Data Protection – A Privacy Concern

Introduction

For the past two years, privacy has become a big concern. Reason? Because a click on the mouse can let you know about anyone, living at any corner of the world his/her all details that are considered private or not meant to be shared. Various social media websites and app are either demand personal information from the user. While they signup or one had to agree to the terms and conditions of various apps before using them/. They ask permission to access to phones gallery, contacts and so on.

Since last two years, the news floate in all the leading newspapers and online print Media regarding the biggest company owner Mark Zukerberg. Allegation him of stealing the data of its millions of users from all around the world. Then selling it to other companies. While privacy became a global topic. India was nowhere behind questioning the mandatory adhere policy claiming that the data was being stolen. Also it was not in the right hands.

This article throws light on the brining issue of privacy in India and data protection laws

Right to Privacy

Back in Aug 2017, nine benches of the Supreme Court upheld that Article 21 does include Right to privacy. Hence it has to be consider as a fundamental right. The attention towards this issue up by Mukul Rohatgi who was the attorney general in 2015. He say that citizens are not give any right to privacy by the Constitution. The 2017 judgement lead to striking down of the two very famous judgements M.P Sharma and the Kharak Singh judgement. Right to privacy was consider in two parts of the constitution. Article 21 that takes about life and personal liberty and the Fundamental Rights, (Part III). Also any reasonable restriction will not be involve under the right to life and liberty article.

The Supreme Court had this observation in the following case:

• If the right to privacy is restrain to any person then it can be done by the procedure establish by the law. The procedure had to be fair and just and not arbitrary as held in Maneka Gandhi v. Union of India (1978 AIR 597, 1978 SCR (2) 621)
• The grounds on which there can be reasonable restriction can be there when there is a question of modernity, and integrity of the country. Or there are matters that relate to the security of the sate, its friendly relations with other nations, public order, decency and morality, contempt of court as in Article 19(2)
• Another way in which right to privacy can be prohibited. Only if there is a contradiction between the right to privacy and another matter. It seems to be more superior than the right to privacy as held in Govind v. Ste of M.P (1975 AIR 1378, 1975 SCR (3) 946)
• If the state’s interest is involved than the right can be prohibited as held in the above-mentioned case
• Anyone who intentionally puts oneself into controversial that may lead to infringement of his /her privacy. It will not be given any sort of protection under this article as held in R. Rajagopal v. Union of India (1995 AIR 264, 1994 SCC (6) 632)

Observation by the Judges in the Landmark Case of K.Puttaswamey

The bench of 9 judges gave a unanimous decision and thereby overruled the MP Sharma and the Karak Singh judgement. It was observe that what a person consumes; his reproductive rights, marital life and other personal record are to be kept confidential. It was further observe by the Justice Chandrachud; that even if an individual in a public space does not mean he had no privacy. Right to Privacy has both positive and negative aspects. Negative, when there is the criminalization of homosexuality and the duty of the state to protect this right has a positive aspect. Thus an aspect of Data Protection was also observe. It was said that permission was an important aspect in case of personal records related to health, body, personal choices, etc

There were other judgements made by the Indian judiciary from time to time which is as follows;

• Kharak Singh v. The State of U.P. (1962) -Back in 1962  a minority of the judges opinion to make right to privacy a fundamental right; under Article 21 and 19(2)
• Govind v. the State of M.P. (1975 AIR 1378, 1975 SCR (3) 946)– It was held that the Right to Privacy is a fundamental right which came from the Article 21 and article. It was suppose to protect the intimate matters of a person, relating to household, disease. Also family though it was that the right to privacy is subject to “compelling state interest”.
• R. Rajagopal v. Union of India (1995 AIR 264, 1994 SCC (6) 632 )– In this case right to privacy was consider as a tort and as well as a right is give by the constitution.  A person is free to keep his family, children, educational standards, etc. In private and no person without his due permission can take or reveal any of the information anywhere. Unless involve in a criminal case or if he/she is a public servant and those matters are relate to the discharge of the work assign to
• People’s Union for Civil Liberties v. Union of India  AIR 1997 SC 568, JT 1997 (1) SC 288,  (1996) this case ease gave a broader taking it unto communication. Guidelines for check and balance was issue such as;
• Only the Home Secretary at Center and State level had the power to give inception order.
• Decisions regarding how important the information is or it can be acquired with the help of other. Its means should be discuss before allowing inception
• The interception should not be generic
• Petronet LNG LTD vs. Indian Petro Group and another (2006). The Delhi HC held that companies and corporation are not give the right to privacy
• Selvi and others v. State of Karnataka and others (2010) 7 SCC 263. The SC in this very famous case held that bodily, mental and physical privacy tare different from one another. At times the criminal and the evidence law makes it a compulsory to get into someone’s physical right. But that should not force a person to give information on the relevant fact. An individual cannot be force to give a statement against him. Physiological tests taken against the permission of a person’s harms his mental privacy.

