Introduction to Digital Privacy
Additionally, stringent data protection laws and ethical practices by tech companies are crucial. Respecting digital privacy not only preserves individual dignity but also fosters trust in the online world, ensuring a secure and respectful digital environment for all.
Mankind has benefited greatly from technological advancement. Even so, as technology develops, many of our liberties are now in jeopardy. The right to privacy is a growing concern as the technological era progresses and includes data that is constantly gathered and processed in the marketplace. Several illicit behaviours, such as data fraud, hoax contacting, cyber harassment, etc., have emerged as a result of digitalisation.
Users’ private data can frequently be mishandled when it is supplied to websites for digital networking, business, interaction intelligence firms, state agencies, and others. Despite numerous administrative initiatives, hardly any legislation protecting data or data safeguarding agency exists in India currently. However, India has come a long way in recognising the privacy of an individual.
Finally, digital privacy is pivotal in circumventing potential data breaches. With cybercriminal activities on the rise, ensuring an individual’s digital privacy is not just desirable, but a vital necessity. The threats posed by malicious hackers and cybercriminals make the protection of personal data of utmost importance, thereby emphasizing the imperative need for digital privacy.
How Is Data Privacy a Human Right?
The right to privacy in India is recognized as a fundamental right under the Constitution and also aligns with international human rights standards. Several landmark cases affirm this dual character:
Justice K.S. Puttaswamy (Retd.) v. Union of India (2018)
The Supreme Court of India held the Right to Privacy under Article 21 of the Constitution of India to be a fundamental right, focusing on its correlation with dignity, choice and freedom. The judgment also stated and affirmed that privacy, including data privacy, is enshrined under the principles of a democratic society. Concerning the Aadhaar scheme with respect to the biometric data, the Court placed conditions that would check misuse of such data while at the same time giving a person control over their information. This judgment also placed India in accordance with global human rights instruments such as the UDHR, in which privacy is enshrined as a universal right.
PUCL v. Union of India (1997) (Phone Tapping Case)
In this case, the Supreme Court highlighted privacy as a fundamental right necessary for personal liberty and freedom of expression. The judgment recognized that unauthorized surveillance infringes upon an individual’s dignity and autonomy, resonating with the human right to be free from arbitrary interference.
Constitutional Status of Right to Privacy in India
The Right to Privacy is not explicitly mentioned as a fundamental right in the Constitution of India. The framework of the right to privacy lies within the ambit of Article 21, which guarantees the right to life and personal liberty to every person. Article 21 runs as “No Person shall be deprived of his life or personal liberty except according to the procedure established by law”. Through various judicial pronouncements, the Courts have recognised the right to privacy as a fundamental right which is implicit in “Personal Liberty” guaranteed under Article 21.
The issue of whether the right to privacy is a fundamental right or not arose for the first time in the case of “Kharak Singh v. State of Uttar Pradesh”.3 The main question which arose in this case was regarding the constitutionality of certain police regulations which allowed police to conduct domiciliary visits and surveillance of persons with a criminal record. Petitioners challenged the domiciliary visits and surveillance by the police as unconstitutional, as they are violative of the right to privacy implicit under ‘personal liberty’ of Article 21 of the Constitution of India. The majority of the Judges observed that “Right to Privacy does not lie within the ambit of the fundamental right to life and personal liberty as enshrined under Article 21 but the domiciliary visits into a person’s house were unconstitutional”. The dissenting view was expressed by Justice Subba Rao, who recognised the right to privacy as a fundamental right. He held that “It is true our Constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty.”
In “M.P Sharma v. Satish Chandra”4, the courts were to deliberate on the issue of constitutional restrictions which can be imposed on the government’s power to exercise the right of search and seizure and whether such right infringes the right to privacy of an individual. The Court remarked that “The power of search and seizure is an overriding power of the State for the protection of social security and that power is necessarily regulated by law. Constitution makers did not expressly recognise the right to privacy as a fundamental right and there is no need at this stage to interpret right to privacy Right was given a new direction in the case of “Justice Puttaswamy (Retd.) and Anr. v Union of India and Ors”5.
