The right to privacy is a fundamental right embodied in many constitutions
across the world. Right to privacy is a multifaceted concept. Right to privacy
has been recognised in the eyes of law and common parlance in modern society
today. Right to privacy is one of the most basic and acceptable personal rights.
Right to privacy find references in the universal declaration of human rights
and International Covenants of Civil and political right. Right to privacy is
the most fundamental part of human life.
Personal information is a new wealth of this century. It is a wealth of person
which can be converted into monetary value to the others if not properly
controlled by the owner. Personal Information is a pool of large Data and still
growing rapidly and the corporate world is making a profit from this trend. This
information is considered as an asset for the companies. Once the personal data
become a commodity you cannot fetch or control your data from the market.
During the late 1970 decades, there has been a developing body of international
and regional laws and policy instrument relating to the protection of personal
data. Generally, the law requires that personal information must be collected or
obtained fairly and lawfully.
Personal information could be in the form of personal interest, habits and
activities educational, family and educational records, communication, medical
records and financial records. This growth in the use of personal data has many
benefits but it could also lead to many problems. Developments in the
technologies make personal information easily available and communicable.
There is an inseparable dispute between data protection and the right to
privacy. It is an essential tool of good democratic governance which protects
the privacy of an individual in the digital era. However, despite awareness of
data protection and its recognition across the world, there is the dearth of
legal and institutional frameworks, processes and infrastructure to helps the
protection of data and privacy rights.
Concept of Privacy
The concept of data protection laws has an important place in the world. It is
not easy to define the terms of privacy and the right to privacy. It has been
placed in different ways in different circumstances. The right to privacy can
also be synonymous like The right to be let alone
. Privacy is a formal
relationship between groups or persons. Privacy is a value, a cultural state or
condition directed towards individual on collective self-realization which
different from society to society.
The Indian Constitution provides a right to freedom of speech and expression,
which says that a person is free to express his will and consciences. A person
has the freedom of life and personal liberty, which can be taken only by the
procedure established by law. The European Union has a very refined data
protection law. Under European laws, personal information can only be gathered
in the strict compliances for the legal purpose.
Privacy and Data Protection
Data protection requires that Information regarding the person should not be
available to other individuals and organisation automatically. A substantial
degree of control and its use must be able to exercise by everyone on his/ her
data. Data protection is legal protection to prevent abuse of information about
an individual through the medium like computers.
To safeguard the personal data, it worked as a tool of adoption of
administrative, technical, or physical deterrents. Privacy is closely related to
data protection. Data of an individual such as name, address, telephone number
etc are often available at different places like school, colleges, bank etc and
on several websites. Disclosing of this information to the interested parties
will amount as an intrusion in the privacy of individual like endless marketing
What is Personal Data?
Any information that helps to relates to an identified or identifiable natural
person or an individual is known as personal data. A different set of
information which connects or collected together can direct to the
identification of a particular person will also amount as personal data. i.e.
name and surname of the individuals, a home address, and email address etc.
Concept of Data Protection
A law designed to protect your personal information is defined as data
protection. This law enables us to control our data and protect it from any
abuses in modern societies. Data protection laws control and restraint the
activities of the companies and governments authorities. With their repeated
activities, these institutions have shown many times that unless any laws which
restrict their actions, they will collect it all, mine that information it all,
keep it all and share and use it with others without telling us anything at all.
Why is Data Protection Needed?
Whenever any individual buys any goods online or use any service, or pay any
taxes, or enter into any contract or service or register email or visit to the
doctor, they have to give their personal information to use these things. Even
without the knowledge of the persons these data and information are generated
and captured by the companies and organisations without any interaction with the
persons. The only medium citizens and consumers have confidence in both the
business and the government through the statutory law over the data protection
practices which help in effective legislation to minimize corporate surveillance
and data exploitation.
During 1960 the expansion of information technologies capabilities across the
world, corporate business and the government has been storing this personal
information in their database. These databases can be searched by anyone,
edited, altered, and shared with other organisations of the globe. Once these
processed or collected data become available to the world, people started
concerns about was happening with their data once they give it. With these
rising concerns rapidly and questions from the people, data protection
principles were developed through various national and international
It has been reported that 90 per cent of data in the globe today has been
processed or collected within the last two years. As of January 2020, nearby 107
countries across the world had adopted data protections laws or pending bills or
in the process of implementing these laws. When many data protections laws were
drafted, the world seems like a very different place.
Data protection should ensure the following:
- There should be restrictions and limitation on the collection of
personal data along with that it should be collected and obtained in lawful
and fair means and transparent manner.
- The purposes of the collection of personal data should be specified at
the time of collection and strictly should be used for the agreed purposes.
- Personal data is processed and collected should be relevant, adequate
and limited to the purposes for which it is to be obtained.
- The measures should be taken to ensure that the data is up to date,
accurate and completed.
- A reasonable security or safeguards should be ensured to safe that data
from any loss, destruction, use, leakage, disclosure, modification and
unauthorised access by others.
