This paper aims to bring out the concept of the right to privacy and data protection in the Indian scenario. As it is a known fact the right to privacy has not been given express declaration under the Constitution but it forms a part of Article 21 of the Constitution of India within the broad ambit of the right to life and personal liberty. A difference can be perceived between what falls within the privacy and what data protection remains. Data protection includes within its ambit the bank or account details of a person, business plans or intellectual property rights of a person, etc. data protection and privacy is a serious issue that has been dealt with under Information Technology (Amendment) Act, 2008, but not in an exhaustive manner, because of which there arises a need to have distinct legislation for it.
The right to privacy, if we see it in the modern world has been granted recognition under both the law and in fact. The right to privacy has been granted protection under Article 21 in the sense of promoting the dignity of an individual. A recent trend can be observed whereby a threat has been perceived by people regarding their information being stored in computer devices. The concept of the right to privacy includes within its ambit the right over the collection, usage, and dissemination of one’s data. Harm to an individual arises when one’s data in the sense of being his records related to health, financial status, medical status, family status, accounting status, to name a few reach the unauthorized third party without any protection and at a very low price. It can be used misleadingly by the third party who could cause harm to the individual, thereby leading to many problems. With the emergence of the advancement of technologies, a new set of issues have arisen in the sense of data being communicable at a faster pace without much protection. This is where the conflict stands between privacy and data protection, that the data must be protected in a manner not to be detrimental to the privacy rights of an individual.
UNDERSTANDING THE CONCEPT OF PRIVACY
It gets difficult to put in concepts the terms like privacy and right to privacy because the term’ meaning changes according to various situations. In the words of Jude Cooley, it can be termed as a ‘right to be let alone’. If we talk about reality, then we can perceive that recognition of privacy has been granted both under the law and in fact but its variation can be seen in various jurisdictions. Its application differs from society to society.
Under Indian Constitution, a person has been granted a right to have freedom of speech and expression which implies that a person is at leverage to speak things that he believes in and has been granted the liberty to express his desires. Such a right can only be taken under the law by a prescribed procedure. Not only this, but a person is even granted protection from unlawful arrest under the writ of habeas corpus and the right of professing any religion of one’s choice. Also, a person is granted protection from unlawful deprivation of his property except according to the requirements of law. Personal liberty has been provided a very broad definition under Article 21 of the Constitution of India in the sense of maintaining one’s autonomy, living one’s life with dignity, etc. amongst which some have been granted fundamental protections such as the right to move freely, freedom of speech and expression, right to privacy, etc. privacy is granted protection under Article 21 in the sense of granting control over the dissemination of an individual’s personal information.
ANALYZING THE NUANCES OF DATA PROTECTION
Till now, only one legislation grants protection to data of an individual that is, the Information Technology Act, 2000 but it does not cover all aspects of it exhaustively. There are provisions contained under such Act for data protection, for instance, Section 2(1)(o) provide for the definition of the term ‘data’ in the following words, “Data means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed or is being processed or has been processed in a computer system or computer network, and maybe in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer”. The objective behind such provision is the fact that if any person has acquired access to any data, then such person cannot provide access to it to the third party unlawfully without acquiring the consent of the concerned individual. ‘Third-party information’ has been defined to be understood as ‘any information dealt with by an intermediary in his capacity as an intermediary’, and it may be arguable that this limitation also applies to ‘data’ and ‘communication’. According to Section 79 of the Act, an intermediary has not been rendered liable for the third party information except in the provisions or requirements met out under sub-section (2) and (3) thereof. Although, it must be noted that no definition of ‘personal data’ has been provided under the Information Technology Act, 2000. Provision related to ‘Data protection’ has been farmed in a manner to ensure that the data be handled in such a position that it stands protected against any misuse in any authorized manner.
DIFFICULTY WITH PRIVACY AND DATA PROTECTION
The basic objective of seeking privacy and data protection is that the information must not reach out to other persons in an automatic manner. A person must be capable of commanding control over it. Information of a person must not be used detrimentally to him for which laws provide safeguard in the form of data protection. When we talk about privacy, it seems in a close association with it. Many things personal to an individual like his personal details about his family, residence, profession, etc. are often available at many places, but if such information gets passed, it will be a hijacking of privacy for which provisions under the Information Technology (Amendment) Act, 2008, are provided attracting both civil and criminal liabilities for such breach.
