Right to privacy has been the integral part of the human life. Through the use of modern technology, intrusion into human existence has become commonplace. In the Supreme Court Judgement of R. Rajagopal Vs The State of Tamil Nadu; it stated that The freedom and right to life that are guaranteed to all citizens of this nation by Article 21 inherently include the right to privacy. A “right to be left alone” exists. A citizen has a right to protect his personal space. Similarly, in case of PUCL Vs Union of India the Supreme Court said that “Determining that the right to privacy is a component of the rights to “life” and “personal liberty” guaranteed by Article 21 of the Constitution” In the judgement Justice K.S. Puttaswamy Vs Union of India, Supreme Court of India gave the historic judgement on the Right to Privacy- stating that the right to privacy as a fundamental right under Part III, Article 21 of the Indian Constitution. This judgement overruled the judgement in the case M.P. Sharma Vs Satish Chandra and in Kharak Singh Vs. The state of Uttar Pradesh where it stated that the Constitution of India does not specifically protect the right to privacy. The constitutional bench of the Supreme Court in the Puttaswamy case also held that “A constitutionally guaranteed right, privacy, derives primarily from the Constitution’s Article 21 guarantee of life and personal freedom. The other aspects of freedom and dignity recognised and protected by the fundamental rights listed in Part III also include aspects of privacy that arise in various contexts.”
Privacy has two broader connotations, namely negative and positive content. The negative content prevents the state from violating a citizen’s life and personal liberty. While the positive content requires the State to take all necessary steps to safeguard the individual’s privacy. Human rights encapsulate the fundamental principle that each human being can always assert their rights. Rights and the claims appeal mostly to non-social norms, whereas Entitlements refers to the recognition of these rights and claims within the institutions and social norms. Therefore, the protection of data is a component of the state’s obligation to uphold the human rights.
Data protection and individual privacy have been related. If a person has the right to privacy, they also have the right to data protection. Personal data protection regulations have been based on these ideas in many different jurisdictions. A more sophisticated vision of personal data protection has been able to emerge as a result of the practical application of such regulations. This vision balances the rights of the individual, the public interest, and the practicality of conducting business, especially for start-ups. The areas—Right to Information, right to privacy, Information Technology, Intellectual Property, National Security, Indian Penal Code, Corporate Affairs, Consumer, etc.—are the ones that have drawn the most attention to the data protection issue.
The major principles in Digital Personal Data Protection (DPDP Bill) 2022 includes- first Usage of the data in the lawful way (fair and transparency to an individual) second, Usage of the data for the reason it was collected third, data minimisation fourth, Accuracy of the personal data fifth, storage limitation sixth, reasonable safeguards and lastly accountability.
Personal data protection regulations have been based on the above blocks in many different jurisdictions. The practical application of such regulations has allowed a more sophisticated vision of personal data protection to emerge, one that balances the rights of the individual, the public interest, and the convenience of conducting business, particularly for start-ups. Section 2(1)(o) of the Information Technology Act, 2000 (known as “IT Act”) has defined “data” as “a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.” The Bill provides India’s entire legal framework for protecting digitally stored personal data. In accordance with the Bill, digital personal data will be processed while taking into account societal rights, individual privacy rights, and the requirement to process personal data lawfully. The DPDP Bill 2022, contains the major strength, as per the recommendation by Graham Greenleaf, in his paper “Data protection: a necessary part of India’s fundamental, inalienable right of privacy – submission on the white paper of the committee of experts on a data protection framework for India.” The Data Protection Bill includes- first, Technology agnosticism which means law should incorporate with the changing technological nature- as the advancement in the technology is fast moving the law should accordingly introspect and well defined as DPDP Bill 2022 like inclusion of special provisions, compliance framework. Secondly, The Holistic approach which has been a keystone in DPDP which incorporates both private and the government aspects. Thirdly, the consent of an individual which has been defined in DPDP. Fourthly, the Structured Enforcement has been defined in the DPDP- for instance the Bill makes the provision of the Data protection Board. Lastly the deterrence penalties, the bill makes the provision of data breach even in the accidental disclosures, destruction or loss of personal data liable for the punishment. Others include Data minimisation and Controller accountability. The purpose of the bill is to control how both public and commercial organisations with domestic and international corporate structures process personal data about individuals. Data processing is only permitted with the consent of the subject, in the event of a medical emergency, or when necessary for the State to provide advantages to its inhabitants.
