The Right to Privacy is a differentiated Notion. The data protection and right to privacy has been acknowledged in modern culture, both constitutionally and in everyday speech. Article 21 safeguards the right to privacy and supports human dignity. In recent years, there has been an increasing concern about the vast amount of personal information stored in computer files. The right to privacy applies to an individual’s ability to monitor how personal information is collected, used, and disclosed. Personal information may include but is not limited to, personal preferences, behaviours, and hobbies, family and educational records, correspondence (including mail and telephone records), medical records, and financial records. A person could be easily damaged by the presence of incorrect or deceptive computerised data about him or her that could be transmitted to an unauthorised third party at high speed and for a low cost. This increase in the use of personal data has a lot of advantages, but it also has a lot of drawbacks. Furthermore, the integration of technology has spawned a new range of privacy and data security concerns. Personal data is readily available and communicable thanks to revolutionary technology. The right to privacy and data security are inherently at odds. The primary objective of data security should be to balance these competing informational interests. Individual and organisations’ data, on the other hand, should be covered in such a way that their privacy rights are not jeopardised.
Right to Privacy is a Fundamental Right in India
Article 21 of the Indian Constitution which outlines our human rights recognises the right to privacy as a fundamental right. In Justice K.S. Puttaswamy vs Union of India, a nine-judge bench of the Supreme Court upheld this in a landmark judgement dated August 24, 2017, in which they declared “the right to privacy” to be an integral part of Part III of the Indian Constitution. I
One would ask why the issue of whether or not the right to privacy is a constitutional right was brought before a nine-judge panel. In 2017, a Supreme Court bench of five judges hearing the Aadhaar Card case and the right to privacy requested that a nine-judge bench first determine whether privacy is a fundamental right before ruling on the main Aadhaar case. In the Aadhaar case, the Attorney General argued that while many Supreme Court decisions had accepted the right to privacy, they had refused to recognise that it was a fundamental right in the Kharak Singh (passed by a six-judge bench in 1960) and M P Sharma decisions (delivered by an eight-judge Constitution bench in 1954).
As a result, a nine-judge jury was created to determine whether or not the right to privacy is a constitutional right. The Supreme Court’s expansive interpretation prompted a flurry of government policies aimed at enacting Personal Data Protection laws.
Current Law in India
Personal data and information exchanged or obtained in a verbal, written, or electronic form are not covered by a stand-alone personal data security law in India. Though there are safeguards in place, they are spread across a variety of laws, regulations, and guidelines.
- Information Technology Act, 2000
The Information Technology Act of 2000 (as amended by the Information Technology Amendment Act of 2008) and the Information Technology [Reasonable Security Practices and Procedures and Sensitive Personal Data Or Information] Rules, 2011 contain the most important provisions (SPDI Rules). It is India’s primary legislation governing cybercrime and electronic commerce. As the name implies, SPDI Rules only refer to data and information exchanged electronically, not to data and information obtained through non-electronic communication.
When the Information Technology Act of 2000 went into effect on October 17, 2000, all of the laws and procedures relating to the Act lacked the necessary safeguards and protections to protect one’s confidential personal information transmitted electronically. This resulted in the Indian Parliament passing the Information Technology Bill, 2006, which was followed by the Information Technology (Amendment) Act, 2008, whose provisions took effect on October 27, 2009. It added Section 43A to the Information Technology Act, which states that if:
If a corporate body possesses or handles any sensitive personal data or information, and fails to maintain reasonable security to protect such data or information, causing wrongful loss or gain to any person, that corporate body shall be liable to pay damages to the person(s) so affected.
Section 72A of ITA 2000: According to section 72A of ITA 2000, In the case of disclosure of information in violation of a lawful contract, any person may be punished with imprisonment for a term not exceeding three years, or with a fine not exceeding five lakh rupees, or with both.
Penalty for the same is mentioned in Section 72 of the IT Act. The Section provides that:
any person WHO, in pursuance of any of the powers presented underneath the IT Act Rules or laws created under it, has secured access to any electronic record, book, register, correspondence, info, document, or different material while not the consent of the person involved, discloses such electronic record, book, register, correspondence, info, document or different material to the other person, shall be punishable with imprisonment for a term which can touch 2 years, or with fine which can touch Rs 1,00,000, (approx. US$ 3,000) or with each.
