Examine the Constitutional Right to Privacy in relation to Technology and Data Collection Practices

Tejal Garg

Introduction

In its literal sense, "privacy" refers to the ability of an individual or group of individuals to keep information private and manage their schedules.[i] “Several international treaties and conventions, as well as various national laws worldwide, have recognised the right to privacy as a fundamental human right. Article 12 [ii]of the Universal Declaration of Human Rights and Article 17[iii] The International Covenant on Civil and Political Rights states, “No one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor unlawful attacks on his or her honour and reputation”.[iv] As per the Black’s Law Dictionary[v], ‘Right to Privacy’ has been defined as the “right to be let alone; the right of a person to be free from any unwarranted publicity; the right to live without any unwarranted interference by the public in matters with which the public is not necessarily concerned.” One of the essential components of existence is privacy. To survive in this world, one needs privacy. Without one's solitude, nothing can be accomplished.”[vi] 

Right to Privacy in India

In India, the Right to Privacy was not envisaged by the makers of the Indian Constitution. As a result, the Indian Constitution does not mention the right to privacy as a fundamental right. However, after careful consideration by the Indian judiciary, Article 21[vii] of the Indian Constitution—which guarantees the right to life and liberty—now recognises the right to privacy as a fundamental right. A unanimous verdict in the well-known and historical case of K.S. Puttaswamy & Anr. v. Union of India & Ors.[viii] established that privacy is a fundamental right. Part III of the Indian Constitution guarantees rights, including the right to life and personal liberty, which include the right to privacy as an inalienable component. The Bench further decided that, like all other fundamental rights in India, the right to privacy is not unqualified and is instead subject to reasonable limitations[ix]. 

Before this case, at various points in time, the Indian judiciary had already maintained the right to privacy over others in many instances. The cases in the series are as follows:

1.     Kharak Singh v. State of UP & Ors.[x] – The six-judge panel decided that unlawful intrusion into a person's home infringes their right to privacy and that surveillance violates their right to personal liberty.

2.     PUCL v. Union of India[xi] - In this case, the division bench concluded that tapping a phone constitutes an invasion of privacy, but having a phone call is an exercise in freedom of expression. This case is also known as the "Phone Tapping Case."

3.     Mr X v. Hospital Z[xii] - The court determined that the right to privacy is not unqualified. In the present case, a doctor disclosed to the patient's spouse the patient's HIV status; the court ruled that the physician was permitted to provide such information when necessary.

4.     Jamiruddin Ahmed v. State of West Bengal[xiii] - In the present case, the court ruled that a person's right to privacy is violated when a search or seizure is carried out without a warrant.

5.     Ram Jethmalani & Others v. Union of India[xiv] - The Black Money case is the colloquial name for this case. The Indian Supreme Court decided in this case that disclosing a person's bank account information without first providing evidence to support a criminal charge against them is a violation of their right to privacy.

6.     Supreme Court takes suo moto notice of the Ramlila Maidan Incident – In the present case, the Supreme Court suo moto heard the issue about Baba Ramdev's crackdown on anti-corruption demonstrators sleeping at Ramlila Maidan. Since the right to privacy is inalienable to the right to life and liberty, the court recognised the right to sleep as a component of the right to dignity and privacy and refused to allow "illegitimate intrusion into a person's privacy."[xv]

As a result, the right to privacy has been acknowledged as a fundamental right under Article 21 of the Indian constitution following a protracted legal battle that ended with the K.S. Puttaswamy case. This recognition comes under the established right to life and personal liberty.

Technology and Need for Data Protection

Science and technology have made significant strides recently. Organisations must gather vast amounts of data from them to provide customers with improved services that meet their wants and demands. Data processing, communication, data storage, and collecting are all involved in this process. However, users accessing their personal information to these institutions or organisations' information exposes them vulnerably to privacy violations. This invasion of privacy also originates from an individual domain.[xvi]

In India, the government has passed laws specifically designed to safeguard individuals' private digital information provided to these institutions via online platforms. The Digital Personal Data Protection Act of 2023[xvii] and the Information Technology Act of 2000[xviii] These are the two most significant laws.

The recently passed Digital Personal Data Protection Act 2023 is a meaningful and transformative move in Indian history because it protects users' data who provide information online on arbitrary platforms; safeguarding the right to privacy is a big step forward.[xix]  Here are a few of the Act's most important highlights:

1.     Purpose of the Act – The primary goal of the Digital Personal Data Protection Act is to enable the processing of digital personal data in a way that respects individuals'      right to have their personal data protected and the necessity of processing such data for lawful purposes.

2.     Obligations on Data Fiduciary - Data fiduciaries must process the data principal's personal information only for authorised purposes and only for those approved by the principal. This guarantees that the data will not be used for purposes unapproved by the data principal. To process the principal's information and specify why, the data fiduciary must first get the principal's consent. It must take all necessary precautions to protect the data principal's personal information. It must notify the affected parties and the Board of the incident in a breach. They must guarantee appropriate channels for redressing grievances. 

3.     Right of the Data Principal - Under the Act, a Data Principal who provides his personal information for processing is entitled to several rights. Among these rights is the freedom to grant, manage, review, and withdraw consent as required. Additionally, it gives the Data Principal the ability to update, add, remove, or modify any personal information that the data fiduciary has obtained about them. In the event of a complaint, the data principal is entitled to request a grievance remedy from the Board.”

