Privacy And Data Protection Laws In India

9th November, 2022 - 5:22 am Categories: Data Protection 0 Comments

Introduction

The concept of Privacy dates back to the dawn of human civilization. However, the idea of Privacy is difficult to grasp. The term “Privacy” has taken on a variety of meanings for different academics, and those definitions shift as society itself does. It is possible to trace back its history by looking at arguments in the Constituent Assembly, when Privacy and secrecy were debated. It is clear from the debates in the Constituent Assembly that the Right to Privacy was purposefully omitted from the Constitution. Legislators’ motivations for doing this remain a mystery. Post-independence India’s Constitution does not explicitly acknowledge the Right to Privacy, but precedents in the courts have allowed it to develop. In the instance of Kharak Singh[1], it was acknowledged for the first time. The “Indian Evidence Act, the Information Technology Act, the Indian Penal Code, Criminal Law, Indian Telegraph Act, Indian Easement Act, and Family Law” are all examples of legislation that include provisions that pertain to Privacy. In this article, we’ve explored these Laws in great length. There are many different types of Privacy that have developed through time: the Privacy of one’s physical space, one’s bodily identity and information, and the Privacy of one’s personal preferences. And this Right is even more important to safeguard in the digital age we live in today. There has been some discussion over the impact of social media on Privacy Rights in today’s digital age. To that end, we’ll take a close look at the Laws in place to safeguard individuals’ Privacy, and whether or not they go far enough to address concerns like invasions of Privacy, which are protected by Article 21[2].

[Image source:Gettyimage

Definition of Privacy Rights

When discussing its definition, the term “Privacy” is difficult to comprehend. It has been interpreted in several ways. “Right to Privacy,” according to Black’s Law Dictionary, includes “various Rights recognized as inherent in the concept of ordered liberty.” These freedoms protect people’s Right to fundamentally choose how they want to live their lives and interact with their families, other people, and their interpersonal connections and activities. It’s also been said that Privacy is about a person’s Lawful claim to decide how much of himself he wants to disclose with others, as well as his control over when, where, and under what conditions he does so. It refers to his unrestricted ability to engage or not participate in whatever way he chooses. It also refers to the freedom of the individual to decide what information about him or her is made public; he or she is the exclusive owner of that information. A person’s “Right to be left alone,” on the other hand, signifies that he or she is entitled to Privacy. All the Rights that have been recognized as inherent in the idea of ordered liberty fall under the umbrella phrase “Right to Privacy.” Freedom of assembly and free speech may be seen as essential components of the Right to Privacy, since they allow people to do both.

Right to Privacy: Constitutional Essence

In R. Rajgopal v State of T.N[3], the Apex recognized a person’s Right to safeguard his Privacy in a plethora of matters. In PUCL v UOI[4], the Right to Privacy was recognized in the light of Article 17 of ICCPR and Article 12 of UDHR. In Ram Jethmalani v UOI[5], the SC recognized the Right to Privacy as an integral part of Article 21. The Right to Privacy is a fundamental Right covered within the ambit of Right to life and personal liberty under Article 21 which can be curtailed via procedure established by Law which is just, fair and reasonable as laid down in Maneka Gandhi v UOI[6]. In State of Maharashtra v Bharat Shanti Lal Shah[7], the Supreme Court laid down that the Right to Privacy can be curtailed in accordance with the procedure validly established by Law. In Govind v. State of MP[8], it was held that the fundamental Right explicitly guaranteed to a citizen has plethora of zones and that the Right to Privacy is itself a fundamental Right , and it must be subject to restriction on the basis of compelling public interests. From all the case Laws discussed, it is clear that the Indian judiciary has developed the concept of Privacy as a wide term. Privacy is to be understood in a wide sense- it includes bodily autonomy, making choices in matters understood as being personal and off course one’s personal information. Being encompassed within the limit of Article 21, Right to Privacy can be curtailed only in exceptional circumstances that is in lieu of compelling state interest and if it fulfills the benchmark of proportionality test laid in the Puttaswamy judgment.