The issue which came before the Apex Court was regarding the constitutional validity of the Aadhaar Card Scheme. The main contention of the petitioner was that the mandatory collection and processing of biometric vitals of the individuals violates the fundamental right of privacy which is protected under Article 21 of the Constitution. Judge Bench held that “The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution. But this right is subjected to the restrictions imposed by Article 21. State can curtail the right according to the procedure established by law as mentioned under Article 21”.
In this case, the validity of the Aadhaar card was upheld and the Court remarked that the required disclosures under the Act do not violate an individual’s right to privacy. Moreover, the Court gave a new interpretation to the right to privacy through this judgment and overruled the previous decisions, laid down in the M.P. Sharma case and the Kharak Singh case, that the right to privacy is not recognised as a separate fundamental right. The right to privacy is not just restricted to the “right to be let alone”. It has wide amplitude.
It can also be extended to other aspects such as bodily integrity, personal freedom, data protection, protection from state surveillance, dignity, confidentiality, compelled speech, and freedom to express one’s own opinions and thoughts. Tapping of telephones was always considered to be a violation of individual privacy. This issue has been considered by the courts in various cases. In “M. Malkani v. State of Maharashtra”6, the Supreme Court held that “Telephonic conversation of an innocent citizen will be protected by Courts against wrongful or arbitrary interference by the State by tapping the conversation telephone tapping is violative of Article 19(1)(a) and 21 of the Constitution”.
Challenges in Enforcing Data Privacy
- Data Localization: By requiring that certain categories of data be processed and maintained in India, the Act emphasizes data sovereignty. This rule calls into question whether businesses may still operate internationally, and more importantly, if doing so is feasible.
- Compliance and Awareness: Small and medium-sized businesses are mostly concerned with general compliance and awareness problems. Some people aren’t even aware that they need to follow the terms of the DPDP Act of 2023, while other terms will be put into effect later. Additionally, compliance might be challenging, necessitating infrastructure modifications and the deployment of personnel for training.
- Balancing Innovation and Privacy: Big data is frequently essential to India’s booming IT sector, particularly in AI and big data analytics. Enabling and guaranteeing innovation while adhering to privacy standards is a difficult challenge.
- Cross-Border Data Transfers: It gets harder and harder to maintain cross-border data transfers under the jurisdiction of the international frameworks that one wants to adhere to as globalization grows.
- Enforcement and Monitoring: The largest obstacle has been providing the Data Protection Board of India with an autonomous and efficient role. Given the crucial role the Board would play in creating a powerful Data Protection Authority, it is imperative that this exact difficulty be addressed for the Act to be implemented effectively.
Building capacity, collaborating with public-private partnerships, and implementing the required periodic reviews in terms of legal frameworks in light of technological advancements are all ways to try to resolve such issues.
Examples of Data Privacy Breaches in India
The necessity for stricter data privacy measures has been brought to light by many breaches:
Facebook-Cambridge Analytica Scandal
Indian users were also impacted by a worldwide event, which sparked a discussion about how to hold social media companies responsible for their content and how it related to user data.
BharatPay Hacked: August 2022
A significant data breach at digital financial services company BharatPay in August 2022 exposed the personal information of almost 37,000 customers. Sensitive information including hashed passwords, usernames, and transaction data from its backend database were among the exposed secrets. The event, which affected data from many years, highlights the fintech industry’s weaknesses and the urgent need for stronger security measures to safeguard consumer data.
RailYatri Data Breach: December 2022
In December 2022, RailYatri had a data breach which exposed nearly 30 million customer details. Despite RailYatri’s claims that no critical client data was accessed, the breach was made public when a threat actor posted the material on a cybercrime site. This event brought to light the continuous cybersecurity issues that internet platforms in the transportation industry confront.
Aadhaar Data Leak (Oct, 2023)
According to a survey by the US cybersecurity company Resecurity, the personal data of 815 million Indians was exposed on the dark web. Names, phone numbers, addresses, Aadhaar, and passport details were among the personal data that was compromised. A threat actor going under the handle “pwn0001” sold the complete breach database for $80,000.
The breach was being investigated by the Central Bureau of Investigation (CBI). There were hints that the Indian Council of Medical Research (ICMR) database may include the personal information. The government’s digitalization initiatives, which depend on Aadhaar and other digital infrastructures, have suffered a significant setback as a result of this hack.