CIVIL LIABILITY ATTACHED TO DATA INFRINGEMENT
Under the amended Information Technology Act of 2008, civil liability has been imposed upon an individual by way of Section 43, such as liability has been imposed for copying digital data of an individual in an unauthorized manner, extracting the data from a computer resource, committing theft concerning database stored in a computer, violating the privacy of any individual, copying of data in an unauthorized manner, bringing any virus to any computer resource or the introduction of such virus to any document or network, transmitting data outside the computer resource to any third person in an unauthorized manner, committing fraud or forgery concerning data services, disrupting the password of any document, altering, deleting or adding any data to any document, etc. all this has been granted protection against any substantial damage or harm caused to the concerned person. Under Section 43-A, compensation has been granted to an individual whose personal sensitive information has been leaked by the corporate body who was under the responsibility of handling it with care, by its negligent act in storing or granting protection to such sensitive information. In other words, a civil action is invoked by way of Section 43A. Section 43 A of the Information Technology Act has been worded in the following words, “Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected”. It needs to be mentioned here that other than Section 43-A under IT Act, 2000, nowhere under any other statute, protection has been conferred against such data breaches of any personally sensitive information. Thus it can be seen that a right has been granted to a person to invoke civil action against any person who is unauthorized using the other person’s information detriment to the concerned person, other than those to which responsibility has been provided by the owner of information himself for the protection or handling of such data.
DATA INFRINGEMENT INDUCING CRIMINAL LIABILITY
Under the Information Technology Act, 2000, the criminal liability has been sanctioned against a person who is found guilty of committing theft concerning any computer database or found violating the privacy of an individual. Under Chapter XI, major amendments have been made with respect to Sections ranging from 65 to 74 and these Sections include within its ambit the act of tampering with the documents stored in a computer device in an unauthorized manner, sending offensive messages with the help of any communication service, committing theft of one’s identity, committing cyber terrorism, involved in dissemination of any obscene material in any electronic form or doing the same with any sexually explicit material, involved in material transmission of any children involved in the sexual act, engaged in receiving the stolen computer resource, to cheat by using computer resource by way of personation, and even attaches liability to the intermediary who is found intentionally violating the provisions of Section 43(1) or if the same is found acting in non-compliance of any order of the controller, found engaged in activities such as decryption of any material information, involved in blockage of any public access to any information by way of any computer resource
intermediary intentionally or knowingly contravening the provisions of sub-section (1) of section 43, any person intentionally or knowingly failing to comply with any order of controller, interception or monitoring or decryption of any information through any computer resource, blocking for public access of any information through any computer resource, intermediary contravening the provisions of sub-section (2) of section 69-B by refusing to provide technical assistance to the agency authorized by the Central Government to monitor and collect traffic data or information through any computer for cyber-security, securing access or attempting to secure access to any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, any misrepresentation to or suppressing any material fact from the Controller or the Certifying Authority, breach of confidentiality and privacy disclosure of information in breach of lawful contract, publishing electronic signature certificate false in certain particulars, and electronic signature certificate for any fraudulent or unlawful purpose.
India does not have specific data protection legislation, other than the IT Act, which may give the authorities sweeping power to monitor and collect traffic data, and possibly other data. The IT Act does not impose data quality obligations about personal information and does not impose obligations on private sector organizations to disclose details of the practices in handling personal information.
To conclude, it can be said that the concept of privacy stands as a basic human right, and storage of data in the computer resource might be sensitive. Liabilities for the infringement of data of an individual and protection against unauthorized use and access to such data has been granted under Chapters IX and XI of the Information Technology Act. It has become easier for a person to have access to any information related to any person which has emerged as a new risk for persons whose information contains a significant amount of confidentiality in it. With the advancement of globalization, access to information has been made worldwide for which several jurisdictions have accorded protection by way of several legislative provisions or statutes, for instance, the United States of America has legislation in the name of the Electronic Communications Privacy Act of 1986, the United Kingdom sets forth the Act on Data Protection, 1998, to name a few. Coming to the Constitution of India, protection has been granted under Article 21 but its applications and scope, or in other words, the development of the doctrine have been left completely in the hands of the Indian Judicial System. With the emergence of cyberspace, protecting one’s information has become a serious and threatening issue since once the information leaks out in the domain, it gets almost impossible to retrieve it back or put the clock back in its original position. Therefore, the Information Technology Act must establish certain standards prescribing the protection of both privacy and data, without any harm being posed to the fundamental right of the person of his privacy. Hence, separate legislation is much needed in the area of data protection to simultaneously balance the rights between both.
Author(s) Name: Eshita Jain (Himachal Pradesh National Law University, Shimla)
- Alan F Westin, “Science, Privacy, and Freedom” 66 Columbia Law Review 1003 (1996).
- Michael Warner, Publics and Counterpublics, quarterly Journal of Speech, Vol. 88, No.4, November 2002, pp. 413-425.
- Louis Henkin, “Privacy and Autonomy” 74 Columbia Law Review 1410 (1974).
- Parvathi Menon, SnajayVashishtha, Vitriolage, and India – The Modern Weapon of Revenge.
- Akhil Gupta Blurred Boundaries: The Discourse of Corruption, the Culture of Politics, and the Imagined State, American ethnologist, Vol.22, No. 2 (May 1995), pp.375-402.
- Samuel Warren & Louis D. Brandies, “The Right to Privacy” Harvard Law Review 193 (1980).