The right to control information and access to one’s body is a basic concept of privacy. Beyond this, there are many dimensions to privacy that are present in every society, and derived from a relationship between individuals and persons or entities, which include personal, cultural, business, governmental, technological, and familial dimensions. Embedded in the relationship between individuals and an entities or persons is the recognition that one’s data are valuable. The importance of privacy over one’s data has moved into the spotlight with the advent and increasing penetration of technology into societies. As technology has penetrated societies, cultures have been changed by the increase in communication, speed and transfer of information, and access to information by individuals and about individuals. According to the Department of Information and Technology in India, information technologies have created a level playing field among nations and have made positive impacts on the lives of millions who are poor, marginalized, and living in rural and far-flung topographies. In a policy Paper on privacy in India drawn up in 2009, the Data Security Council of India outlined the cultural shifts that India has gone through in the recent years. In the opinion of Sudhir Krishnaswamy, law Professor at the National Law School of India University, “traditionally India has always had a highly developed sense of status and sense of personal privacy; topics such as sex, family, and moral failings have been carefully protected from the public eye.” Economic growth and the spread of the Internet have worked to move the country toward urbanization, which has led to a greater sense of individualism and awareness of personal rights.
This heightened awareness of personal rights has accompanied a parallel movement of increasing significance of the IT sector. The IT sector in India currently employs 2.2 million professionals directly and another 8 million people indirectly. Technology and the Internet, the use of social networks, the introduction of mobile phones, global trade, etc have had a dual effect of loosening the sense of internal personal privacy as people expose more and more of their lives to others through the Internet, and at the same time has heightened the risk of privacy violations in India, because individuals are constantly leaving a trail of personal data.
Lawrence Friedman, a Professor at Stanford University, once said “Technology changes our world, and what changes our world, changes our law”. As Indian culture has shifted in the context of technology, it is important to ask as to how the data flow and data transfer are challenging the traditional Indian understandings of boundaries in a global, national, and individual self? Is the same thing happening for everyone? Or are some people in some nations affected differently than others? And in this context, how should privacy be recognized and protected in Indian society? To adequately address these questions, privacy must first be reflected in the organs of the law. Only at that point can privacy evolve from an emotional or intellectual response into a right. Protecting a right to privacy means that the law protects information from encroachment and offers remedies against persons who access, steal, infringe upon or misuse a person’s personal information and/or the data that a person generates. Currently, India does not recognise the right to privacy in its Constitution; nor does it have a distinct body of privacy law. This is not to say, however, that India has not recognized the right to privacy, or that privacy is not protected in other legislations, such as the Telegraph Act, the Indian Penal Code 1860, and the Information Technology Act 2000. It is, but the fact that it is protected in disparate places makes finding a strong cultural understanding of and protection for privacy a difficult thread to trace in Indian law, and thus in Indian society as well.
Though India does not directly legislate the parameters of an individual’s right to privacy, there have been many judicial rulings that have read Article 21 and Article 19 as justification to protect the common citizen’s right to privacy. Article 21 reads: “no person shall be deprived of his life or personal liberty except according to procedures established by the law.” Article 19 protects privacy in the context of defamation, decency, and morality by protecting the fundamental rights of freedom of speech and expression relating to (i) defamation; (ii) contempt of court; (iii) decency or morality; (iv) security of the State; (v) friendly relation with foreign states; (vi) incitement to an offence; (vii) public order; and (viii) maintenance of the sovereignty and integrity of India (refer to Articles 19 and 21, Constitution of India). For instance, an important case in Indian law is Kharak Singh v. State of Uttar Pradesh (reported as AIR 1963 1295), in which the courts concluded that Article 21 includes the “right to privacy” as a part of the right to “protection of life and personal liberty.” The Court equated “personal liberty” with “privacy” and observed that “the concept of liberty in Article 21” was comprehensive enough to include privacy, and that a person’s house where he lives with his family is his “castle” and that nothing is more demeaning to a man’s physical happiness and health than a premeditated interference with his privacy.
Stanly Mcgovern Masters of Political Science and Public Policy, University of California (Los Angeles)
The greatest challenge to privacy in America is fear – I see privacy as an inherent right that is not just government mandated. It is essentially a human right. The challenges of the modern world in terms of security have put these privacy rights, and these very human values in question. The Constitution only puts a legal structure to what is an essential human right. Making privacy the culprit for security issues is shortsighted.”
Though India does not directly legislate the parameters of an individual’s right to privacy, there have been many judicial rulings that have read Article 21 and Article 19 as justification to protect the common citizen’s right to privacy.
