The term 'Privacy' is derived from the Latin word 'Privatus' which means
separated from the rest. Though it is a variable concept that varies with
cultural or social context, in essence it means the right to be left alone.
The need for Privacy is to create a balance between individual and social
interests, which is equally applicable to past, present and future society. In
this sense, the necessity of Privacy was found in the dawn of human
civilization. Also, the growth and expansion of Privacy varied according to the
variation in different stages of human civilization.
Hence, the description of origin and history of Right to Privacy should proceed
from the ancient period to the modern period. In fact, the idea of Privacy
originated in animal society and was gradually incorporated into
human society. The world is witnessing rapid growth in technology, with the
internet becoming a ubiquitous presence and breaking down geographical
boundaries in terms of the flow of information. Data has become an important part
of our daily lives, with almost every aspect of modern life connected to some
form of data.
Whether it's social media, banking, or retail, our daily routines are
intricately linked to the data. This increased interconnectedness brings with it
a number of new and complex challenges in terms of privacy and data protection,
making it crucial to ensure that individuals have control over their personal
data. India, as one of the largest growing economies, is at the forefront of
this digital transformation with various sectors being digitized and the launch
of the digital India program.
In response to the growing concern over the protection of personal data and
individual privacy rights, the Indian government has introduced a number of
legislations. The bill's preamble aims to provide a legislative outlook for
protecting personal data and individual rights in India's rapidly growing
digital landscape.
Introduction:
Privacy is a state of affairs where information regarding an individual's life and
conditions that are private in nature is beyond the reach and knowledge of
others. In the current technological milieu, where one can access personal
details and information regarding an individual's diverse affairs, all that privacy
means is that people want to have control over what information needs to be
there in the public domain. Privacy ordains that the individual is at liberty to
avoid unsanctioned intrusions in his life and personal affairs and pre-supposes
that the individual will have unqualified control over the information
pertaining to him. Privacy is an interest of the human personality. It protects
the inviolate personality, the individual's independence, dignity and
integrity1.
The reasons behind protecting one's privacy are varied. Some people want to
maintain anonymity, some others want to conceal facts about themselves that are
embarrassing, discreditable or which may put them under some risk to their life
and property, whereas a few may like to have peace and solitude. Thus, one can
safely argue that basically there are three elements in privacy: secrecy,
anonymity and solitude. It is a state which can be lost, whether through the
choice of the person in that state or through the action of another person.2
The discourse on privacy interests and the corresponding legal rights has seen
drastic changes from one technological era to another. In the old legal order,
when no telecom, communication or computational technologies were available,
privacy intrusions were primarily treated as trespassing, assault, or
eavesdropping. Privacy in those days had not attained the intensity and
magnitude as it has achieved in today's modern world where we have telephone
wiretaps and microphones for overhearing, digital photography and spycams for
undercover and intelligence operations, computers, mass storage devices and
database software for storing, collating and circulating personal and financial
information.
With these inventions no one can rest assured that his personal information
shall remain within the confines of his home or personal archives. New
technologies have made it possible to clandestinely transmit and broadcast
information pertaining to an individual without his knowledge. Organized
collection, collation and storage of an individual's private and personal
information on databases, has made it possible to invade people's privacy.
The data storage and surveillance potential of computer systems has given a new
direction to the discourse on privacy rights. The question could no longer be
whether the information could be obtained, but rather whether it should be
obtained and, where it has been obtained, how it should be used. Technological
inventions such as data matching, profiling, data mining, smart cards, cookies
and spam have created an increased threat to the privacy of persons.
History and Background of Law of Privacy:
Fundamental rights are basic rights inherent in human beings, and such rights
should be entrusted to every citizen of the country along with proper remedial
mechanisms. The "right to privacy" has travelled a long journey to obtain the
status of a fundamental right under the Indian Constitution. To show how it
attained that status, elucidation of certain prominent case laws is necessary,
both to substantiate the discussion and to provide a clear and unambiguous idea
of the right to privacy. The right to privacy was derived from the "protection
of life and personal liberty" enshrined under article 21 of the Indian
Constitution, and the discussion of case laws is essential for a better
understanding of this utmost significant right in
the present scenario. In 1859, John Stuart in his essay "On Liberty" gave
expression to the need to preserve a zone within which the liberty of the
citizen would be free from the authority of the state.