An individual will have a number of rights over personal data, such as the ability to request a correction or request access to the data that is kept by private businesses. The measure permits exemptions from certain types of data processing, such as processing necessary for legal procedures or in the interest of national security.
The debate of Data protection and is one of the spoken and discussed phenomenon. Across the world, majorly the developed world had consciousness about the importance of data protection- so that the big businesses couldn’t have monopoly and intrude the personal liberty of an individual. Article 12 of the Human Rights (Universal Declaration of the Human rights) states that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” Similarly, The International Covenant on Civil and Political Rights’ (ICCPR), Article 17 states that “No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.” UNCTAD states that around 107 (including 66 developing nation-states) countries – have had the secure legislation for the data protection and privacy. Developed countries like Canada which has enacted PIPEDA (The Personal Information Protection and Electronic Documents Act), The federal state of USA has CalOPPA (California online Privacy Protection Act). European Union has one of the strictest data protections acts GDPR (General Data Protection Regulation). It is built on the tenets of consent, openness, protection, and user control and carries a 4% annual revenue fine threat. Other developing states like South Africa, China, Philippines, Argentina has enacted their own data protection act. The government of India have considered the global best practices like that of European Union, federal states of America, Singapore while drafting the DPDP Bill, 2022.
The Bill has been withdrawn in the year 2019 by Ministry of Electronics and Information Technology stating that the comprehended bill will be released soon, Later the bill was referred to the Standing Committees. Even though the current DPDP Bill still has not pleased everyone and has major loopholes. The IFF (Internet Freedom Foundation) said that the bill lacks independence and autonomy. The duration of user data storage and whether or not it will be shared with third parties are no longer required disclosures by data fiduciaries. In the Chapter 16 clause (4) it is stated that “Data Principle shall furnish only such information as is verifiable and authentic.” The bill does not talk about the What is authentic and how information can be verifiable. Delegated legislation shall determine the duties and membership of the Board. Given that this is a case of excessive delegation, it may be challenged under the constitution. Even the appointment of the board members is not clear- as the chairperson of Data Protection Board of India, will be one of the powerful public office. Not involving the leader of opposition and chief justice in the selection committee- it may not function well and be a caged parrot (like CBI). It is important that Data Protection Board remain an autonomous body and remain impartial in the proceedings and trials.
The Data Protection Bill requires data fiduciaries to collect data in a reasonable and fair manner that respects the individual’s right to privacy, but the bill does not explicitly define what constitutes a reasonable and fair manner of personal data processing. As a result, fairness and reasonability principles may vary among data fiduciaries and those processing similar types of data within the same business may evolve and follow different fairness and reasonability standards. The Data Fiduciary is given discretionary authority under the Bill to decide whether to report data breaches and whether the data breach has affected the data principal in a negative way. This might lead data fiduciaries to report data breaches selectively, preventing the Data Processing Agreement (DPA), even when a data breach involves some personal information about an individual. The bill does not say anything about the non-personal data- the judicious use of non-personal data is also important and vital.
There is no place of giving additional protections to the sensitive data. The data protection law in Japan, Korea, Macau gives an additional protection for the sensitive data. The bill talks nothing about data localization, the bill of 2019 did mention of data localization. Many Supreme court judgements have cited the importance of data localization. The Bill suggests that any state function may process an individual’s personal data for that purpose. If it’s done to give the person a service or benefit, it can be done without getting their permission. This directly contradicts the Puttaswamy decision’s 2017 assertion that informed consent is essential to informational privacy.
It is important to know that “Rome wasn’t built in a day” Regulation of data is the time taking, stringent and lengthy process. Improper regulation will result in the failure of an institution. There shouldn’t be hidden agenda and clientelism in the process of law-making. In order to function properly it is important that the board members work in an autonomous way and in fair manner. It is also important that institutions, industries and corporate world have their own self-regulatory mechanism for data protections. This self-regulatory mechanism can be achieved through impartial office of grievances redressal mechanisms. The Regulation of data is important in current scenario. The bill talks about the regulation of data through rules and laws, governing the collections, storage and use of personal data. In a way the bill brings the idea of data regulation into picture. The DPDP bill may not be an ideal one but a step towards the protection of the individual personal data.
Further Reading: Regulating Artificial Intelligence: The Need for Effective Policies
(The article was published in Telangana Today on 20th Feb 2023)
