PRIVACY AND DATA PROTECTION IN INDIA: A CRITICAL ASSESSMENT

Abstract

The aim of this paper is to initiate a serious debate on right to privacy and data protection in the Indian perspective. Privacy though not expressly provided under the Constitution; it impliedly takes into it the right to privacy as personal liberty guaranteed under article 21. There is an inherent conflict between right to privacy and data protection. The data protection may include financial details, health information, business proposals, intellectual property, and sensitive data. Data protection and privacy have been dealt within the Information Technology (Amendment) Act, 2008 but not in an exhaustive manner. The IT Act is not sufficient in protection of data and hence a separate legislation in this regard is required.

Introduction

THE RIGHT TO PRIVACY is a multi-dimensional concept. In modern society right to privacy has been recognized both in eyes of law and in common parlance. Article 21 protects the right to privacy and promotes the dignity of the individual. In recent years there has been a growing fear about the large amount of information about individuals held in computer files. The right to privacy refers to the specific right of an individual to control the collection, use and disclosure of personal information. Personal information could be in the form of personal interests, habits and activities, family and educational records, communications (including mail and telephone records), medical records and financial records, to name a few. An individual could easily be harmed by the existence of computerised data about him/her which is inaccurate or misleading and which could be transferred to an unauthorised third party at high speed and at very little cost. This growth in the use of personal data has many benefits but it could also lead to many problems.

Further, the convergence of technologies has spawned a different set of issues concerning privacy rights and data protection. Innovative technologies make personal data easily accessible and communicable. There is an inherent conflict between right to privacy and data protection. Data protection should primarily reconcile these conflicting interests to information. But, the data of individuals and organizations should be protected in such a manner that their privacy rights are not compromised.

Concept of privacy

The terms privacy and right to privacy cannot be easily conceptualized. It has been taken in different ways in different situations. Tom Gaiety opined that 'right to privacy is bound to include body's inviolability and integrity and intimacy of personal identity including marital privacy. Jude Cooley explained the law of privacy and has asserted that privacy is synonymous to 'the right to be let alone. Edward Shils has also explained privacy as 'zero relationship between two or more persons in the sense that there is no interaction or communication between them, if they so choose.' Warren and Brandeis have very eloquently explained that ' once a civilization has made distinction between the "outer" and "inner" man, between the life of the soul and the life the body. The idea of a private sphere is in which man may become and remain himself.' In modern society privacy has been recognized both in the eyes of law and in common parlance. But it varies in different legal systems as they emphasize different aspects. Privacy is a neutral relationship between persons or groups or between groups and person.

Privacy is a value

The cultural state or condition directed towards individual on collective self-realization varying from society to society. The Indian Constitution provides a right to freedom of speech and expression, which implies that a person is free to express his will about certain things. A person has the freedom of life and personal liberty, which can be taken only by procedure established by law. These provisions improvably provide right to privacy to individuals and/or groups of persons. The privacy of a person is further secured from unreasonable arrests, the person is entitled to express his wishes regarding professing and propagating any religion. The privacy of property is also secured unless the law so authorises i.e. a person cannot be deprived of his property unlawfully. The personal liberty mentioned in article 21 is of the widest amplitude and it covers a variety of rights which go constitute the personal liberty viz. secrecy, autonomy, human dignity, human right, self-evaluation, limited and protected communication, limiting exposure of man etc. And some of them have been raised to the status of fundamental right, viz life and personal liberty, right to move freely, freedom of speech and expression, individual and societal rights and are given protection under Article 19. Article 21 as such protects the right to privacy and promotes the dignity of the individual. Privacy relates to ability to control the dissemination and use of one's personal information.

