in Ram Jethmalani v. Union of India[1]. According to Maneka Gandhi v. Union of India[2], the Right to Privacy is a basic right that is covered by the ‘Right to Life and Personal Liberty’ under Article 21 and that may be restricted only through a legal process that is just, fair, and reasonable.
Data Protection Laws in India
In the case of Justice K.S. Puttaswamy (Retd) v. Union of India (2017)[3], the right to privacy was held to be a fundamental right. The nine-judge bench unanimously held that ‘the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedom guaranteed in Part III of the Constitution’. Since that time, India has upheld the right to privacy as a basic right. This resulted in the creation of a comprehensive Personal Data Protection Bill 2019 (the PDP Bill), although the bill was subsequently withdrawn in August 2022. On November 18, 2022, the Ministry of Electronics and Information Technology (MeitY), Government of India, issued a draft of the Digital Personal Data Protection Bill, 2022 (the DPDP Bill), replacing the PDP Bill. The goal of the 2022 Bill is to provide guidelines for processing digital personal data in a way that recognises both the need to handle personal information for legal reasons and the right of persons to privacy protection. Personal information protection is not governed by a standalone law in India. There are protections, however; they are dispersed over a number of laws, rules, and policies. The Information Technology (Sensitive Personal Data or Information) Rules of 2011 and the Information Technology Act, 2008 both have provisions that address such offences in the instance of cybercrime or online trading. All laws and regulations pertaining to the IT Act of 2000 were exempt from the protections and restrictions necessary to protect sensitive personal information online when it originally went into force on October 17, 2000. As a result, the Information Technology Bill, 2006, and the following IT (Amendment) Act, 2008, both of which had provisions that became effective on October 27, 2009, were introduced.
Section 72A of the Act[4] prescribes the punishment for disclosure of information in breach of lawful contract, as per which ‘any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both’.
Moreover, Section 43A of the IT Act deals with compensation for failure to protect data, and states: “a corporate body, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected”. The majority of laws solely concern sensitive personal data and information. The regulations only apply to corporate organisations that engage in automated data processing, and only a small percentage of the limits may be enforced by consumers. The major concern, however, is data localization, which has not been addressed by the Indian government and which was one of the reasons for banning Chinese applications in India. India needs comprehensive data privacy legislation, like that of developed countries, to overcome these limitations.
General Data Protection Regulation (GDPR)
The toughest privacy and security regulation in the world is the General Data Protection Regulation (GDPR). Although it was created and approved by the European Union (EU), it imposes duties on any organisations that target or gather information about individuals residing in the EU. The rule became effective on May 25, 2018. The GDPR imposes severe fines, up to tens of millions of euros, on those who break its privacy and security criteria.
The 1950 European Convention on Human Rights declares that ‘Everyone has the right to respect for his private and family life, his home, and his correspondence’. The right to privacy is covered by this provision. Through laws built on this basis, the European Union has attempted to ensure the maintenance of this liberty. With the advent of the internet and the advancement of technology, the EU realised the need for additional protections. As a result, in 1995, it enacted the ‘European Data Protection Directive’, which defined fundamental standards for data security and privacy and served as the basis for enacting laws in each of the member states. But the Internet was already evolving and becoming the information powerhouse that it is today. The GDPR went into effect on May 25, 2018, after being passed by the European Parliament in 2016. All enterprises were required to comply. There are severe penalties for breaking the GDPR. The combined maximum sanction for the two categories is €20 million or 4% of worldwide sales (whichever is greater), and data subjects also have the ability to seek compensation for damages. The data processing rules introduced by the GDPR are built on seven fundamental privacy principles:
- Lawfulness, fairness and transparency
- purpose limitation
- data minimization
- accuracy
- storage limitations
- integrity and confidentiality
- accountability
Although new data privacy-related regulations have recently been established in the EU, like the Digital Services Act and Digital Markets Act, the EU General Data Protection Regulation still reigns supreme. To inform orders and punishments, EU data protection authorities may contact, question, and examine service providers. A company may be penalised up to 6% of its annual global revenue for the prior fiscal year if found in breach. The maximum fine for breaking a DSA information duty is 1% of the preceding year’s earnings or global turnover. Globally, nations have developed their data protection legislation based on a structure comparable to the GDPR.
