Right to Privacy

The Supreme Court in M.P. Sharma and Others v. Satish Chandra[1] , the Supreme Court questioned the presence of a protected right to privacy. However, what the Supreme Court failed to answer is that whether given that right to privacy does form a separate fundamental right in the Indian Constitution, it is incorporated in any other fundamental right including the right to life and personal liberty guaranteed under Article 21 of the Constitution. In the case of Kharak Singh v. State of Uttar Pradesh[2], the Supreme Court upheld the same theory of the absence of the right to privacy as a separate right. Justice Subbarao however, put before a dissenting opinion proposing that though the right to privacy is not reflected as a separate right in the Indian Constitution, it forms an important part of the right to personal liberty. In the matter of People’s Union for Civil Liberties (PUCL) V. Union of India[3], The privacy interest in the content of communications over the telephone was first recognized. It said that arduous standards are necessary for the law that derogates or degrades privacy and that such mechanism used should be targeted, based on specific suspicion of identifiable individuals and be the only means to fulfil the government’s goals of public safety and crime prevention.

In recent years, the right to privacy argument was brought in light because of its close linkage with the issuance of Aadhar cards by the government. In 2012, Justice (retired) Puttaswamy filed a petition in the Supreme Court questioning the authenticity of Aadhar cards and the subsequent violation of the right to privacy. During the case proceedings, the then Central Government opposed to the right to privacy being recognized as a separate fundamental right a unanimous judgment by the bench endorsed the right to privacy as a fundamental right under the Constitution. The order signed by the bench of nine judges declared-“The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.”

The Right to Privacy and the Personal Data Protection Bill, 2019

The Personal Data Protection Bill was introduced in the Parliament on 11th December 2019 by Mr Ravi Shankar Prasad, Minister of Electronics and Information Technology. 

Section 43-A of the Information Technology Act, 2000 deals with the provision of the obligation of corporates processing any personal data or handling any such sensitive data in a computer resource which it uses, to maintain reasonable and necessary security practices and procedures for its protection, failing to do which they would be liable to pay compensation to the individual so affected due to this negligence. The Data Protection Bill, 2019 apart from protecting personal data and establishment of the Data Protection Authority, also seeks to supersede the provisions of Information technology Act, 2000 and delete this provision.

Analysis and Solution

The Data Protection Authority (DPA)

The DPA would be set up to regulate the provisions of the Bill and look for its successful implementation. The DPA would work upon the issues of obtaining consent, limiting the use of data and take charge of the cross- border data exchange. Security safeguards and maintenance of transparency by the businesses would be kept on check by the Data Protection Authority (DPA). DPA covers a wide horizon to mandate the same and the successful and effective implementation of the regulatory mechanisms might be difficult.

Clause 86 of the Bill impedes the independence of DPA in carrying out its regulatory mechanisms by giving the Central Government to impose binding directions. Lack of decentralization to reach the State Authorities might result in delays in the long term. The mandate given to the DPA must be in correlation with the constraints of State capacity in India. A consultative process facilitating decision-making, removing the ambiguity of the clauses must be followed by the Government and the DPA together. It should be ensured that its composition should enable it to avail of independent inputs in an institutional manner.

Collection of Personal Data

The Right to Privacy and the Personal Data Protection Bill, 2019 serves as a preventive framework that directs and regulates the receiving of informational data by the companies in respect of their employees in the form of their personal data but fails to consider the importance of analyzing a situation in case of violation of such privacy and the subsequent harms. However, the Bill fills the gap between the consumers or the employees and the data fiduciaries as to how the personal data so collected is put into use. This is done by enabling the consumers to access their personal data and comprehend information as to their usage. The data fiduciaries must assure that the consumers are made aware of their rights in concern of their data before the collection of the same.

The Srikrishna committee regarded these provisions as foundational to the legislation:

The notice and choice framework to secure an individual’s consent is the bulwark on which data processing practices in the digital economy are founded. It is based on the philosophically significant act of an individual providing consent for certain actions pertaining to her data.[4]

The Problem of Consent

The PDP Bill sets out certain rights of a “data principal”, i.e., ‘the individual whose personal data is collected, including to correct incomplete or inaccurate personal data, erase personal data that is no longer required for the consented purpose and the right to be forgotten.’

Collection and processing of data without consent should be prohibited. The Indian Constitutional norms in the context of informational privacy should stand violated when the industries or businesses violate this principle. Apart from this, the individuals who have consented must be responsible for their decision of sharing the data to the fiduciary.

Strengthening the State

The Bill strengthens the state’s interference in data economy with Clause 35 which gives the State the power to not apply the provisions of the Act to any agency of the Government in the process of regulating the personal data so received if it thinks that such an exception is in the interest of the sovereignty and the integrity of India. The state can prevent the provisions of the Act to be applied to any agency of the Government in concern of the processing of the personal data so collected if it thinks it necessary for the sovereignty and the integrity of the state. It also permits them to enforce safeguards they think are necessary to the use of data.

This efficiently constitutes a new source of power for constitutional agencies to conduct surveillance and could ultimately end up diluting the privacy instead of its role of strengthening it.

Compliance Costs

The Bill requires the various businesses and companies to bring into force operational and structural changes for compliance with the provisions of the bill. Huge logistical costs may result from the migration of data to local data centres for companies of Indian origin. “Some short-term disruptions are possible, but the answer to this would be a significant investment in data governance. It will impact smaller providers more because they have to create special provisions, change processes and systems of transferring data,” said DD Mishra, Senior Director Analyst at technology research house Gartner.

Mishi Choudhary, Tech lawyer and Managing Partner at Mishi Choudhary and Associates, said, “The data localization requirements of the government showcase a misplaced understanding of the cloud architecture, companies store their data wherever it’s the most cost and time-efficient. A data centre is a high electricity consuming, minimal employment generating and a highly self-sufficient facility. That’s why many companies have their servers in countries like Iceland, for cost and climate factors.”[5]

Hence preventive regulatory mechanisms should be encrusted while closely examining their costs and benefits.

Conclusion

The design of the Right and Privacy and Personal Data Protection Bill,2019 can be revised to enable a more clear and practical framework for the protection of personal data of individuals while providing flexibility enough to let the Indian economy benefit from the changes in the technology of data processing of personal data. The regulatory landscape of the Indian Economy must be pragmatically scrutinized to implement the regulatory framework so tailored. A pragmatic assessment of the costs and benefits that suit the Indian demographical set-up could only ensure that. The Bill highlights the key components to achieving its goal of data protection but certain changes need to be made to guarantee the expected results.


[1] M.P. Sharma and Others v. Satish Chandra [1954 AIR 300, 1954 SCR 1077]

[2] Kharak Singh v. State of Uttar Pradesh [1963 AIR 1295, 1964 SCR (1) 332]

[3]People’s Union for Civil liberties v. Union of India [ AIR 1997 SC 568]

[4] Committee of Experts under the Chairmanship of Justice B. N. Srikrishna, “Report of the Committee of Experts under the Chairmanship of Justice B N Srikrishna,” Committee Report (India: Ministry of Electronics & Information Technology, Government of India, July 27, 2018), 32, https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report-comp.pdf.

[5] Personal Data Protection Bill, 2019: Compliance cost to rise for India Inc. by Diksha Munjal, Infotech

Shailza Agarwal from Symbiosis Law School, Noida

You can find her here

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: