POLITY

Privacy

Introduction

While there is no universally accepted and legal definition of privacy, it broadly relates to the diverse modes by which people, personal information, certain personal property, and personal decision-making can be made less accessible to others.
It is a Human and Natural Right enjoyed by every human being by virtue of their existence.
It is a Fundamental Right emerging from guarantee of life and personal liberty under Article 21 of the Constitution.
The Right to Privacy is determined on a case-to-case basis due to the dynamic meaning of privacy.

Types of Privacy:

International Legal Framework on Privacy

The Framework:

Article 7 and 8 of the Charter of Fundamental Rights of the European Union, 2012, recognizes the respect for private and family life, home and communications. Article 8 mandates protection of personal data and its collection for a specified legitimate purpose.
Around 80 countries in the world have enacted laws regarding privacy including Australia, Canada, UK, and South Africa. While there is no separate law and the term privacy is not mentioned in the United States constitution, right to privacy is seen as a part of Fourth Amendment rights.

Privacy in India

Evolution of Privacy as a Fundamental Right

In MP Sharma v. Satish Chandra, 1954 the SC questioned and disagreed to the existence of a constitutionally protected right to privacy.
In Kharak Singh v. State of Uttar Pradesh, 1962 while the SC invalidated a Police Regulation for nightly domiciliary visits on the grounds that it constituted “unauthorised intrusion into a person’s home and a violation of ordered liberty”, it held that the right to privacy was not guaranteed under Article 21.
Supreme court judgments in 1975 (Gobind v. State of M.P) and 1978 (Smt. Maneka Gandhi v. Union of India) held that right to privacy should be denied only on account of superior reasons which allow for infringement of such a right, and that the law and procedure authorising interference with right of privacy must also be right and just and fair and not arbitrary, fanciful or oppressive respectively. The 1975 judgment also held that right to privacy should go through the process of case-by-case development.
The court held in the R.M. Malkani v. State of Maharashtra case, 1972 that telephonic conversations are private in nature which make phone tapping a violation of privacy.
The Harvinder Kaur v. Harmander Singh, 1983 judgment extended right to privacy to gender priority wherein private life is protected from public portrayal.
The Right to Privacy Bill, 2011.
Justice AP Shah Committee on Privacy – 2012
In the landmark judgment in case of Justice K.S. Puttaswamy v. Union of India, 2017 the SC declared Right to Privacy as a fundamental right under Article 21. The court held that privacy is the constitutional core of human dignity.

Meaning of the Right to Privacy

The Right to Privacy is an important ingredient of the Right to Life and Personal Liberty embodied under Article 21 of the Constitution.
It is also recognized under various other laws viz. Law of torts, Criminal Laws as well as Laws relating to Property.
It includes preservation of personal intimacies, the sanctity of family life, marriage, procreation, home and sexual orientation.
Privacy is not surrendered when a person is in public place.
It is justiciable, but not absolute.

Government Efforts to Strengthen Privacy

Information Technology Act, 2000

The IT Act provides for safeguard against certain breaches in relation to data from computer systems. It contains provisions to prevent the unauthorized use of computers, computer systems and data stored therein.
The Act provides for payment of compensation (in civil cases) and punishment (criminal cases) in case of wrongful disclosure and misuse of personal data and violation of contractual terms in respect of personal data.

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

The Rules deal with protection of "Sensitive personal data or information of a person", including information relating to: passwords; financial information such as bank account or credit card or debit card or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical records and history; and biometric information.
It provides for rules and guidelines to be followed by corporate bodies while dealing with personal sensitive data or information of people, disclosure of which is punishable under section 72A of the IT Act.

Justice B N Srikrishna Committee Report, 2018

The committee was formed in August 2017, after the 2017 SC Judgment.

The report on A Free and Fair Digital Economy highlighted that the relationship between service provider and the individual must be viewed as a fiduciary relationship, which implies obligation on part of service provider to deal fairly with personal data and use it only for authorised purposed.
Its recommendations include creation of Data Protection Authority; restrictions on processing and collection of data; right to be forgotten; data localization, explicit consent requirements for sensitive personal data, etc.
The committee recommended amendment of related laws including Information Technology Act, 2000, the Census Act, 1948, and the Aadhaar Act, 2016 to bolster their data protection framework.

The Personal Data Protection Bill, 2019

After deliberations, the Personal Data Protection Bill, 2018 was approved by the Cabinet in December 2019, and tabled as The Personal Data Protection Bill, 2019 in Lok Sabha. It was referred to the Standing Committee, and is currently pending in the Lok Sabha.

The Bill provides a framework for safeguarding the privacy of personal data of individuals (data principals) which is processed by entities (data fiduciaries). Data processing requires express consent of the data principal except in cases of medical emergency or when the State provides benefits or services.
The Bill allows exemptions from many of its provisions when the data is processed in the interest of national security, or for prevention, investigation or prosecution of offences.
Issues with the Bill:
The provision exempting processing of personal data from most provisions of the Bill for prevention, detection, investigation and prosecution of an offence is too broad.
Mandatory local storage of data may lead to extra costs for the fiduciaries.
Fiduciaries are required to inform the Data Protection Authority of data breach in cases where the data principal may be affected. The fiduciaries may not do so to protect their reputation.
Important concerns about internet privacy arise due to social media companies being required to identify their users with the prescribed aim of combating fake news. This will lead to massive scale of data transfer to private entities, which violates user privacy and anonymity, thus defeating the original purpose of data protection.