Legislative Framework for Data Protection
There is no proper legislative regime for data protection in India. There is no specific legislation which deals with the protection of data. However, the Information Technology Act, 2000 deals with transactions carried out through electronic data interchange and electronic communication. The Act contains provisions to safeguard data from the unauthorized use of computer systems or networks.9 Section 43 of the said Act provides that “Where any person without the permission of the owner or any other person who is in in-charge of the computer, computer system or computer network accesses, downloads any information or introduces any virus on computer system or cause any damage to the data or computer network and deletes or tamper with the information stores in a computer resource shall be liable to pay damages by way of compensation not exceeding 1 crore rupees to the affected party.”10 Section 72 of the Information Technology Act, 2000 talks about the breach of confidentiality and privacy.
It provides that “Any person who has secured access to any electronic record, book, information, document or other material without the consent of the person concerned discloses such electronic record, book, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both”.11
Compensatory rights are available against the improper disclosure of personal information under the Information Technology (Amendment) Act, 2008. Section 43 A of the said Act provides for compensation in case of failure to protect the data. It mentions that “Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.”12
Section 72 A which has been added by the Amendment Act of 2008 provides for the punishment for disclosure of the information in breach of the lawful contract. It mentions that “Any person including an intermediary who while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both”.
The Information Technology Act, 2000 only provides the power to the authorities to monitor and collect the data. “Personal Data” has not been defined anywhere under the Act. The Act also lacks a mechanism for data quality obligations in relation to sensitive data or personal information. Moreover, it does not impose any kind of obligation on the private sector to disclose the details of its practices in handling and managing the content or personal information stored over the internet.
Personal Data Protection Bill, 2018
Pursuant to the decision of the Supreme Court in K.S Puttaswamy v. Union of India which holds that right to privacy is a fundamental right of the citizen, the Government appointed a committee headed by Justice B. N Srikrishna to examine the issues linking the privacy and data protection and to propose a draft legislative framework relating to the data protection. The Committee drafted a Bill popularly known as “Personal Data Protection Bill, 2018.” The Bill has laid out the framework for data protection and mentions the limits for the collection and processing of personal data of the individuals.
The main objective of the Bill is to create accountability and prevent the unauthorized use of the sensitive data available on computer networks. The Bill is applicable to both the Government and Private sectors. The aim is to give individuals control over their personal data. The individuals must give explicit consent to process their personal information, and they must be notified by the private authorities.
Since the right cannot be made absolute, the Bill also provides the extent of government regulations over certain kinds of data. Government can access and control the information for reasonable purposes such as “national security, whistleblowing, unlawful activity, health services and legal proceedings, etc.” The Act also provides for the establishment of a national-level Data Protection Agency for supervising and regulating the private entities. It also mentions the stiff penalties in case of the misuse of the data.
Personal Data Protection Bill, 2019
To overcome the shortcomings in the Draft Protection Bill of 2018, the Parliament revised the Bill, and it was named as Personal Data Protection Bill, 2019. The purpose of the Bill is to ensure the protection of the personal data of individuals and establish a Data Protection Authority for the same. Data is categorised under 3 heads under the Personal Data Protection Bill, 2019:
- Personal Data – It identifies the personal details of the individuals such as name, address, and identity of a person
- Sensitive Personal Data – It relates to the finances, health, sexual orientation, biometrics, genetics or the religious beliefs of the individual
- Critical Personal Data – It is concerned with the information related to national or military security.
The Personal Data Protection Bill 2019 applies to the Government Companies incorporated in India and Foreign Companies that deal with the personal data of individuals in India. Data fiduciaries are entities that decide the purposes for processing the personal data. Personal Data can be processed only for a clear, lawful, and legitimate purpose. All the data fiduciaries must undergo the transparency and accountability measures while processing the data. They are bound to implement the security safeguards, such as data encryption, to prevent the misuse of the data. Also, a grievance redressal mechanism can be opted for to address the complaints of the individuals. These entities must also institute the mechanisms for age verification and parental consent when processing sensitive personal data of children.14
The Bill provides certain rights to the individual to ensure data privacy. These include:36
- Right to obtain the confirmation from the fiduciary about the processing of the personal data
- Right to rectify the inaccurate, incomplete, or outdated personal data
- Right to restrict the disclosure of the information if it is no longer necessary or relevant.