4.     Penalties for breaches - The Act specifies the following grounds that can be used to determine the penalty that can be imposed in the event of a violation or other grievance of the data principal:

a.      The nature, gravity and duration of the breach,

b.     The type and nature of the personal data affected by the breach,

c.      Repetitive nature of the breach,

d.     Whether the person, as a result of the breach, has realised a gain or avoided any loss,

e.      Whether the person took any action to mitigate the effects and consequences of the breach and the timeliness and effectiveness of such action,

f.      Whether the monetary penalty to be imposed is proportionate and adequate for the need to secure observance of and deter breach of the provisions of the Act,

g.     The likely impact of the imposition of the monetary penalty on the person.” [xx]

Concerns

The Digital Personal Data Protection Act of 2023 is a historic step towards guaranteeing the right to privacy in India and for Indian individuals; however, for the Act to be adequately implemented and ultimately achieve its goals, some issues and shortcomings must be solved. “

1.     Unlimited powers and zero liability of the State - The Central Government has unrestricted discretionary powers and is not liable for any actions the State takes. This allows them to hold a significant amount of public information, which they may misuse for political purposes or in the name of security. When the government exempts any "instrumentalities of the State" from the Act's provisions, the Act grants the government more authority.  [xxi]

2.     Application to non-digital data - The Act covers digital and non-digital data that is later digitalised     . However, how will an individual determine whether or not the data fiduciary has digitised      information that was provided in hard copy?

3.     Does not adhere to international standards - The Act does not adhere to international standards, particularly those about "sensitive personal data" and "anonymisation of data."

4.     Data Protection Board of India - With the responsibility of safeguarding the privacy of the whole country, the Board is anticipated to be among the most potent and autonomous organisations. Regretfully, the Central Government has complete authority over it.”

Conclusion

As we are well aware, the Indian Constitution recognises the right to privacy as a fundamental right. Furthermore, several international conventions and treaties acknowledge it as a human right. The intrinsic human right to privacy has also been articulated and is the foundation for this right.[xxii] Organisations are now required by law to protect the personal information of those from whom they have obtained it and to adhere to all social and legal norms.

The Indian government created laws such as the Digital Personal Data Protection Act of 2023 and the Information Technology Act of 2000 to guarantee the same. The Act has several good aspects. For example, it is pretty simple, making it easy for laypeople to understand and apply, and it effectively restricts the activities of enterprises and organisations. It also guarantees the preservation of people's right to privacy. To the extent that it was intended when the Act was being created, the primary goal of the Digital Personal Data Protection Act must be realised, notwithstanding a few shortcomings that must be remedied. The remaining portions of the Act do a great job of protecting Indian residents' right to privacy.

REFERENCES

[i] https://timesofindia.indiatimes.com/readersblog/the-daily-roam/right-to-privacy-an-indian-context-55047/

[ii] Article 12, Universal Declaration of Human Rights, Dec. 8 1948.

[iii] Article 17, International Covenant on Civil and Political Rights, Dec. 16, 1966.

[iv] https://www.ohchr.org/en/privacy-in-the-digital-age/international-standards#:~:text=Article%2012%20of%20the%20Universal,his%20or%20her%20honor%20and 

[v] Right to Privacy Definition, Black’s Law Dictionary (9th ed. 2009), available at Westlaw.

[vi] Kush Kalra, Right to privacy under Indian Constitution, GIBS Law Journal, 45, 45, 2020, https://gitarattan.edu.in/wp-content/uploads/2020/11/giBS-Law-Journal-2020-Research-Paper-5.pdf.

[vii] INDIA CONST. art. 21..

[viii] Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors., (2017) 10 SCC 1, AIR 2017 SC 4161.

[ix] https://loksabhadocs.nic.in/Refinput/New_Reference_Notes/English/Right%20to%20Privacy%20as%20a%20fundamental%20Right.pdf 

[x] Kharak Singh v. State of UP & Others, 1963 AIR SC 1295.

[xi] PUCL v. Union of India, AIR 1997 SC 568.

[xii] Mr X v. Hospital Z, 1998 (8) SCC 296.

[xiii] Jamiruddin Ahmed v. State of West Bengal, Criminal Appeal No. 1535 of 2008.

[xiv] Ram Jethmalani & Others v. Union of India, (2011) 8 SCC 1.

[xv] https://loksabhadocs.nic.in/Refinput/New_Reference_Notes/English/Right%20to%20Privacy%20as%20a%20fundamental%20Right.pdf 

[xvi] Privacy and Its Protection in Informative Technological Compass in India, (2019) 12 NUJS L Rev 287.

[xvii] Digital Personal Data Protection Act, 2023, No. 22, Acts of Parliament, 2023 (India).

[xviii] Information Technology Act, 2005, No. 21, Acts of Parliament, 2000 (India).

[xix] The Digital Personal Data Protection Bill, 2022, 2023 SCC OnLine Blog OpEd 82

[xx] Digital Personal Data Protection Act, 2023, § 33, No. 22, Acts of Parliament, 2023, (India).

[xxi] The Digital Personal Data Protection Bill, 2022, 2023 SCC OnLine Blog OpEd 82.

[xxii] Soli J. Sorabjee, Creative Role of Indian Judiciary in Enlarging and Protecting Human Rights, 17 JOURNAL OF THE NATIONAL HUMAN RIGHTS COMMISSION 21 (2018), 22.