Right to Privacy in India

Arjun Uppal comments on the possible invasion of citizen’s right to privacy guaranteed by the Constitution of India under Article 21 and the regulatory regime proposed for safeguarding the right.
 
 
I. INTRODUCTION

With the implementation of national programmes like Unique Identification Number, National Intelligence Grid, DNA profiling, privileged communications, Crime and Criminal Tracking Network and System, brain mapping etc. and the rampant use of technology by the masses for day-to-day affairs, there have been concerns expressed on the possible invasion of a citizen’s right to privacy guaranteed under Article 21 of the Constitution of India (hereinafter referred to as the "Constitution").

The Department of Personnel and Training (hereinafter referred to as the "DoPT") had prepared a draft bill on right to privacy in the year 2011, the Right to Privacy Bill, 2011 (hereinafter referred to as the "Draft Bill 2011"). Although there had been several discussions on the Draft Bill 2011, the same has failed to materialize into a comprehensive legislation on privacy.

The need for stand-alone privacy legislation was felt in the wake of the leak of the Nira Radia tapes in the year 2010, raising serious threats and concerns over the privacy of individuals and its protection. Subsequent to this infamous leak, Mr. Ratan Tata, the then Chairman of the Tata Group, had approached the Supreme Court for a violation of the fundamental right to privacy.

In order to effectively address the privacy issues, the Planning Commission of India had directed the constitution of a ‘Group of Experts’ on December 26, 2011, to identify the privacy issues and prepare a report on the same to facilitate authoring of privacy bill for India. The Group was constituted under the Chairmanship of Justice A.P. Shah, Former Chief Justice, High Court of Delhi with 11 other members (hereinafter referred to as the "Shah Committee").

The key terms of reference of the Shah Committee included study of the privacy laws and related bills promulgated by various countries, in-depth analysis of programmes being implemented by the Government from the perspective of their impact on privacy and specific suggestions for consideration of the DoPT for incorporation in the proposed draft bill on privacy. The Shah Committee submitted its report to the Planning Commission of India on October 16, 2012 (hereinafter referred to as the "Committee Report").

II. Evolution of the Right to Privacy

Prior to going into discussions on provisions of the Draft Bill 2011 or the Committee Report, it would be interesting to take a note of the evolution of the right to privacy under the Indian legal regime.

The Supreme Court of India (hereinafter referred to as the "Supreme Court") had the opportunity to first decide and lay down the contours of the right to privacy in India in the case of Kharak Singh v. State of Uttar Pradesh. This case did not witness the recognition of the right to privacy as a fundamental right under the ‘personal liberty’ clause of Article 21 of the Constitution. The majority of the judges in this case refused to interpret Article 21 in a manner to include within its ambit the right to privacy; however, two of the seven judges asserted that the right to privacy does form an essential ingredient of personal liberty. Subsequently, the Supreme Court, while deciding the case of Govind v. State of Madhya Pradesh, laid down that a number of fundamental rights of citizens can be described as contributing to the right to privacy. The Supreme Court also stated, however, that the right to privacy will have to go through a process of case by case development. The Supreme Court in the case of R. Rajagopal v. State of Tamil Nadu, for the first time, directly linked the right to privacy to Article 21 of the Constitution and laid down:

"The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a "right to be let alone". A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child bearing and education among other matters. None can publish anything concerning the above matters without his consent whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages."

1. Kharak Singh v. State of Uttar Pradesh, cited at: (1964) SCR (1) 332.
2. Govind v. State of Madhya Pradesh, cited at: AIR 1975 SC 1378.
3. R. Rajagopal v. State of Tamil Nadu, cited at: 1994 SCC (6) 632.

Further, while deciding on the issue of telephone-tapping in the case of PUCL v. Union of India, the Supreme Court observed that telephone-tapping would be a serious invasion of an individual’s privacy. Thus, telephone-tapping would infract Article 21 of the Constitution, unless it is permitted under the procedure established by law.

Therefore, the concept of privacy of an individual has evolved over the years and has been held to be a fundamental right by the Supreme Court. In the case of Selvi v. State of Karnataka the Supreme Court held that an involuntary subjection of a person to narcoanalysis, polygraph examination and BEAP tests violates the right to privacy.

