This article has been written by Diva Rai, a student of Symbiosis Law School, Noida.

Introduction

We live in an era when we no longer have to stand in lengthy queues in front of banks for banking services and after putting an online order, we can get any item at our doorstep. That is the information technology boon. With the evolution of the internet and its extension in accessibility, we are seeing a new world where communication, accessibility, sharing of information and transparency are better. But as it is said, there will be some disadvantages for every good. As technology is increasingly developing, so is a rise in its misuse, which is largely inevitable in addition to the increasing use of the internet for exchange of sensitive, private and commercial information.

Several issues are raised: to whom does this information belong? Who will be able to access it? What, if any, are the limitations on the use of this information? The law pays for catch-up as it does in all things technology. Jurists around the globe struggle to combine traditional law ideas and the absurdly invasive moments in which we find ourselves. Several governments demanding and seeking access to information from their people and corporations complicate this stance further. On the other side, what are the privacy limitations? Can information be requested for fundamental services, travel or even advantages from the government? Is national security overriding all privacy issues?

Privacy was a key element of human life at all times. But as more data is digitized and more information is communicated online, more importance is attached to data privacy. Data privacy refers to how to manage data based on its perceived significance. It’s not just a company issue, when it comes to the privacy of their information, people have a lot at stake.

Privacy of Data

“Privacy on the internet? That’s an oxymoron” –Catherine Butler

In nearly everything we do, data surrounds us and is produced. One sort is information that we can willingly share, and the second sort is information that is produced literally whenever we do something–whether it’s traveling, ordering a meal, or using transport. There is no doubt that this information is tremendously important and that several businesses are prepared to pay for access to this information. Indeed, information is the fresh currency in this era of universal and virtually free internet access. What’s even more intriguing is that you don’t know the complete information potential. As technology advances, the value of the information is enhanced by new apps.

Over the past few years, the quantity of information produced by the use of multiple electronic instruments and apps has increased substantially. By evaluating the’ large information, today’s companies derive a significant value and often determine their business strategies based on such assessment. While the business efficiency concerned is not denied, the burning question is – Do people have control over how other people access and process data related to them?

Several issues are raised: to whom does this information belong? Who will be able to access it? What, if any, are the limitations on the use of this information? The law pays for catch-up as it does in all things technology. Jurists around the globe struggle to combine traditional law ideas and the absurdly invasive moments in which we find ourselves. Several governments demanding and seeking access to information from their people and corporations complicate this stance further. On the other side, what are the privacy limitations? Can information be requested for fundamental services, travel or even advantages from the government? Is national security overriding all privacy issues?

Privacy is the right to be left alone or free from character violence or misuse. The right to privacy is the right to be free of unwarranted advertising, to live a secluded life, and to live without unwarranted public interference in matters not necessarily concerned with by the public. 

There’s no new right to privacy. It was a notion of common law, and an invasion of privacy provides the person the right to claim damages based on tort. One of the first cases on the said topic was Semayne’s Case (1604). The case concerned the London Sheriff’s entry into a property to perform a valid writ. Sir Edward Coke, while acknowledging the right of a man to privacy said, “the house of everyone is to him as his castle and fortress, as well for his defence against injury and violence, as for his repose”. In the 19th century, the notion of privacy continued to develop in England and has been well established in the world. The court ruled in the case of Campbell v. MGN3, “There is an intrusion in a situation where a person can reasonably expect his privacy to be respected, that intrusion will be capable of giving rise to liability unless the intrusion can be justified”.

Indian Jurisprudence on Right to Privacy

Article 21 of the Indian Constitution offers that “No person shall be deprived of his life or personal liberty except according to procedure established by law”. The Supreme Court ruled on 24 August 2017 that the right to privacy is a fundamental right guaranteed by Part III of the Indian Constitution. This decision on the legislation and regulations will have far-reaching ramifications. New regulations will now be tested on the same parameters on which the laws that violate personal freedom are tested in accordance with Article 21 of the Indian Constitution. The right to privacy is now unambiguously accessible–its contours and boundaries are the issue that remains exceptional.

India has no extensive data protection and privacy legislation. The current laws and policies are of a sectoral nature in essence. As of now, in addition to other sectoral legislation, the appropriate regulations of the Information Technology Act, 2000 and its regulations govern the collection, processing and use of’ private information’ and’ delicate private data or information by a corporate body in India.