- There should not be any secret processes of data, use, etc. Individuals
must be aware of their data about their collections and processing and the
purposes of their use.
- Individuals whose data is collected or obtained must have a range of
rights which enables them to control their data and any processing.
- Those organisations that use or obtained that data must be accountable
and ensure the compliance with the above principles and also abide by the
laws which enshrined these principles.
Privacy and Data Protection under the Indian Legal System
The constitution of India has provisions like freedom of speech and expression
under Article 19 and right to life and liberty under Article 21. These Articles
has its effects on the right to privacy as fundamental rights guaranteed under
part III of the constitution. There are various cases which deal with the right
to privacy as a fundamental right. The parameters of this concept have connected
with the new aspects of data protection. The relationship between privacy and
data protection are interdependent to each other. The right of data protection
is related to the information of the individual. The rights of the individual
emerged naturally so that the right to privacy has also emerged naturally.
The Hon'ble Supreme Court considered the first time the right of privacy is a
fundamental right in case of M.P. Sharma And Ors. v/s Satish Chandra,
District Magistrate, Delhi1
where search and seizure warrant was issued
under Section 94 and 96 of code of criminal procedure and was challenged. It was
held by the court that power of search and seizure was not in contravention of
any constitutional provision.
Thereafter In case of Kharak Singh v/s State Of Uttar Pradesh And Ors
Supreme Court considered the matter, whether the surveillance by domiciliary
visits at night against accused would constitute an abuse of the right to
privacy under Article 21 of Indian constitution. Thus, a question arises whether
Article 21 includes right to privacy? It was held by the Supreme Court that
surveillance was, in fact, in contravention of Article 21. The majority of
judges ruled that Article 21 did not specifically provide for privacy provision,
thus right to privacy should not be interpreting as a fundamental right.
In the case of K.S. Puttaswamy V Union of India
, the concerns of privacy
were once again raised before the Supreme Court in case of Aadhar card scheme.
In which it was challenged on the ground that the collection and compilation of
biometric and demographic data of the citizens are used for the other purposes
is the violation of the fundamental right guaranteed under Article 21. Supreme
Court held that the right to privacy is integral and indivisible from the human
element in human being and the core of human dignity. Thus, it was held that the
right to privacy is a fundamental right guaranteed under Article 21 of the
The judgement of the Supreme Court in Puttaaswamy constituted privacy as worth
to protecting and conceptualized it as a right. These arguments lead to a focus
on the actual harm that an individual suffers from the violation of privacy.
This concept of privacy also lines up with the already existing regulatory
frameworks relating to the data protection in other countries.
Meanwhile, in July 2017, The Indian government has appointed a committee of
experts on the laws for the data protection in India under the chairmanship of
Justice B.N. Srikrishna. This committee constituted to study the aspects related
to data protection in India. The committee submitted its comprehensive reports
on laws on law protection on 27th July 2018 as well as a Draft Personal Data
Protection Bill, 2018. The report and the draft bill formed the basis of the
bill tabled in parliament.
The proposed data protection bill incorporated many provisions from the European
Law on privacy, General Data Protection Regulations (GDPR). The bill defined
legal frameworks for the collections and uses of personal data. In addition of
that, the bills also creating a set of right, duties and responsibilities for
the collections and maintenance of personal data along with that bills creates a
DPA for regulations and enforcement for the legal framework. If it implemented,
it will apply to all the organisations across India apart from the organisation
which are expressly exempted.
It would include any organisation that collects data through any automated
means. It proposes that data should be collected only based on free and specific
consent, informed with the method that permits such consent can be withdrawn in
a reasonable time. Any data which collected and obtained without free consent or
by means of evil intention would be a violation and would attract penalties. It
also focuses on data localization requirements and the appointment of data
protection officers in the organisations. The bill provides a robust, cross
border and sectorial privacy and data protection frameworks for India.
Key Point of the Data Protection Bill
- Data processing that is the collection and analysis of personal data and
the data principles persons or organisations that provide personal data.
- Notice and free consent requirements for the processing and obtaining of
- Restrictions/ Limitations over to the processing of personal data that
is only the relevant data must be collected or obtained by the organisation
to provide the services of the data processor.
- The requirement of the compliances for data processors such as the
appointment of data protection officers to conduct the audits and
assessments, incorporating privacy designs.
- Enables the rights to the individuals such as the data portability that
is to migrate their data from one service provider to the others of their
choice or the right to be forgotten or deleted.
- One of the important points about data protection bill that is data
localization means that the personal data must be stored on the servers
within India and there are limitations over to the transfer of personal data
- Regulation and supervision by a proposed Data Protection Authority
constituted by the central government.
- Penalties for the non-compliance of privacy in the form of financial
consequences including the prohibition of data processing.
Data Protection Under Foreign Law
General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a comprehensive privacy law
that was originated by European Union in 2016 and come into effect on 25 May
2018. It was drawn up to replace the outdated data protection directive from
1995. GDPR aims to create more consistent protection and personal information
across nations of the EU. The objective of GDPR is to upgrade digital security
that requires businesses to protect their personal information and privacy of EU
citizens by giving them more control over the personal data they share online.