Frequently, privacy has been melded together with the concept of data protection. This is a mistake, because they are two separate concepts despite the fact that they are inter-related. But often countries use the terms inter-changeably, perhaps because often countries do not read privacy into their constitutions, but instead focus on creating data protection policies – a signal that globally the Internet is the driving force in creating concerns about privacy. The most common breach in personal data is identity theft, but data breach extends to invasive telemarketing calls, wiretapping and monitoring, phishing, cyber terrorism, IPR violations (encompassing software piracy, copyright infringement, trademark violations, patent violations), cyber-squatting, credit card fraud, forgery, pornography, banking/credit card-related crimes, sale or purchase of illegal Articles, cyber-stalking etc. To pull apart the two concepts of privacy and data protection it helps to look at the differences in their restrictions. A report on “Privacy, Data-Gathering Technologies, and Human Rights” compiled by the International Council on Human Rights Policy draws the distinction by saying that privacy rules are concerned with tools that impose limits on power, which are prohibitive in nature and implemented judicially, while data protection rules are concerned with transparency and are oriented toward the control and channeling of legitimate power. These rules are procedural and regulatory, and are more readily enforced administratively rather than judicially.
In India, data protection falls under the Information Technology Act 2000 (ITA). The ITA focuses on protecting personal data in computer systems and places data protection in the hands of the Central Government. The legislation is based on United Nations’ Model Law on Electronic Commerce, which was earlier adopted by the United Nations Commission on International Trade Law (UNCITRAL). In ‘The White Paper on Privacy Protection in India’, Vakul Sharma describes the creation of the ITA as “a means to facilitate the development of a secure regulatory environment for electronic commerce by providing a legal infrastructure governing electronic contracting, security, and integrity of electronic transaction; to enable the use of digital signatures in the authentication of electronic records; and to showcase India’s growing IT prowess and the role of the Government in safeguarding and promoting the IT sector and attracting Foreign Direct Investment”. This statement shows that India has developed data protection laws as a means to combat the challenges posed by digital technologies and to create a safe environment in order to protect the interests of industry, as well as the people who will be using the technologies developed by the industry.
Though the ITA does enforce a level of data protection, it is far from flawless. The ITA in many ways falls short of international standards and data protections enacted in other countries in the world (refer Malavika Jayaram, Civil Liberties and the Amended Information Technology Act, 2000). For instance, it lacks in the following:
Returning to the question asked in the beginning of this Article– how is a changing culture impacting individuals and how does this in turn impact policy, the ITA is proof that the Internet has changed India. But it is important to recognize that due to India’s vast extremes between wealth and poverty, the use of data through technology has at the same time created a form of informational asymmetry. In a 2010 report on the Indian online landscape, it was found that there are 51 million active Internet users in India, 40 million of whom are urban, and 11 million of whom are rural. Thus, while the Internet is empowering, most of the rural populace does not have access to the Internet, or the knowledge of how to control data, or access to training to gain that knowledge. Thus, a relationship is created with where personal data are held in the private hands of a few, and protection is afforded to only those who are aware of their rights. Asymmetries that exist need to be considered during the implementation and enforcement of any policy, because even though privacy is a concern of every individual, understanding what is a violation and access to redress is frequently limited to the elite.
The exclusion of privacy protection to only those who are aware of their rights, or the formal recognition of privacy in a legal system is not a challenge faced only by India. Globally, privacy has been a challenge in many countries, and even now it has an uncertain status in many parts of the world. The two most popular schools of thought on privacy originate from the United States – which takes a sectoral approach to privacy – and Europe – which takes a more comprehensive approach to privacy. In the United States, privacy is protected under the Fourth Amendment of the U.S Constitution, which says “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures shall not be violated.” The US has a very clear history on privacy protection, with frequent reference being made to an 1890 Article by Samuel Warren and Louis Brandeis as the initial articulation of it. In 1928, the Supreme Court adopted their position on privacy in the renowned case of Olmstead vs. United States. The essence of Brandeis’s famously broad construction was that privacy rights extend beyond property alone. Many important cases such as Roe vs. Wade built on this foundation to establish the understanding of privacy in America today (refer Westby, Jody International Guide to Privacy, American Bar Association, 2006, pp 30-45).
It is important to note that America has two distinct understandings that contribute to their definition of privacy: (i) the protection of private freedoms entail state non-interference in the economy; and (ii) the protection of private freedom means a “mans house is his fortress.” These understandings are reflected in the sectoral approach that the states have implemented to protect privacy. According to the International Guide to Privacy, compiled by the American Bar Association in 2004, two (conflicting) themes are shaping the development of privacy law at the state level, viz, the ever-increasing impact of the electronic age on personal privacy; and the struggle to enhance security, especially following the terrorist attacks on September 11, 2001. These themes and understandings have led to important privacy legislations including the Privacy Act of 1974; Gramm Leach Bliley Act (regulating the use of personal information in the financial sector); the Health Information Portability and Accountability Act (regulating the use of personal information in the health sector); and the Patriot Act (protecting the National Security of the United States by increasing law enforcement’s ability to search telephone, e-mail communications, medical, financial, and other records with ease) (refer Westby, Jody International Guide to Privacy, American Bar Association, 2006, pp 45-48). The American justice system also recognizes four types of privacy torts, ie, false light, public disclosure of private facts, appropriation for commercial gain, and intrusion on an individual’s private affairs.