Data Protection in Other Countries
China:-
- In order to safeguard the legal rights and interests of both organisations and individuals in China, the China Cybersecurity Law (the “CSL”) applies to the operation, maintenance, and use of information. The China Cybersecurity Law imposes a number of significant cybersecurity obligations on network operators. This helped China to secure the development of technology and the digitization of the economy in the country.
- China’s Data Security Law (DSL) governs data processing operations carried out outside of China that may harm China’s national security, the general welfare, or the legal rights of Chinese individuals and organisations. It imposes a multitude of requirements on businesses and people, including those situated outside of China, relating to data classification, cross-border data transfers, data export rules, data risk management, and risk assessments.
- China implemented its main data protection law, the Personal Information Protection Law (PIPL), on August 20, 2021. It went into effect on November 1 of that same year. PIPL is applicable to businesses operating in China that process and analyse personal data of Chinese nationals coming from both inside and outside of the country. It gives people a wide range of rights and imposes stronger restrictions on data controllers and processors.
Australia:-
- In Australia, the Privacy Act of 1988 has been in effect for more than 20 years. The Privacy Act was created to safeguard data subjects’ privacy. The 13 Australian Privacy Principles (APPs) contained in the Australia Privacy Act are also applicable to most Australian Government bodies as well as to organisations in the private sector.
- These 13 Australian Privacy Principles govern standards, rights and obligations around:
  - the gathering, use, and dissemination of personal data
  - the responsibility and governance of a company or agency
  - the accuracy and reliability of personal data
  - the liberty for people to view their personal data
- The 13 privacy principles under the Australia Privacy Act include: open and transparent management of personal information; cross-border disclosure of personal information; anonymity and pseudonymity; adoption, use or disclosure of government related identifiers; collection of solicited personal information; quality of personal information; unsolicited personal information; security of personal information; notification of collection of personal information; access to personal information; use or disclosure of personal information; correction of personal information; direct marketing.
- Australian privacy laws are based on a few fundamental ideas. Because of this, an organisation or agency has the ability to modify how it handles personal information to suit its commercial objectives and the desires of different groups of individuals. Since they are technology agnostic, they can adapt to new technologies. A breach of an Australian Privacy Principle, known as an ‘interference with an individual’s privacy’, is sanctioned by regulatory action.
United States of America:-
- The European Union has robust data privacy laws (the General Data Protection Regulation), in contrast to the United States, which has less stringent laws. However, several states have implemented extensive data privacy laws that have drawn comparisons to the EU system.
- The ‘Gramm-Leach-Bliley Act’, which Clinton signed into law in 1998, governs data privacy for financial companies. According to the Federal Trade Commission, the legislation compels these institutions, which include firms that provide loans, investment guidance, insurance, and other financial products or services to customers, to secure sensitive data and explain how they utilise client data.
- The California Consumer Privacy Act (CCPA), which was passed in 2018 and is considered the country’s strictest data privacy law, applies to any business that gathers private information about customers, and sets out particular rights that consumers have.
- Consumers have rights under the CCPA, including the right to know what personal information businesses collect and to whom they sell it, the right to have their personally identifiable information deleted by corporate organisations, the right to object to the sale of their information, and the right to fair treatment while enforcing their privacy rights. The California Privacy Rights Act, which was approved in 2020 and went into effect in 2023, modified the CCPA. As a result, customers now have more rights, such as the power to restrict how sensitive data is used and disclosed and the right to have inaccurate information about them that businesses have collected corrected.
- Virginia is the second state this year after California to enact a comprehensive state-level data privacy law, and later this year similar measures will take effect in Utah, Connecticut and Colorado.