Judicial activism: Right to privacy

Judicial activism has brought the right to privacy within the realm of fundamental rights by interpreting Articles 19 and 21. The judiciary has recognized right to privacy as a necessary ingredient of the right to life and personal liberty. The Supreme Court of India has interpreted the right to life to mean right to dignified life in Kharak Singh case,9 especially the minority judgment of Subba Rao J. In Govind v. State of M.P., Mathew J delivering the majority judgment asserted that the right to privacy was itself a fundamental right, but subject to some restrictions on the basis of compelling public interest. Privacy as such interpreted by the apex court in its various judgments means different things to different people. Privacy is a desire to be left alone, the desire to be paid for one's data and ability to act freely.

Telephone tapping and privacy

Right to privacy is affected by new technologies. Right to privacy relating to a person's correspondence has become a debating issue due to the technological developments. There have been cases of intercepting mails and telephonic communication of political opponents as well as of job seekers. Section 5(2) of the Indian Post Office Act and section 26(1) the Indian Telegraph Act empower the central and state governments to intercept telegraphic and postal communications on the occurrence of public emergency in the interest of public safety. In R.M. Malkani v. State of Maharashtra, the Supreme Court observed that the court will not tolerate safeguards for the protection of the citizen to be imperilled by permitting the police to proceed by unlawful or irregular methods. Telephone tapping is an invasion of right to privacy and freedom of speech and expression and also government cannot impose prior restraint on publication of defamatory materials against its officials and if it does so, it would be violative of articles 21 and 19(l)(a) of the Constitution. Kuldip Singh J opined in People's Union for Civil Liberties v. Union of India that right to hold a telephonic conversation in the privacy of one's home or office without interference can certainly be claimed as right to privacy. In this case Supreme Court laid down certain procedural guidelines to conduct legal interceptions, and also provided for a high-level review committee to investigate the relevance of such interceptions. But such caution has been thrown to winds in recent directives from government bodies as is evident from phone tapping incidents that have come to light. In State of Maharashtra v. Bharat Shanti Lai Shah, the Supreme Court said that interception of conversation though constitutes an invasion of an individual's right to privacy it can be curtailed in accordance with procedure validly established by law. The court has to see that the procedure itself must be fair, just and reasonable and not arbitrary, fanciful or oppressive. An authority cannot be given an untrammelled power to infringe the right to privacy of any person. In Neera Radia tape case to use phone tapping as a method of investigation in a tax case seems to be an act of absurd overreaction. For so many journalists, politicians and industrialists to have their phone tapped without a rigorous process of oversight represents a gross violation of basic democratic principles.

Women's liberty and privacy

The right to privacy implies the right not merely to prevent the incorrect portrayal of private life but the right to prevent it being depicted at all. Even a woman of easy virtue is entitled to privacy and no one can invade her privacy as and when he likes.The modesty and self-respect may perhaps preclude the disclosure of such personal problems like whether her menstrual period is regular or painless etc? The basic right of female is to be treated with decency and proper dignity. But if a person does not like marriage and lives with another it is entirely his or her choice which must be respected. Sense of dignity is a trait not belonging to society ladies only, but also to prostitutes. Rape is not only a crime against the person of a woman it is crime against the entire society. As a victim of sex crime, she would not blame anyone but the culprit. Rapist not only violates the victim's privacy and personal integrity, but inevitably causes serious psychological as well as physical harm in the process. Rape is not merely assault- it is often destructive of the whole personality of the victim. Right to privacy is an essential requisite of human personality embracing within it the high sense of morality, dignity, decency, and value orientation.

The question of relation between the right to privacy and conjugal rights arose for the first time in Sareetha v. Vankta Subbaih, wherein the Andhra Pradesh High Court held the provisions of section 9 of the Hindu Marriage Act 1955 i.e. the restitution of conjugal rights, as unconstitutional as it is violative of article 21 of the Constitution of India vis-à-vis right to privacy. But in Harvinder Kaur v. Harmander Singh , the Delhi High Court held that though sexual relations constitute most important attribute of the concept of marriage but they do not constitute its whole content. Sexual intercourse is one of elements that goes to make up the marriage but it is not summum bonum. In Saroj Rani v. Sudarshan Kumar Chandha , the Supreme Court agreed with Delhi High Court and thereby upheld the constitutionality of section 9. This right is within the right to marry and it does not violate the right to privacy of wife. It has been generally felt that the Supreme Court in this case lost an ideal opportunity for changing law in this regard in accordance with the changing spirit of the times. The right of the husband or the right of wife to the society of the other is not a creation of statute. The Law Commission of India in its 71st report stated that the essence of marriage is the sharing of common life, the sharing of all the happiness that life has to offer and all the miseries that have to be faced in life, an experience of the joy that comes from enjoying the common things of the matter. Once the woman enters into the marriage relation, her right to privacy must be seen in the context of family life.