In contrast to the United States, Europe views privacy as a fundamental right, which it protects through a comprehensive privacy policy. The right to privacy is found under Articles 7 and 8 of the European Convention on Human Rights and Fundamental Freedoms. This Convention provides that everyone has the right of privacy to his private and family life, his home and his correspondence, and there shall be no interference by a public authority with the exercise of this right, except such as is in accordance with the law and is necessary in a democratic society, or in the interests of national security, public safety, or the economic well-being of the country, or for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. Data in the EU, and flowing across EU borders, falls under the protection of the European Directive, which imposes uniform principles across member states, and aims, through international agreements, to secure acceptance of the same principles across the world. Though this is beneficial on one level, a challenge faced by the EU is that it is one entity, but it is comprised of different entities. Thus, when enforcing privacy, questions of jurisdiction and sovereignty are raised. If a country is not EU-compliant, it is not allowed to transfer data in or out of the EU. This poses a problem for the states, as well as for other countries which are not members, because data transfer must be negotiated contractually. As of this date, India, like the US, is not compliant with the EU directive. Nonetheless, technology, increase in trade, and the strength and comprehensive nature of the EU directive have convinced many countries to become EU compliant.
The fact that India is not EU-compliant brings to light the challenges that the world is facing today in terms of privacy. Cultures have varying understandings, interpretations, and protections of privacy – and yet cultures are in relationship with one another constantly via the Internet and global trade. How does one protect and represent the varying shades and colors of privacy? In other words, how can India address what its citizens need and at the same time protect India’s access to global transactions for its individuals and companies? A person breaking into a house is a basic violation of someone’s privacy and personal freedom that can be readily addressed through standard law enforcement mechanisms. But today violations of privacy have moved beyond one’s house, to one’s computer, to one’s account (which may or may not be “located” in the same country as the person), and a number of other variations. And some encroachments on privacy may be viewed as violations by some but not by others. For instance, if one is interacting on the Internet and a search engine feeds that person advertisements based on his searches, is this a violation of privacy because the search engine has essentially placed that person in a context without his consent?
India needs to address these questions, and the best place to start is through the creation of a comprehensive legislation that addresses privacy as a right, taking into consideration sectoral, institutional, and individual needs. A law in itself, though, is not enough in itself to protect privacy, because in the present age laws are constantly manipulated by interest groups such as the government or large corporations. In order to protect privacy as a basic right that confers dignity there must be adequate oversight from judicial/civil watchdog groups to bring understanding, initiate dialogue, and place the law into the larger context of the individual and institutional obstacles faced in the present world.
Kanu Priya Associate, Lall & Sethi Advocates, New Delhi
Data is the lowest level of abstraction, information is the next level, and finally, knowledge is the highest level among all three. “Data theft” is a term used when any information in the form of data is copied from another individual without his knowledge or consent. The Personal Data Protection Bill was introduced in the Rajya Sabha in the year 2006, the underlying objective being the protection of personal information to ensure that personal information of an individual collected for a particular purpose should be used for that particular purpose only and is not revealed to others for commercial or other purposes. However, we await its enforcement.
The Apex Court, in Kharak Singh vs. State of UP [AIR 1963 SC 1295] read the Right of Privacy to be within the ambit of Article 21 and construed it as a fundamental right. The Court had famously observed that, “the concept of liberty in Article 21 was comprehensive enough to include privacy and that a person’s house, where he lives with his family is his ‘castle’ and that nothing is more deleterious to a man’s physical happiness and health than a calculated interference with his privacy”.
The newly introduced Credit Information Companies (Regulation) Act, 2005 also contains certain provisions ensuring data protection but the scope, to my mind, is limited. It only imposes duties on credit information companies, credit institutions and specified users while processing credit information. India is not only a land of outsourcing industry, but also one of the major IT hubs in the world. The need of the hour is to pass the Personal Data Protection Bill and enforce it as a statute and also include all such issues within its ambit so as to meet the international standards of protection of civil rights.
www.grandmasters.in | 8 Years & Counting
www.rcls.in | 8 Years & Counting
www.itlegalsummit.com | 8 Years & Counting
www.bfls.in | 8 Years & Counting
www.maels.in | 8 Years & Counting
www.plcs.co.in | 8 Years & Counting
Copyright © 2020 Lex Witness - India's 1st Magazine on Legal & Corporate Affairs Rights of Admission Reserved