In late 1890, Samuel D Warren and Louis Brandeis stipulated the need for the
right to enjoy life which included the 'right to be alone'. The right "to be let
alone" thus represented a manifestation of "an inviolate personality", a core of
freedom and liberty from which the human being had to be free from intrusion. It
justified the need of being left alone with the early developments in
technology, photography, and newspaperization.3
The primary protection is provided under the Constitution of India under article
19, article 21 and article 25. Privacy as a right first came under
the judicial lens in M.P. Sharma v. Satish Chandra4, wherein the provision of
search and seizure as provided under the Criminal Procedural Code, 1973 was
challenged as violating the fundamental rights of the petitioner under article
19 (1) (f) and article 20 (3)5.
The court held that search and seizure does not infringe constitutional rights.
The court further observed that, "if the Constituent Assembly thought it fit not
to recognise fundamental right to Privacy, analogous to 4th Amendment of US
Constitution, then we have no justification to import it". In Kharak
Singh vs State of Uttar Pradesh6, the appellant was being harassed by
police under regulation 236(b) of the UP regulation, which permits
domiciliary visits at night.
The Supreme Court held that regulation 236 is unconstitutional and violative
of article 21. The court concluded that article 21 of the Constitution
includes the "right to privacy" as a part of the right to "protection of life and
personal liberty". Justice Subba Rao equated personal liberty with privacy and
he observed that concept of liberty in article 21 was comprehensive enough to
include privacy and that a person's house, where he lives with his family is his
castle and that nothing is more deleterious to a man's physical happiness and
health than a calculated interference with his right to privacy.
This was also re-strengthened by Maneka Gandhi v. Union of India (1970),7
in which the court ruled that enumeration in Article 19 does not deprive Article 21
of its expansive ambit. While analyzing the discordant view in the ADM Jabalpur
case, the court held that the constitution is not the sole repository of life
and liberty. Even if the rights were not granted under Article 21, the state
would not be permitted to suspend such rights. For example, as under the 44th
Amendment, Article 359, even in an emergency, the power to move to the
court for enforcement of rights shall not be suspended for Article 20 and 21.
Later, three judgments saw and acknowledged privacy as a constitutionally
protected fundamental right, namely, Gobind v. State of Madhya Pradesh8, PUCL v.
Union of India (telephone tapping case)9 and R. Rajagopal v. State of Tamil Nadu
(1994)10 (Court dealt with a conflict between the freedom of the press and the
right to privacy). However, all three judgments were of smaller benches and left
the stakeholders in a dilemma as to whether Privacy is to be read into Article 21
of the Constitution of India or not. In Rajagopal Case (1994)11 the court held that the
right to privacy has two aspects: the first affords an action in tort in damages
for the unlawful invasion of privacy, and the second is a constitutional right.
Concept of Privacy:
The concept of 'Privacy' has been a matter of debate, discussions and
deliberations since its inception. However, the recent judgement delivered by
the Supreme Court in the case of Justice K.S. Puttaswamy (Retd) v. Union of
India12 has given more prominence to the concept of Privacy in India, as it
dealt with the issues related to the Aadhaar database. Aadhaar is a database
containing intrinsic details of the citizens including their bio-metric
information.13 This creates a provision for privacy related to the person's
information, i.e., informational privacy.
It was argued that the compulsory requirement of Aadhaar for access to social
welfare schemes violates the right to privacy of an individual. As Aadhaar
includes bio-metric information and it is connected with bank accounts,
permanent account number (PAN) etc., there is every possible chance that the
information collected and connected through Aadhaar may get misused and will
eventually hamper the framework of interest associated with privacy of citizens.
Privacy is a subjective concept which varies from person to person. It
originates from the term "Privatus" which means separated from the rest of the
world. Steven Lukes, in his article 'The Meanings of "Individualism"', explains
that the concept of Privacy is evolved and developed through the perception of
"Individualism".14 Individualism is a moral stance, political philosophy,
ideology or social outlook that stresses "the moral worth of the individual".
The theory of individualism reflects that an individual is an independent entity
because the creator has granted life to him/her and thereby an individual can
avail all the freedom including privacy. According to John Locke, privacy is
intrinsic to the notion of freedom. As per Locke's views, "a person who operated
within the confine of a social contract, but is free within the confines of
those contracts" and only in the state of war
he can give this freedom. Privacy allows every individual to be left alone in a
core which is sacrosanct. As discussed by Charles Warren and Louis D. Brandeis
in the famous article, "The Right to Privacy", "Once a civilization has made a
distinction between the 'outer' and the 'inner' man, between the life of the
soul and the life of the body, between the spiritual and the material, between
the sacred and the profane, between the realm of God and the realm of Caesar,
between Church and state, between rights inherent and inalienable and rights
that are in the power of government to give and take away, between public and
private, between society and solitude, it becomes impossible to avoid the idea
of privacy by whatever name it may be called- the idea of a private space in
which man may become and remain himself".15
Kinds of Privacy:
- Informational Privacy:
Informational privacy is an emerging phenomenon. With the advent of
technology and internet, new dimensions are being added to the traditional
notion of right to privacy like informational privacy or data privacy.
