Right to Privacy in the Digital Age: Data Breach, Laws and Legal Challenges in India

Abstract

The right to privacy is slowly becoming a fundamental issue as the modern era progresses and considers data that is continuously gathered and processed in the market. Numerous illegal practices like data forgery, false contact, cyber bullying, etc., have gained momentum due to the digitization of society. When it comes to safeguarding their internet privacy, people face numerous challenges.

First of all, the widespread and often hidden data collection methods used online make it difficult for consumers to understand what data is collected and how it is used. Second, attempting to control how personal information is shared online is a challenging task.

In this article, right to privacy in the world of technology will be discussed as we don’t know when our privacy is being breached unless the matter gets heated. And what measures are taken to safeguard the same.

Introduction

Personal liberty and the preservation of human dignity depend on the right to privacy, which is a fundamental right that underpins many other human rights. Privacy allows individuals to set limits and barriers to protect themselves from extraneous influences, giving us the freedom to choose how we interact with the outside world and develop our identities.

Privacy makes it possible to set boundaries for who can access one’s bodies, spaces, and possessions, as well as messages and information. The right to privacy can be defined as an individual’s power over when, how, and how much of their personal information is made public and talked about by others. Such personal information may be one’s name, where they are, how to contact them, their online or offline behaviour.^[1]

As technology advances, the right to privacy becomes increasingly important, as data is continually captured and processed in the marketplace. As a result of digitalisation, certain criminal behaviours have evolved, including data fraud, hoax contacting, cyber harassment, and so on.

Individuals encounter numerous problems when attempting to safeguard their digital privacy. For starters, the broad and frequently disguised data collecting methods used online make it difficult for users to comprehend what information is gathered and how it is used. Second, attempting to regulate the distribution of personal data across the wide expanse of the internet is a difficult undertaking. Finally, many people lack the knowledge and tools to effectively maintain their digital privacy.^[2]

Digital Privacy Breach

The Internet is the primary environment for informational privacy since it transmits, collects, and stores the majority of information. There are always privacy concerns in the usage of the Internet due to the continuous transmission of personal information, both passively and actively, while they explore. Cookies, or automated recommenders, are intended to monitor and log the most accessed pages. This information can be sold to businesses to offer targeted advertising and is commonly used to create recommended search results. However, if there is a security breach, the same data can be easily viewed or even hacked.

Due to the prevalence of online data sharing, the majority of research on privacy issues has been on people’s perceptions of how companies and organizations obtain, preserve, and use their personal data.^[3]

The growth of privacy legislation in response to the demands of the digital age illuminates the challenges, tensions, and opportunities that exist at the interface of technology and human privacy. Privacy regulation is inextricably linked to the development of new technology. The entrance of the information age, with its emphasis on data-driven innovation, has resulted in a massive increase in the number of channels available for the gathering, analysis, and broadcast of private data.

A person’s digital footprint can now be found in a variety of online settings, including social networking sites and “Internet of Things” devices. This transformation necessitates an inquiry into the historical backdrop that informed the establishment of privacy legislation, laying the groundwork for a thorough investigation into the contemporary difficulties. In this day and age of advanced technology, there are numerous concerns that must be addressed. These problems affect the entire society.

Data breaches, which can result in widespread exposure of private information, have recently received a lot of attention and sparked debate on how to effectively protect such information. Data breaches can cause extensive exposure of sensitive information. Concerns have been raised about the balance of power between individuals and organisations that want to profit from data gathering and analysis, given the prevalence of surveillance technology and the advent of algorithmic decision-making. These people and institutions are known as data collectors and data analyzers, respectively.

The worldwide reach of digital communication has also sparked debates over the harmonisation of privacy legislation in various nations throughout the world. The challenge of finding a happy medium between people’s right to privacy and the need of technology advancement can be broken down into its many component parts. To ensure that individuals’ right to privacy is not violated while at the same time businesses, governments, and other entities are able to reap the benefits of data-driven insights, a delicate balance needs to be struck.^[4]

According to the IBM Cost of a Data Breach study, data breaches typically cost $4.88 million worldwide. Although breaches can happen to businesses of any size or shape, the extent of the damage and the cost of repair might differ. For instance, the average cost of a data breach within the United States is USD 9.36 million, which is more than four times the average cost of a data breach in India (USD 2.35 million).

Breach costs are significantly worse for organizations in heavily regulated environments including healthcare, financial services, and the public sector, as they could incur fines, penalties, and other costs that are not included in breach costs. According to an IBM report, the average healthcare data breach costs USD 9.77 million, which is more than twice that of the average cost of breaches overall.^[5]

Not only that, but data breaches violate the right to privacy because the right to data privacy belongs to Indian individuals, allowing them to control how their personal information is gathered, stored, and disseminated. It contains all types of data, such as bank records, health records, and information about an individual that he gives on shopping portals or social media.