The Supreme Court first regarded whether the ‘right to privacy’ is a basic right in the case of M. P. Sharma and Ors. v Satish Chandra, District Magistrate, Delhi and Ors. where the warrant granted for search and seizure was questioned pursuant to Sections 94 and 96(1) of the Criminal Code of Procedure. The Supreme Court ruled that the search and seizure authority was not contrary to any constitutional provision. The Court also refused to recognize the right to privacy as a basic right guaranteed by India’s Constitution.

Thereafter, in the case of Kharak Singh v State of Uttar Pradesh and Ors. the Court regarded whether it would be an abuse of the right guaranteed under Article 21 of the Constitution of India to monitor an accused’s home visits at night, thus raising the question of whether Article 21 included the right to privacy. The Supreme Court ruled that, in reality, such monitoring was contrary to Article 21. Moreover, the majority judges held that Article 21 did not expressly provide for a provision of privacy, and therefore the right to privacy could not be interpreted as a fundamental right.

Subsequently, in the case of Gobind v State of M.P. Police’s right to housekeeping was questioned to be incompatible with the right to privacy enshrined in Article 21 of the Indian Constitution. The Supreme Court ruled that the laws of the police did not comply with the principle of private liberty and also acknowledged the right to privacy as a basic right guaranteed by the Indian Constitution, but supported the development of the right to privacy on a case-by-case basis and denied it as an absolute right.

This issue was once again raised before the Supreme Court in the case of K. S. Puttaswamy (Retd.) v Union of India, in that case, the Aadhaar Card Scheme was questioned on the ground that the collection and compilation of population and biometric information of citizens of the nation to be used for different reasons infringed the basic right to privacy enshrined in Article 21 of the Indian Constitution. Given the ambiguity surrounding the constitutional status of the right to privacy from previous judicial precedents, the Court referred the matter to a constitutional panel composed of nine (nine) judges.

The Supreme Court ruled that the right to privacy is inherent to the human element and the core of human dignity and is inseparable from it. Accordingly, privacy was kept to have both beneficial and negative content. The adverse content functions as an embargo on the State by intruding into a citizen’s life and private freedom, and its beneficial content imposes a duty on the State to take all needed steps to safeguard the individual’s privacy.

Therefore, the constitutional protection of privacy may give rise to two inter-related protection:

(i) Against the world at large, to be respected by all including the State: the right to choose what personal information is to be released into the public space.

(ii) Against the State: as necessary concomitant of democratic values, limited government and limitation on power of State.

As a consequence of this judgement, the right to privacy has become more than just common law and more solid and sacrosanct than any statutory right. Thus, an invasion of privacy must now be justified in the context of Article 21 of the Constitution on the grounds of a law stipulating a fair, just and sensible procedure.

Current Issues

The Supreme Court set a threefold necessity to interfere with fundamental rights by the state. While the State may intervene to safeguard the lawful interests of the State: 

(a) There must be a law in place to justify an infringement of privacy which is an express requirement of Article 21 of the Constitution; 

(b) The nature and content of the law imposing the limitation must fall within the reasonableness area prescribed by Article 14; and 

(c) The means taken by the legislatures.

Therefore, any regulations aimed at infringing an individual’s right to privacy would have to satisfy the proportionality and reasonableness criterion. It will take a couple of years for jurisprudence to settle momentarily what constitutes sensible and proportionate state interference.

In contrast to today’s consent-based model, it is often asserted that India should embrace rights-based information privacy models. The information controller is free to process, use and share the information with any third party under the consent-based model once the user’s consent has been acquired. However, not many are conscious at the moment of approval of the real effects of indiscreet data sharing. The rights-based model, on the other side, enables consumers to have higher rights over their information while requiring the information controller to guarantee that users’ privileges are not infringed. This results in the customers being more autonomous about their private information.

In the above judgments, the Supreme Court’s judgment empowers Indian citizens to seek judicial relief in the event of infringement of their data privacy rights. This could have an effect on India’s tech companies privacy and security policies. Not only can consumers increase allegations based on torture, they can also invoke their fundamental right to privacy.

