This article has been written by Shrikar Vantrapragada, pursuing a Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.
Table of Contents
Introduction
Every individual expects his/her personal space because a person doesn’t usually share and everything with other people. In fact, with the current pace at which people work, nobody really doesn’t want to talk much about their personal life. Every individual expects his/her privacy to be respected, similarly, every person wants their side of the story to be private as far as possible until and unless they agree upon sharing it voluntarily.
Privacy can be defined as the freedom from being under surveillance all the time, or the superpower to isolate themselves or their information from the rest of the world. Privacy can be applicable to all kinds of situations even in cases of the digital world.
Whereas confidentiality can be stated as the personal information shared with a lawyer, physician, or therapists, or any other individual that does not leak any such sensitive information without the prior expressed consent of the individual. The term ‘confidentiality’ is normally used when there is an attorney-client privilege situation.
There are millions of internet users who are connected at the same time, all over the world. The Internet has brought tremendous changes in the world today. However, you never know who you might trigger online, that is when protecting vital, personal information becomes essential. Ironically, there are many people on social media who tend to share their personal lives every single day, not noting the fact that how much they are exposing themselves.
On one hand, confidentiality is a duty of ethics and privacy is a right given in common law. Understanding the difference between the two can spare us a lot of confusion while signing contracts, creating an attorney-client relationship and at times it is good to know your rights at a given situation in hand.
Difference between privacy and confidentiality
BASIS |
PRIVACY |
CONFIDENTIALITY |
Meaning |
The state wherein the person secluded from the public |
A situation of trust, where we expected that the person wouldn’t share the information with any other person. |
Basic understanding |
It is a right to be left alone |
It is a fiduciary relationship between two people to maintain the secrecy of sensitive information and documents. |
Concept |
Restricts access to the public |
Information and documents cannot be accessed without proper authorization. |
Nature |
Privacy is a Right |
Confidentiality is an agreement. |
Applicable to |
Individual(s) |
Information/ documents |
Obligation |
No, it’s the personal preferences of an individual |
Yes, when the information is formal and legal. |
Boundary |
Everyone is forbidden from being involved with the personal matters of an individual. |
Only the people without proper authorization are forbidden from using the information |
Examples |
Medical examination Activities within your home Using a public bathroom |
Doctor-patient relationship Attorney-client privilege Financial institutions – customers. |
How is the privacy and confidentiality of individuals maintained on the internet?
In October 2012, a report was established by a committee of experts on privacy in regards to the internet in India. The committee, led by Justice A.P. Shah, recommended a set of principles for the privacy framework and legislation in India. The report mainly focused on recognizing privacy as a fundamental right and defined Nine National privacy Principles that would be followed by all the data controllers irrespective of them belonging to the private sector or the public sector. The principles laid down by the committee were in adherence to the guidelines given by the global standards which include the EU (European Union), OECD (Organisation for Economic Co-operation and Development), and the APEC (Asia-Pacific economic cooperation) principles on privacy.
The Nine National privacy principles are as follows:
- Notice: A data controller shall provide a simple, understandable notice of their information practices to all individuals. The notice so provided shall be in clear and concise language. The notice shall be provided before any personal information is collected from the individual.
Example: A telecom service provider should first give notice to the individual for the use of their personal information. The notice should provide all the necessary details of the personal information that will be collected from the individual.
2. Choice and consent: The data controller should provide two options to individuals- to opt-in or to opt-out, in regards to providing their personal information. The data controller shall provide notice of the information practices before taking the consent of the individual. Only after taking such consent, the controller can further provide their information to any third party for further processing of their personal information.
Example: In the case of an individual opting for a service, the data provider shall only begin collecting, processing, and utilizing the data only after consent has been taken. In case of a medical emergency, consent before processing the information is not mandatory.
3. Collection limitation: A service provider shall only be allowed to collect a data subject’s data if it is necessary for the purpose of collection. Such a collection can be fulfilled only after a notice has been provided for the same. Such a collection, by all means, should be fair and lawful.
Example: If a bank is collecting information for opening an account for an individual, they should only be collecting the data that is relevant for opening the bank account.
4. Purpose limitation: The personal data collected by the service provider shall only be used for the purpose as stated in the notice after taking the consent for the use of personal information from the individual. If there is a change in the purpose of the data mentioned in the notice, such personal information should be destroyed by the service provider as per the procedures. Retention of data is strictly prohibited by the government in compliance with the National Privacy Principles.
Example: A bank is collecting information from its potential customer for opening a bank account. After the purpose for which the data is collected is fulfilled, any such data shall be destroyed by the bank. The bank can only retain the personal information of an individual for a specific purpose, provided they have the consent from the individual, with the ability for the individual to access and make changes to their information at any given point of time.
5. Access and correction: Any individual shall have the access to the personal information they have provided to the service provider. They shall be able to correct, make changes or delete any such information, in case they wish to do so. The individual shall be able to keep a track of their personal data, they shall be able to check the status of their personal information.
Example: An individual who has opened a bank account shall have the right to access the information that was provided at first, or subsequently generated thereof. If there is an error, he/she shall be able to rectify such an error.
6. Disclosure of information: A service provider shall only pass on personal information to any third party after taking permission and giving clear notice to the data subject. On the role of the third parties, they shall stay within the limits of the privacy principle and respect the personal information of the individual. They shall adhere to rules, such as they were a party to the agreement. The third party is not allowed to publish or in any other manner make the personal information accessible to the public.