Article 21 of the Constitution of India recognizes the right to privacy as a fundamental right, together with the rights to life and personal liberty. In the KS Puttaswamy vs Union of India decision, the Supreme Court decided to broaden the scope of Article 21 to include privacy, which was deemed critical to the protection of personal dignity.^[6] The legal aspects of the data breach as the violation of right to privacy will be discussed in the upcoming topic.

Data Breach as Violation of Right to Privacy and Its Exception

The concept of privacy is not new. However, the concept of privacy as a fundamental right is somewhat new. Ancient Greek society was divided into two spheres: Polis and Oikos, with the former referring to the public sphere, such as the city, and the latter to family concerns. In 19th-century America, there were constitutional and statutory protections for the right to privacy, as well as common law norms.^[7]

In India, Article 21^[8] of the Constitution guarantees the right to life and personal liberty to every person, whether a citizen or non-citizen residing in India. It is the foundation of all rights guaranteed by the Constitution because life is necessary for the enjoyment of other rights such as freedom, equality, and religion. This paper includes all other rights necessary for a human being to attain their full potential, such as the right to health, the right to a healthy environment, the right to sleep undisturbed, the right to work, the right to free legal aid and a fair trial, and the right to privacy.

In the case of Kharak Singh v. State of Uttar Pradesh^[9], the Supreme Court held that the right to life is not limited to animal life; it is also the right to live with all the faculties and limbs of a human body. It includes access to the resources that make life worthwhile. A person cannot be claimed to live his life when someone is keeping constant watch over him, even if he is not physically restricted.^[10]

But when right to privacy in the digital age is referred then it is also important to understand about the Information Technology Act, 2000 and The Digital Personal Data Protection Act, 2023 as any data or information or communication is floated over the internet. Therefore, it will be right if all the above things are referred to as ‘data’ here.

Privacy and Data under IT Act and DPDA

Under the IT Act, 2000, the idea of privacy is understood in a very traditional and liberal manner.^[11] According to Sec 2(1)(o) of the Information Technology Amendment Act, 2008, the term ‘data’ refers to a “representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.”^[12]

Whereas, Section 2(h) of DPDA, 2023 defines “data” as “a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.”^[13]

Private data can potentially be creatively exploited for a variety of objectives, such as government monitoring and commercial profit generating. Although the Constitution of India does not expressly recognise “Right to Privacy” as a fundamental right, yet the Apex Judicial Authority decided it to be a fundamental right in K.S. Puttaswamy v. Union of India.^[14][15]

Case Laws on Right to Privacy

In the case of Aaradhya Bachchan and Another v. Bollywood Time and Another^[16], the complaint is about several videos circulating on social media, particularly YouTube, claiming the ill-health of minor Aaradhya Bachchan, and a few stories predicted her death based on her modified visage. The suit was filed by Aaradhya Bachchan through her father Abhishek Bachchan seeking permanent injunction and directions to YouTube and Union to take down objectionable content and videos as these videos are in violation of the plaintiff’s privacy and Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

The Court also stated that every child, whether a superstar or a commoner, has the right to be treated with dignity and respect. Circulating information on a child’s mental and physical health is strictly prohibited under the law. The Court said that the recordings of the youngster demonstrate a pathological perversity on the part of those who are disseminating them with full disregard for the child’s best interests.^[17]

So, it is also important to focus on the content of the data. Data can include banking documents, Aadhaar card, PAN card, OTP, photos, trade secrets and so on. Data can be public or private. Public data is the one which is publicly available for the public at large, but private data involves an individual’s own information, such as bank account number, photos, identity proofs, OTP, etc.

The legislation under the DPDA defines “personal data”^[18] as “any data about an individual who is identifiable by or in relation to such data.” It becomes a personal data breach “when any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data” occurs.^[19]

Jurisdiction of DPDA

DPDA does not confine itself to processing of digital personal data within territorial limits of India only but, subject to some specific conditions, will extend to data processing outside India for consumption in providing services or products to individuals in India. The DPDP Act emphasizes the significance of user control over their personal data, requiring that consent be freely given, precise, informed, unconditional, unequivocal, and accompanied by a clear affirmative action.^[20]

Other Relevant Case Laws

In Toms College of Engineering v. Union of India, a writ of mandamus was filed seeking directions to formulate a “right to be forgotten policy” as it protects a person’s right to privacy. The court stated that the representation of news appearing on the internet in respect of the petitioner violated the petitioner’s right to privacy. Under Section 46^[21] of the IT Act, 2000, adjudicating officers are to be appointed.^[22]