Section 75 of ITA, 2000: Section 75 mandates that provisions of this Act shall also apply to an offence/contravention committed outside India by any person if the conduct constituting an offence involves a computer/computer network located in India.
The IT Act and Rules, on the other hand, have restricted scope and coverage. The majority of the provisions only refer to ‘sensitive personal data and information’ gathered through ‘computer resource. Consumers may only take compliance action concerning a small subset of the provisions, which are limited to corporate organisations that participate in the automated data processing. There is no provision for data localization, which was a major source of concern and the reason for the Chinese apps’ ban in India.
To address these limitations, there was a need of comprehensive data privacy law. A body corporate (including a company, sole proprietorship, or other groups of persons engaged in commercial or professional activities) that holds, deals, or manages any confidential personal data or information in a computer resource that it owns, regulates, or operates is liable to pay damages to the person affected under Section 43A of the Information Technology Act if any person suffers a wrongful loss or benefit as a result of the failure to enforce and maintain fair security practises and procedures to protect the person’s personal information.
Section 69 of ITA, 2000: It should be noted that section 69 of the Act, which is an exception to the general rule of protecting information privacy and confidentiality, provides that if the Government is satisfied that it is required in the public interest, it can disclose information:
- the sovereignty or integrity of India;
- defence of India;
- security of the State;
- friendly relations with foreign States; or
- public order; or
- for preventing incitement to the commission of any cognizable offence relating to above; or
- for investigation of any offence
It can direct any appropriate government agency to intercept, track, or decrypt, or cause to be intercepted, monitored, or decrypted any information produced, transmitted, obtained, or stored in any computer resource through an order. This section gives the government the authority to intercept, track, or decrypt any information in any computer resource, including personal information.
The government can require disclosure of information when it is in the public interest to do so. This category can include information about anti-national activities that are against national security, law or statutory duty violations, or fraud.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, have been published by the government. The Rules only include the privacy of “sensitive personal data or details of an individual which includes personal data such as information about a person’s health.
- Financial information such as bank account or credit card or debit card or other payment instrument details;
- Physical, physiological, and mental health condition;
- Sexual orientation;
- Medical records and history;
- Biometric information
The rules provide fair security practises and procedures that the body corporate or any person collecting, receiving, possessing, storing, dealing, or handling information on behalf of the body corporate must obey when dealing with “Personal sensitive data or information.” In the event of a violation, the body corporate or any other person acting on its behalf can be held liable to pay damages to the person who has been injured.
IT Amendment Act, 2008
The latest amendments to the Information Technology Act of 2000, which were passed by the Lok Sabha in December, are worth reading carefully. There are a lot of good things happening, but there are still a lot of bad things happening. Positively, they reflect the government’s effort to establish a complex, technology-neutral approach. This is shown by its acceptance of electronic signatures rather than digital signatures. However, there should have been more done in this area (for instance, section 76 of the Act still talks of floppy disks). There have also been efforts to cope proactively with the Internet’s many new problems.
Section 69A and the Blocking Rules: Allowing the Government to block content under certain circumstances: The Central Government can block material under Section 69A of the Information Technology (Amendment) Act, 2008 if it believes that it threatens the state’s protection, sovereignty, dignity, or defence, friendly ties with foreign states, public order, or incitement to commit a cognisable offence related to any of the above. The Blocking Rules provide a collection of protocols and protections that the government must follow while doing so.
Section 79 and the IT Rules: Privatising censorship in India: The liability of a wide range of intermediaries in India is regulated by Section 79 of the Information Technology (Amendment) Act, 2008. The section gained notoriety primarily as a result of the notorious Intermediary Guidelines Rules, or IT Rules, promulgated under it. The IT Rules constitute an important and troubling step towards the privatisation of censorship in India.
Sections 67 and 67A: No nudity, please : In India, the vast amount of ‘obscene’ content that circulates on the Internet has long been a source of discussion. It’s not surprising, then, that just as obscenity is prohibited offline in the country, it has also prohibited online. Sections 67 and 67A of the IT Act, which prohibit pornographic and sexually explicit content, are the most relevant tools for limiting it.
