M: 153

Privacy can be defined as a human right enjoyed by every human being by virtue of his existence. The definition of privacy has been interpreted in various ways. According to Article 12 of the Universal Declaration of Human Rights, 1948, and Article 17 of the International Covenant on Civil and Political Rights, 1966, “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”[1] Article 8 of the Charter of Fundamental Rights of the European Union, 2012 mandates protection of personal data and its collection for a specified legitimate purpose, thus referring to the right to privacy.[2]

Earlier privacy was not helmed to be protected under the Constitution of India and was known to be a Common Law right. With the proposal of Aadhaar, the possibility of such personal information being leaked to third parties arose. Thus, the President of the Unique Identification Authority of India (UIDAI) – Nandan Nilekani, who proposed the idea of Aadhaar, also brought up the need of establishing data protection and privacy laws that would prevent misuse of information at the hands of a third party without the individual’s consent.[3]

There was a great deal of conjecture regarding whether the right to privacy was a fundamental right guaranteed by the Indian Constitution or not.  MP Sharma v. Satish Chandra[4] and Kharak Singh v. State of Uttar Pradesh[5] were two landmark cases that held that the Indian Constitution does not specifically protect the right to privacy. On the other hand, in Govind v. State of Madhya Pradesh[6] the Hon’ble Supreme Court assumed that the right to privacy was protected under the Constitution, even though not in the absolute sense. The matter was finally settled by a nine-judge bench of the Supreme Court in the historic judgement of Justice K.S. Puttaswamy (Ret’d) and Anr v. Union of India and Ors[7], wherein it was held that the right to privacy is protected as an intrinsic part of the Right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitutionincluding Articles 14 (Right to Equality), Article 15 (Prohibition of Discrimination) and Article 19 (Right to Freedom).[8]It was a unanimous judgment in which six of the judges including Justice Bobde, Justice Chalemshwar, Justice Chandrachud, Justice Kaul, Justice Nariman and Justice Sapre wrote separate opinions that addressed various issues. Therefore, it was observed that the right to privacy incorporates the right to be left alone, preservation of personal intimacies, sanctity of family life, marriage, procreation, home and sexual orientation, safeguards individual autonomy, bodily integrity and so on. Furthermore, personal choices governing a way of life, protection of heterogeneity and recognition of plurality and diversity of culture are intrinsic to privacy. It is a natural and inalienable right that seeks to protect individuals from the scrutiny of the State, whether inside or outside their homes, over their reproductive choices, choice of partners, food habits and so on. Therefore, any action by the State that results in infringement of the right to privacy is subject to judicial review.[9]With the advent of this ruling, India joined the likes of the United States of America, South Africa, Canada, the United Kingdom and the European Union in recognizing privacy as a fundamental right.[10]

The Hon’ble Supreme Court emphasized the fact that despite being a fundamental right, the right to privacy is not an absolute right, as it is subject to reasonable restrictions that can be imposed by the State in order to safeguard legitimate State interests. It is only in exceptional circumstances that an individual’s right to privacy may be superseded to protect the national interest. According to Section 69 of the Information Technology (IT) Act, 2000, the Central Government has the power to impose reasonable restrictions on the right to privacy and intercept, decrypt or monitor internet traffic or data whenever there is a threat to national integrity, national security, security of the state, and friendly relations with other countries, or to prevent incitement to commission of an offence, or in the interest of public order and decency.[11] The Government was further given the power to block access to various websites under Section 69A of the IT Act. The Central Government had also passed the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 that allows the Secretary in the Home Ministry to permit agencies to intercept or monitor electronic data.[12]

However, there were certain apprehensions regarding the fact that once personal data would be collected it would be at the risk of falling into the hands of private players who could misuse it for personal gains. Justice Chandrachud expressed his concerns by stating- “I don’t want the State to pass on my personal information to some 2,000 service providers who will send me WhatsApp messages offering cosmetics and air conditioners… That is our area of concern. Personal details turn into vital commercial information for private service providers.”[13] While the Supreme Court upheld the Aadhaar-pan linkage and permitted the unique number to be used for government subsidies and schemes, the Ministry of Home Affairs issued an order granting authority to ten central agencies including the Central Bureau of Investigation, the Delhi Commissioner of Police, and the Directorate of Revenue Intelligence, to pry on individual computers, their receipts and transmissions. The order was issued in the exercise of powers conferred to it under sub-section 1 of Section 69 of the Information Technology Act, 2000 (21 of 2000), read with Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009. It authorized the above mentioned intelligence agencies to intercept, monitor and decrypt any information generated, transmitted, received or stored in any computer resource.[14]