Japan:-
- The Personal Information Controller (the “PIC”) is a person or company that provides personal related information for use in conducting business in Japan. Japan’s Act on the Protection of Personal Information (APPI) is the law in Japan that governs the use of personal related information. The APPI also applies to foreign PICs that manage personal data of data subjects (or “principals”) in Japan in order to provide such people with products or services. The legislation guarantees both the right of the individual to privacy and the legitimate use of personal information for economic growth.
Singapore:-
- The Personal Data Protection Act (the “PDPA”) was passed by Singapore in 2012 and went into effect in phases; the data protection provisions were effective on July 2, 2014. The PDPA recognizes people’s rights to more control over their personal data as well as organizations’ obligations to collect, use, and disclose personal data for legitimate business purposes. The PDPA applies to both electronic and non-electronic types of personal data storage. The PDPA does not apply to anonymized data, which is data that cannot be used to identify the data subject.
Turkey:-
- One of the first nations to adopt data protection legislation was Turkey. Turkey issued the ‘Law on the Protection of Personal Data’ (LPPD), covering personal data protection, on April 07, 2016. The GDPR and the LPPD share many characteristics and are both based on the European Union Data Protection Directive. The LPPD explains the responsibilities that businesses and people handling personal data must meet and attempts to give data subjects control over their personal data. No matter where they are physically located, both Turkish companies and any foreign natural or legal entity that collects or processes data of Turkish origin or the personal information of Turkish data subjects are subject to the LPPD.
Italy:-
- Italy is a member of the European Union, where the GDPR is fully effective. On December 19, 2018, Italy adopted the GDPR by amending the Personal Data Protection Code, since certain of its provisions directly contravened the GDPR. To put it simply, the outdated legislation has been revised to comply with the GDPR’s obligations.
Brazil:-
- Brazil’s ‘Lei Geral de Proteção de Dados’ (LGPD) is a thorough data protection law, which took its inspiration from the EU’s GDPR. All Brazilian residents who receive various goods or services from businesses based within or outside of Brazil, as well as Brazilian governmental entities, are covered by the data protection legislation. The legislation defines 10 legal bases for the lawful holding and processing of data, as well as accountability obligations, required breach notifications, and DSRs, imposing harsh penalties upon infringement.
United Kingdom:-
- The Data Protection Act that was introduced in 1998 has been modified and is now known as the UK Data Protection Act (DPA) 2018. The GDPR is implemented by the DPA 2018 with a number of modifications and limitations. Three categories of processing are included in the DPA 2018: general data processing, processing done by law enforcement, and processing done by intelligence services. It is necessary to read the DPA 2018 in conjunction with the UK GDPR, which is the GDPR in effect as of December 31, 2020, and any relevant case law at that time.
Suggestion
India has been engaged in a protracted and laborious process to develop a data privacy policy that is comparable to other significant international rules in terms of its reach and the protection it offers to its citizens, such as the right to information, the right to data access, the right to make corrections, the right of deletion, the right to limit processing, the right to transfer data, and the right to disagree.
India may develop its data protection legislation based on a structure comparable to the GDPR, as it is the toughest privacy and security regulation in the world.
Conclusion
In the 21st century, where data transmission is simpler and more important than ever before, security of data is the main concern not of a particular state but of the whole world. However, due to its simplicity, data are being exploited more. Since this is a recent issue, proper law has not been introduced. A comprehensive central-level law on the subject was intended to be implemented with the introduction of ‘The Personal Data Protection Bill’ of 2019 in Parliament, but this has not yet happened. Privacy is crucial in many areas of life, but particularly in the business sector. India has to address the problem seriously because it lags behind other developed countries in terms of data privacy concerns.
Manha Aimen
Department of Law, Calcutta University
[1] (2011) 8 SCC 1
[2] AIR 1978 SC 597
[3] (2017) 1 SCC 10
[4] The Information Technology Act