A 9-j Supreme Court bench in Justice K.S. Puttaswamy v. UOI[9], stated that “the Right to Privacy” is an essential component of our Constitution. One may be forgiven for wondering why a bench of nine judges was tasked with deciding whether or not the “Right to Privacy” falls within Art 21 of our Constitution. In 2017, a 5 Judges bench of Supreme Court made the announcement that they wanted a 9 Judges panel to first assess whether “the Right to Privacy” is a fundamental Right before deciding on the primary issue regarding Aadhaar. The case that included the Aadhaar card and “Right to Privacy” was being considered by the court. The A.G. in Aadhaar matter stated that even though previous rulings had acknowledged the “Right to Privacy”, they did not explicitly recognize it like in Kharak Singh[10] and M P Sharma rulings[11]. As a result, a 9 Judges bench must be constituted to analyze whether “the Right to Privacy” qualifies as a basic freedom. A flurry of Legislative initiatives to pass Personal Data Protection Laws were triggered by the Supreme Courts broad interpretation.

Statutory Provisions on Data Privacy in India

The sharing or receiving of personal information in spoken, writing, or electronic form is not protected by a stand-alone legislation in India. Although there are safeguards, they are spread over a variety of Laws, regulations, and policies. IT (Amendment Act of 2008) and IT (Sensitive Personal Data or Information) Rules of 2011 include the most significant clauses. For online trade and cybercrime, this is India’s most important Law in the country. Because of their name, SPDI Rules only cover Data and information sent electronically; they do not cover Data and information obtained via non-digital methods.[12] All rules and regulations pertaining to the IT Act, 2000 were devoid of the safeguards and restrictions necessary to secure sensitive personal information submitted electronically when it first went into effect on October 17, 2000. The Information Technology Bill, 2006 was finally introduced as a result, and the IT (Amendment) Act, 2008 followed, with its provisions taking effect on Oct 27, 2009. It inserted Sec 43A in IT Act, as per which, if: “a corporate body possesses or deals with any sensitive personal Data or information, and is negligent in maintaining reasonable security to protect such Data or information, which thereby causes wrongful loss or wrongful gain to any person, then such body corporate shall be liable to pay damages to the person(s) so affected.” Also Sec 72A, as per which: “the punishment for disclosure of information in breach of Lawful contract and any person may be punished with imprisonment for a term not exceeding three years, or with a fine not exceeding up to five lakh rupees, or with both, in case disclosure of the information is made in breach of Lawful contract.” Punishment for it is stated in Sec 72. It says that: “any person who, in pursuance of any of the powers conferred under the IT Act Rules or Regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned, discloses such electronic record, book, register, correspondence, information, document or other material to any other person, shall be punishable with imprisonment for a term which may extend to two years, or with fine which may extend to Rs 1,00,000, (approx. US$ 3,000) or with both.”  Anyone who commits an offense or violation outside of India shall be held to the same standards as anyone who commits an offense or violation in India. This is stated in Section 75 of the Act. The IT Act and Rules’ reach and breadth, however, are constrained. Most of the rules only cover “sensitive personal Data and information” that is gathered using “computer resources.” Only a tiny portion of the restrictions may be enforced by consumers, and the provisions are only applicable to business organizations that carry out automated Data processing. Data localization is not covered, which was the main worry and the basis for the Indian government’s decision to prohibit Chinese applications. India need a thorough Data Privacy legislation to overcome these restrictions.

Data Breach and Privacy in Other countries

In UK, the Data Protection Act, 2018 regulates as to how one’s personal information is to be used by organizations and the government. The Data Protection Act, 2018 is United Kingdom’s extension of the General Data Protection Regulation (GDPR) which is followed in all member countries of the EU. All liable for using personal Data must obey specific guidelines called ‘principles of Data security’. They must make sure that the Data is:[13]

1. Reasonably, legally and transparent used.
2. Used for well-defined purposes only.
3. Used in such a way which is acceptable and such usage is restricted within the ambit of necessity.
4. Precise and if possible also up to date.
5. Not retained for such time period after its requirement ceases.

One is enabled to be acquainted with what knowledge the government and other institutions keep on one as per the Data Security Act , 2018.[14]

These includes the Right to:

1. Be aware of the use of one’s personal Data.
2. Access personal Data.
3. Make changes if Data being used is wrongful.
4. Get the Data deleted.
5. Ceasing and Prohibiting the transmission of one’s Data.

One gets some sort of Protection if an agency utilizes his or her personal details for:

1. Procedures relating to automatically making of decisions (without involving humans).
2. Profiling, like anticipating one’s actions or wishes.