Thereafter, the issue raised was whether this amounted to infringement of the right to privacy of the people. Some legal experts were of the opinion that such a measure denied people their right to privacy by hindering their sense of security. Though internal security was the main reason that was given for taking such measures, however general elections being around the corner at the time when the order was issued and the Government’s unquenchable thirst for information that consequently created skepticism within the general populace as to whether the information on their social media accounts is really encrypted or not, were also speculated. Moreover, privacy policies formulated by websites tend to be “take it or leave it” affairs, leaving the user in a dilemma of completely surrendering his privacy or not being permitted to use that application at all. While technically such user consent does constitute “informed consent”, it is extracted without leaving the user much room in terms of choice.[15] Such cloak and dagger surveillance is not only a threat to our country’s democracy but also poses a possibility that India may soon adopt the character of a police state with bureaucrats having access to personal information of almost every citizen.

Such apprehensions are not just limited to India as it is a worldwide concern. In 2014, reports of illicit surveillance had emerged after the disreputable whistleblower, Edward Snowden’s revelation that USA’s National Security Agencies were spying on people through their social media activities.[16] Now, one may dismiss such actions as a violation of the right to privacy but a question that raises is that if by monitoring and keeping a constant check on the suspicious activities of some people, even one terrorist attack or tragedy can be avoided, what is there to lose? A number of past terror attacks were reportedly planned and executed through electronic devices, which if timely monitored, could have been prevented and innocent lives would have been saved. 

Having said that, fake news and illegal activities such as cyber terrorism, cyber stalking, phishing, malware, and child pornography are on the rise.[17] In the advent of such issues, the importance to conduct surveillance cannot be overlooked. The infamous Cambridge Analytica case of 2018 is an unambiguous example of how valuable personal data can be misused by private parties for their personal and political gain. In this case, Facebook and London-based elections consultancy firm – Cambridge Analytica were under scrutiny for having improperly acquired personal data of over 50 million Facebook users in order to influence 2016 U.S. Presidential elections and the Brexit vote. Having accepted the breach of trust and violation of privacy, Mark Zuckerberg pledged that he would not allow third-party app developers to access its users’ data and would also reduce the amount of personal information that people are required to hand over to the third parties.[18] Such cases underscore the need to prevent personal data from falling into the wrong hands. In fact, Social media giants like Facebook, Twitter, Google and YouTube have pledged to reduce fake news on their respective platforms.[19]

In 2019, a petition had been filed by the People’s Union for Civil Liberties (PUCL) seeking safeguards and judicial oversight of government surveillance. It had further challenged Section 69 of the Information Technology Act, 2000 along with the Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009, as well as Section 5(2) of the Indian Telegraph Act, 1885, read with rule 419-A of the Indian Telegraph rules. The petition contended that any order for phone tapping should be sanctioned by the judicial authority to safeguard arbitrary and politically motivated decisions.[20] In People’s Union for Civil Liberties (PUCL) v. Union of India[21] , the Supreme Court had set rules for the judicious exercise of surveillance and interception in phone tapping cases. The same fundamental principles should hold good in cyberspace as well.

It is pertinent to mention that there have been instances in the past where official websites and accounts of corporations and government organizations have been hacked by anonymous groups. As per information reported to and tracked by the Indian Computer Emergency Response Team, 172 and 105 government websites, which includes 74 and 31 websites hosted on NICNET managed by National Informatics Centre (NIC) were hacked during the year 2017 and 2018, respectively. [22]  Under such circumstances, the concern of confidential and vital information being hacked from government agencies is justified. This is a matter of concern among individuals as well, who may not even know when their electronic communications are being monitored. If they do become aware of such surveillance due to the obligation to maintain confidentiality and encryption, they would not be able to ascertain the rationale for such surveillance, thus making surveillance provisions prone to misuse.

