Right to privacy and data protection in digital age: Possibility of myth?

Introduction:

Data protection is a legal safeguard, adopted in order to prevent misuse of personal information. Every individual has a right to exercise fundamental degree of control over its personal data or information. Privacy and data protection are two major internet governance issues in this digital age and are interrelated to each other. Making individual personal data or information easily available to others (interested parties) can lead to invasion in privacy. Issues pertaining to data protection and privacy of critical personal information are concerned towards the automatic and easy availability of the required information about an individual to other individual or public or private entity.

How the digital age stands in violation of Right to privacy?

With more data becoming digitized, personal information becomes easily accessible to others and that is why there exists an inherent conflict between the two major internet governance issues of today i.e., Privacy and data protection. Data protection is a legal safeguard that ensures privacy and data privacy suggests how personal information of an individual to be handled based on its perceived importance. Individual’s data or information should be protected in a manner that their privacy is not compromised.

It is more advisable to be aware of the privacy rights when it comes to sharing of personal information and avoid multiple risks. This information are easily available from the credit card numbers, Aadhar or PAN cards, bank accounts, social security numbers and etc. History reminds that the data that should remain private when gets into questionable hands, bad things might follow.[1] Therefore, there is a need for the Data Protection Law mainly for[2] -

• Regulation and processing of data
• Protection of both individual’s rights as well as subject matter
• Enforcement of privacy and security rules against unauthorized access
• Imposing penalties upon failure of compliance with the prescribed policies.

The recent technologies are vulnerable to interception and surveillance. The United General Assembly passed sa resolution in 2018 on ‘The right to privacy in the Digital Age’.[3] The central idea behind the resolution was clear that when anything one say or do can be intercepted, it can led to chilling effect on what one feel free to say or do and therefore it calls for the global concern on human rights.

Right to Privacy

It is believed that the legal concept of Privacy was originally coined in an essay published in 1890.[4] The jurisprudence of privacy suggests it has fragmented history. The core sense of privacy, the central interest which is proper to be defended by law is the field of personal information.[5] Privacy is a fundamental human right as recognized in the Universal Declaration of Human Rights,[6] the International Covenant on Civil and Political Rights[7] and other human right conventions. It is known as right of any citizen to exercise substantial degree of control over their personal information. The appointment of 1st UN Special Rapporteur in 2015 on the Right to Privacy in the Digital Age reflects its rising importance and need to address privacy rights issues at global as well as national levels.[8] In the age of digitalization, the right to privacy has become a challenging issue as personal data is routinely collected and traded in the new economy.

CURRENT SCENARIO OF INDIAN LAW

As on date, India does not have a specific and comprehensive regulatory regime dealing with privacy rights and data protection. However, the constitution of India provides privacy rights guaranteed under the scope of Article 21 but it is not enough to provide adequate protection to the data in this digital age because of the essentially sectoral nature of the existing frameworks. The relevant provisions of Information Technology Act, 2000 regulates the use of sensitive personal information. Recently, in 2019 legislature has introduced a new bill called ‘The Personal Data Protection Bill, 2019’ with an aim of protecting the autonomy over the personal data of the concerned individual and to further set up a specific regulatory body that will deal with personal data infringement activities.

Approach towards Data Protection and Privacy Issues

The International Covenant on Civil and Political Rights is the main global legal instrument for the protection of privacy. There has been recent changes around the around towards one step closer to data protection and infringement issues in consonance with right to privacy. Two of the major changes brought are as follows:

The report released by UN Human Rights Council in 2017 was in attempt to address the responsibility of companies to respect the privacy rights of an individual in the digital age.[9] It requires companies to adopt policies, procedures and remedies and conduct human rights impact assessments of their operation.

The EU General Data Protection Regulation[10] (hereinafter referred as GDPR) is the most important change in the regulation of data privacy in 20 years. The change was brought with an aim of reshaping the manner data is being handled in various sectors and likewise as the report of UN council made companies liable for the mishandling of the personal information of the customers.