It is to be noted that even with the enlarged scope of Article 21 of the Constitution covering the right to privacy, the right to an individual’s privacy is not an absolute one and comes with certain exceptions. The Supreme Court observed that the right to privacy may be restricted for the prevention of crime, disorder or protection of health or morals or protection of the rights and freedoms of others.

The Supreme Court has articulated an implicit right to privacy derived from the language set out in Article 21 of the Constitution. However, India does not have a separate and specific legislation that explicitly recognizes the right to privacy and sets out the contours of its applicability.

III. Recommendations of the Shah Committee

In general, the Shah Committee recommended that the legislation on right to privacy must harmonize all statutory provisions that relate to privacy. As per the Committee Report submitted in October 2012, the major recommendations of the Shah Committee were as follows:-
  1. The regulatory framework will consist of privacy commissioners at the Central and Regional levels;

  2. A system of co-regulation granting the self-regulating organizations at industry level the choice to develop privacy standards. These standards should be approved by a privacy commissioner;

  3. Individuals would be given the choice (opt-in/opt-out) with regard to providing their personal information and the data controller would take individual consent only after providing inputs of its information practices;

  4. The data controller shall only collect that personal information from data subjects as is necessary for the purposes identified for such collection as well as process the data relevant to the purpose for which they are collected;

  5. The data collected would be put to use for the purpose for which it has been collected. Any change in the usage would be done only with consent of the person concerned;

  6. Data collected and processed would be relevant for the purpose and no additional data elements would be collected from the individual;

  7. Interception orders must be specific and all interceptions would only be in force for a period of 60 days and may be renewed for a period of up to 180 days. Records of interception must be destroyed by security agencies after 6 months or 9 months and service providers must destroy after 2 months or 6 months; and

  8. Infringement of any provision under the Act would constitute an offence for which individuals may seek compensation.

4. PUCL v. Union of India, cited at: (1997) 1 SCC 30.
5. Selvi v. State of Karnataka, cited at: AIR 2010 SC 1974.
6. ‘X’ v. Hospital ‘Z’, cited at: (1998) 8 SCC 296.
     
IV. The Proposed Privacy Regime

(a) Privacy – Rule and Exceptions

The right to privacy proposed by the Draft Bill 2011 has been granted to all citizens. The term ‘personal data / information’ has been ascribed the meaning of any data that relates to a living or natural person, if such person can be identified from the data, either directly or indirectly in conjunction with the other data in possession or likely to come in possession of the person controlling the said data. Additionally, it has also been clarified that personal information includes any expression of opinion about a person as well. Further, the principles of data protection contemplated under the Draft Bill 2011 have been made applicable on all persons processing data using equipment located in India or collecting, processing or using the personal data in India, whether having a place of business in India or not.

Since every rule comes with certain exceptions, so does the right to privacy. The Draft Bill 2011 contemplates the following instances, where the right to privacy of an individual may be infringed:-

  1. Sovereignty, integrity and security of India, strategic, scientific or economic interest of the state; or
     
  2. Preventing incitement to the commission of any offence; or
     
  3. Prevention of public disorder or the detection of crime; or
     
  4. Protection of rights and freedoms of others; or
     
  5. In the interest of friendly relations with foreign states; or
     
  6. Any other purpose specifically mentioned in the Act.
     
In line with the Draft Bill, the Shah Committee too recommended the above exceptions, with certain additional exceptions, such as disclosure in public interest, journalistic purposes, historic and scientific research and protection of the individual rights and freedom etc. In order to measure the extent and validity of the said exception to the right to privacy, the Committee Report put forth the parameters of proportionality, legality and necessity in a democratic state, as the yardstick of such determination.

Infringement of an individual’s right to privacy may be constituted by acts of collection, processing, storage and disclosure of personal data, interception or monitoring of an individual’s communication, surveillance of the individual and sending unsolicited commercial communication to an individual.

(b) Privacy Principles

The Draft Bill 2011 prescribes certain principles for privacy. The Shah Committee also provided for certain ‘National privacy Principles’ for dealing with personal information. Such National privacy Principles are the extension and improvisation of the similar principles laid down by the Draft Bill 2011. The principles lay down the requirement and compliances for collection, processing, storage, retention and disclosure of the personal data. These principles prescribe specific conditions, such as notice, prior consent of the provider of information and purposes for each of such acts concerning the personal data, including the sharing and security of the data.