The other question that may be raised regarding the appropriateness of giving legislative judgment about abortion. The objective in prohibiting abortion is to protect the societal interest in procreation. If women were given the ultimate right of privacy to terminate pregnancy whenever they wish to do so, such right if exercised by the women could effectively threaten the life of the unborn child and the societal interest in procreation. The question is whether the right to privacy encompasses woman's decision or not? A woman's right to make reproductive choices is also a dimension of personal liberty as understood under article 21 of the Constitution. Reproductive choices can be exercised to procreate as well as to abstain from procreating. The crucial consideration is that a woman's right to privacy, dignity and bodily integrity should be respected. Reproductive rights include a women's entitlement to carry pregnancy to its full term, to give birth and to subsequently raise children. A woman's right to terminate her pregnancy is not absolute and may to some extent be limited by the state's legitimate interests in safeguarding the woman's protecting potential human life. Recognizing that the sanctity of life has a supreme value in the hierarchy of values, it is nonetheless true that the human foetuses cannot claim any rights superior to that of born persons because of the following reasons:

a. A foetus is not a person;
b. The court does not know 'when life begins', it does know that 'the unborn have never been recognized in the law as persons in the whole sense;
c. We do not agree that life begins at conception and is present throughout pregnancy.

Hence, many countries in the world have reformed their laws to allow abortion in a variety of circumstances, usually abnormality in the foetus, or the pregnancy being a result of rape or incest or danger to the life of the mother. In fact, an abortion decision involves competing interests of the society, that of the woman and also that of the foetus. Abortion should not be recognized as a matter of personal privacy and must be prohibited unless there is an urgent necessity.

Press, E-media and Privacy

The freedom of press has not been expressly mentioned in article 19 of the Constitution of India but has been interpreted that it is implied under it. In R. Rajagopal v. State of Tamil Nadu, the Supreme Court held that the petitioners have a right to publish what they allege to be the life-story/ autobiography of Auto Shankar insofar as it appears from the public records, even without his consent or authorization. But if they go beyond that and publish his life story, they may be invading his right to privacy. The Constitution exhaustively enumerates the permissible grounds of restriction on the freedom of expression in article 19 (2); it would be quite difficult for courts to add privacy as one more ground for imposing reasonable restriction. So, a female who is the victim of sexual assault, kidnapping, abduction or a like offence should not further be subject to the indignity of her name and the incident being published in press media. The freedom of speech and expression as envisaged in article 19 (l)(a) of the Constitution also clothes a police officer to seize the infringing copies of the book, document or newspaper and to search places where they are reasonably suspected to be found, impinging upon the right to privacy. Newspaper or a journalist or anybody has the duty to assist the state in detection of the crime and bringing criminal to justice. Withholding such information cannot be traced to right to privacy in itself and is not an absolute right. Regarding protection of privacy vis-a-vis encroachment by press the judicial approach is not very clear. There is no specific legislation in India which directly protects right to privacy against excessive publicity by press.