The Bill also mentions that “Data Processing is based on the notion of the consent, and it is allowed only when the individual gives the consent for the same. Provided that the personal data can be processed without the consent if it is required by the State for the benefits of the individuals or in medical emergencies or it is required for the legal proceedings”.
The Bill provides that the Central government can exempt its agencies from the provisions of the Bill in the interest of the security of the state, public order, sovereignty and integrity of India and friendly relations with foreign states, and for preventing incitement to the commission of any cognizable offence. Also, stricter penalties are mentioned for violation of the provisions of the Bill. It states that “Processing or transferring personal data in violation of the Bill is punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher”.
Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection Bill, 2023, received presidential assent on August 11, 2023. The previous Personal Data Protection Bills from 2019 and 2022 were withdrawn by the Central Government due to several amendments and issues regarding data localisation, transparency, and compliance. The primary objective of this Act is to create a comprehensive framework for the protection and processing of personal data. It applies to the processing of personal data in India, including both online and digitised offline data. Furthermore, it extends to the processing of such data outside India when it relates to the offering of goods or services in India.40
This Act defines “Data” as any representation of information, facts, concepts, opinions, and instructions that is capable of being communicated, interpreted, and processed by human beings or by automated means. Further, any data about an individual who is identifiable by or in relation to such data has been referred to as Personal Data in the Act. This Act does not apply to the personal data when such data is processed by an individual for any personal or domestic purpose and is made or caused to be made publicly available by the Data Principal herself or any other person under an obligation to make such Personal Data publicly available.
It has been provided in Section 6 of the Act that Personal Data may be processed only for the specified purpose and after obtaining the consent of the individual. Such consent must be free, specific, informed, unconditional, and unambiguous. Moreover, notice under Section 5 of the Act must be given by the Data Fiduciary before seeking consent, containing details about the Personal Data to be collected and the purpose of processing. The individual whose data is being processed can withdraw her consent at any time. For individuals with disabilities or below eighteen years of age, the Act provides that their consent will be provided by their parents or legal guardians.
This Act also discusses the rights and duties of the data principal in detail. It provides that an individual whose data is being processed shall have the following rights:
- Obtaining information about processing
- Seeking correction and erasure of Personal Data
- Nominating another person to exercise rights in the event of death or incapacity
- Withdrawing consent at any time during or after the processing of Personal Data.
Further, Section 15 of the Act states that the Data Principals will be under an obligation not to register a false complaint or suppress any material information while providing their personal data; and furnish any false particulars or impersonate in specified cases. The breach of said duties will attract a penalty as per the Schedule to the Act. This Act also provides for the obligations of a data fiduciary.
Section 8 of the said Act provides that the data fiduciary must process the personal data only for which the consent has been provided by the data principal or for a certain legitimate use. He must make reasonable efforts to ensure the accuracy and completeness of data and implement appropriate measures to protect Personal Data in his possession or under his control.
Moreover, he must inform the Data Protection Board of India and affected persons in the event of a personal breach and erase Personal Data as soon as the purpose has been met. According to Section 17 of the Act, the provisions related to ‘Obligations of Data Fiduciaries’ and ‘Rights & Duties of Data Principal’ have been made inapplicable in specified cases, which include:
- Prevention, investigation or prosecution of offences
- Enforcement of legal rights or claims
- Processing to ascertain financial information, assets, and liabilities.
- Processing of Personal Data by the State or any other instrumentality of the State in the interest of the security and public order, and necessary for research, archiving, or statistical purposes.
Conclusion
The Right to Privacy was recognized as a fundamental right in India through the landmark Aadhaar judgement in 2017, where the Supreme Court stated it falls under Article 21. This right ensures individuals can make private choices and protects their personal data from exploitation, including the right to be forgotten.
To support these rights, the Central Government passed the Digital Personal Data Protection Act in 2023. This law aims to prevent the misuse of personal data by online businesses, similar to the European Union’s General Data Protection Regulation (GDPR), which has been in place since April 2016. These protections are important, and efforts must be made to implement them effectively. As privacy issues grow in the internet age, government regulations must keep up with new challenges.