Concerns and difficulties 

Nature of data protected by the Indian legislature

Since India lacks an extensive data protection mechanism, the primary act dealing with data protection is the IT Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal information) Rules, 2011. Under the IT Act and the IT Rules, what is primarily intended to be protected are personal data and sensitive personal data or information, i.e. password-related information, financial information such as bank account or credit card or debit card or other payment tool details, physical, physiological and mental health condition, sexual orientation, medical records and history.

The information freely available in the public domain, however, is not considered within the scope of sensitive personal data or information. In addition, the regulations deal only with a corporate body collecting and disseminating data. 

Who can collect the personal data

Rules 5 of the IT Rules stipulate that no corporate body or individual on its behalf shall gather delicate private data or information unless:

(a) The information is obtained for a legitimate purpose related to the function or activity of the corporate body.

(b) It is deemed appropriate to obtain such information for that purpose.

In addition, the person sharing the information must be made aware of the fact that the information is being collected, the purpose for which the information is being collected, the intended recipients of the information, the name and address of the agency collecting the information and the agency retaining the information.

Duration of storing the personal data

Any company or persons holding sensitive personal data or information on their behalf cannot maintain it for longer than is necessary for the reasons for which the information may be legally used or is otherwise needed for the time being under any law and such information may only be used for the purpose for which it is gathered.

Further the body corporate or any person on its behalf collecting the information, prior to the collecting of information, is required to provide an option to the provider of the information to not to provide the data or information sought to be collected. The data supplier has the choice to withdraw its permission provided previously, whenever the services are available or otherwise.

Extend to which personal data can be shared with third parties

The corporate body receiving the information may disclose sensitive personal data or information to any third party, provided that prior authorization has been received from the provider of such information, or such disclosure has been agreed in the contract between the recipient and the information provider, or where disclosure is necessary to comply with a legal obligation.

However, no such approval from the information supplier is needed if the information is shared with government organizations mandated by legislation to acquire information including sensitive private data or information for identity verification purposes, or to prevent, detect, investigate, including cyber occurrences, prosecute, and punish offenses. 

Obligations of employers in relation to the personal data collected of the employees

Employers regularly gather their employees’ sensitive private data such as health records, economic data, etc. If the employer stores such personal information on a computer resource, such employer, if a corporate body is required to have a comprehensive documented information security program and information security policies in place that contain managerial, technical, operational and physical security control measures commensurate with the protected information assets. The employers alternatively can implement ‘the international Standard IS/ISO/IEC 27001 on Information Technology – Security Techniques – Information Security Management System – Requirements’.

Furthermore, in accordance with Rule 4 of the IT Rules, the employer, being a corporate body that gathers, receives, possesses, shops, and employee data, is needed to have a privacy policy in place to handle or distribute such private data. The employer is also required to provide employees with the privacy policy for review and publish the same on their website.

Analysis and Conclusion

From above, it is obvious that the need for the hour is an extensive legislature governing the collection and dissemination of private information. There are no extensive laws governing the handling of private data that are not private data or information that is per se sensitive. WhatsApp Inc. has altered its privacy policy after being acquired by Facebook Inc. and users have been notified that users’ WhatsApp account data will be shared with Facebook to enhance Facebook ads and product experiences, and users have been requested to agree to the updated terms for ongoing use of WhatsApp on or before September 25, 2016. 

In perspective of this growth, Karmanya Singh Sareen and others submitted a written petition before the Delhi High Court arguing that removing the privacy of WhatsApp users’ information and exchanging it with Facebook was in violation of users’ basic freedoms guaranteed by Article 21 of the Constitution.

While deciding on the situation, the Delhi High Court instructed that if users opt to delete the WhatsApp account entirely, WhatsApp will delete user data entirely from its servers and refrain from exchanging user data with Facebook, and as far as users who choose to stay in WhatsApp are concerned, the current information/ data/ details of such users will not be communicated until 25 September 2016. The court also instructed the government to consider whether bringing messaging applications such as WhatsApp under some statutory legislative framework is viable.

Personal information protection is inextricably related to privacy, i.e. every person’s right to enjoy his life and freedom without arbitrary interference with his private life, family, home or correspondence, etc. In contrast to the public, the term private must be grasped. Therefore, in the current obtrusive era of information technology, the right to be let alone and its security is highly essential. Since there is no single law that governs data protection in India comprehensively, it is necessary to derive the legal clauses regulating the same from multiple legislative acts.