In Muthumalar v. P.A Gayathri Devi, the court awarded compensation of Rs. 1,00,05,000/- crore for the plaintiff’s injury caused by the defendant’s defamatory words published on social media. The defamatory statement, widely distributed online, affected the plaintiff’s reputation and lowered his character in the eyes of the public.^[23]

In Subhranshu Rout v. State of Odisha, the petitioner created a bogus Facebook account and posted offensive photos of the victim. The victim had the right to delete the images under her Right to Privacy, but the IT Rules 2011 failed to capture the right to be forgotten in legislation.^[24]

The IT Act was amended in 2008 to add offences involving data misuse, such as fraudulently utilising passwords and unique identifying numbers. However, there is no existing regulation that protects personal information sent into India or places restrictions on information moved out.

Exception

The reasonable limitations outlined in Article 19^[25] serve as qualifications to the rights to freedom of speech and expression, the formation of groups, and peaceful protest. Even the right to privacy is not absolute and can be rightfully restricted when it relates to the security of the nation and to promote the interests of the state.

The question is whether the justifiable limitations set forth in Article 19(2)^[26] are sufficient to limit or weaken the E2E encryption offered by OTT communication services. In the case of Modern Dental College and Research Centre v. State of Madhya Pradesh^[27] the court issued guidelines when the state can interfere, subject to the following criteria:

• The goal must be legitimate.
• It must be an appropriate way to accomplish the objective.
• There should be no less rigorous yet equally effective alternatives.
• The right holder shouldn’t be disproportionately affected by the legislation.

Therefore, if state measures restricting the right to privacy fail the aforementioned conditions, they would constitute a fundamental right infringement.^[28]

The Information Technology (Amendment) Act of 2008 grants the Central Government the authority to create regulations for encryption over a digital channel in Section 84A.^[28] According to the clause, the state will have access to this authority in order to advance network security and e-governance. The Government issued two preliminary proposal encryption strategies. First, for weakening the requirements for robust encryption, and second, for the government’s complete disregard to the harm to users’ right to privacy and freedom of speech. After that, the authorities revoked the guideline, and no new one has been released since then.

It would be reasonable to state that legal rights should be harmoniously construed with the broader public interest and should not be allowed to interfere with preserving national security. A strict encryption policy that forbids E2E encryption from allowing the government access to any data might potentially have an adverse effect on national security by preventing the State from taking action against terrorists by withholding the records of such individuals.

That is the reason why India requested RIM’s Blackberry to decrypt the data and share it on behalf of the terrorists responsible for the 26/11 terror acts. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 put forward a significant incentive for OTT communication platforms to comply with them since, if they don’t, the “safe harbour” statute no longer applies to them. In essence, safe harbour law declares that platforms won’t be held liable for user-posted content.

One of the most significant changes brought from the IT Rules, 2011 is that the government now requires intermediaries, such as OTT communications platforms, to respond to data requests from “any government agency” within 72 hours after receiving court orders.^[29][30] However, what type of information can be requested has not been limited, which again poses a hurdle in protecting the privacy of users.

The Concept of Right to Be Forgotten

Historically, Right to Be Forgotten was used in 2014 in the case of Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González[31], where a guy asked Google to erase links to an old newspaper article discussing his past bankruptcy. Because his debts had been paid in full, the article’s presence online was of little relevance. Consequently, the European Court of Justice made a ruling against Google, concluding that it was, in some cases, possible to remove a member of the public’s private information from a publicly accessible database, if the member of the public was a European Union citizen. Of course, this ruling has no relevance to someone not a citizen of the European Union.[32]

If a person’s personal information is outdated, irrelevant, or injurious to his or her privacy, he or she can have it erased from the internet as a right to be forgotten. The “Right to Be Forgotten” also referred to as the “Right to Erasure”, is a discussed concept under the purview of privacy and digital rights in India without any formal regulatory basis for the right to be forgotten.

In the case of Justice K.S. Puttaswamy v. Union of India the court recognised under the Constitution the right to privacy is importantly valued and value of the right to be forgotten is included in that right. In acknowledging the right to be forgotten, the Court recognised that the right could not be viewed in an absolute manner. The Court provided illustrations of instances in which the right to be forgotten would not apply including where the public interest, public health, archiving, research or legal claims follow the first publication. The Court further noted that the recognition of such a right would mean a person could simply delete their personal information when it no longer had value, or legitimate purpose.[33]

In Dharamraj Bhanushankar Dave Vs. State of Gujarat[34], before the Gujarat High Court in its ruling, the court did not recognize the “right to be forgotten.” The Sessions Court, in this case, ruled the petitioner not guilty despite the fact that the petitioner was charged with criminal conspiracy, murder, kidnapping, and a variety of other crimes.

