
Data Protection Law - India and Foreign Perspective

The right to privacy is a fundamental right embodied in many constitutions across the world. It is a multifaceted concept that has been recognised both in law and in common parlance in modern society. It is one of the most basic and widely accepted personal rights, and it finds reference in the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights. The right to privacy is the most fundamental part of human life.

Personal information is the new wealth of this century. It is a person's wealth, which can be converted into monetary value for others if it is not properly controlled by its owner. Personal information forms a large and rapidly growing pool of data, and the corporate world is making a profit from this trend. Companies consider this information an asset. Once personal data becomes a commodity, you cannot retrieve or control your data in the market.

Since the late 1970s, there has been a developing body of international and regional laws and policy instruments relating to the protection of personal data. Generally, the law requires that personal information be collected or obtained fairly and lawfully.

Personal information could be in the form of personal interests, habits and activities, family and educational records, communications, medical records and financial records. This growth in the use of personal data has many benefits, but it could also lead to many problems. Developments in technology make personal information easily available and communicable.

There is an inseparable dispute between data protection and the right to privacy. It is an essential tool of good democratic governance which protects the privacy of the individual in the digital era. However, despite awareness of data protection and its recognition across the world, there is a dearth of legal and institutional frameworks, processes and infrastructure to help protect data and privacy rights.

Concept of Privacy

The concept of data protection laws has an important place in the world. It is not easy to define privacy and the right to privacy; they have been framed in different ways in different circumstances. The right to privacy is also described as "the right to be let alone". Privacy is a formal relationship between groups or persons. Privacy is a value, a cultural state or condition directed towards individual or collective self-realisation, which differs from society to society.

The Indian Constitution provides a right to freedom of speech and expression, which says that a person is free to express his will and conscience. A person has the right to life and personal liberty, which can be taken away only by the procedure established by law. The European Union has a very refined data protection law. Under European law, personal information can be gathered only in strict compliance and for a legal purpose.

Privacy and Data Protection

Data protection requires that information about a person should not be automatically available to other individuals and organisations. Everyone must be able to exercise a substantial degree of control over his or her data and its use. Data protection is legal protection to prevent the abuse of information about an individual through media such as computers.

It works as a tool for safeguarding personal data through the adoption of administrative, technical or physical deterrents. Privacy is closely related to data protection. An individual's data, such as name, address and telephone number, is often available at different places such as schools, colleges and banks, and on several websites. Disclosing this information to interested parties amounts to an intrusion into the individual's privacy, such as endless marketing calls.

What is Personal Data?

Any information that relates to an identified or identifiable natural person is known as personal data. Different pieces of information which, collected together, can lead to the identification of a particular person also amount to personal data, e.g. the name and surname of an individual, a home address and an email address.

Concept of Data Protection

A law designed to protect your personal information is known as a data protection law. Such a law enables us to control our data and protect it from abuse in modern societies. Data protection laws control and restrain the activities of companies and government authorities. These institutions have shown repeatedly that unless laws restrict their actions, they will collect it all, mine it all, keep it all, and share and use it with others without telling us anything at all.

Why is Data Protection Needed?

Whenever an individual buys goods online, uses a service, pays taxes, enters into a contract, registers an email address or visits the doctor, they have to give their personal information. Data and information are also generated and captured by companies and organisations without the person's knowledge and without any interaction with them. The only way citizens and consumers can have confidence in both business and government is through statutory law on data protection practices, that is, effective legislation to minimise corporate surveillance and data exploitation.

Since 1960, with the expansion of information technology capabilities across the world, corporate businesses and governments have been storing this personal information in their databases. These databases can be searched by anyone, edited, altered, and shared with other organisations around the globe. Once this processed or collected data became available to the world, people became concerned about what was happening with their data once they had given it. With these rapidly rising concerns and questions from the public, data protection principles were developed through various national and international consultations.

It has been reported that 90 per cent of the data in the world today has been processed or collected within the last two years. As of January 2020, nearly 107 countries across the world had adopted data protection laws, had bills pending, or were in the process of implementing such laws. When many data protection laws were drafted, the world seemed like a very different place.

Data protection should ensure the following:

  • There should be restrictions and limitations on the collection of personal data, and it should be collected and obtained by lawful and fair means and in a transparent manner.
  • The purposes of the collection of personal data should be specified at the time of collection, and the data should be used strictly for the agreed purposes.
  • Personal data that is processed and collected should be relevant, adequate and limited to the purposes for which it is obtained.
  • Measures should be taken to ensure that the data is up to date, accurate and complete.
  • Reasonable security safeguards should be in place to protect the data from loss, destruction, use, leakage, disclosure, modification and unauthorised access by others.
  • There should not be any secret processing or use of data. Individuals must be made aware of the collection and processing of their data and the purposes of its use.
  • Individuals whose data is collected or obtained must have a range of rights which enable them to control their data and any processing of it.
  • Organisations that use or obtain the data must be accountable, must ensure compliance with the above principles, and must abide by the laws which enshrine these principles.