Quite surprisingly, it is noted that United States has no Data Protection Laws. There is no Law at the Centre which shall deal with Data Privacy and breach at the central level unlike the GDPR Law of the European Union. There are instead several Laws dealing in Privacy issues like Privacy Laws focused upon consumers enacted in various states of the country. Somewhat like the Companies Act of 2013 in India, one has the Federal Trade Commission Act in the United States. Within its jurisdiction, the Federal Trade Commission Act has immense power over private enterprises to avoid discriminatory or deceiving marketing practices. Although, the FTC does not specifically dictate what Data can be used in Privacy policy for websites, it uses its power to impose rules, implement Privacy Laws, and take compliance steps to protect the consumers. FTC has often taken actions against the companies in matters of Data Privacy:[15]

1. On the occasion of failure to impose and maintain various measures relating to Data security.
2. Failure to adhere to the relevant self-regulatory standards of the business of the company.
3. Failure in adhering to a Privacy policy which has been published.
4. Dissemination of Data in undisclosed mannerisms.
5. Misleading the consumers by supplying them with wrongful information regarding usage of their Data.
6. Failure to keep the personal information of the consumers secured from instances of Data intrusion.
7. Violating the Privacy Rights of consumers by way of collecting, tackling, or exchanging their Data is an infringement of the Privacy benchmark set by the FTC or of the rules and regulations of national Privacy.
8. Indulging in unlawful and unethical marketing practices.

Comparative Analysis

Out of these three countries, it is only the United Kingdom which has a central Law on personal Data Protection. It is surprising to note that United States despite being the land of origination of Facebook and WhatsApp has no central level legislation on Data Privacy. The Law on the issue varies from state to state in the country. However, FTC acts a national level body for tackling Data Privacy issues concerning the business world. Hence this situation as prevalent in India is much sadder and appalling as India neither has central level Data Protection Laws, state level Data Protection Laws or a central level authority which deals in this issue. UK has its own Data Protection Law making it easier to establish to culpability and so is the case in US due to presence of state level Laws. In India, it is the judiciary which has propounded upon the subject of Privacy a number of times and the same has developed to form perceptions on Data Privacy.

Personal Data Protection Bill, 2019

The Supreme Court’s 9-judges bench upheld the “Right to Privacy” in K.S. Puttaswamy v. UOI[16] in August 2017. According to Article 21, the Court highlighted the Rights to life and personal freedom. The Indian government established a Committee of Experts, headed by Justice B.N. Srikrishna, to investigate Data Privacy problems in India during the case. This report and draft Personal Data Protection Bill were given to Ministry of Electronics and Information Technology in July 2018 after the white paper’s open consultation. Expert Committee suggestions and stakeholder input were used to draft Personal Data Protection Bill 2019. A further set of three critical elements is outlined in the text:[17]

• Personal Data Protection is a crucial component of “informational Privacy and Right to Privacy.”
• As the digital economy has grown, people are increasingly using Data as a vital form of interpersonal connection.
• The establishment of a collective culture that promotes a free and equitable digital economy, respects the Privacy of individuals’ personal information, and ensures these things is necessary to ensure empowerment, advancement, and innovation through digital governance and inclusion, as well as matters related or incidental to those.

The above-mentioned bill was developed following extensive engagement and consultation with a variety of stakeholders, including Indian Law enforcement, which opposes “Data colonialism” by significant Western technology companies like Google and Facebook and wants access to Data stored in the US for national security investigations. As a replacement for Sec. 43-A of the IT Act of 2000, this bill would eliminate all provisions pertaining to company liability for Data breaches and Privacy violations.

Before processing personal Data, Data fiduciaries and processors are obliged by Law to get permission from Data principals. Regardless of whether they are representatives of the State, a corporation, a government agency, or an individual, whomever decides the reason for and the method of processing personal Data. An individual who administers personal Data on behalf of a Data fiduciary is known as a Data processor. This includes the government, corporations, people, and other legal bodies. Data collectors must now comply with new reporting standards, such as the obligation to get parental or guardian consent before collecting children’s Data. The persons whose Data is being gathered, or the “Data principals,” are also given Rights under the Law.