Example: Social media platforms or websites such as Facebook/Instagram, which collects our personal information shall not further sell or give our data without our clear and specific consent for the same.
7. Security: The service provider at all costs protects/ secures the personal information collected by them or even the data in their custody, for the purpose of processing. Such data shall be strictly protected from the use of any unauthorized entity.
Example: If a social media platform such as Facebook, leaks the data of its users, with or without their knowledge shall be held liable for any such conduct. The service provider must at all costs prevent any such security breach and claim full responsibility for any such breach of security if in case of a data leak.
8. Openness: A data provider shall make sure that they ensure the maximum measure of necessary steps that need to be implemented or practiced in order to protect the data from being leaked. The data provider needs to ensure that the intensity of their security needs to be as high as the sensitivity of the personal information being collected by them.
Example: If a hospital is collecting and processing personal information of say, 500 patients, their policies and practices must be applied to the amount, sensitivity, and nature of the information they collect.
9. Accountability: The data controller shall make sure that their systems are up to date and in constant check in order to avoid any cyber threat to them. If in case of a breach, they shall claim the whole accountability and will be liable for a breach in their security measures.
Example: In the data leak scandal between Facebook-Cambridge, Facebook took accountability for such a breach and ensured that there were no such errors in the future. This breach caused Facebook to lose 1000s of its users.
Case laws
In India, in recent years, awareness about confidentiality has grown tremendously. There is a very close, vague relationship between the violation of the right to privacy and breach of confidentiality. Breach of confidentiality is directly linked to the violation of the right to privacy.
The Constitution of India does not explicitly guarantee the right to privacy. In fact, the right to privacy is not granted as a constitutional right in any country in the world. The Supreme Court of India has derived the right to privacy using the provisions of Article 21, Article 19(1)(a), and Article 19(1)(g) [Golden triangle of the Constitution] of the Indian Constitution.
The SC defined the relationship between the above-stated articles in the case of Kharak Singh Vs. The state of U.P and others, wherein the plaintiff was arrested on the charges of dacoity but was later released due to lack of evidence. After his release, the state put him under surveillance as a Class A ‘History Sheeter’. He had to report about his whereabouts, whenever he visited any other village. He claimed that after this, he was consistently disturbed by the policemen regularly, who would visit him on a regular basis.
The state took the defense that the restrictions imposed by the police were valid and did not violate any of his freedom, which is stated in the constitution. The state later argued that this was done in order to protect the public at large since he was ‘History Sheeter’.
The court held that regulation 236(b) of the Uttar Pradesh police regulation, which provided for the domiciliary visits was in contradiction to Article 21 of the constitution of India and said that the right to privacy is not a right that is guaranteed under the constitution and hence the attempt to track the movements of a person is a merely a manner of invasion of his privacy and hence it is not an infringement of his fundamental rights.
In another case of breach of confidentiality of data namely, American Express Bank Ltd. Vs. Ms. Priya Puri the defendant was working with the plaintiff as the head of the wealth management program for the plaintiff’s Northern Region. The plaintiff claimed that the defendant, who at the time the suit was filed had quit her job with the plaintiff and joined a competitor bank and used the data collected from the clients of the plaintiff and tried to get them to join the competitor bank. The plaintiff bought a permanent injunction against the defendant in order to restrict her from using the data collected from the plaintiff’s customers.
The defendant claimed that being a relationship manager, she had the access to many names and phone numbers of her potential clients. And this did not constitute a breach of any confidential data. She further claimed that she had obtained the data from directories of various organizations which were accessible to the public.
The court observed that the defendant could not have induced the customers to change their banks by merely having the names and contact numbers of clients as alleged by the plaintiff. And the court stated- “The option of the customers/clients to bank with anyone cannot be curtailed on the plea of confidentiality of their details with any particular bank. Creating a database of the clients/customers and then claiming confidentiality about it, will not permit such a bank to create a monopoly about such customers that even such customers cannot be approached.”
Conclusion
Privacy is still a growing and very important field in India’s internet society. As many companies and organizations collect huge amounts of information from and about the internet users and the government of the country still seeks to get better access and surveillance capabilities, it is very crucial that India prioritizes privacy and it places us in a place where we can strongly protect the privacy of both Indians and foreigners. The first step towards such a change should be a massive change in the privacy legislation recognizing privacy as a fundamental right.
After going through a lot of case laws in various fields of law relating to confidentiality and privacy in the internet regime. I have come to the opinion that the right to privacy is given in our constitution in Article 21 which states the right to life and the right to liberty.
The courts recognize the cases of breach of confidentiality under normal circumstances. In the case of public morality, the right to confidentiality is often revoked. However, I would suggest that the courts in India start to recognize the right to confidentiality separately as in other countries because by doing so, they would also put some light on cases that are not a part of the right to privacy and are subject to claim damages due to the breach of confidentiality alone.
References
- https://www.findlaw.com/criminal/criminal-rights/is-there-a-difference-between-confidentiality-and-privacy.html
- https://keydifferences.com/difference-between-privacy-and-confidentiality.
- https://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-privacy-in-india#fn26
- https://www.ohchr.org/documents/issues/digitalage/a-hrc-27-37_en.doc
- http://www.legalservicesindia.com/article/1541/Confidentiality,-An-Emerging-Tort-In-India.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: