Advait Kandiyoor, Jindal Global Law School, JGU
ABSTRACT
Privacy as a concept has long been envisioned through different lenses; however, with the rapid advancement in technology and the value being assigned to ‘data’, the notion of privacy has had to evolve and encompass a broader set of possibilities. India has only recently solidified the position of privacy within the constitutional framework, recognizing it as a fundamental right. The Puttaswamy judgement is a great example of the judiciary attempting to highlight the importance of privacy and the need to safeguard it. Despite these judicial developments, the government appears to traverse between the lines and implement privacy protection regulations which appear to favour it heavily. The Data Protection Bill, which was first introduced in 2019, is yet to be passed as an Act and implemented in India. Although the bill manages to address several privacy concerns and brings forth a much-needed legislative framework, it also brings with it certain shortcomings. This paper aims to observe the development of privacy as a right in India and the need for it, and subsequently to identify issues which need to be addressed, along with the efficacy of the Data Protection Bill that is in the works.
Introduction
The conceptualization of privacy has had relevance from a sociological and anthropological viewpoint since quite an early stage in history, such as Aristotle’s work on political philosophy which invigorates the idea of ‘private’ and creates a distinction of the same from the public sphere. Sir Edward Coke famously said, “the house of every one is to him as his Castle”[1], in a ruling regarding the forcible entry of sheriffs into a person’s home. This judgment was among the very first to legally highlight the concept of privacy, albeit indirectly, and in an era where the scope of privacy was limited to a more physical sense, a much simpler time for the enforcement and recognition of privacy due to the lack of activities such as surveillance states, data leaks or data mining. In the information age, the scope of privacy goes beyond just physicality, as data emerges to be one of the most valuable and utilitarian assets, with some calling it the new oil[2]. India has been rather slow in its recognition of the right to privacy as a fundamental right. Nevertheless, the recognition of this fundamental right came at quite an opportune time with the development in technology and a shift in the paradigm of what privacy meant and how it must be dealt with, giving the concept a more robust constitutional backing.
Development of case law
The right to privacy in India is extended from Article 21 of the Constitution, and this extension was brought up in Kharak Singh vs The State of U. P.[3], where it was suggested by Justice Subba Rao that privacy could be encompassed under the concept of liberty. In reference to Lord Coke’s words, he said “It embodies an abiding principle- which transcends mere protection of property rights and expounds a concept of "personal liberty" which does not rest on any element of feudalism or on any theory of freedom which has ceased to be of value”[4]. Kharak Singh’s case was important as it delved into the discussion regarding the right to privacy as more than just a right recognized by common law; however, Justice Subba Rao was the only dissenting judge who held the infringement of Kharak Singh’s privacy unconstitutional. Justice Subba Rao’s dissent can, in many ways, be considered the dawn of the development of privacy as a constitutionally recognized right in India. Following this, the legal landscape on privacy saw a few notable judgments which began to build on Justice Subba Rao’s line of thought, with R. Rajgopal v. State of Tamil Nadu[5] introducing the idea of privacy as a “right to be let alone” and People's Union for Civil Liberties vs. Union of India[6] recognizing the right to privacy as a part of Article 21’s right to life and liberty[7], while holding indiscriminate phone tapping under the Indian Telegraph Act, 1885 as unconstitutional. The most recent, and arguably most important, judgment regarding the issue of privacy in terms of its constitutionality came from Justice K.S. Puttaswamy v Union of India[8] (Puttaswamy), wherein a nine-judge bench was constituted to assess the right to privacy as a fundamental right during the debate regarding the constitutional validity of Aadhaar. The bench found it to be integral to Part III of the Constitution, which lays down the fundamental rights.
Though the bench was unanimous in its decision, the judges differed in their opinions regarding what privacy meant and the test that must be used in order to assess any violation of the right. Justice Chandrachud gave the plurality opinion on behalf of four of the judges, while Justices Bobde, Nariman, Chelameswar and Kaul gave their own individual opinions. The popular understanding of which test to use is a combined understanding of the proportionality test “espoused by Chandrachud J. and elaborated by Kaul J.”[9], which consists of four elements:
· Legality- whether it is permissible under law
· Legitimate goal- it should seek to achieve a legitimate aim and must be necessary
· Proportionality- the degree of violation by the State should be proportional to the object in question.
· Procedural guidelines- following requisite guidelines to ensure there is no abuse by the State
Although the judgement expounds on State actors violating the privacy of individuals, the increasing use of data as an asset has blurred the lines between state and private actors, and this exponential increase in the value of data has resulted in a period of “surveillance capitalism”[10].
Surveillance: Post recognition of privacy as a fundamental right
The Puttaswamy judgment had bearing on the final decision regarding the Aadhaar program, which found certain sections of the Aadhaar Act to be unconstitutional on the basis of the proportionality test. The court did, however, uphold the constitutional validity of the Aadhaar program as a whole. The primary contention in the case was with regard to the potential for mass surveillance and the creation of aggregate data silos. The court found Aadhaar data collection to lack enough data to result in profiling[11] of individuals, since the only requisite data was demographic and biometric data. The court’s analysis of the same was based on the principles of data processing according to the EU General Data Protection Regulation (GDPR), which is Europe’s regulation on data protection and privacy. It found the Aadhaar program to satisfy the principles set under the GDPR, namely, lawfulness, purpose limitation, data minimisation, accuracy, storage limitation and confidentiality. In the Puttaswamy judgment, the court found that the information silos could lead to profiling, which it held unconstitutional given a scenario where these silos are aggregated. Following this opinion, the court found that these silos must remain integrated and, additionally, that private parties were not allowed to access these silos or any Aadhaar database. The barring of private parties from Aadhaar databases was short-lived. The Aadhaar and Other Laws (Amendment) Act, 2019 snubs the orders of the court in finding private party access to the databases as unconstitutional. The Act manages to continue the “double speak on voluntary and involuntary”[12], as the amendment gives legitimacy to the concept of offline verification as a voluntary method, wherein individuals can bypass the Aadhaar authentication systems through a UIDAI QR system, and the amendment has no mention of limiting private entities from authentication as required in the Supreme Court’s judgement on Aadhaar.
Although it may be suggested that Section 57 of the AOLA was struck down on the basis of access through a contractual scenario, it would violate the test of proportionality laid down by Justice Chandrachud as well as GDPR’s purpose limitation, which was expressly raised as a dispute against Section 57 in the Aadhaar judgment.
Although the court found Aadhaar to lack the potential of resulting in a mass surveillance system, the idea of state-empowered surveillance is not new, as we see from the PUCL case, where the notion of privacy moved away from the solely physical sense and evolved to include personal communications, and guidelines were set down to be followed in exercising surveillance powers. India already has a multitude of surveillance programmes set up, chiefly: the Central Monitoring System (CMS), Network Traffic Analysis System (NETRA), Crime and Criminal Tracking Network System (CCTNS), Lawful Intercept and Monitoring Project (LIM), National Intelligence Grid (NAT-GRID), etc.[13] Several of these programmes have been criticized by the AP Shah committee[14] as an “unclear regulatory regime” which lacks transparency. These programmes continue to exist in the post-Puttaswamy era and continue to develop in parallel to technological advancements. Evidently, the government is able to tiptoe its way around both the Puttaswamy judgment as well as the Aadhaar judgment, which leads us to question the efficacy of the right to privacy as a fundamental right in the current Indian context.
Importance of resolving the threat to one's right to privacy
Before analysing a likely reason for the inefficacy, it is crucial to understand the relevance of data privacy in the current socio-political and socio-economic sphere. Data about individual preferences on a variety of things has been shown to have drastic implications. This is evidenced in the Cambridge Analytica scandal, which proved that voter data can be a tool in manipulating elections[15]. In the world’s largest democracy, the potential for data mining and profiling is limitless, whether it be by state actors or non-state actors, so the significance of privacy goes beyond just individual interests. A more recent privacy concern has been with regard to the Indian Government’s new policy regarding VPNs. The Indian Computer Emergency Response Team issued directions under the IT Act which require companies offering virtual private networks to store and preserve a range of data relating to their customers, such as their contact information and IP addresses[16]; it was, however, later clarified that corporate VPN service providers would not be required to maintain customer logs. Given that the function of a VPN is to provide its users with anonymity both during and after usage, through an emphasis on “no logs” policies and other methods to prioritise privacy, the new CERT rules, which would effectively apply to all VPN providers who have servers in India, are counterintuitive from a privacy standpoint and do not appear to uphold user privacy. Owing to this, multiple top VPN providers have been refusing to comply with the rules[17], which are set to be in effect by the end of June. Currently, some of the countries that heavily regulate or altogether ban VPNs are those like China, North Korea, Russia, and a few Middle Eastern countries, none of which have been a bastion of privacy rights.