In India, a detailed legislation on Data protection is yet to come in force but it is believed that it is going to be equally stringent as GDPR is. Primary IT industry bodies such as NASSCOM and Data Security Council of India have always backed rigorous data privacy for years in the country and ever since the Apex Court declared right to privacy being deemed as a fundamental right,[11] the focus on data privacy and protection to enhance citizen safety and security has increased.

The Government has recently appointed Jus. Srikrishna Committee to have a detailed study of issues pertaining to data protection laws in India. The committee main work was to propose necessary suggestions to the Central government for its consideration on the principles of Data protection in India and suggest a draft data protection bill accordingly.[12]

Role of Digital India Initiative

The significance of digital revolution around the world is no doubt has been recognized by Government of India as well resulting in implementation of ‘Digital India’ Initiative. The revolution promises to bring disruptions in almost all sectors of the society. In accordance to ‘Digital India’ initiative, a ‘White paper’ has been drafted by the legislature to achieve the seven principles[13] based on which a comprehensive data framework for the country shall be drafted. The White paper is divided into three parts[14] that are mentioned below:

Scope and Exemptions- The territorial reach of the law; the contours of personal data; the application of the law to the private and the public sector; the entities regulated by the law; the activities regulated by the law; cross border flow of data; and data localization.

Grounds of Processing, Obligation on Entities and Individual Rights- This part basically focus on the requirement of individual’s prior consent to data processing and the need to legally demarcate other grounds than consent based on which personal data maybe processed.

It also examines the manner in which an entity can obtain valid and informed consent.

Regulation and Enforcement- Regulatory models including: (a) the command-and-control approach; (b) the self regulation approach; and (c) co-regulation approach. This Part also mentions about the need for a separate and independent authority to oversee the efficient enforcement of a data protection law in India.

CHALLENGES TO EXISTING FRAMEWORK IN INDIA

The Information Technology Act, 2000 when brought, lacked provisions for safety of sensitive personal information of an individual that led to several changes, amendments and bills. Until in 2008, Section 43A was inserted in the IT Act that released the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, applicable on body corporate and persons located in India. Civil and criminal remedies are available in the IT Act with respect to data protection but there are several limitations to those provisions that is posing legal challenges. Some of them are discussed below:

Remedies for Data protection under IT Act, 2008

Civil remedies

Section 43A of the act provides for compensatory liability of the body corporate on failure to protect sensitive information. It reads as follow:

“Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.”[15]

It is settled principle that person in ‘control’ of the data is hold liable for any consequences subsequent to loss, disclosure or unauthorized access to such data and hence we can compute that the liability is restricted to those who are able to control the manner of the use of such data. However, the amendment has made changes and now the mere possession of information would render the person liable to pay damages. But the main question still remains as to what constitutes ‘possession’ and how it is different from ‘control’.

Criminal Remedies

Section 72A of the act provides for punishment for disclosure of personal information in breach of lawful contract with the intention or knowledge likely to cause wrongful loss or wrongful gain.[16] The provision includes term ‘personal information’ and provides for its protection but the term itself has not been defined in the act that makes it difficult to understand the scope of the subject matter. Moreover, the bare reading provision suggests that it only talks about information obtained under a contract for services and hence is not applicable on confidential agreement (not of personal nature). However, there are several other limitations under the various provisions of IT Act that could affect the development of data protection and privacy jurisprudence in India.[17]

Aadhaar Card and Right to Privacy

Aadhaar is a nationwide biometric identification system in which the citizens were mandated to get an Aadhaar card that required sharing of personal information. The scheme was introduced with the aim of distribution of subsidies but now is used for variety of other purposes, for example, KYC guidelines and transaction authentication.

Since the introduction of the scheme, there has been debate lately as to whether Aadhaar and Right to privacy can co-exist in the country without Aadhaar being in violation of the Constitutional provisions. The government cannot ignore its responsibilities and obligation towards the protection of citizens from cybercrime under the zeal to aggregate data in electronic form and target subsidies better.

The landmark judgment of K. S. Puttaswamy v Union of India[18] , in 2017 settled the position of privacy rights in India. The use of scheme of Aadhar card for various purposes was challenged on the constitutional ground that the collection and compilation of personal data of the residents stands in violation of fundamental right to privacy falling under Article 21.