Technology allows an individual to generate both personal and non-personal
information about himself in cyberspace, knowingly or unknowingly. According
to the IITF Principles of the United States, information privacy is "an
individual's claim to control the terms under which personal information
i.e., information identifiable to the individual is acquired, disclosed, and
used".16
Informational privacy carries the essence of privacy law, which lies in
the claim of an individual to control disclosures, use, or access to
information pertaining to that person. Informational privacy or data privacy
is the relationship between the accumulation and dissemination of data,
technology, and the legal and political issues surrounding them.
It covers information that links an individual specifically with particular
events, background facts, or other information. Informational privacy
rights depend on whether the subject matter consists of "personal
information" or non-personal information, because not every sort of non-personal
information will be able to claim the right to privacy. Initially let's
evaluate the term personal information and then the non-personal
information17.
Under the regime of privacy rights, every individual wants to keep his or
her personal affairs to himself or herself, but in electronic transactions a variety
of an individual's information is collected and stored, which can easily allow
others to identify that individual. Technology enhances productivity and
provides opportunities, livelihood, recognition and social growth. It can be
said that an individual's autonomy in the information society can be
recognised as an "informational self-determination"18.
- Personal Information:
Here "Personal" does not mean especially sensitive. Rather, it describes a
relationship between the information and a person, namely that the
information whether sensitive or trivial is somehow identifiable to an
individual.
Personal information can include:
- any information which creates an ownership relation to the individual,
- any descriptive relation to the individual and
- any instrumental mapping relation to the individual.
An individual owns his/her personal information, which, as per his/her interest,
he/she offers and describes to society as a medium of identification. This
information may include the individual's biometric state, such as sex, height,
weight, blood type, fingerprint, retina pattern, DNA, or state of health. It may
relate to biographical facts, such as birth date, marital status, sexual
orientation, immigration status, criminal history, or educational degrees and
also identify social connections, such as membership in religious and political
organizations. The descriptive information includes records which are more
discrete wherein transient actions are taken by an individual. For example, it
contains information related to the data footprints of an individual visiting a
particular store online at a particular time to purchase a particular item. Such
information is regularly collected by undercover surveillance through
cyberspace19.
- Medical Privacy:
The patient's anonymity regarding his/her treatment is critical and must be
protected. Individuals have the right to privacy and confidentiality about their
personal and medical information. Such sensitive and secret information about an
individual should
only be shared between him and his doctor, physician, healthcare provider, or
health insurance organization. The patient's medical information provided to a
health care practitioner will not be disclosed to outsiders unless the patient
grants his agreement to do so. The confidentiality of a patient should be
protected because the disclosure of personal information or records may cause
personal or professional problems, whereas patients rely on doctors to keep
their medical information private. Though it is extremely rare to keep medical
records or information fully private, a common violation of confidentiality
happens when doctors divulge medical information to others and use it as one of
their case studies. If this material is published in professional publications,
the patient's identity is never revealed, and if it appears in any manner, the
patient has the right to sue.20
- Internet Privacy:
Internet privacy refers to the control over personal information on the
Internet, including who can access it and how it is used. Many websites collect,
store, and potentially exchange personally identifying information about
visitors, which may raise concerns.
Internet email users value their privacy and would be concerned if third parties
accessed, read, saved, or forwarded their emails without their authorization.
Encryption and anonymizing services, such as I2P and Tor, are used to preserve
online privacy.21
- Financial Privacy:
Protecting personal financial information is crucial for preventing fraud and
identity theft. Purchase information can expose a person's interests, travel
history, contacts, medicine use, and habits. Financial privacy extends to
personal bank accounts. Sharing information on an individual's bank account,
even if it is in a non-sharing country, can aid in combating tax evasion22.
Issues and concerns:
- Violation of confidentiality and privacy: The terms violation of confidentiality and privacy are described under the IT Act. Section 66-E23 very eloquently explains violation of privacy as 'whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person.' Section 66-E explanation (e) has also explained violation of privacy as 'circumstances in which a person can have a reasonable expectation that—
- he or she could disrobe in privacy, without being concerned that an image of his private area was being captured; or
- any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place.'