E-media includes television, radio, internet broadcast, and all electronic journalism which are used by today's media. Main purpose of media is to bridge the gap between government policy and public grievances. In Destruction of Public & Private Properties v. State of A.P of the Supreme Court held that media should base upon the principles of impartiality and objectivity in reporting; ensuring neutrality; responsible reporting of sensitive issues, especially crime, violence, agitations and protests; sensitivity in reporting women and children and matters relating to national security; and respect for privacy. Casting couch is very popular tool used by media nowadays which directly hammers the individual privacy. There is no guideline to handle this issue. Information privacy Information privacy or data privacy is the relationship between collection and dissemination of data technology, the public expectation of privacy, and the legal and political issues surrounding them. The extent to which confidentiality is to be protected could be understood from a few cases.

In Union of India v. Association of Democratic Reforms, the Supreme Court has put its stamp on the issue. The right to get information in a democracy is recognized all throughout and it is a natural right flowing from the concept of democracy. Article 21 confers on all persons a right to know which include a right to receive information. The ambit and scope of article 21 is much wider as compared to article 19(1) (a). In People's Union for Civil Liberties (PUCL) v. Union of India, the Supreme Court observed that right to information of a voter or citizen is thereby promoted. When there is a competition between the right to privacy of an individual and the right to information of the citizens, the former right has to be subordinated to the latter right as it serves larger public interest. The question arises to what extent a voter has a right to know about a candidate's privacy. The voter's right to know about a candidate’s privacy can be protected and flourished by removing the drawbacks of laws relating to voters right to information. Privacy means the right to control the communication of personally identifiable information about any person. It requires a balancing attitude; a balancing interest. Thus, it ultimately requires a healthy and congenial inter-relationship between the social good and the individual liberty. Thus, it is concluded that one has to maintain a balance between the right to information of a citizen and the right of privacy of a candidate seeking election.

Health and Privacy

Health sector is the important concern in privacy. Your health information includes any information collected about your health or disability, and any information collected in relation to a health service you have received. Many people consider their health information to be highly sensitive. The right to life is so important that it supersedes right to privacy. Under medical ethics, a doctor is required not to disclose the secret information about the patient as the disclosure will adversely affect or put in danger the life of other people. The Supreme Court held that the doctor patient relationship though basically commercial, is professionally a matter of confidence and therefore, doctors are morally and ethically bound to maintain confidentiality. In such a situation public disclosure of even true private facts may sometimes lead to the clash of one person's right to be let alone with another person's right to be informed. In another case the apex court said that46 the hospital or doctor was open to reveal such information to persons related to the girl whom he intended to marry and she had a right to know about the HIV-positive status of the appellant. The court also held that the appellant's right was not affected in any manner in revealing his HIV-positive status to the relatives of his fiancée.

In Selvi v. State of Karnataka, the Supreme Court held that narco-analysis, lie-detection and BEAP tests in an involuntary manner violate prescribed boundaries of privacy. A medical examination cannot justify the dilution of constitutional rights such as right to privacy. If DNA test is eminently needed to reach the truth, the court must exercise the dissector of medical examination of a person. Therefore, the Supreme Court was of the view that though the right to personal liberty has been read into article 21, it cannot be treated as an absolute right. To enable the court to arrive at a just conclusion a person could be subjected to test even though it would invade his right to privacy. It concluded that one has to maintain a balance between the rights of a citizen and the right to privacy. It ultimately requires a healthy and congenial enter- relationship between the social good and the individual liberty.

Privacy and Data Protection

Privacy and data protection require that information about individuals should not be automatically made available to other individuals and organizations. Each person must be able to exercise a substantial degree of control over that data and its use. Data protection is legal safeguard to prevent misuse of information about individual person on a medium including computers. It is adoption of administrative, technical, or physical deterrents to safeguard personal data. Privacy is closely connected to data protection. An individual's data like his name address, telephone-numbers, profession, family, choices, etc. are often available at various places like schools, colleges, banks, directories, surveys and on various web sites. Passing of such information to interested parties can lead to intrusion in privacy like incessant marketing calls. The main principles on privacy and data protection enumerated under the Information Technology (Amendment) Act, 2008 are defining data, civil and criminal liability in case of breach of data protection and violation of confidentiality and privacy.

