DATA PROTECTION AND RIGHT TO PRIVACY
Updated: Oct 4, 2021
Author: Rahul Matharu, III year of LL.B. from Faculty of law Delhi University.
Digital technology has profoundly changed the way we learn, work communicate and enjoy culture. It has such ubiquitous part of our lives. The role that personal computer play in our lives may be the most dramatic shift in the way most people in industrialized countries lives, work, and interact. Thirty year ago, computer were hobbyist and big business, and now most of us carry in our pocket, however bringing this new device deep into our routine has also provided tool that outside agencies use to watch and record our lives. They can capture nearly every significant decision we make, from when we drive to work to how we pay our bills.
Data Privacy is crucial to protect and support the many freedom and responsibilities that we possess in a democracy. When your privacy is protected, you are free to choose how much of your sensitive information to expose, to whom to expose and how other can use the information. Philosophical such Jhon Locke thought that private information is a type of property, and as with other property, we have the choice about how it can be used and whether to profit from it.
British scholar and law dean Timothy Macklem argues that “isolating shield of privacy enables people to develop and exchange ideas, or to foster and share activities, that the presence or even awareness might stifle. For better and for worse, then privacy is a sponsor to the guardian to the creative and the subversive “
Why someone wants to intrude on your privacy?
Simply because the more he knows about you, the more he can influence your decisions. This ability to influence personal choices need not be so dramatic as to destroy your privacy. For example, a company that knows much about your private choices can influence your future choices. An apparently benign example of this influence is the subtle pull of Amazon’s recommendations after you make a purchase. You bought a book about kite-flying and then you are presented with a list of similar books on the same topic that might appeal to you. Have you considered the new music by that singer whose previous three sets of mp3s are in your collection? Amazon fully expects that it will be rewarded for making these suggestions by your purchase of additional items from its store.”
An entire new field of technology called “Big Data” has appeared on the scene recently. Big Data refers to the practice of companies collecting millions of facts about customers and using those facts to predict trends and develop better sales and marketing strategies.
A store could consider that the technology is simply providing ways to serve its customers better; in reality the store is trying to influence spending decisions by analysing the often-private information they gather about their customers. Others besides government and business are interested in influencing your decisions, and so they learn as much about you as possible. For example, the two major political parties in the United States brag about the sophistication of their “voter-identification efforts,” which dig up information on all registered voters and send propaganda to those voters to influence them on Election Day.”
Right to Privacy in India
In keeping with the general trend of growth of Information technology worldwide, in India there has been tremendous growth in use of Information Technology. The internet user base has increased to 400 million and total broadband subscriber has increased to 12.69 million. Such phenomenal growth in access to information and connectivity has on the one hand empowered individual and on the other hand posed new challenges to government relating to right to privacy.
The recognition of privacy as a fundamental constitutional value is a part of India’s commitment to a global human right regime. Article 51 of the constitution, which forms part of the Directive Principle, require the state to endeavour to foster and respect for international law and treaty obligation.
Article 12 of Universal Declaration of Human Rights, recognises the right to privacy: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
The International Covenant on Civil and Political Rights in its Article 17 provides that ‘No one shall be subjected to an arbitrary and unlawful interference with his/her privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation, and that everyone has right to the protection of the law against such interference or attacks’.
In this regard the Government of India had on 08 May 2013 approved a National Cyber Security Policy whose stated mission to protect information and information infrastructure in in cyber space, build capabilities to prevent and respond to cyber threat, reduce vulnerability.
The Information Technology Act 2000 contain provision to deal with various cyber related offenses as well as protection of privacy of individual.
Section 43 and section 66 of the Information Technology Act, 2000 provides penalty and stringent punishment for hacking of website.
Section 43A of the act, provide compensation to affected person for failure to protect data
The Information Technology (Reasonable Security Practice and Procedure and Sensitive Personal Data or Information) Rules, notified on 11 April 2013 under section 43A of the information Technology Act defines sensitive personal data and reasonable security practice and procedure. The rules require body corporate to provide to provide policy and privacy and disclosure of information (Rule 4), obtain consent of user for collection of information (Rule 5), prior permission is required from provider of information before disclosure of sensitive personal information (section 6)
Section 72 of Information act 2000 provides penalty for breach of confidentiality and privacy
Section 72A of the Act provides punishment for disclosure of information in breach of lawful contact
Judicial Interpretation of Right to privacy
In 2017 in the land mark decision of KS Puttaswamy vs Union of India, Supreme court recognised the privacy of individual as a Fundamental right under the Indian Constitution and highlighted the need for comprehensive privacy legislation. The government of India decided to provide all citizen a unique identity card called Adhar containing 12-digit number. The registration of this card was mandatory as to enable people to file tax return, opening bank account, etc, the registration of card require citizen to give biometrics such as fingerprints.