India unfortunately appears to be moving away from the idea of privacy protection that the judiciary hoped to envisage, through the implementation of these new rules.
The missing link
This brings us to one of the most important issues in the application of privacy as a fundamental right in India: the lack of adequate legislation. “Case law is gold in the mine—a few grains of the precious metal to the tons of useless matter—while statute law is the coin of the realm ready for immediate use.” These words of John Salmond strongly resonate with the current state of privacy in India. The constitutional recognition of privacy in India was a much-needed step with the advent of big data, yet currently any privacy concerns must be taken up in the form of a writ petition unless they come under the much narrower and specific scope of legislation not intended to tackle privacy, such as sections of the Information Technology Act[18] or the Indian Penal Code[19]. This makes addressing the needs of the masses a much slower and deliberated process, one that the state bodies as well as private entities are able to use to their advantage, given that they possess far more resources to undertake these legal battles. Therefore, while the fundamental right to privacy attempts to bring about a social change, it falls short in its attempt to do so, and it could be said that the tumbler is half full, requiring some legislation to fully realize and protect this novel fundamental right.
The legislation on the horizon
Fortunately, there does exist a Personal Data Protection (PDP) Bill[20], which was originally formulated by the Justice B.N. Srikrishna committee in pursuance of the Puttaswamy judgment. Briefly, the PDP Bill primarily focuses on processing, storage, and collection of personal data of individuals by the government and corporations in India as well as any foreign company which handles the data of Indian citizens. The bill highlights and expands on certain key terms, such as a ‘data fiduciary’, a term that encompasses any person, company, or entity who either alone or in conjunction with others determines the means and purpose of processing personal data. Another salient term is ‘profiling’. Importantly, and in line with the recognition of privacy as a fundamental right, the bill grants data principals certain rights, such as the right to confirmation and access with regard to the data of the data principal, the right to correction and erasure, the right to data portability and the right to be forgotten. Except for the right to be forgotten, in order to exercise the rights of a data principal, they are required to make a request in writing to the data fiduciary, and the latter must acknowledge the receipt of such a request. Apart from these rights, the data fiduciaries are required to adhere to certain transparency and accountability measures in order to further safeguard the data of users. These essentially require the safeguarding and maintenance of records in a transparent manner, with reporting in case of a data breach. This is arguably the most important aspect of the bill in terms of building on ideas propounded in the Puttaswamy as well as the Aadhaar judgement, as it puts the individual at the centre of privacy, granting them more rights with regard to privacy. Though the bill certainly addresses quite a few problems and would bring in a necessary framework for dealing with privacy in India, it does fall short in some of its avenues.
Potential issues that may arise from the proposed framework for privacy
The bill lays heavy emphasis on ‘consent’ and builds on the idea that a more stringent consent mechanism could lead to a more adequate tackling of data privacy concerns. The Srikrishna committee’s report[21] goes on to suggest that the process of receiving consent is problematic to begin with due to the complexity of the agreements that individuals are asked to consent to, where users often either overlook the details or are perplexed by the jargon. The bill lays down that “consent is valid if it is free, informed, specific, clear, and capable of being withdrawn”[22]. This definition raises problems in situations where individuals are obligated to provide personal data, e.g., the collection of personal data for citizenship verification in Assam, where it seems the residents have a choice in the verification process, when in fact noncompliance with the verification process would result in the citizens being placed in a precarious situation. This leads us to question whether a consent-centric approach is really the best strategy for solving data privacy issues. The problem of consent cannot be tackled unless there is a genuine desire amongst the populace to have their data protected over their needs for using the resource in question.
Another underlying issue in the bill is with regard to the exceptions and exemptions granted to the State towards data processing. Though the draft bill only granted an exception in case of national security issues “provided that it satisfies the internationally recognised principles of necessity and proportionality”, the bill lays down broad exceptions such as in cases of national security interests, prevention of incitement of cognizable offenses, and activities such as research, archiving and statistics. The Justice Srikrishna committee had suggested that there must be efforts “to ensure that the pillars of the data protection framework are not shaken by a vague and nebulous national security exception”[23]. The bill also allows for the central government to exempt its agencies from the provisions of the Act given that it is in the interest of the nation’s sovereignty and integrity, security of the state, public order etc., as well as prevention of incitement of crimes relating to the same. The bill provides that the rules regarding the “procedure, safeguards and oversight mechanism to be followed by the agency” are to be prescribed, which effectively gives the government the power to independently create rules, and the bill lays down no guidelines with regard to the exercise of this power. This gives considerable autonomy and power to the central government as well as the Data Protection Authority of India[24] in controlling the behaviour of users online as well as directing data fiduciaries on how to process the data. However, the granting of such power is not unexpected, as there exists no data protection law which does not give the government a higher level of autonomy.