Violation of Privacy Guidelines by the Government: Case Studies

Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016

The issue –
The scheme issued a 12-digit identity number to every citizen of India based on his/her biometric information and demographic data on a voluntary basis.
The government then made Aadhaar card mandatory for every person in India and planned linking it to various government benefit schemes.

Criticism –
Although the Act specifically provides what information can be collected, it does not specifically prohibit the collection of further information – there is no upper limit.
There is no clear basis to refuse an Aadhaar card holder access to their core biometric information (defined as fingerprints, iris scans or other biological attributes).
The individual’s rights to edit or update information are very limited.
There are concerns over sanctity and safety of data.

Court Judgment, 2018 –
The SC upheld the overall validity of the Aadhaar Card.
However, it disallowed the use of individual Aadhaar numbers by any private entities for establishing the identity of the individual concerned for any purpose pursuant to a contract, on the basis that it was contrary to the fundamental right to privacy.
It also ruled on a number of laws, circulars and directions, which required the mandatory linking of Aadhaar for receiving relevant services.

2. Monetization of Citizens’ Data by Government

1. Vehicle-Registration Data

The Issue –
The government sold data of approximately 25 crore vehicle registrations and 15 crore driving licenses (to create the Vahaan and Sarathi Databases), which can be accessed by 87 private companies and 32 government entities.

Government’s Position –
A notification titled “Bulk Data Sharing Policy & Procedure” mentioned that sharing data can “support the transport and automobile industry” in addition to benefiting the country’s economy, and improving services and benefits for citizens.
The Economic Survey 2018-19 also presented a strong defense for sale of data to earn revenue.

Criticism –
No consent was taken from data principals – suggestive of violation of 2017 Puttaswamy Judgment.
Issues of demand for data and benefits from revenue only concern the buyers and sellers of data, not the data principals.
The Motor Vehicles Act has no provisions which enable the use of the data for commercial purposes.

2. Monetizing the Central Welfare Database of Citizens

The Issue –
The 2019 Economic Survey suggested monetizing citizen’s data by creating of a centralized database that would merge all existing data sets maintained by different ministries and departments.
Access to a selected database can be provided to the private sector for a fee.

Government’s Position –
The argument presented was that such a database would streamline the government’s delivery of services and subsidies.

Criticism –
There are flawed assumptions on consent by the state on two accounts – it assumes that the data in its database at present was obtained through consent; and it further assumes that the consent extends to the further use of this data by private entities.
This goes against the Puttaswamy Judgment which recognizes individual’s autonomy over personal information.

3. DNA Technology (Use and Application) Regulation Bill, 2019

The issue –
The Bill allows for creation of indices on crime scenes, suspects, undertrials, offenders, missing persons and unidentified deceased persons.
It provides for national as well as regional DNA database banks. The DNA collection centres have to hand over all data to the national and regional databases.

Criticism –
Issues of consent have been only partially addressed – the final decision in case of refusal lies with the Magistrate.
There is no provision for removing DNA profiles collected for medical or civil cases.
The bill makes provisions for removal of data from the database, but has not made rules for removing profiles from the collection centres, which makes DNA data vulnerable to misuse.

4. Automated Facial-Recognition System

The Issue –
The NCRB has proposed the use of an artificial intelligence technology called neural networks—which establishes patterns and matches—to identify missing and dead persons, and criminals.

Government’s Position –
The records are to be utilized for crime prevention.

Criticism –
No consent; the process amounts to surveillance.
There is a constant danger of misuse of data for surveillance and targeting of individuals other than criminals. Since free speech is bolstered by privacy, this technology will have implications for expression without fear of persecution.

5. Access to Social-media Accounts, 2019

The issue –
Ministry of Higher Education directed students to connect their social media accounts to their respective higher education institutes as well as the ministry of human resource development.
While the students will not be compelled to share their data with the government, it will become mandatory for them to provide access to their personal space with implied consent.

Criticism –
Students’ personal data comes under direct purview of the government.
If used for surveillance, the data can result in quelling student activism, help in identifying activists on campus, lead to moral policing and push students to anonymize their online activities, thereby curbing their freedom of expression.

Recommendations

The crucial observation of privacy as a dynamic concept should define understanding of right to privacy at all levels.
A rights-oriented data protection legislation which includes comprehensive surveillance reform prohibiting mass surveillance and institution of a judicial oversight mechanism for targeted surveillance should be implemented. The legislation should also recognize the principle that the state ought to be a model data controller as it deals with its citizens’ personal information.
There is a need for firm, binding judgments that keep the political executive within clear, limited constitutional boundaries.
Ordinary consumers should be empowered to bring their own lawsuits against the companies that violate their privacy rights.
Companies must not be able to punish consumers for exercising their privacy rights. New legislation should include non-discrimination rules, which forbid companies from denying goods, charging different prices, or providing a different level of quality to users who choose more private options.
Users should have an affirmative “right to know” what personal data companies have gathered about them, where they got it, and with whom these companies have shared it (including the government).
Issues over internet privacy should be addressed at by international organizations keeping in mind the interests of various stakeholders including states, individuals, and private entities.

States should review their own national laws, policies and practices to ensure full conformity with international human rights law