The concept of Privacy dates back to the dawn of human civilization. However, the idea of Privacy is difficult to grasp. The term “Privacy” has taken on a variety of meanings for different academics, and those definitions shift as society itself does. It is possible to trace back its history by looking at arguments in the Constituent Assembly, when Privacy and secrecy were debated. It is clear from the debates in the Constituent Assembly that the Right to Privacy was purposefully omitted from the Constitution. Legislators’ motivations for doing this remain a mystery. Post-independence India’s Constitution does not explicitly acknowledge the Right to Privacy, but precedents in the courts have allowed it to develop. it was acknowledged for the first time. The “Indian Evidence Act, the Information Technology Act, the Indian Penal Code, Criminal Law, Indian Telegraph Act, Indian Easement Act, and Family Law” are all examples of legislation that include provisions that pertain to Privacy. In this article, we’ve explored these Laws in great length. There are many different types of Privacy that have developed through time: the Privacy of one’s physical space, one’s bodily identity and information, and the Privacy of one’s personal preferences. And this Right is even more important to safeguard in the digital age we live in today. There has been some discussion over the impact of social media on Privacy Rights in today’s digital age. To that end, we’ll take a close look at the Laws in place to safeguard individuals’ Privacy, and whether or not they go far enough to address concerns like invasions of Privacy, which are protected by Article 21.
Definition of Privacy Rights
When discussing its definition, the term “Privacy” is difficult to comprehend. It has been interpreted in several ways. “Right to Privacy,” according to Black’s Law Dictionary, includes “various Rights recognized as inherent in the concept of ordered liberty.” These freedoms protect people’s Right to fundamentally choose how they want to live their lives and interact with their families, other people, and their interpersonal connections and activities. It’s also been said that Privacy is about a person’s Lawful claim to decide how much of himself he wants to disclose with others, as well as his control over when, where, and under what conditions he does so. It refers to his unrestricted ability to engage or not participate in whatever way he chooses. It also refers to the freedom of the individual to decide what information about him or her is made public; he or she is the exclusive owner of that information. A person’s “Right to be left alone,” on the other hand, signifies that he or she is entitled to Privacy. All the Rights that have been recognized as inherent in the idea of ordered liberty fall under the umbrella phrase “Right to Privacy.” Freedom of assembly and free speech may be seen as essential components of the Right to Privacy, since they allow people to do both.
In R. Rajgopal v State of T.N[3], the Apex recognized a person’s Right to safeguard his Privacy in a plethora of matters. In PUCL v UOI[4], the Right to Privacy was recognized in the light of Article 17 of ICCPR and Article 12 of UDHR. In Ram Jethmalani v UOI[5], the SC recognized the Right to Privacy as an integral part of Article 21. The Right to Privacy is a fundamental Right covered within the ambit of Right to life and personal liberty under Article 21 which can be curtailed via procedure established by Law which is just, fair and reasonable as laid down in Maneka Gandhi v UOI[6]. In State of Maharashtra v Bharat Shanti Lal Shah[7], the Supreme Court laid down that the Right to Privacy can be curtailed in accordance with the procedure validly established by Law. In Govind v. State of MP[8], it was held that the fundamental Right explicitly guaranteed to a citizen has plethora of zones and that the Right to Privacy is itself a fundamental Right , and it must be subject to restriction on the basis of compelling public interests. From all the case Laws discussed, it is clear that the Indian judiciary has developed the concept of Privacy as a wide term. Privacy is to be understood in a wide sense- it includes bodily autonomy, making choices in matters understood as being personal and off course one’s personal information. Being encompassed within the limit of Article 21, Right to Privacy can be curtailed only in exceptional circumstances that is in lieu of compelling state interest and if it fulfills the benchmark of proportionality test laid in the Puttaswamy judgment.
A 9-j Supreme Court bench in Justice K.S. Puttaswamy v. UOI[9], stated that “the Right to Privacy” is an essential component of our Constitution. One may be forgiven for wondering why a bench of nine judges was tasked with deciding whether or not the “Right to Privacy” falls within Art 21 of our Constitution. In 2017, a 5 Judges bench of Supreme Court made the announcement that they wanted a 9 Judges panel to first assess whether “the Right to Privacy” is a fundamental Right before deciding on the primary issue regarding Aadhaar. The case that included the Aadhaar card and “Right to Privacy” was being considered by the court. The A.G. in Aadhaar matter stated that even though previous rulings had acknowledged the “Right to Privacy”, they did not explicitly recognize it like in Kharak Singh[10] and M P Sharma rulings[11]. As a result, a 9 Judges bench must be constituted to analyze whether “the Right to Privacy” qualifies as a basic freedom. A flurry of Legislative initiatives to pass Personal Data Protection Laws were triggered by the Supreme Courts broad interpretation.