Section 66A: Do not send offensive messages: The Information Technology (Amendment) Act of 2008, Section 66A, makes it illegal to send offensive messages via a communication device (i.e. through an online medium). This includes offensive messages with a threatening tone, as well as messages that are false but are sent with the intent of causing irritation, inconvenience, threat, interference, insult, injury, criminal coercion, enmity, hate, or ill will. You could face up to 3 years in jail and a fine if you’re charged under Section 66A.
The Personal Data Protection Bill, 2019
The MEITY formed a 10-member committee headed by retired Supreme Court judge B.N. Srikrishna to make recommendations for a draught Bill on personal data security after the Supreme Court’s landmark judgement in the Justice KS Puttaswamy case, which held that privacy is a fundamental right. The committee submitted its report titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians” along with a draught bill on personal data security after working on it for a year. Mr. Ravi Shankar Prasad, Minister for Electronics and Information Technology, introduced the updated Personal Data Protection Bill, 2019 (Bill) in the Lok Sabha on December 11, 2019. The Bill regulates the processing of personal data by the following entities: (i) the government, (ii) Indian companies, and (iii) international companies dealing with the personal data of Indian citizens. Personal data is information about an individual’s features, qualities, or attributes of identity that can be used to classify them. Certain personal data is classified as sensitive personal data under the bill. Financial data, biometric data, caste, religious or political views, or any other type of data defined by the government in consultation with the authority and the relevant sectoral regulator are all examples of this.
C The MEITY formed a 10-member committee headed by retired Supreme Court judge B.N. Srikrishna to make recommendations for a draught Bill on personal data security after the Supreme Court’s landmark judgement in the Justice KS Puttaswamy case, which held that privacy is a fundamental right. The committee submitted its report titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians” along with a draught bill on personal data security after working on it for a year. Mr. Ravi Shankar Prasad, Minister for Electronics and Information Technology, introduced the updated Personal Data Protection Bill, 2019 (Bill) in the Lok Sabha on December 11, 2019. The Bill regulates the processing of personal data by the following entities: (i) the government, (ii) Indian companies, and (iii) international companies dealing with the personal data of Indian citizens. Personal data is information about an individual’s features, qualities, or attributes of identity that can be used to classify them. Certain personal data is classified as sensitive personal data under the bill. Financial data, biometric data, caste, religious or political views, or any other type of data defined by the government in consultation with the authority and the relevant sectoral regulator are all examples of this.
Thus, there is currently no explicit law in India regulating data security or privacy. India lacks a comprehensive law on data and privacy law. India has also not ratified any international privacy or data security treaties. The Information Technology Act of 2000 includes unique privacy protections (IT Act). The Indian Supreme Court ruled in 2017 that people of India have a fundamental right to privacy, which is protected by Article 21 of the Indian Constitution. This right, according to the Court, requires, among other things, the right to informational privacy. The government appointed a 10-member committee under the chairmanship of Justice BN Srikrishna, a former Supreme Court Justice, to give this judgement meaning in the form of comprehensive legislation. The Srikrishna committee was tasked with compiling an in-depth study of the subject’s current rules. The Srikrishna committee issued a report in 2018 that was over 200 pages long. The Srikrishna report looked at India’s existing patchwork of applicable legislation, looked at other countries’ regulatory approaches to privacy and data security, and set out a detailed case for a better legal system. The draught Personal Data Security Bill 2018 was included with the study. Privacy is a fundamental human right, and computer systems store vast quantities of potentially sensitive data. A codified data protection legislation is set to be implemented in India soon. The right to privacy is protected by the Constitution, but its expansion and extension are solely at the discretion of the courts. It is exceedingly difficult to prevent information from leaking into the public domain in today’s connected world if anyone is willing to do so without resorting to extremely repressive methods. The Information Technology (Amendment) Act, 2008 dealt with data security and privacy, but not in a comprehensive way. The Information Technology Act must define strict guidelines for the methods and purposes of assimilation of the right to privacy and personal data. To sum up, the IT Act has an issue with data security, and separate legislation is desperately needed to strike an appropriate balance between personal liberty and privacy.