This was decided by the Division Bench of the Gujarat High Court. The petitioner argued that the respondent should not be allowed to circulate the judgment on the internet since it was non-reportable and it would threaten the petitioner’s personal and professional lives. However, the High Court found that the petitioner did not breach Article 21 of the Indian Constitution by publishing such a thing provided no legal basis to restrict the respondents from publishing the verdict.[35]

The concept of the right to be forgotten was also applied in the case of Jorawer Singh Mundy v. Union of India & ors.[36] where the petitioner was acquitted by the court from all the charges filed in the case of Custom v. Jorawar Singh Mundy[37]; the plaintiff prayed for the removal of the judgment given in the case of Custom v. Jorawar Singh Mundy from Google, Indian Kanoon and vLex.in. The issue raised in this case, whether an order of the Court can be taken down from online platforms, raises consideration of the applicants Right to Privacy, and the public Right to Information, as well as the constitution of transparency within the Courts record.

The court determined that the plaintiff’s personal and professional lives had been irrevocably harmed, and that additional harm is foreseeable if proper relief is not granted. As a result, it is important to recognize the plaintiff’s privacy interest which contained the right to be forgotten and the right to be left alone. For this reason, a stop was to be issued to Stop any publication of the matter in print media and further and as a result of the plaintiff was ultimately found not guilty of the charges against him.

Accordingly, the plaintiff’s private social life, and future career aspirations has already very much been jeopardized consequently the plaintiff is entitled to some interim relief.[38]

In the case of Zulfiqar Ahman Khan v. M/S Quintillion Business Media[39], the petitioner requested the Delhi High Court for the removal of articles published on a famous news publishing website – “TheQuint” – the court acknowledged a petitioner’s right to privacy pursuant to Article 21. The petitioner was displeased with the publications making allegations that the petitioner had a sexual misbehaviour against certain people. The Court acknowledged petitioner’s right to privacy, and directed the publisher to remove the content.[40]

Further in Subhranshu Rout v. State of Odisha[41] When examining the “right to be forgotten” as a remedy for victims of sexually explicit images or pornography, the Odisha High Court declared that–

“…information in the public domain is like toothpaste, once it is out of the tube one can’t get it back in and once the information is in the public domain it will never go away”.

The court recognized the right to be forgotten in such instances and the need to preserve persons’ privacy in the era of the internet.[42] Also, in Virginia Shylu v. Union of India[43]; the right to be forgotten was balanced with the reasonable constraints that would be considered when deciding on data deletion. The court held in this case that –

“a claim for the protection of personal information based on the right to privacy cannot co-exist in an open court justice system. It is for the legislature to fix grounds for the invocation of such a right. However, the Court, having regard to the facts and circumstances of the case and duration involved related to a crime or any other litigation, may permit a party to invoke the above rights to de-index and to remove the personal information of the party from search engines. The Court, in appropriate cases, is also entitled to invoke principles related to the right to erasure to allow a party to erase and delete personal data that is available online.”[44]

Conclusion

Right to Privacy is one of the most vital parts of an individual’s life. Though it is not a fundamental right but the same has been raised as important aspects of right to life in the Puttuswamy case. Every right if it is absolute can lead to frauds, crimes, terror etc. therefore the court has made sure that the same right does have exception through which a check and balance is maintained in the nation for peace and security. But the technology has widely advanced which demands for more strict and stringent laws. Though there are laws but there is lack in the proper implementation of the law.

There are ample of cases involving fake nudity identity of women in the social media. Which is certainly a breach of right to privacy. Hacking of phone for money laundering, sexual harassment, are one such example of data breach. In this article, the term data holds a wide ambit. And the information containing in one’s computer or mobile may be sensitive in nature. And breach or hacking or leaking of such kind of information will hamper one’s life and dignity.

The Constitution recognizes privacy but the growth and development are in the hands of judiciary. The court is proactive in these kinds of cases but still the IT Act, 2000 or IT (Amendment) Act, 2008 is not sufficient enough to cover all kind of cases. Because IT (Amendment) Act, 2008 though addresses data protection but not exhaustively. Hence, IT Act poses problems in terms of protecting data and stringent laws is required. So, it is essential to respect data privacy due to the space, choice and dignity this gives people their lives.

Therefore, it is also important to recognize that the concepts of privacy, and the right to be forgotten, are very different but equally critical to society. To summarize, the right to privacy protects privately held information, while the right to be forgotten protects privately held information that is readily available to third parties. The “right to be forgotten” also means “the right to have public personal information removed from search engines, databases, websites and other patterned information when the information is deemed irrelevant or no longer necessary.”[45]