Privacy and Data Protection under the Indian Legal System

The Constitution of India has provisions such as freedom of speech and expression under Article 19 and the right to life and liberty under Article 21. These Articles bear on the right to privacy as a fundamental right guaranteed under Part III of the Constitution. There are various cases which deal with the right to privacy as a fundamental right. The parameters of this concept have become connected with the new aspects of data protection. Privacy and data protection are interdependent. The right of data protection relates to the information of the individual. The rights of the individual emerged naturally, and so the right to privacy has also emerged naturally.

The Hon'ble Supreme Court first considered whether the right to privacy is a fundamental right in the case of M.P. Sharma And Ors. v/s Satish Chandra, District Magistrate, Delhi [1], where a search and seizure warrant issued under Sections 94 and 96 of the Code of Criminal Procedure was challenged. It was held by the court that the power of search and seizure was not in contravention of any constitutional provision.

Thereafter, in the case of Kharak Singh v/s State Of Uttar Pradesh And Ors. [2], the Supreme Court considered whether surveillance by domiciliary visits at night against an accused would constitute an abuse of the right to privacy under Article 21 of the Indian Constitution. Thus, the question arose whether Article 21 includes the right to privacy. It was held by the Supreme Court that the surveillance was, in fact, in contravention of Article 21. The majority of judges ruled that Article 21 did not specifically provide for privacy, and thus the right to privacy should not be interpreted as a fundamental right.

In the case of K.S. Puttaswamy v/s Union of India, privacy concerns were once again raised before the Supreme Court, in connection with the Aadhaar card scheme. The scheme was challenged on the ground that the collection and compilation of citizens' biometric and demographic data, and its use for other purposes, violates the fundamental right guaranteed under Article 21. The Supreme Court held that the right to privacy is integral to and indivisible from the human element in a human being and is the core of human dignity. Thus, it was held that the right to privacy is a fundamental right guaranteed under Article 21 of the Indian Constitution.

The judgement of the Supreme Court in Puttaswamy established privacy as worth protecting and conceptualised it as a right. These arguments lead to a focus on the actual harm that an individual suffers from a violation of privacy. This concept of privacy also lines up with the existing regulatory frameworks for data protection in other countries.

Meanwhile, in July 2017, the Indian government appointed a committee of experts on data protection law in India under the chairmanship of Justice B.N. Srikrishna. The committee was constituted to study the aspects related to data protection in India. It submitted its comprehensive report on data protection law on 27th July 2018, together with a Draft Personal Data Protection Bill, 2018. The report and the draft bill formed the basis of the bill tabled in Parliament.

The proposed data protection bill incorporated many provisions from the European law on privacy, the General Data Protection Regulation (GDPR). The bill defined a legal framework for the collection and use of personal data. In addition, the bill creates a set of rights, duties and responsibilities for the collection and maintenance of personal data, and it creates a Data Protection Authority (DPA) to regulate and enforce the legal framework. If implemented, it will apply to all organisations across India apart from those which are expressly exempted.

It would include any organisation that collects data through any automated means. It proposes that data should be collected only on the basis of free, specific and informed consent, with a method that permits such consent to be withdrawn in a reasonable time. Any data collected or obtained without free consent or with ill intent would be a violation and would attract penalties. It also focuses on data localisation requirements and the appointment of data protection officers in organisations. The bill provides a robust, cross-border and sectoral privacy and data protection framework for India.

Key Points of the Data Protection Bill

  • Data processing, that is, the collection and analysis of personal data, and data principals, that is, the persons or organisations that provide personal data.
  • Notice and free consent requirements for the processing and obtaining of personal data.
  • Restrictions and limitations on the processing of personal data: only the data relevant to providing the services of the data processor may be collected or obtained by the organisation.
  • Compliance requirements for data processors, such as the appointment of data protection officers to conduct audits and assessments, and the incorporation of privacy by design.
  • Rights for individuals, such as data portability, that is, the right to migrate their data from one service provider to another of their choice, and the right to be forgotten or deleted.
  • Data localisation, one of the important points of the bill, which means that personal data must be stored on servers within India and that there are limitations on the transfer of personal data outside India.
  • Regulation and supervision by a proposed Data Protection Authority constituted by the central government.
  • Penalties for non-compliance with privacy requirements, in the form of financial consequences and including the prohibition of data processing.

