Right to Privacy
The right to privacy is inextricably bound up with all exercises of human
liberty both as it is specifically enumerated across Part III, and as it is
guaranteed in the residue under Article 21. It is distributed across the various
articles in Part III and, mutatis mutandis, takes the form of whichever of their
enjoyment its violation curtails.
Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors.
It's the cornerstone of the 'Right to Privacy' jurisprudence in India. The
nine Judge Bench in this case unanimously reaffirmed the right to privacy as a
fundamental right under the Constitution of India.
The Court held that the right to privacy was integral to freedoms guaranteed
across fundamental rights, and was an intrinsic aspect of dignity, autonomy, and
liberty.
The case began with the question of whether the right to privacy was a
fundamental right, which was raised in 2015 in the arguments concerning the
legal validity of the Aadhaar database.
The Attorney General appearing for the State argued that the existence of the
right to privacy as a fundamental right was in doubt in view of the two
decisions in the cases of
M.P. Sharma vs. Satish Chandra, District
Magistrate, Delhi ((1954) SCR 1077), rendered by an eight Judge Bench, and
Kharak Singh vs. State of Uttar Pradesh ((1964) 1 SCR 332), rendered by a
six Judge Bench. Both the cases, the State argued, contained observations that
the Constitution did not specifically protect the right to privacy as a
fundamental right. At the same time, several subsequent judgments over the years
had recognised the right to privacy as a fundamental right.
However, these subsequent decisions that affirmed the existence of the right to
privacy were rendered by benches of a smaller strength than M.P. Sharma and
Kharak Singh. Due to issues relating to the precedential value of judgments and
noting the far-reaching importance of the right to privacy, this case was
referred to a nine Judge Bench of the Supreme Court.
The Bench unanimously held that "the right to privacy is protected as an
intrinsic part of the right to life and personal liberty under Article 21 and as
a part of the freedoms guaranteed by Part III of the Constitution". In doing so,
it overruled previous judgments of the Supreme Court in M.P. Sharma and Kharak
Singh, insofar as the latter held that the right to privacy was not recognised
under the Indian Constitution.
In addition to cementing the place of the right to privacy as a fundamental
right, this case also laid down the need for the implementation of a new law
relating to data privacy, expanded the scope of privacy in personal spaces, and
discussed privacy as an intrinsic value.
Why There is a Necessity of the Data Protection Act
- Rise of the Internet
- Platform for goods & services
- Consumer Data for marketing
- Chance of misuse and Fraud
- Target Social Unrest
Personal Data Protection
The Act provides for the processing of digital personal data in a manner that recognizes both the rights of the individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.
- The Act protects digital personal data (that is, the data by which a person may be identified) by providing for the following:
- The obligations of Data Fiduciaries (that is, persons, companies, and government entities who process data) for data processing (that is collection, storage, or any other operation on personal data)
- The rights and duties of Data Principals (that is, the person to whom the data relates)
- Financial penalties for breach of rights, duties, and obligations
- The Act also seeks to achieve the following
- Introduce data protection law with minimum disruption while ensuring necessary change in the way Data Fiduciaries process data.
- Enhance the Ease of Living and the Ease of Doing Business.
- Enable India's digital economy and its innovation ecosystem.
Seven Principles of the Act:
- The principle of consented, lawful, and transparent use of personal data
- The principle of purpose limitation (use of personal data only for the purpose specified at the time of obtaining the consent of the Data Principal)
- The principle of data minimization (collection of only as much personal data as is necessary to serve the specified purpose)
- The principle of data accuracy (ensuring data is correct and updated)
- The principle of storage limitation (storing data only till it is needed for the specified purpose)
- The principle of reasonable security safeguard
- The principle of accountability (through adjudication of data breaches and provisions of the Act and imposition of penalties for the breaches)
The Act has a few other innovative features:
- The Act is concise and SARAL, that is, Simple, Accessible, Rational & Actionable Law, as it:
- Uses plain language
- Contains illustrations that make the meaning clear
- Contains no provisos
- Has minimal cross-referencing
- By using the word "she" instead of "he", it acknowledges women for the first time in Parliamentary law-making.
Rights to Individuals:
The Act provides for the following rights to individuals:
- The right to access information about personal data processed.
- The right to correction and erasure of data;
- The right to grievance redressal; and
- The right to nominate a person to exercise rights in case of death or incapacity.
To enforce his/her rights, an affected Data Principal may approach the Data Fiduciary in the first instance. In case he/she is not satisfied, he/she can complain against the Data Fiduciary to the Data Protection Board in a hassle-free manner.
Obligations of Data Fiduciary:
- To have security safeguards to prevent personal data breach;
- To intimate personal data breaches to the affected Data Principal and the Data Protection Board;
- To erase personal data when it is no longer needed for the specified purpose;
- To erase personal data upon withdrawal of consent;
- To have in place a grievance redressal system and an officer to respond to queries from Data Principals;
- To fulfill certain additional obligations in respect of Data Fiduciaries notified as Significant Data Fiduciaries, such as appointing a data auditor and conducting periodic Data Protection Impact Assessment to ensure a higher degree of data protection.
Protection of Children's Personal Data:
- The Act allows a Data Fiduciary to process the personal data of children only with parental consent.
- The Act does not permit processing which is detrimental to the well-being of children or involves tracking, behavioral monitoring, or targeted advertising.
Exemptions Provided in the Act:
- For notified agencies, in the interest of security, sovereignty, public order, etc.;
- For research, archiving, or statistical purposes;
- For startups or other notified categories of Data Fiduciaries;
- To enforce legal rights and claims;
- To perform judicial or regulatory functions.
- To prevent, detect, investigate, or prosecute offenses;
- To process in India personal data of non-residents under a foreign contract.
- For approved mergers, demergers, etc.
- To locate defaulters and their financial assets etc.
Key Functions of the Data Protection Board:
- To give directions for remediating or mitigating data breaches;
- To inquire into data breaches and complaints and impose financial penalties;
- To refer complaints for Alternate Dispute Resolution and to accept Voluntary Undertakings from Data Fiduciaries; and
Issues and Concerns:
- Central government will have the right to exempt any instrumentality of state.
- It will widen the government's existing powers of censorship in the interest of the general public.
- The Act does not grant the right to data portability and the right to be forgotten to the Data Principal.
- It will dilute the Right To Information Act (RTI) as personal Data of the government functionaries will be protected under it.
- The Centre's control over the appointment of members of the Data Protection Board has been retained.
- Private companies have been afforded the privilege to deal with employment-related matters.
Benefits/Advantages:
- Personal data may be processed only for a lawful purpose after obtaining the consent of the individual. For individuals below 18 years of age, consent will be provided by the parent or the legal guardian.
- The schedule to the Act specifies penalties for various offences such as up to:
- (i) Rs 200 crore for non-fulfilment of obligations for children, and
- (ii) Rs 250 crore for failure to take security measures to prevent data breaches.
- It eases cross-border data flows, except to blacklisted countries.
It will apply to data collected in India as well as data processing outside the
country.
Conclusion
Personal data protection in 2023 reflects a shifting paradigm where privacy
rights are respected, technological advancements are embraced
responsibly, and individuals are empowered to control their own digital
identities. This ongoing evolution requires continuous collaboration among
governments, businesses, and individuals to create a safer and more secure
digital world.