Section 72 provides for penalty for breach of confidentiality and privacy as meaning 'any person securing access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record book, register, correspondence, information, document or other material to any other person.'
- Absence of right to be deleted: Considering the potential of social media and the World Wide Web, Justice Kaul identifies the need for "right to be forgotten." He was of the view that, "the right to be forgotten refers to the ability of individuals to limit, de-link, delete, or correct the disclosure of personal information on the internet that is misleading, embarrassing, irrelevant, or anachronistic." Due to the right to privacy, an individual must have control over his personal information, which means if he wishes to delete his information, then it must get erased from cyberspace. However, the data protection laws across the world support the right to be forgotten but not the right to be deleted. Forgotten means that the data will be there in cyberspace; the only thing is it will appear at the end of search pages, whereas the right to be deleted gives control to the owner of information to delete it permanently from cyberspace.
- Telephone tapping: Right to privacy is affected by new
technologies. Right to privacy relating to a person's correspondence has
become a debated issue due to technological developments. There have been
cases of intercepting mails and telephonic communication of political
opponents as well as job seekers. Section 5(2) of the Indian Post Office Act
and section 26(1) of the Indian Telegraph Act empower the central and state
governments to intercept telegraphic and postal communications on the
occurrence of a public emergency in the interest of public safety.
- No control over information: The RTI query on UIDAI revealed that, under the terms of UIDAI's contracts with them, US-based biometric service providers like L-1 Identity Solutions Operating Company Private Ltd, Morpho, and Accenture Services Private Ltd used the Aadhaar data. This is apparent from contract clauses 15.1, on 'Data and Hardware', as well as clause 3, which authorizes the collection, use, transfer, storage, and processing of data. The burning question here is, 'Do individuals have control over the manner in which information pertaining to them is accessed and processed by others?' Therefore, the Supreme Court has opened the opportunity for citizens to appeal against the government under certain established principles concerning these constitutional rights which can protect informational privacy.
Legal Introspection in India:
- The Indian Telegraph Act, 1885
Early reference of protection of information can be traced way back in 1885 under the Indian Telegraph Act, 1885 wherein under section 5 (1) temporary possession of the message by the authority is permitted and under section 5 (2) the interception of messages by the authority is permitted only in case of any public emergency or in the interest of public safety. Thereby, state will interfere with information communicated in the form of message only in case of any public emergency or in the interest of public safety and in any other case the state cannot interfere, which is nothing but the protection of right to privacy over the message. Further section 24 provides for the consequences of attempting to learn the contents of messages unlawfully. Any unlawful access to message is a punishable offence, therefore the privacy in message was protected under this act.
- The Information Technology Act, 2000
To counter the challenge of data privacy, another significant reference can be taken from the Information Technology Act, 2000. An amendment was made in the IT Act in 2008 by adding section 43A and section 72A for dealing with sensitive personal data. Section 43A creates a private right of action in civil law by which any person can sue a body corporate for negligent handling of its sensitive personal data or information.
- Body corporate possessing, dealing, or handling, any SPD or information in a computer resource.
- The body corporate has a duty to implement and maintain reasonable security practices.
- Causing wrongful gain or wrongful loss to any person.
- The body corporate shall be liable to pay compensation.
- The Aadhaar Act, 2016
The Government of India through The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 has recently mandated the use of the biometric database known as the Aadhaar card to deliver targeted subsidies, benefits and services. The biometric information of every individual is unique and this uniqueness makes the individual "only one in the world". Thus, the biometric information is extremely sensitive and personal in nature and attracts the right to privacy which needs to be protected. Section 28 of the act provides that the UIDAI shall ensure the security of identity information and authentication records of individuals. Section 29 prohibits the sharing of core biometric information collected or created under the Aadhaar Act with anyone for any reason, and its use for any purpose other than generation of Aadhaar numbers and authentication under the Aadhaar Act. Also, under the Aadhaar Regulations, 2016 sharing of core biometric information by the authority is prohibited.
- Personal Data Protection Bill, 2019
The Indian government introduced a Bill on December 11, 2019, aimed at drafting a data protection regime to address current issues and potential statutory protection. The Bill entrusts data intermediaries with the responsibility to execute security measures and inform individuals about data breaches. It also establishes data protection officers and a Data Protection Public Authority (DPPA) to address grievances and take action against data collectors or processors. The Bill also requires affirmative consent for processing sensitive or personal information. Although the Bill is yet to be enacted, it is considered a significant step towards data protection and could be considered effective legislation if it becomes an Act in the future.