The sharing or receiving of personal information in spoken, writing, or electronic form is not protected by a stand-alone legislation in India. Although there are safeguards, they are spread over a variety of Laws, regulations, and policies. IT (Amendment Act of 2008) and IT (Sensitive Personal Data or Information) Rules of 2011 include the most significant clauses. For online trade and cybercrime, this is India’s most important Law in the country. Because of their name, SPDI Rules only cover Data and information sent electronically; they do not cover Data and information obtained via non-digital methods.[12] All rules and regulations pertaining to the IT Act, 2000 were devoid of the safeguards and restrictions necessary to secure sensitive personal information submitted electronically when it first went into effect on October 17, 2000. The Information Technology Bill, 2006 was finally introduced as a result, and the IT (Amendment) Act, 2008 followed, with its provisions taking effect on Oct 27, 2009. It inserted Sec 43A in IT Act, as per which, if: “a corporate body possesses or deals with any sensitive personal Data or information, and is negligent in maintaining reasonable security to protect such Data or information, which thereby causes wrongful loss or wrongful gain to any person, then such body corporate shall be liable to pay damages to the person(s) so affected.” Also Sec 72A, as per which: “the punishment for disclosure of information in breach of Lawful contract and any person may be punished with imprisonment for a term not exceeding three years, or with a fine not exceeding up to five lakh rupees, or with both, in case disclosure of the information is made in breach of Lawful contract.” Punishment for it is stated in Sec 72. It says that: “any person who, in pursuance of any of the powers conferred under the IT Act Rules or Regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned, discloses such electronic record, book, register, correspondence, information, document or other material to any other person, shall be punishable with imprisonment for a term which may extend to two years, or with fine which may extend to Rs 1,00,000, (approx. US$ 3,000) or with both.” Anyone who commits an offense or violation outside of India shall be held to the same standards as anyone who commits an offense or violation in India. This is stated in Section 75 of the Act. The IT Act and Rules’ reach and breadth, however, are constrained. Most of the rules only cover “sensitive personal Data and information” that is gathered using “computer resources.” Only a tiny portion of the restrictions may be enforced by consumers, and the provisions are only applicable to business organizations that carry out automated Data processing. Data localization is not covered, which was the main worry and the basis for the Indian government’s decision to prohibit Chinese applications. India need a thorough Data Privacy legislation to overcome these restrictions.
In UK, the Data Protection Act, 2018 regulates as to how one’s personal information is to be used by organizations and the government. The Data Protection Act, 2018 is United Kingdom’s extension of the General Data Protection Regulation (GDPR) which is followed in all member countries of the EU. All liable for using personal Data must obey specific guidelines called ‘principles of Data security’. They must make sure that the Data is:[13]
One is enabled to be acquainted with what knowledge the government and other institutions keep on one as per the Data Security Act , 2018.[14]
These includes the Right to:
One gets some sort of Protection if an agency utilizes his or her personal details for:
Quite surprisingly, it is noted that United States has no Data Protection Laws. There is no Law at the Centre which shall deal with Data Privacy and breach at the central level unlike the GDPR Law of the European Union. There are instead several Laws dealing in Privacy issues like Privacy Laws focused upon consumers enacted in various states of the country. Somewhat like the Companies Act of 2013 in India, one has the Federal Trade Commission Act in the United States. Within its jurisdiction, the Federal Trade Commission Act has immense power over private enterprises to avoid discriminatory or deceiving marketing practices. Although, the FTC does not specifically dictate what Data can be used in Privacy policy for websites, it uses its power to impose rules, implement Privacy Laws, and take compliance steps to protect the consumers. FTC has often taken actions against the companies in matters of Data Privacy:[15]
Comparative Analysis
Out of these three countries, it is only the United Kingdom which has a central Law on personal Data Protection. It is surprising to note that United States despite being the land of origination of Facebook and WhatsApp has no central level legislation on Data Privacy. The Law on the issue varies from state to state in the country. However, FTC acts a national level body for tackling Data Privacy issues concerning the business world. Hence this situation as prevalent in India is much sadder and appalling as India neither has central level Data Protection Laws, state level Data Protection Laws or a central level authority which deals in this issue. UK has its own Data Protection Law making it easier to establish to culpability and so is the case in US due to presence of state level Laws. In India, it is the judiciary which has propounded upon the subject of Privacy a number of times and the same has developed to form perceptions on Data Privacy.