In the event that the legislation is passed, Data fiduciaries and Data processors will need to:

• Inform the Data principals of the collecting of their Data.
• Request permission before processing a Data subject’s personal information.
• Gather and maintain proof that a notification was made and permission was obtained.
• Enable users to access, amend, and delete their Data as well as withdraw their permission.
• Permit customers to transmit their Data to other firms, including any conclusions drawn by such businesses from that Data.
• alter organizational procedures to safeguard Data, such as by adhering to Privacy
• by-design principles and putting in place security measures

Additionally, the Law stipulates that all “sensitive personal Data” must be kept in India and that “essential personal Data” cannot be sent outside. As it would disrupt market-driven choices and compel businesses to utilize local Data storage service providers, this has been condemned as being Protectionist.

Criticism of the Bill

Since its inception, the Bill has come under scrutiny for being skewed in favor of the company collecting the Data and for potentially having serious problems with user Rights. Globally, Data Privacy Laws have properly given users primary control over Data gathering and permission. The Laws provide users the freedom to choose how and when their Data may be gathered, processed, kept, and shared by providing them with the necessary Rights and ability to do so. Despite explicitly granting people certain Rights and safeguards, the DP Bill makes it near impossible for users to exercise their Rights.

The Data Protection Bill makes it more difficult for users to exercise their Right to withdraw permission by declaring that if the withdrawal is made without a “valid cause,” the Data subject would be responsible for any resulting legal ramifications. This eliminates the individual’s ability to exercise a Right to withdraw consent by making it prohibitively difficult to exercise, as well as unnecessary demanding and burdensome. This is complicated further by the fact that the legislation doesn’t specify what constitutes a “good cause” or the nature and scope of the legal repercussions that are intended by the provision. In addition, the legislation establishes circumstances in which it permits the processing of Data without the Data principals’ permission. Given the many layers and complexities that technological processes and products currently have, the regulations that allow for these grey zones simply make things worse for unwary consumers.

Conclusion

In the current era of globalization, it has become much easier than it was ever earlier to save and transfer Data. However, this has had not only positive results but also several negative implications like the infamous WhatsApp Data leak case. It has become easier to exploit Data and breach the Privacy of the masses. Since it is a relatively new concern, there is no concrete Law on the topic. The Personal Data Protection Bill of 2019 was introduced in Parliament as an attempt to bring in a comprehensive center level Law on the issue but the same has not yet become a reality. Data Privacy is extremely important in all spheres of life but most importantly in the corporate world. India needs to take the issue seriously as it is not at par with other leading nations of the world when it comes to Data Privacy issues.

Author: VIDHI CHOURADIA,  BA LL.B (4^TH YEAR ), GH RAISONI LAW COLLEGE, NAGPUR, in case of any queries please contact/write back to us via email to chhavi@khuranaandkhurana.com or at  Khurana & Khurana, Advocates and IP Attorney.

[1] Kharak Singh v. State of UP, 1964 SCR (1) 332.

[2] The Constitution of India, 1950.

[3] 1994 SCC (6) 632.

[4] AIR 1997 SC 568.

[5] (2011) 8 SCC 1.

[6] AIR 1978 SC 597.

[7] (2008) 13 SCC 5.

[8] 1975 SCR (3) 946.

[9] (2017) 10 SCC 1.

[10] Supra note 1.

[11] MP Sharma v Satish Chandra, (1954) 1 SCR 1077.

[12] Puttaswamy v. Union of India (I). Global Freedom of Expression. (2021, December 10). Retrieved October 6, 2022, from https://globalfreedomofexpression.columbia.edu/cases/puttaswamy-v-india/

[13] Service, G. D. (2015, September 16). Data protection. GOV.UK. Retrieved October 6, 2022, from https://www.gov.uk/data-protection

[14] Ibid.

[15] Harrington, D. (2022, September 9). U.S. Privacy Laws: The complete guide. Varonis. Retrieved October 6, 2022, from https://www.varonis.com/blog/us-privacy-laws

[16] Supra note 9.

[17] Akhil Deo and Arjun Jayakumar and Samir Saran and Trisha Ray and Akhil Deo and Arjun Jayakumar. (2020, March 16). The Personal Data Protection Bill 2019: Recommendations to the Joint Parliamentary Committee. ORF. Retrieved October 6, 2022, from https://www.orfonline.org/research/the-personal-data-protection-bill-2019-61915/