These principles have been drafted in line with the provisions of the Information Technology Act, 2000 (hereinafter referred to as the "IT Act") and the rules thereunder in respect of sensitive personal information or data. The privacy principles are intended to be applicable to the collection, processing and use of personal information, through any mode including interception, as well as audio and video recordings. In cases where individuals are mandated under law to share information, the said process is also to be carried out in accordance with the national privacy principles, and the information, if shared in public databases, is not to be retained in an identifiable form longer than is necessary.

The principles for the privacy regime have been discussed in the following paragraphs:-

  1. Notice: A data controller shall give simple-to-understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. This allows the individual to hold the data controller accountable to the practices described in the notice.

  2. Choice and consent: A data controller shall give the individual the choice to opt-in or opt-out with regard to providing their personal information. Only after consent has been obtained will the data controller collect, process, use or disclose such information to third parties, except in the case of authorized agencies. The data subject shall at all times have the option to withdraw his/her consent given earlier to the data controller. This would ensure that data controllers, prior to collection, provide simple choices to the data subjects allowing them to make informed decisions about the extent to which they would like to share their personal information.

  3. Collection limitation: A data controller shall only collect personal information from data subjects as is necessary for the purposes identified, the object stated for such collection and for which notice has been provided to and consent obtained from the individual. This shall reduce the possibility of misuse of an individual’s personal information.

  4. Purpose limitation: Personal data collected and processed by the data controller should be adequate and relevant to the purposes of processing. After personal information has been used in accordance with the identified purpose, the information should be destroyed as per the identified procedures. In case of any change of purpose, the same is to be notified to the data subject. This principle ensures that personal information is retained by the data controller only as long as is necessary to fulfil the stated purposes.
     
  5. Access and correction: Individuals shall have access to the personal information relating to them, held by a data controller. The individual shall be able to seek correction, amendment or deletion of such information, where it is inaccurate, and also obtain from the data controller a copy of the personal data.

  6. Disclosure of information: A data controller shall not disclose personal information to third parties, except with notice to and informed consent of the individual for such disclosure. Such third parties shall be bound to adhere to the relevant and applicable privacy principles. Any disclosure for law enforcement purposes must also be in accordance with the laws in force.

  7. Security: A data controller shall secure personal information that they have either collected or have in their custody, by reasonable security safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, unauthorized disclosure, either accidental or incidental or other reasonably foreseeable risks.

  8. Openness: The data controller shall take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope and sensitivity of the data collected, in order to ensure compliance with the privacy principles. Such practices and policies shall be made in an intelligible form, using clear and plain language and be made available to all individuals.

  9. Accountability: The data controller shall be accountable for complying with measures which give effect to the privacy principles. Such measures should include mechanisms to implement privacy policies, including tools, training and education and regular external and internal audits etc.

7. The Draft Bill 2011 provides a definition for ‘data controller’, which means any person who processes personal data and shall include a body corporate, partnership, society, trust, association of persons, government Company, government department, urban local body, agency or instrumentality of the state.
8. A ‘data subject’ has been defined under the Draft Bill 2011 as any living individual, whose personal data is processed by a data controller in India.
     
The above National privacy Principles are intended to be applicable to both the public and private sector. The said principles are enhanced provisions of the presently existing principles for data protection in India and are intended to form the basis of the privacy legislation being drafted, for handling and dealing with personal data.

(c) National Data Controller Registry

The Draft Bill 2011 provides for the establishment of the National Data Controller Registry (hereinafter referred to as the "NDCR"), an online database to facilitate the effective entry of particulars by data controllers. In order to be able to process any personal data, the data controller shall have to register itself with the NDCR. The data controllers would also be able to make amendments to such particulars, as per the procedure prescribed.

(d) Data Protection Authority of India

As part of the Draft Bill 2011, the Government had proposed the establishment of the Data Protection Authority of India (hereinafter referred to as the "DPAI") to look into the matters of protection of data in India and penalizing the violations of the same. The Draft Bill 2011 entrusts extensive administrative responsibilities upon the DPAI, such as to monitor and enforce compliance of applicable provisions relating to data protection by all persons and to monitor developments in data processing and computer technology to ensure that such developments do not adversely affect protection of data.

Additionally, the DPAI can receive and investigate into complaints regarding matters related to collection, processing, storage and disclosure of personal data. Appeals from orders and directions of DPAI shall lie with the ‘Cyber Appellate Tribunal’ (hereinafter referred to as the "CAT"). Further, as a part of its investigative powers, the DPAI has the power to investigate any data security breach and to issue appropriate orders as may be required in order to safeguard the security interests of all affected individuals in the personal data that has or is likely to have been compromised by such breach.

The authority has also been empowered to issue directions for inspection of records of the data controller, to make an inquiry into the affairs of data controllers or to issue directions to the data controllers to furnish information or explanations. The DPAI would be empowered to examine the law and policy existing for data protection and make suggestions to the Government on related issues.

(e) Resolution of disputes

Presently, the adjudicatory functions are entrusted to the ‘Adjudicating Officers’ and the CAT, constituted under the IT Act. However, under the Draft Bill 2011 the adjudicatory functions relating to data protection have been proposed to be assigned to the DPAI, with the CAT functioning as the appellate authority for the decisions and orders of the DPAI.

With regard to the mechanism for resolution of data protection disputes, the Shah Committee under the Committee Report proposes the following three-tier structure:-

  1. Privacy commissioners: an office of privacy commissioner must be established at both the central and regional levels to oversee the implementation of the privacy legislation. The concerned commissioner shall be primarily responsible for enforcement of the legislation.
     
  2. Courts: the individuals would have the option of making a complaint directly before the courts, which will act as an alternative route of redressal, separate from the commissioner. The complaints may relate to a data breach or violation or physical privacy violation.
     
  3. Self Regulation Organizations and Co-regulation: a system of co-regulation through Self Regulation Organizations (hereinafter referred to as the "SROs") should be established by the privacy legislation. The SROs shall supplement the role played by the privacy commissioners to ensure implementation and enforcement of policies for a wide range of sectors and industries. This self-regulation system will create a baseline legal framework that protects and enforces an individual’s right of privacy. The standards shall not be lower than those set forth in the national privacy principles and the SROs that choose not to develop industry level privacy standards will be held accountable for violation of the national level privacy principles.
     
The Shah Committee specifically provided that if a particular sector / industry does not have an SRO, the data controllers shall be responsible to comply with the National privacy Principles, apart from the additional norms and standards prescribed by the privacy Commissioners. Such norms may include the appointment of a privacy officer at an organisation level to address complaints raised and take steps to resolve the same, in turn reducing the burden of the judicial system.

(f) Penalisation of offences

The current data protection regime contained under the IT Act and the rules thereunder provides for the grant of compensation in case any wrongful gain or wrongful loss is caused to any person by negligence in implementing the reasonable security practices and procedures by the body corporate handling sensitive personal data. However, a shift from the present mechanism of award of damages is proposed under the Draft Bill 2011. This modification also finds place in the Committee Report.

In terms of the Draft Bill 2011, any person who suffers damage by reason of any contravention of any of its obligations by the data controller shall be entitled to compensation from the data controller to the full extent of the damage suffered. The Draft Bill 2011 proposes to impose financial penalties and imprisonment for the following acts or omissions, which constitute the offences created under the Draft Bill 2011:-

  1. The disclosure of any information obtained by lawful interception of communication, in a manner otherwise than in the execution of duties under law, orders of court or for the purpose of the prosecution of an offence;

  2. Interception by any person of any communication made by or sent to any citizen of India in contravention of the rules in this regard;

  3. Obtaining personal information on false pretences;

  4. Violation of the conditions of licence by the service providers, pertaining to maintenance of secrecy and confidentiality of information and unauthorized interception of communication;

  5. Undertaking surveillance in contravention of the provisions of the applicable law;

  6. Disclosure of personal information in contradiction of the provisions of the Draft Bill 2011 by any officer or employee of a service provider or the government, who by virtue of his position has possession of personal information of individuals;

  7. Violation of directions of the DPAI;

  8. Acquisition of personal data by any person intentionally and without authorization from the data subject; and

  9. Unauthorised collection, processing or disclosure of personal information, in violation of the privacy principles.

In relation to the above offences, the Draft Bill 2011 has proposed a maximum punishment of five years and/or fine of INR 700,000 for the first offence and INR 1,000,000 for every subsequent offence.