Personal Data Protection Bill, 2019
The Supreme Court’s 9-judges bench upheld the “Right to Privacy” in K.S. Puttaswamy v. UOI[16] in August 2017. According to Article 21, the Court highlighted the Rights to life and personal freedom. The Indian government established a Committee of Experts, headed by Justice B.N. Srikrishna, to investigate Data Privacy problems in India during the case. This report and draft Personal Data Protection Bill were given to Ministry of Electronics and Information Technology in July 2018 after the white paper’s open consultation. Expert Committee suggestions and stakeholder input were used to draft Personal Data Protection Bill 2019. A further set of three critical elements is outlined in the text:[17]
The above-mentioned bill was developed following extensive engagement and consultation with a variety of stakeholders, including Indian Law enforcement, which opposes “Data colonialism” by significant Western technology companies like Google and Facebook and wants access to Data stored in the US for national security investigations. As a replacement for Sec. 43-A of the IT Act of 2000, this bill would eliminate all provisions pertaining to company liability for Data breaches and Privacy violations.
Before processing personal Data, Data fiduciaries and processors are obliged by Law to get permission from Data principals. Regardless of whether they are representatives of the State, a corporation, a government agency, or an individual, whomever decides the reason for and the method of processing personal Data. An individual who administers personal Data on behalf of a Data fiduciary is known as a Data processor. This includes the government, corporations, people, and other legal bodies. Data collectors must now comply with new reporting standards, such as the obligation to get parental or guardian consent before collecting children’s Data. The persons whose Data is being gathered, or the “Data principals,” are also given Rights under the Law.
In the event that the legislation is passed, Data fiduciaries and Data processors will need to:
Additionally, the Law stipulates that all “sensitive personal Data” must be kept in India and that “essential personal Data” cannot be sent outside. As it would disrupt market-driven choices and compel businesses to utilize local Data storage service providers, this has been condemned as being Protectionist.
Criticism of the Bill
Since its inception, the Bill has come under scrutiny for being skewed in favor of the company collecting the Data and for potentially having serious problems with user Rights. Globally, Data Privacy Laws have properly given users primary control over Data gathering and permission. The Laws provide users the freedom to choose how and when their Data may be gathered, processed, kept, and shared by providing them with the necessary Rights and ability to do so. Despite explicitly granting people certain Rights and safeguards, the DP Bill makes it near impossible for users to exercise their Rights.
The Data Protection Bill makes it more difficult for users to exercise their Right to withdraw permission by declaring that if the withdrawal is made without a “valid cause,” the Data subject would be responsible for any resulting legal ramifications. This eliminates the individual’s ability to exercise a Right to withdraw consent by making it prohibitively difficult to exercise, as well as unnecessary demanding and burdensome. This is complicated further by the fact that the legislation doesn’t specify what constitutes a “good cause” or the nature and scope of the legal repercussions that are intended by the provision. In addition, the legislation establishes circumstances in which it permits the processing of Data without the Data principals’ permission. Given the many layers and complexities that technological processes and products currently have, the regulations that allow for these grey zones simply make things worse for unwary consumers.
Conclusion
MCA Expert at TAXAJ
TAXAJ is a consortium of CA, CS, Advocates & Professionals from specific fields to provide you a One Stop Solution for all your Business, Financial, Taxation & Legal Matters under One Roof. Some of them are: Launch Your Start-Up Company/Business, Trademark & Brand Registration, Digital Marketing, E-Stamp Paper Online, Closure of Business, Legal Services, Payroll Services, etc. For any further queries related to this or anything else visit TAXAJ
Watch all the Informational Videos here: YouTube Channel
TAXAJ Corporate Services LLP
Address: 1/11, 1st Floor, Sulahkul Vihar, Old Palam Road, Dwarka, Delhi-110078