Conclusion
India is in dire need of solid legislation regarding the regulation of data online, and the PDP Bill appears to be the only solution on the horizon. The development of privacy has certainly been in the right direction, but the autonomy and control that the State is able to exercise over the handling of privacy is concerning. As a fundamental right, privacy certainly seems to have quite a few caveats, and some even suggest that the right to privacy is being diluted further with the introduction of the PDP bill[25]. The recognition of privacy as a fundamental right has undoubtedly been revolutionary from a social standpoint, has also played a role in the decision of Navtej Singh Johar v. Union of India[26], and is likely to be at the heart of more constitutional debates to come. Unfortunately, in terms of data privacy the right is proving to be rather inefficacious, and as noted by Comparitech, India is the third largest surveillance state (the scale excluded European countries), which it boils down to “Systematic failure to maintain safeguards”[27]. Although it acknowledges the development of measures to protect privacy, it remains sceptical about their success.
[1] Semayne v Gresham [1604] Yelverton 29
[2] Amol Mavuduru, Is Data Really the New Oil in the 21st Century?, Dec 12th 2020
[3] Kharak Singh vs The State Of U. P. & Others, 1963 AIR 1295
[4] Kharak Singh vs The State Of U. P. & Others, 1963 AIR 1295, (Subba Rao J, dissenting)
[5] R. Rajgopal v. State of Tamil Nadu, 1994 SCC (6) 632
[6] People's Union for Civil Liberties vs. Union of India, (1997) 1 SCC 301
[7] INDIA CONST. art. 21
[8] Justice K.S. Puttaswamy v Union of India, 2017 10 SCC 1
[9] Bhandari, V et al, An Analysis of Puttaswamy: The Supreme Court's Privacy verdict, 11 IndraStra Global, 4 (2017)
[10] Shoshana Zuboff, Big Other: Surveillance Capitalism and the Prospects of an Information Civilization, 30 Journal of Information Technology 75 (2015).
[11] Profiling as defined in the Personal Data Protection Bill 2019 is any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes, or interests of a user
[12] Raghu, Six Reasons Why the Aadhaar Amendment Ordinance Undermines Democracy, The Wire, Mar 12th 2019
[13] Akshi Gill & Aditi Jaiswal, Data Surveillance: Need for a Policy to Achieve Equilibrium Between State and Individual Interest, 8 Nirma University Law Journal, 57 (2018)
[14] Planning Commission of India, Report of the Group of Experts on Privacy, 7: 19, p. 60-61, Oct 16 2012
[15] Adrian Chen, Cambridge Analytica and our Lives Inside the Surveillance Machine, The New Yorker, Mar 21st 2018
[16] Indian Computer Emergency Response Team, Ministry of Electronics and Information Technology, Govt. of India, No. 20(3)/2022-CERT-In
[17] Tech Desk, The Indian Express, Express VPN, SurfShark shuts down India servers: Here’s everything that happened so far, June 8th 2020.
[18] Information Technology Act, 2000
[19] Indian Penal Code, 1860
[20] The Personal Data Protection Bill, 2019, Bill No. 373 of 2019
[21] A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, Committee of Experts under the Chairmanship of Justice B.N. Srikrishna (July 2018)
[22] Ibid 16
[23] Ibid 17
[24] The bill mandates the establishment of an authority known as the Data Protection Authority of India and sets down the requirements for the formation of the same while also dictating the duties of the authority and the regulations it must abide by.
[25] Renjith Mathew, Personal Data Protection Bill, 2019 – Examined through the Prism of Fundamental Right to Privacy – A Critical Study, SCC Online, May 22nd 2020
[26] Navtej Singh Johar v. Union of India, 2018 10 SCC 1
[27] Paul Bischoff, Data privacy laws & government surveillance by country: Which countries best protect their citizens?, Oct 15th 2019