A nine-judge bench of the Supreme Court headed by Chief Justice JS Khehar,
ruled on August 24, 2017 that the Right to Privacy is a fundamental right for
Indian citizens under the Constitution of India (mostly under Article 21 and
additionally under Part III rights). Thus no legislation passed by the
government can unduly violate it.
A right to privacy is explicitly stated under Article 12 of the 1948 Universal
Declaration of Human Rights:
No one shall be subjected to arbitrary interference with his privacy, family,
home or correspondence, nor to attacks upon his honor and reputation. Everyone
has the right to the protection of the law against such interference or attacks.
While the Centre had argued that right to privacy is not a fundamental right,
the petitioners had contended that when a citizen gives his biometrics and
personal details to the government and when in turn it is used by commercial
organisations, it is a breach of privacy.
The trigger is the government's Aadhaar scheme, which collects personal details
and biometrics to identify beneficiaries for government welfare schemes. A bunch
of petitions was filed in the Supreme Court in 2015 terming Aadhaar a breach of
privacy. The petitioners argued that Aadhaar enrolment was the means to a
totalitarian state and an open invitation for personal data leakage.
The apprehension expressed by the Supreme Court about the collection and use of
data is the risk of personal information falling into the hands of private
players and service providers. The apprehension is best expressed in the words
of Justice Chandrachud on the nine-judge Bench:
I don't want the state to pass
on my personal information to some 2,000 service providers who will send me WhatsApp
messages offering cosmetics and air conditioners... That is our area of concern.
Personal details turn into vital commercial information for private service
Both the government and service providers collect personal
data. This adds to the danger of data leakage.
Privacy being a protection from possible abuses of personal information or
searches by the state, while Data Protection is the tool the law uses to make
sure that an individual is protected from abuse of his personal information by
Article 21 protects the right to privacy and promotes the dignity of the
Telephone tapping is an invasion of right to privacy and freedom of speech and
expression and also
Government cannot impose prior restraint on publication of defamatory materials
against its officials and if it does so, it would be violative of Article 21 and
Article 19(1)(a) of the Constitution.
Privacy and data protection require that information about individuals should
not be automatically made available to other individuals and organizations. Each
person must be able to exercise a substantial
degree of control over that data and its use. Data protection is legal safeguard
to prevent misuse of information about individual person on a medium including
computers. It is adoption of administrative, technical, or physical deterrents
to safeguard personal data.
Privacy is closely connected to data protection. An
individuals data like his name, address, telephone numbers, profession, family,
choices, etc. are often available at various places like schools, colleges,
banks, directories, surveys and on various websites.
Passing of such information
to interested parties can lead to intrusion in privacy like incessant marketing
calls. The main principles on privacy and data protection enumerated under
the Information Technology Act, 2000 are defining data, civil and criminal
liability in case of breach of data protection and violation of confidentiality
Data protection is one of the most important part of the right to privacy as a
data protection law will protect your personal information, which is collected,
processed and stored by automated means or intended to be part of a filing
Unlike the European Union, India does not have any separate law which is
designed exclusively for the data protection. However, the courts on several
occasions have interpreted data protection
within the ambit of Right to
as implicit in Article 19 and 21 of the Constitution of India
The strongest legal protection provided to personal information in India is
through section 43A of the Information Technology Act and the Information
Technology (Reasonable security practices and procedures and sensitive personal
data or information) Rules, 2011 developed under the section.
The provision requires a body corporate who 'receives, possesses, stores, deals,
or handles any sensitive personal data
to implement and maintain ‘reasonable
security practices', failing which they are held liable to compensate those
affected. The Rules under section 43A contain the following major requirements:
(Rule 4); They must obtain consent in letter, fax, or email from the provider
before collecting, using or disclosing any sensitive personal
information (Rule 5(1));
Sensitive personal information may only be collected for lawful and necessary
purposes (Rule 5(2)(a))
While collecting the information, they must ensure that the individual is
informed of the:
- fact that the information is being collected;
- the purpose for which the information is being collected;
- the intended recipients of the information; d) the name and the address
of the agency collecting information, and the agency that will retain the
information (Rule 5(3));
Information should only be used for stated and agreed to purposes (Rule 5(5));
Individuals should be provided with the option to opt in or out of services
prior to the collection of sensitive personal information and should have the
ability to withdraw consent at any point in time (Rule 5(7));
Individuals should be allowed to review, update, and correct any sensitive
personal information that they have provided wherever necessary (Rule 5(6));
Body corporate are allowed to retain sensitive personal information only as
long as is lawfully necessary (Rule 5(4));
Before a body corporate is allowed to disclose or publish sensitive personal
information to a third party, consent must be obtained from the individual who
the information belongs.
The only circumstances under which a body corporate may disclose information is:
Body corporate must implement security practices and standards which require:
- If it is required to do so by a contract with the provider of the
information or through the law; or
- If it is to be disclosed to a governmental agency mandated under law
(Rule 6(1)); and
- Comprehensively documented information security programme;
- Information security policies must contain managerial, technical,
operational and physical security control measures that are commensurate
with the information assets being protected (Rule 8)
The IT Act does not provide any definition of personal data. Data protection
consists of a technical framework of security measures designed to
guarantee that data are handled in such a manner as to ensure that they are safe
from unforeseen, unintended, unwanted or malevolent use.
Civil liability and data protection The Information Technology Act, 2000
provides for civil liability in case of computer database theft, computer
trespass, unauthorised digital copying, downloading and extraction of data,
privacy violation, etc.
Criminal liability and data protection The Information Technology Act, 2000
provides for criminal liability in case of computer database theft, privacy
Violation of confidentiality and privacy The terms violation of confidentiality
and privacy are described under the IT Act.
very eloquently explains violation of privacy as whoever,
intentionally or knowingly captures, publishes or transmits the image of a
private area of any person without his or her consent, under circumstances
violating the privacy of that person.
provides for penalty for breach of confidentiality and privacy as
meaning any person securing access to any electronic record, book, register,
correspondence, information, document or other material without the consent of
the person concerned discloses such electronic record book, register,
correspondence, information, document or other material to any other person
Privacy is a basic human right and computer systems contain large amount of data
that may be sensitive.
Chapters IX and XI of the Information Technology Act define liabilities for
violation of data confidentiality and privacy related to unauthorised access to
computer, computer system, computer network or resources, unauthorised
alteration, deletion, addition, modification, destruction, duplication or
transmission of data, computer database, etc. The data protection may include
financial details, health information, business proposals, intellectual property
and sensitive data.
However, today we can access any information related to anyone from anywhere at
any time but this poses a new threat to private and confidential information.
Globalisation has given acceptance to technology in the whole world. As
per growing requirement different countries have introduced different legal
framework like DPA (Data Protection Act), 1998 UK, ECPA (Electronic
Communications Privacy Act of 1986) USA, etc. from time to time.
In USA some
special privacy laws exist for protecting student education records, children
online privacy, individuals medical records and private financial information.
In both countries self-regulatory efforts are facilitating to define improved
The right to privacy is recognised in Indian Constitution but its growth and
development is entirely left at the mercy of the judiciary. In today's connected
world it is very difficult to prevent information to escape into the public
domain if someone is determined to put it out without using extremely repressive
methods. Data protection and privacy has been dealt with in the Information
Technology Act, 2000 but not in an exhaustive manner.
The IT Act needs to establish setting of specific standards relating to the
methods and purpose of assimilation of right to privacy and personal data. We
may conclude by saying that the IT Act is facing the problem of protection of
data and a separate legislation is much needed for data protection striking an
effective balance between personal liberties and privacy.