Therefore, the Government of India should enhance accountability and exercise reasonable checks and balances while exercising its’ surveillance powers. The Intermediary Rules of 2011 will have to be implemented on the grounds of fairness, reasonableness and judicious exercise of powers because if such information gets leaked to a third party, then there is not much that the Government will be able to do to prevent greater damage.

It is vital to understand the importance of data privacy which can be described as the appropriate use and storage of data. The need for data protection laws was realized worldwide with escalating instances of online crime including identity theft, cyber stalking, hacking, cyber bullying, e-commerce fraud and so on. Data Protection refers to the set of privacy laws, policies and procedures that aim to minimize intrusion into one’s privacy caused by the collection, storage and dissemination of personal data.[23]  Personal data includes such information that can be used to identify an individual from the information collected by a private organization, agency or even the Government. The Information Technology Act, 2000 lays down certain rules, penalties including punishment or compensation for mishandling or wrongfully disseminating personal data. For example, Section 43A of the Information Technology Act, 2000 states that if a corporate body is proven to be negligent in maintaining or exercising reasonable security practices while dealing or handling any sensitive personal data, such a body may be held liable to pay the prescribed damages to that individual. There is no upper limit for the amount of compensation that a corporate body may be liable to pay for such an act of callousness. The government also plans to revamp the IT act in order to cater to the rising cyber crimes in the country.[24]

Despite such measures, there have been copious reports intimating violation of right to privacy in various parts of the world. With a plethora of social media platforms and online applications, more and more individuals are falling prey to cyber crimes by voluntarily disclosing personal information without realizing the repercussions of their actions. Widespread hacking and the compromising of user accounts across social media platforms have raised fears that the largest internet giants, prominently social networks, maybe mining user information and selling them to third party entities to generate revenue and to promulgate targeted advertising.Furthermore, it must be noted that the current data privacy laws of India are not applicable to entities situated abroad. This means that the personal data of individuals that are collected and stored by major social media platforms like Facebook, Twitter and Google, on servers and databanks situated abroad would not fall within the jurisdiction of India. This seems to be rather unsettling and calls for stringent legislation aimed at protecting the personal data of individuals at an international level.

Data Security Council of India (DSCI), NASSCOM and other such primary bodies of the IT industry have repeatedly emphasized the need for strict data privacy and protection laws in India. The Hon’ble Supreme Court further underscored the need to enact comprehensive legislation on privacy in order to prevent ambiguities. Finally, a ten-member expert committee with retired Supreme Court judge, Justice B.N Srikrishna as the chairman, submitted a draft of the Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology. According to the draft bill ‘Personal Data’ means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information.[25] The committee made several recommendations including jurisdiction of processing personal data, setting up an independent regulatory body for enforcing the data protection law and heavy penalties for violating this law, among other clauses. Moreover, this draft bill is expected to apply to data collected by private and government entities in India.[26]

The Bill proposes to make it mandatory for users to give their explicit consent to allow the sharing of their personal data. Moreover, Indian citizens and internet users shall have the last word in determining the purpose and mode of using their personal data. They would also have the option of withdrawing their consent or exercising their ‘right to be forgotten’. In case of personal data being collected by organizations outside India, a copy of the data must be stored in India, while critical personal data shall be kept at the local level, although there is lack of clarity over what constitutes ‘critical personal information’. Such guidelines are aimed at ensuring that personal data is processed in a fair and reasonable manner.  Another recommendation made by the Committee requires huge data processing companies to register themselves with the Data Protection Authority as data fiduciaries. A ‘data fiduciary’ includes any individual, company, juristic entity or even the State that determines the means and purpose of personal data. On the other hand, ‘data principal’refers to the natural person, such as an individual, a Hindu undivided family, a company, a firm, the state, an association of persons or a body of individuals and every artificial judicial person. ‘Data processor’ means any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary.[27] The Bill shall be applicable not only to private individuals and corporations but also to public authorities including Government agencies and State entities. However, this Bill does not preclude the Aadhaar scheme to have access to people’s personal data for providing social welfare benefits. Furthermore, processing of personal data to prosecute, prevent or investigate the occurrence of an offence or contravention of law shall be permitted as long as it is authorized by a law made by the Parliament and State Legislature. Legal experts are of the view that the Bill borrows significantly from the recently implemented General Data Protection Regulation (GDPR) in Europe.[28] Even though the Personal Data Protection Bill, 2018 has certain ambiguities, it has been very much required to protect the citizens of India and safeguard national interest.