JUDICIAL PRONOUNCEMENTS

In the case of M. P. Sharma v Satish Chandra[19], wherein the warrant issued for search and seizure under provisions[20] of Code of Criminal Procedure, 1908 was challenged. The Hon’ble Court refrained from giving recognition to right to privacy as one of the fundamental right under the Constitution by observing as under: -

“When the constitution makers have thought fit not to subject regulation of search and seizure to constitutional limitations by recognition of a fundamental right to privacy,

analogous to the Fourth Amendment, we have no justification to import it, into a totally different fundamental right, by some process of strained construction.”

The Apex Court of India has made it clear that even though right to personal liberty is read as one of the fundamental rights under Article 21 of the constitution, it cannot be treated as an absolute right. In order to arrive at a just conclusion the court may even allow a person to be subjected to a test that would invade his right to privacy and hence a balance between the public rights at large and privacy right of an individual is required to be maintained.[21]

In the case of Gobind v. State of M.P.[22] , the court was of the view that right to privacy is a fundamental right but subject to restrictions based on compelling public interest. Privacy requires a balancing interest between and individual and public at large. Later, in People’s Union for Civil Liberties (PUCL) v. Union of India[23] , the issue contested was that whether calling upon contesting candidate to disclose assets and liabilities of their spouses is an infringement of right to privacy of the candidates or not. The Supreme Court held that by doing the same, right to information of voter is promoted and due to compelling public interest rights of the voters will prevail over the privacy rights of the candidates.

Moreover, in 2017, the majority judgment given by the Constitutional bench of 9 Judges held privacy as the constitutional core of human dignity. This was a landmark judgment because the inclusion of privacy right as one of the fundamental right in the constitution would mean that no institution can enforce their authority unless in accordance with procedure established by law. Hence, the decision of MP Sharma stands overruled and the court held:

“The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.”[24]

CONCLUSION

The government of India needs to adopt Data protection legislation to prevent exploitation of data by public or private entities. In order to do that the government can regulate the treatment of personal data or information by limiting the actions of those entities to only unquestionably relative and necessary information. Although India has made certain timely amendments in IT Act, 2000, the lack of stringent and separate data protection legislation has made the situation only worse. This necessitates passing of a new legislation that will deal specifically with the personal data privacy issues and challenges in the country. However, while drafting the legislation, caution has to be made to balance the interests of common public and to overcome the increased rate of cybercrimes so that people are not under constant fear of their personal information getting misused or leaked. However, in general it is considered that despite the efforts put by the government to preserve basic human rights of citizens there always exists a question as to the possibility of myth that privacy and data protection could be promised in this digital age.

Following are few suggestions pertaining to the data protection laws in India:

Suggestions

Firstly, there is a need of clarity and codifications as to the Data Protection Laws in India. The remedies provided consequent to the data protection rights are often neglected and hence it calls for recognition of the provisions of law that will assure those rights. Thus, analysis of the safeguard mechanism set out for their efficient implementation could be the first step towards protection of personal data or information. This will eventually help in formulation of a more comprehensive legislation.

Secondly, then there is a need for revamping the existing data protection laws to be dealt in more exhaustive manner. Despite the presence of Information Technology (Amendment) Act, 2008 dealing with data protection and privacy issues, in order to mitigate the complexity arising out of the digital revolution, necessitates for a far more comprehensive legislation. This could be done by establishing specific standards for purpose of assimilation of data protection and privacy.

Thirdly, Indian Contract Act can also provide relief from infringement of personal information. Although the act is nowhere related to Data protection issues but the fact that it permits parties to enter into a legally enforceable agreement, it can offer an alternative solution to our issue in hand. This can be done by including data protection as one of the condition for legally enforceable contracts.

• [1] FileCloud Blog, Data Privacy in a digital Age, Available at https://www.getfilecloud.com/blog/2019/02/data-privacy-in-a-digital-age/#.XWfVVOMzbIU, Last visited Aug 29 2019.