Concept of Data Protection

The Information Technology Act which came into force in the year 2000 is the only Act to date which covers the key issues of data protection, albeit not every matter. In fact, the Information Technology (Amendment) Act, 2008 enacted by the Indian Parliament is the first legislation, which contains provisions on data protection. According to section 2(1) (o) of the Act, "Data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed or is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer". The IT Act does not provide for any definition of personal data and, the definition of "data" would be more relevant in the field of cyber-crime. Further, the IT Act defines certain key terms with respect to data protection, like access, Computer, Computer network, Computer resource, Computer system, Computer database, Data, Electronic form, electronic record, Information, Intermediary, Secure system, and Security procedure. The idea behind the aforesaid section is that the person who has secured access to any such information shall not take unfair advantage of it by disclosing it to the third party without obtaining the consent of the concerned party. 'Third party information' is defined to mean 'any information dealt with by an intermediary in his capacity as an intermediary', and it may be arguable that this limitation also applies to 'data' and 'communication'. Section 79 provides that an intermediary shall not be liable for any third-party information, data, or communication link made available or hasted by him except in the conditions provided in sub-section (2) and (3) thereof. The IT Act doesn't provide any definition of personal data. Furthermore, the definition of "data" would be more relevant^ in the field of cyber-crime. Data protection consists of a technical framework of security measures designed to guarantee that data are handled in such a manner as to ensure that they are safe from unforeseen, unintended, unwanted or malevolent use.

Civil Liability and Data Protection

The Information Technology (Amendment) Act 2008 provides for civil liability in case of computer database theft, computer trespass, unauthorized digital copying, downloading and extraction of data, privacy violation etc.

Furthermore, section 43 provides for penalty for a wide range of cyber contraventions such as:
(a) related to unauthorised access to computer, computer system, computer network or resources;
(b) unauthorised digital copying, downloading and extraction of data, computer database or information, theft of data held or stored in any media;
(c) introduced any computer contaminant or computer virus into any computer system or computer network;
(d) unauthorised transmission of data or programme residing within a computer, computer system or computer network;
(e) computer data/ database disruption, spamming etc.; (f) denial of service attacks, data theft, fraud, forgery etc.;
(g) unauthorised access to computer data/computer databases; (h) instances of data theft (passwords, login IDs) etc.;
(i) destroys, deletes or alters any information residing in a computer resource etc and
(j) steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage.

Explanation (ii) of section 43 provisions definition of computer database as "a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalized manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network."

Section 43A provides for 'compensation for failure to protect data', it provides:

"Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected". There is no limitation imposed on the compensation that can be awarded. Section 43A which provides for civil action for security breaches is based on the concept of 'sensitive personal information'. Other than that, there is no special protection in Indian law for sensitive personal information. Section 43A provides for compensation to an aggrieved person whose personal data including sensitive personal data may be compromised by a company, during the time it was under processing with the company, for failure to protect such data whether because of negligence in implementing or maintaining reasonable security practices.

This provision, therefore, provides a right of compensation against anyone other than the person in charge of the computer facilities concerned, effectively giving a person a right not to have their personal information disclosed to third parties, or damaged or changed by those third parties. The section is equally able to be used by data controllers or the subjects of personal information against third parties. It is only that they will be 'affected' in different ways which justify compensation. It also provides that accessing data in an unauthorized way is a civil liability.