In addition to prosecution for the above offences, a person who-

  1. contravenes the provisions of the Draft Bill 2011, adversely affecting an individual’s right of privacy;
     
  2. on request, fails to maintain or correct a record concerning any individual with such accuracy, relevance, timeliness and completeness as is necessary to assure fairness in determination relating to qualifications, character, rights or opportunities of or benefits to the individual that may be made on the basis of such record; and
     
  3. consequently a determination is made which is adverse to the individual
     
shall become liable to face civil action for compensation.

This right to initiate civil action shall be in addition to any other action, including criminal proceedings or damages for defamation. The courts in such civil actions have been empowered to order the concerned person to issue a public notice for having wrongly disclosed the personal information and to pay compensation to the concerned individual. On the issue of penalisation for the offences, the Committee Report provided that infringement of privacy would constitute an offence by which individuals may seek compensation and organizations would be held accountable for the same.

The Shah Committee states that in line with the (United Kingdom) Data Protection Act, 1998 and the (Australian) Privacy Act, 1988, (a) non-compliance with the privacy principles; (b) unlawful collection, processing, disclosure, access and use of personal data; (c) obstruction of commissioner; (d) failure to appear or comply with notification issued by the commissioners; (e) sending false or misleading information; and (f) failure to produce documents required by the commissioner etc. should constitute an offence under the proposed legislation for privacy in India.

V. Present Day Status of the Proposed Legislation

Pursuant to the Committee Report issued by the Shah Committee in 2012, the DoPT had, earlier this year, carried out certain modifications to the Draft Bill 2011 in line with the suggestions made therein. The said modified draft has however not been made available to the public.

Recently, the revised draft of the privacy legislation was submitted to the Law Ministry for consideration. Once the Law Ministry gives its nod to the draft, the bill on right to privacy would be sent to the Union cabinet for enacting the legislation.

VI. The Path Ahead

The call for a comprehensive legislation for protection of an individual’s right of privacy is a need of the hour, especially with the rampantly increasing number of internet users in India year on year. As an inevitable consequence, there has also been an increase in the number of registrations of cases and arrests in cases of breach of confidentiality and privacy under provisions of Section 72A of the IT Act.

The Supreme Court in the case of Ram Jethmalani v. Union of India categorically held that the right to privacy also requires the state not to make public any private information about an individual, which would violate her privacy.

Although the DoPT had formulated the Draft Bill 2011 to deal with privacy related issues, the wait for the legislation continues. Despite the submission of a modified draft of the legislation, based on the recommendations of the Shah Committee, for the approval of the Law Ministry, the legislation is yet to see the light of day. Recently, a Standing Committee on Information Technology (hereinafter referred to as the "IT Standing Committee"), Lok Sabha Secretariat in the 52nd Report on "Cyber Crime, Cyber Security and Right to Privacy" strongly emphasized the need to institute a legal framework on privacy. In the report, the IT Standing Committee was of the view that the Government should not jeopardize the privacy of Indian citizens on the basis of self-regulation provisions of the IT Act and must evolve a framework for the protection of an individual’s privacy.

Concerns were expressed by the IT Standing Committee that the Department of Electronics and Information Technology should be vigilant to avoid interception of meta-data by other countries in the name of surveillance. For this purpose, caution should be taken for safety and in policies with other countries for the prevention of such leakage.

The IT Standing Committee expressed its desire that the Department of Electronics and Information Technology in coordination with the DoPT, multi-disciplinary professionals and experts, should come out with a comprehensive and people friendly policy for protection of the privacy of citizens and which is also foolproof from the security perspective.

9. Ram Jethmalani v. Union of India, cited at: (2011) 8 SCC 1.
 
Arjun Uppal is an Associate at New Delhi and can be reached at arjun.uppal@sethdua.com.
 
© 2007 India Law Journal