By Devesh Saxena, Faculty of Law, University of Allahabad
Editor’s Note: The term ‘privacy’ refers to the use and disclosure of personal information and is only applicable to information specific to individuals. As such, the right to privacy has been given paramount importance by the Indian judiciary and can only be fettered with for compelling reasons such as, security of the state, public interest or for preventing incitement to the commission of any cognizable offence. The author attempts to highlight the various pressing issues with respect to privacy laws in India.
“Gradually the scope of legal rights broadened; and now the right to life has come to mean the right to enjoy life – the right to be let alone.”
– Louis Brandeis, J. (1890)
With robust growth and comparatively stable economy, India continues to be a key and fast developing market across the world. Number of foreign companies operating in India grows 100% every year. Yet India is left to embark upon a law that matches to developed nations’ legal system and meets investors’ expectations. However, the courts in India have used existing laws to afford protection and confer rights to secure a fair privacy to everyone.
Legal Framework In India
Presently, there is no specific legislation dealing with privacy and data protection. The protection of privacy and data can be derived from various laws pertaining to information technology, intellectual property, crimes and contractual relations. Although there is no statutory enactment expressly guaranteeing a general right of privacy to individuals in India, elements of this right, as traditionally contained in the common law and in criminal law are recognized by Indian courts.
Privacy Under the Constitution of India
Under the Indian Constitution, Article 21 of the Indian Constitution is a fairly innocuous provision in itself i.e. “No person shall be deprived of his life or personal liberty except according to procedure established by law “. However, the above provision has been deemed to include within its ambit, inter-alia, the Right to Privacy – “The Right to be left alone”, as the Supreme Court termed it in many illustrious cases including Kharak Singh v. State of U.P. Further, in a detailed exposition on Right to Privacy, the Supreme Court in R. Rajgopal v. State of TN laid down that, the right to privacy is implicit in the right to life and liberty guaranteed to a citizen under Art.21 of the Constitution, a citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, childbearing and education among other matters. None can publish (meaning “make known to the public”) anything concerning the above matters without his consent, whether truthful or otherwise and whether laudatory or critical, unless they are part of public records.
• Privacy in Tort Law
The Right to Privacy is further encompassed in the field of Torts which include the principles of nuisance, trespass, harassment, defamation, malicious falsehood and breach of confidence. The tort of Defamation involves the right of every person to have his reputation preserved inviolate. It protects an individual’s estimation in the view of the society and its defenses are ‘truth’ and ‘privilege’, which protect the competing right of freedom of speech.
• Privacy in Contract Law
Under Indian laws, the governing legislation for contractual terms and agreements is the Indian Contract Act. There exist certain other means by which parties may agree to regulate the collating and use of personal information gathered, viz. by means of a “privacy clause” or through a “confidentiality clause”. Accordingly, parties to a contract may agree to the use or disclosure of an individual’s personal information, with the due permission and consent of the individual, in an agreed manner and/or for agreed purposes, but, any unauthorized disclosure of information, against the express terms of the agreement would amount to a breach of contract inviting an action for damages as a consequence of any default in observance of the terms of the contract.
• Privacy Obligations under Specific Relationships
There are instances of specific inter-personal relationships wherein one party might be obligated to maintain a certain measure of confidentiality. A doctor-patient, husband-wife, customer-insurance company or an attorney-client relationship; are instances where there exists a strong ethical obligation on the part of one party to protect the privacy of information relating to an individual which may expose him to social humiliation and/or ridicule. The above principle also receives legal recognition in Ss. 123-126 of the Indian Evidence Act, 1871.
1. Information Technology Act, 2000:
The (Indian) Information Technology Act, 2000 deals with the issues relating to payment of compensation (Civil) and punishment (Criminal) in case of wrongful disclosure and misuse of personal data and violation of contractual terms in respect of personal data. The said Act creates personal liability for illegal or unauthorized use of computers, computer systems and data stored therein. However, the said section is silent on the liability of internet service providers or network service providers, as well as entities handling data.