Criminal Liability and Data Protection

The Information Technology (Amendment) Act, 2008 provides for criminal liability in case of computer database theft, privacy violation etc. The Act also make wide ranging amendments in chapter XI enfacing sections 65-74 which cover a wide range of cyber offences, including offences related to unauthorised tempering with computer source documents, dishonestly or fraudulently doing any act referred to in section 43, sending offensive messages through communication service etc., dishonestly receiving stolen computer resource or communication device, identity theft, cheating by personation by using computer resource, violation of privacy, cyber terrorism, transmitting obscene material in electronic form, transmitting of material containing sexually explicit act, etc., in electronic form, transmitting of material depicting children in sexually explicit act, etc., in electronic form, any intermediary intentionally or knowingly contravening the provisions of sub-section (1) of section 43, any person intentionally or knowingly failing to comply with any order of controller, interception or monitoring or decryption of any information through any computer resource, blocking for public access of any information through any computer resource, intermediary contravening the provisions of sub section (2) of section 69B by refusing to provide technical assistance to the agency authorised by the Central Government to monitor and collect traffic data or information through any computer for cyber security, securing access or attempting to secure access to any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, any misrepresentation to or suppressing any material fact from the Controller or the Certifying Authority, breach of confidentiality and privacy, disclosure of information in breach of lawful contract, publishing electronic signature certificate false in certain particulars, and electronic signature certificate for any fraudulent or unlawful purpose.

India does not have specific data protection legislation, other than the IT Act, which may give the authorities sweeping power to monitor and collect traffic data, and possibly other data. The IT Act does not impose data quality obligations in relation to personal information and does not impose obligations on private sector organizations to disclose details of the practices in handling personal information.

Violation of confidentiality and privacy

The terms violation of confidentiality and privacy are described under the IT Act. Section 66-E very eloquently explains violation of privacy as 'whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person.' Section 66-E explanation (e) has also explained violation of privacy as 'circumstances in which a person can have a reasonable expectation that- (i) he or she could disrobe in privacy, without being concerned that an image of his private area was being captured; or (ii) any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place.' Section 72 provides for penalty for breach of confidentiality and privacy as meaning 'any person securing access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record book, register, correspondence, information, document or other material to any other person.' Section 72A also explains the law of privacy and asserts that disclosure of information in breach of lawful contract -'save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person' amounts to breach of privacy and provides for punishment for the same.

Sections 66E, 72, and 72A require the consent of the concerned persons but, within limited scope as it would be difficult to consider that it could provide a sufficient level of personal data protection. Indeed, these sections confine themselves to the acts and omissions of those persons, who have been conferred powers under the Act. These sections provide for monitoring violation of privacy, breach of confidentiality and privacy, and disclosure of information in breach of lawful contract. Breach of confidentiality and privacy is aimed at public and private authorities, which have been granted power under the Act. In District Registrar and Collector v. Canara Bank, u the Supreme Court said that the disclosure of the contents of the private documents of its customers or copies of such private documents, by the bank would amount to a breach of confidentiality and would, therefore, be violative of privacy rights of its customers.

Conclusion

Privacy is a basic human right and computer systems contain large amounts of data that may be sensitive. Chapters IX and XI of the Information Technology Act define liabilities for violation of data confidentiality and privacy related to unauthorized access to computer, computer system, computer network or resources, unauthorized alteration, deletion, addition, modification destruction, duplication or transmission of data, computer database, etc. The data protection may include financial details, health information, business proposals, intellectual property and sensitive data.

However, today one can access any information related to anyone from anywhere at any time but this poses a new threat to private and confidential information. Globalization has given acceptance to technology in the whole world. As per growing requirement different countries have introduced different legal framework like DPA (Data Protection Act) 1998 UK, ECPA (Electronic Communications Privacy Act of 1986) USA etc. from time to time. Some special privacy laws exist for protecting student education records, children's online privacy, individual's medical records and private financial information. In both countries self-regulatory efforts are facilitating to define improved privacy surroundings. The right to privacy is recognized in the Constitution but its growth and development is entirely left to the mercy of the judiciary. In today's connected world it is very difficult to prevent information to escape into the public domain if someone is determined to put it out without using extremely repressive methods. Data protection and privacy has been dealt within the Information Technology (Amendment) Act, 2008 but not in an exhaustive manner. The IT Act needs to establish setting of specific standards relating to the methods and purpose of assimilation of right to privacy and personal data. To conclude it would suffice by saying that the IT Act is facing the problem of protection of data and a separate legislation are much needed for data protection striking an effective balance between personal liberties and privacy.