Conclusion:
The concept of privacy has evolved significantly in the digital age. While
traditional concerns about physical privacy remain, the vast amount of personal
information collected and stored electronically poses new challenges. This
article explored the concept of privacy, its legal framework in India, and the
threats posed by technological advancements.
The Supreme Court of India
recognized privacy as a fundamental right under Article 21 of the Constitution.
This right encompasses informational privacy, protecting individuals from the
unauthorized collection, use, or disclosure of their personal data. With the
rise of the internet and digital technologies, the concept of privacy extends to
the control individuals have over their personal information. The Indian legal
system provides some protection for informational privacy through the
Information Technology Act (2000) and the Aadhaar Act (2016).
However, concerns
remain regarding the "right to be forgotten" and the potential for government
surveillance. Strengthening data protection laws and regulations is crucial to
ensure responsible handling of personal information by businesses and the
government. Technological solutions like encryption and anonymization can help
individuals maintain control over their data. Public awareness about privacy
rights and responsible data sharing practices is essential.
Reference:
Books:
- Gaurav Goyal, Ravinder Kumar, The Right to Privacy in India: Concept and Evolution, Oxford University Press, 2016
- Dr. Ankita Yadav, Privacy and Data Protection: Special Reference to India
Articles:
- Warren, Samuel D., and Louis D. Brandeis. "The Right to Privacy." Harvard Law Review 4 (1890): 193-203.
- Puttaswamy (Retd.), K.S. v. Union of India. [2017] 10 SCC 1.
Websites:
- https://en.wikipedia.org/wiki/Information_privacy#cite_note-1
- https://www.dailypioneer.com/2017/columnists/aadhaar-data-security-and-breach-of-privacy.html
- https://cis-india.org/internet-governance/blog/aadhaar-act-and-its-non-compliance-with-data-protection-law-in-India
End Notes:
- "Privacy as an Aspect of Human Dignity". New York University Law Review 39 (1964)
- "Privacy and the Limits of Law". Yale Law Journal 89 (1980)
- Warren and Brandeis, "The Right to Privacy", Harvard Law Review, Vol.4, No. 5, (1890)
- M.P. Sharma v. Satish Chandra, (1954) SCR 1077
- The Indian Constitution
- (1954) SCR 1077
- 1 SCC 248
- (1975 2 SCC 14)
- (1975 2 SCC 14)
- AIR 1997 SC 568
- SCC (6) 632
- AIR 2018 SC (SUPP) 1841
- R.Venkata Rao, Subha Rao (eds), "A Public Disclosure on Privacy – An Analysis of Justice K.S. Puttaswamy v. UOI"
- Steven Lukes, "The Meanings of Individualism" 32 (1) JHI, 45-66(1971)
- Samuel Warren, Louis Brandeis, "The Right to Privacy" 4 HLR 193 (1890)
- Principles for Providing and Using Personal Information ("IITF Principles") issued by the Clinton administration's Information Infrastructure Task.
- "Information Privacy", available at: https://en.wikipedia.org/wiki/Information_privacy#cite_note-1
- http://docs.manupatra.in/newsline/articles/Upload/46D5708A-2C89-424B-91A2-1144BCD95C4D.pdf
- Jerry Kang, "Information Privacy in Cyberspace Transactions" 50(4) Stanford Law Review 1193-1294 (1998)
- https://code-medical-ethics.ama-assn.org/ethics-opinions/privacy-health-care
- https://www.techopedia.com/definition/24954/internet-privacy
- https://store.lexisnexis.com/products/the-law-of-financial-privacy
- Information Technology Act, 2000
- Government of India, Report: Committee on A Free and Fair Digital Economy Protecting Privacy, Empowering Indians (Union Ministry of Electronics & Information Technology, 2017)
- Data Security and Breach of Privacy, 2017, available at: https://www.dailypioneer.com/2017/columnists/aadhaar-data-security-and-breach-of-privacy.html
- The Indian Telegraph Act, 1885. S. 5. Power for Government to take possession of licensed telegraphs and to order interception of messages.
- https://en.wikipedia.org/wiki/Information_Technology_Act,_2000
- https://cis-india.org/internet-governance/blog/aadhaar-act-and-its-non-compliance-with-data-protection-law-in-india
- https://prsindia.org/billtrack/the-personal-data-protection-bill-2019 last visit on 03/09/2024