The liability of the entities is further diluted in Section 79 by providing the criteria of “knowledge” and “best efforts” before determining the quantum of penalties. This means that the network service provider or an outsourcing service provider would not be liable for the breach of any third party data made available by him if he proves that the offense or contravention was committed without his knowledge, or that he had exercised all due diligence to prevent the commission of such offense or contravention.
The law makes no differentiation based on the ‘intentionality’ of the unauthorized breach, and no criminal penalties are associated with the breach. Section 65 offers protection against intentional or knowing destruction, alteration, or concealment of computer source code while Section 66 makes alteration or deletion or destruction of any information residing in a computer an offense. Both sections 65 and 66 are punishable with criminal penalties including imprisonment up to 3 years or a monetary penalty of up to $440,000/-
2. Indian Penal Code:
The Indian Criminal law does not specifically address breaches of data privacy. Under the Indian Penal Code, liability for such breaches must be inferred from related crimes. For instance, Section 403 of the India Penal Code imposes a criminal penalty for dishonest misappropriation or conversion of “movable property” for one’s own use.
3. Intellectual Property Laws:
The Indian Copyright Act prescribes mandatory punishment for piracy of copyrighted matter commensurate with the gravity of the offense. Section 63B of the Indian Copyright Act provides that any person who knowingly makes use on a computer of an infringing copy of computer program shall be punishable for a minimum period of six months and a maximum of three years in prison.
4. Credit Information Companies Regulation Act, 2005 (“CICRA”):
As per the CICRA, the credit information pertaining to individuals in India have to be collected as per privacy norms enunciated in the CICRA regulation. Entities collecting the data and maintaining the same have been made liable for any possible leak or alteration of this data. CICRA has created a strict framework for information pertaining to credit and finances of the individuals and companies in India.
The Privacy Bill, 2011
A Bill to provide for the right to privacy to the citizens of India and regulate the collection, regulation, maintenance, use and dissemination of their personal information and provide for penalization for violation of such rights and for matters connected therewith or incidental/hereto.
Few broad heads under the privacy bill are as follows:
• Interception (S.4) (Exception S.5 of Indian Telegraphs Act)(S.14 Procedure for Interception).
• Surveillance (S.24); Includes thorough following a person on close circuit television or other electronic mode or by any other mode.
• Use of Photographs, DNA Samples, fingerprints, etc (S.25).
• Health Information (S.27).
• Collection, Processing and use of Personal Data (S.29).
There exists in India an impending need to frame a model statute which safeguards the Right to Privacy of an individual, especially given the emergence of customer-service corporate entities which gather extensive personal information relating to its customers. It’s evident that despite the presence of adequate non-mandatory, ethical arguments and precedents established by the Supreme Court of India, but, in the absence of an explicit privacy statute, the right to privacy remains a de facto right.
The urgency for such a statute is augmented by the absence of any existing regulation which monitors the handling of customer information databases, or safeguards the Right to Privacy of individuals who have disclosed personal information under specific customer contracts viz. contracts of insurance, credit card companies or the like. The need for a globally compatible Indian privacy law cannot be understated, given that trans-national business in the services sector, who find it strategically advantageous to position their establishments in India and across Asia. For instance, India is set to emerge as a global hub for the setting up and operation of call centers, which serve clients across the world. Extensive databases have already been collated by such corporates, and the consequences of their unregulated operations could lead to a no-win situation for customers in India who are not protected by any privacy statute, which sufficiently guards their interests.
In the privacy and data protection area, the winds of change are blowing across India, and they are likely soon to alter the landscape. But the new shape of that landscape is not yet clear. The near future is likely to see major modifications to the Information Technology Act 2000 and/or a proposal to the EU for a Safe Harbor–India regime. The long-term shape of Indian data protection law may depend on the success (or lack of it) that the short-term solution enjoys. But, one way or another, Indian privacy law is likely to change dramatically in the next few years.
Formatted on 13th March 2019.