There is no doubt that the Supreme Court’s decision to explicitly declare the right to privacy as a fundamental right was a major breakthrough for our country. However, it also implies that the State has the responsibility of ensuring that this right is not violated or misused in any way that could harm the citizens or pose a peril to the security of the nation. Therefore, proper safeguards need to be instituted for safeguarding the constitutionally guaranteed right to privacy.

[1] The Universal Declaration of Human Rights, 1948, and the International Covenant on Civil and Political Rights, 1966, available at: https://privacy.sflc.in/universal/ (last visited on February 28, 2020).

[2] The Charter of Fundamental Rights of the European Union, 2012, available at: https://www.europarl.europa.eu/charter/pdf/text_en.pdf (last visited on February 28, 2020)

[3] Anirban Sen, “Law on privacy, data protection should apply to everyone, says Nandan Nilekani”, Livemint, July 25, 2018.

[4] 1954 AIR 300

[5] 1963 AIR 1295

[6] AIR 1975 SC 1378

[7] (2017) 10 SCC 1

[8] Ibid

[9] “Supreme Court Declares Right to Privacy a Fundamental Right”, available at: http://www.mondaq.com/india/x/625192/Data+Protection+Privacy/Supreme+Court+Declares+Right+To+Privacy+A+Fundamental+Right (last visited on February 15, 2020)

[10] One India staff writer, “How other countries look at right to privacy”, OneIndia, August 24, 2017

[11] The Information Technology Act, 2000, s. 69

[12] “Government allows 1o central agencies to monitor, decrypt any computer data”, available at: https://www.bloombergquint.com/politics/government-allows-10-central-agencies-to-monitor-decrypt-any-computer-data (last visited on January 29, 2020)

[13] Supra note 7

[14] “All computers can now be monitored by government agencies”, The Hindu, December 21, 2018

[15] “Right To Privacy: The Next Step Supreme Court On Data Privacy On Social Media”, available at http://www.mondaq.com/india/x/636306/data+protection/Right+To+Privacy+The+Next+Step+Supreme+Court+On+Data+Privacy+On+Social+Media (last visited on January 31, 2020)

[16] Paul Szoldra, “This is everything Edward Snowden revealed in one year of unprecedented top-secret leaks”, Business Insider India, September 16, 2016

[17] “7 biggest privacy threats”, available at: https://www.pocket-lint.com/apps/news/143404-7-biggest-privacy-threats-online (last visited on January 31, 2020)

[18] Julia Carrie Wong, “The Cambridge Analytica scandal changed the world- but it didn’t change Facebook”, The Guardian, March 18, 2019

[19] Natalia Drozdiak, “Google, Twitter and Facebook agree to fight fake news in the EU”, Bloomberg, September    26, 2018

[20] “People’s Union for Civil Liberties (PUCL) PIL Challenging Surveillance Powers Under The Telegraph And IT Act admitted by Supreme Court”, available at: https://inbaviewpoint.org/peoples-union-for-civil-liberties-pucl-pil-challenging-surveillance-powers-under-the-telegraph-and-it-act-admitted-by-supreme-court/ (last visited on February 20, 2020)

[21] (1997) 1 SCC 301

[22] “Over 100 government websites hacked during January-November 2018, says IT ministry”, Hindustan Times, December 19, 2018

[23] “Data Protection Laws In India – Everything You Must Know”, available at http://www.mondaq.com/india/x/655034/data+protection/Data+Protection+Laws+in+India (last visited on February 27, 2020)

[24]Centre to revamp IT act”, The Hindu, February 26, 2020

[25] “The Personal Data Protection Bill, 2018” available at http://www.mondaq.com/india/x/750792/Data+Protection+Privacy/The+Personal+Data+Protection+Bill+2018 (last visited on February 29, 2020)

[26] “India Finally Has A Data Privacy Framework – What Does It Mean For Its Billion-Dollar Tech Industry?”

available at https://www.forbes.com/sites/sindhujabalaji/2018/08/03/india-finally-has-a-data-privacy-framework-what-does-it-mean-for-its-billion-dollar-tech-industry/#46550b6270fe (last visited on February 29, 2020)

[27] Supra note 22

[28] Supra note 23