Retired Justice K.S Puttaswamy filed petition challenging constitutional validly of this Adhar card, contending that there was a violation of right to privacy of the citizen, since the registration of privacy was mandatory. One of the contention was that there was a lack of data protection laws in India and hence, there are chances that private information of people may be leaked if proper care is not taken. It was held that privacy is a constitutionally protected right which not only emerges from guarantee of life and personal liberty in Article 21 of the constitution, but also arises in varying context from other facet of freedom and dignity recognised and guaranteed by the Fundamental Right contained in Part 3 of the Indian constitution.
In National Legal Service Authority vs Union of India 2013, a bench of two judges while dealing with right of transgenders, held that, adverted to international convention acceded to by India including the UDHR and ICCPR. Provision in these convention a protection against arbitrary and unlawful interference with a person’s privacy, family, home and would be read in a manner which harmonize the fundamental right contained in Article 14, 15, 19 and 21 of the constitution.
In Govind vs State of Madhya Pradesh (1975), In this case, the Supreme court confirmed that the right to privacy is a fundamental right. The right was said to include and protect personal intimacies of the home, marriage, motherhood.
Data Protection Bill 2019
The Personal Data Protection Bill 2019 was introduced in Lok Sabha by the Minister of Electronics and Information and Technology by Mr. Ravi Shankar Prasad, on December 11, 2019. The Bill seek to provide protection of personal data of individual. The Bill retains the core structure of the previous draft, which closely adheres to the model provided by GDPR. The Bill include requirement that did not appear in first draft such as an enhanced right to erasure, obligation that attach to anonymous data and specific requirement for social media intermediaries.
The key features of the bill are: -
Right of Individual: The Bill set out certain right of the individual these include the right to (a) to obtain confirmation from the fiduciary on whether their personal data has been processed (b) seek correction of inaccurate, personal data (c) have personal data transferred to any data fiduciary in certain circumstance (d) restrict continuing disclosure of their personal data by a fiduciary, if it is no longer or consent is withdrawn
Prohibition of processing of personal data: Clause 4 of the draft bill seek to prohibit processing of personal data without any specific, clear and lawful purpose. In earlier draft, the concept of reasonable processing was categorically prescribed, which could have resulted in possible processing of data without consent.
Restriction on retention of personal data: Clause 9 of the draft prescribe that the data fiduciary shall not be retain any personal data beyond the period necessary to satisfy the purpose for which it was processed and shall delete the data at the end of processing.
Ground for processing of personal data without consent in certain case: Clause 12 of the draft bill lists out certain cases which provide processing of data without consent. However, if such data meets the criteria of being sensitive data, then such processing can not be done without prior consent.
Processing of data for other reasonable purpose: Clause 14 seeks to provide for the reasonable purpose for which personal data may be processed. One such newly introduced purpose is the operation of search engine.
Obligation of data fiduciary: A data fiduciary is an entity or individual who decide the means and purpose of processing of personal data. Clause 26 seeks to provide for the classification of certain data fiduciaries as significant data fiduciaries, including certain social media intermediaries. Further, clause 26(3) of the Draft Bill details that if the authority is of the opinion that any processing accomplished by any data fiduciary or class of the same carries a significant risk, then it will apply the same obligations as those applicable to a significant data fiduciary.
Social Media intermediaries: The Bill defines social media intermediaries which enable online interaction between user and allow sharing of information. All such intermediaries, whose action can impact electoral democracy or public order, have certain obligation which include providing a voluntary user verification mechanism for user in India.
Offences: Offences under the bill include (a) processing or transferring of personal data in violation of the Bill, punishable with a fine of 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher (b) failure to conduct a data audit, punishable with a fine of five crore rupee or 2% of the annual turnover of the fiduciary, whichever is higher.
Many of our essential liberties from free speech to free assembly, from security in our person to freedom of religion depend on privacy, obscurity and anonymity to reach their full expression. Privacy is important for human dignity, for freedom from coercion, and for true freedom of action, as we all behave differently when we someone is watching us.
Data protection Bill 2019 seeks to provide for protection of personal data of individual, create a framework for processing of data and establishes the data protection authority. The bill provides for certain obligation of data fiduciaries with respect of processing of personal data. Such processing should be subject to certain purpose, the data can be processed for clear and lawful purpose, further Draft bill incorporate important aspect such as consent, reasonable purpose processing of personal data only with consent.