Data Protection Under Foreign Law

General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a comprehensive privacy law that was introduced by the European Union in 2016 and came into effect on 25 May 2018. It was drawn up to replace the outdated Data Protection Directive from 1995. The GDPR aims to create more consistent protection of personal information across the nations of the EU. Its objective is to upgrade digital security by requiring businesses to protect the personal information and privacy of EU citizens, giving citizens more control over the personal data they share online. It extends to businesses across the globe: if there is a possibility that a business or website may gather the personal information of a citizen of an EU member state, it is required to comply with the GDPR. The GDPR focuses on newer areas such as privacy rights, data security, data control and governance. It also regulates the transfer of personal information outside the EU.


The Children's Online Privacy Protection Act (COPPA) is an important privacy law for children in the USA. It aims to protect the privacy of children below the age of thirteen years and limits the collection and use of their personal information online. It was passed by the US Congress in 1998 and took effect in 2000. It is enforced and administered by the Federal Trade Commission of the USA. It is directed especially at internet marketing businesses that control websites visited particularly by children below the age of 13 years and that collect personal information from those children. The purpose of this law is to regulate the collection of that information. In addition, COPPA compliance requires the website operator to obtain verifiable parental consent from the parent of a child who visits the website, in advance of collecting or using that personal information. It also applies to companies situated or operating outside the USA that provide services or website access to children within the USA.


The California Online Privacy Protection Act (CalOPPA) was drafted to protect the privacy rights and personal data of the residents of California in the USA. It came into force as law on 1st July 2004. It applies to operators of websites or online services who collect or obtain personally identifiable information of residents of California. It also applies in another country if your business, website or online service is likely to process personal information from California residents; the business in that country then also needs to abide by the CalOPPA guidelines. This law applies to commercial websites and to mobile applications that can be accessed on mobiles and tablets.

The Health Insurance Portability and Accountability Act 1996 (HIPAA) is a federal law that was signed in the year 1996 by President Bill Clinton. It was implemented with the aim that the privacy and security of patient health information be a priority for patients themselves, along with their families, hospitals, health care service providers, health professionals and governments. It required the creation of national-level standards to protect sensitive information relating to patient health from being disclosed without the patient's consent or knowledge. HIPAA applies to entities that deal with health care services. It requires a balance that permits the use of personal information while protecting the privacy of patients who seek health care and healing. HIPAA violations can be very costly for a health care organisation, in the form of civil monetary or criminal penalties.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a privacy law of Canada for private sector organisations that deal in commercial activity. It came into force on 13th April 2000 with the aim of protecting consumers' personal information collected by private organisations. It also provides security for consumers' personal information and strengthens them when they share their personal information with private organisations through online services and e-commerce. Private organisations under PIPEDA are required to obtain the consent of consumers before the collection, use or disclosure of any personal information. Organisations cannot deny services or goods to consumers regardless of whether they give their consent to personal data collection.

The Personal Data Protection Act 2012 is a privacy law of Singapore which was approved by its parliament on 15th October 2012. It came into force on 11th January 2013. It gives full strength to data protection in Singapore. It provides a minimum standard for the collection, obtaining and use of personal data. It applies to private sector organisations in Singapore irrespective of their size and location, and to personal data collected in Singapore. Public sector organisations are exempted from complying with the Personal Data Protection Act.

In African Countries

On the African continent, 19 countries have enacted data protection and privacy laws. Six countries have data protection laws at the drafting stage. The remaining countries do not have any legislation on data protection and privacy. The African Union adopted the progressive Convention on Cyber Security and Personal Data Protection in 2014. Only ten countries are signatories to this convention, and two countries have ratified it.

Asia Pacific

Both Australia and New Zealand have laws on data protection and privacy. In Australia, the government has amended the Australian Privacy Act 1988 to meet the requirements of the digital era and to include mandatory requirements to report any breach of personal data to the data protection authority and to inform the affected customers immediately. In New Zealand, the Privacy Act controls how organisations collect, use, store, disclose or give access to personal data.

In the Asia region, 15 countries have data protection and privacy legislation, and four countries are in the process of drafting privacy laws.

Privacy is a basic human right, and computer networks contain a vast amount of personal data that may be sensitive. Not all data has the same utility and degree of importance; it differs from one item to another on the basis of its utility. With the increasing monetary value and importance of personal data to companies across the world, effective legislation to afford its protection is becoming an urgent need.

However, with the development of the cyber world, anyone can access any information relating to others from any corner of the world at any point of time, and this poses a great threat to personal and confidential information. Globalisation makes the world into a computer system, and anyone can control any information with just one click.

The right to privacy has been recognised as a fundamental right under the Constitution through various cases, but its protection and implementation are left to the mercy of the legislature. The lack of a robust law on data protection and privacy is a matter of concern today.

This concern has been expressly raised by companies that do business in India but whose data is controlled in and transmitted to another country. The government is keeping these companies' concerns in mind and is focusing on implementing the data protection bill in future, which will cater to the need for data protection in the country.

  1. 1954 SCR 1077
  2. AIR 1963 SC 1295