It extends to businesses across the globe. If there is a possibility that any
business or website may gather personal information of EU member state citizen
then they are required to comply with GDPR. The GDPR focus on newer areas like
privacy rights, data security, data control and governance. The GDPR also
regulates the transfer of personal information outside the EU.
The Children's Online Privacy Protection Act (COPPA), is an important privacy
law of USA’s children. This aims to protect the privacy of the children below
the age of thirteen years and limits the use and collections of their personal
information online. It was passed by the US congress in 1998 and was effective
in 2000. It was enforced and administered by the federal trade commission of
USA. it was especially enforced for the internet marketers business that
controls the website on the internet which specially visited by the children
below the age of 13 years and collected personal information from those kids.
The purpose of this law is to regulate the collection of that information. In
addition to the COPPA compliances required that the website operator must have
obtained the verifiable parental consent from the parent of the kids who visited
the website, in advance before collecting or using that personal information. It
also applies to the companies that situated or operated outside the USA but
provides the services or access of website to the children within the USA.
The California Online Privacy Protection Act (CalOPPA) was drafted to protect
the privacy rights and the personal data of the resident of California in the
USA. This comes into force as a law on 1st July 2004. It applies to the
operators of the websites or online services who collect or obtains personally
identifiable information of the residents of California. It applies to another
country if your business or website or online services have chances of
processing personal information from the California residents. Then the business
in another country also needs to abide by the CalOPPA guidelines. This law
applies to commercial websites and mobile applications that can access the
mobile and tablets.
The health insurance portability and accountability act 1996 is a federal law
was signed in the year 1996 by president bill Clinton. It implements with the
aims of the privacy and the security of the patient health information is a
priority for the patient itself along with their families and the hospital,
health care service providers, health professionals and the governments. It
required the creations of national-level standards to protect sensitive
information relating to patient health without the patient's consent or
knowledge. HIPPA applies to the entities that are dealing with health care
services. It required that there should be balance that maintains the uses of
personal information while protecting the privacy of the patient who seeks
health care and healing. HIPAA violations can be very costly for a health care
organization in the form of civil monetary or criminal penalties.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a
privacy law of Canada for the private sector organisation that deals in the
commercial activity. It comes into force on 13th April 2000 with aims to protect
the consumer personal information collected by the private organisations. It
also provide security to the personal information of the consumer and strength
them when they share their personal information with the private organisations
through the online services and e-commerce. The private organisations under
PIPEDA are required to take the consent by the consumers before collection, use
and disclosure of any personal information. The organisations cannot deny the
services or goods to the consumers regardless of whether they give their consent
to personal data collection.
The Personal Data Protection Act 2012 is a privacy law of Singapore which was
approved by their parliament on 15th October 2012. This comes into force on 11th
January 2013. This provides the full strength for the data protection for
Singapore. It has provided a minimum standard for the collection, obtaining and
use of personal data. It applies to the private sector organisations in
Singapore irrespective of their size and location. It applied to the personal
data in question which collected in Singapore. The public sector organisations
are exempted to comply with personal data protection Act.
In African Countries
In the Africa continent, 19 countries have enacted data protection and privacy
laws. Six countries have laws on data protection in the drafting stage. The
remaining other countries don't have any legislation for data protection and
privacy. The African Union adopted the progressive convention on Cyber Security
and personal data protection in 2014. Only ten countries are signatories of this
convention and two countries have ratified the convention.
Both Australia and New Zealand have laws on data protection and privacy. In
Australia, the government has amended the laws relating to the Australia Privacy
Act 1988 to fulfil the requirement of the digital era and to include the
mandatory requirements to report of any breach of personal data to the data
protection authority and to inform the affected customers immediately. In New
Zealand, the Privacy Act control the activity of organisations to collect, use,
store, disclose or give access to personal data.
In the Asia region, 15 countries have legislation of data protection and privacy
and four countries are in the process of drafting the privacy laws.
Privacy is a basic human right and the computer network contains a vast amount
of personal data that be sensitive. The utility and degree of importance of data
are not the same, it differs from one another on the basis of its utility. With
the increasing monetary value and importance of personal data by the companies
across the world.
It is becoming an urgent need for effective legislation to afford its
protection. However, with the development of the cyber world, anyone can access
any information relating to the others from any corner of the world at any point
of time and this poses a great threat to the personal and confidential
information. Globalisation makes the world into a computer system and anyone can
control any information with just one click.
The right to privacy is recognised as fundamental rights in the constitution
through various cases but its protection and implementation are left on the
mercy of the legislature. The lack of a robust law relating to data protection
and privacy has been a matter of concerns today.
This matter of concerns has been expressly raised by the companies that are
doing business in India but their data are controlled and transmitting into
another country. The government are keeping in mind the concerns of the
companies and focusing the implementing of data protection bill in future that
will cater to the need for data protection in the country.
- 1954 SCR 1077
- AIR 1963 SC 1295