Data Protection Laws

IT Act 2011

One of the key law in the aspect of Data Protection is section 43 A of the IT Act. In which rules regarding were framed in the year 2011. The section states that whosoever gets, keeps, deals or uses any information or data. That is sensitive or private and fails to keep such data secure will be held liable. The rules are as per follows:

• As per the (Rule 4), a policy has to be established by the body corporate regarding providers of all information ,
• Also as per Rule 5(1), a permission letter has to be obtained before taking, using and revealing any personal information.
• As per the Rule 5(2) if in case some private and sensitive information is being take. Then it should be only for lawful and highly important purposes only.
• As per the Rule 5(3), whosever’s information is being extract has to be inform regarding the purpose of extracting info. Who receives that info, the name and the location of the agency involved in extracting the info.
• As per Rule 5(5)the information so obtain has to be use for the specific purpose only.
• As the Rule 5(7) at any point of the time, the person can step back from the process of extracting information.
• As per Rule 5(8), the individuals  have the full right to be allow to review, update. And correct  the information where ever he wants.
• As per Rule 6(1)  if the body corporate wants to reveal or publish the information so obtain then the consent has to be take. The body corporate can be allow to reveal the information. Only if the contact has been there btw the information provider or is reveal to a govt agency under a law.
•   (A criminal liability shall be imposed under Section 72A of the IT Act if the body corporate reveals sensitive information with a mala fied intention.

If the rules are ignore and not follow then a case of civil liability case be file. As the provision itself states that if anybody corporate fails to abide by the above-mention laws; then they will be liable to pay compensation. Not only that, if these body corporate revel personal information of people to attain wrongful gain or with wrongful intention. Then criminal liability can be impose on them as well.

Consumer Protection Act

Back in the year 2015, the Consumer Protection Act was enacted. This Act became another way in which private data can be stop from any sorts of misuse for commercial purposes. As that may lead to the unfair trade practises under section 2(r) and causing mental and emotional distress due to damage done to the property.

The Justice AP Shah Committee on Privacy

In the year 2012, various meetings were regarding the issues of Privacy by the Planning Commission of the Government of India in which Justice AP Shah. The former Chief Justice of the Delhi High Court was the chairperson. A report was submit that enlist and recommend the various national privacy principles to be kept in mind; while creating any law regarding privacy. Those principles are as follows:

• Principle of Notice: This principle meant that the data controller had to inform the individual beforehand he begins collecting their data.
• Principle of Choice and Consent: This principle states that the person whom data is collect has to be given choices by the data collector whether they want to choose the process of data collection or they want to opt-out from it and that due permission has to be taken unless the authorized agencies are involved in it.
• Also, Principle of Collection Limitation: This principle states that only that information should be obtained that is necessary and it requires for the purpose and should be done through fair and lawful means.
• Principle of Purpose Limitation:  only to the extent notify It requires that the collection or processing of information be restrict to only as much information as is adequate and relevant.
• Also, Principle of Access and Correction: This principle states that the person whose data is extract has full right to access it, correct it, change it or delete as per his choice.
• Principle of Disclosure of Information: This principle ensures that the data so extract will be disclose to the third party as well and the person whose information has been share is aware of it.
• And, Principle of Security: To protect the personal data there should be a reasonable set of standards for security to protect from risks and dangers like loss of data, wrongful use of data, modification of data, destruction of data, and unauthorise disclosure of data either due to an accident or due intentional.
• Principle of Openness: All the necessary information regarding rules, regulations, workings, practise, the policy has to be public so that it is ensure that  the data controller are complying with those rules.
• Principle of Accountability: This principle makes the data controller responsible to implement all the above-mentioned principles. Important measures like better implementation of policy, interim audits, training programmes, external audits, and providing full support to the organization as well as the follow the orders of other authoritative bodies like the commissioner.

Right to be forgotten

 Right to forgotten lacks a clear legal picture like deleting any information from the social media or Google search. It does not exist anymore and relating to it, still, there is a lot of confusion in India. A case came in front of the Gujarat High Court where he contend that he was acquit in a murder case. He was not able to remove his name from the Google record. In another case in another case came in front of the Karnataka High Court. The petitioner wants to remove the names of his daughters involve in a case from the internet sating that it was easily accessible. It harm the dignity, reputation and modesty of women and his petition was also upheld. 

The court held that they derive this right from the Western Countries in those cases which are sensitive in nature like rape, molestation, generally which involves a woman and are sensitive in nature. Though it has often been argued that such ruling is not correct as its basis is modesty and image of a woman and not as a fundamental right given under right to privacy.

 The Accountability mechanisms

Currently, there is no such law that lets a person who is affected by privacy breach; figure out what information has take away from him.

 Other accountability mechanisms pertaining to data protection include: 

Freedom of obtaining Information

The IT Act allows the person to demand any information that the government or the public body holds. Though there are certain restrictions like no information that is personal will not be disclose. If the information demand to be disclos had no relation with public interest or it could invade a person’s private life. Though these conditions can also be consider void if the larger public interest is involve.

The Section 6 till Section 8 tries to indicate that the legislature aims to balance and create harmony btw the public and the private rights by setting up safeguards and providing to the principles of disclosing of private information under the Act of  (Public Information Officer v. Andhra Pradesh Information Commission, 2009 (76) AIC 854 (AP)). This is why it is generally suggest that section 8, when apply, should be given a strict interpretation as it is a fetter on not only a statutory right grant under the RTI Act but also a pre-existing constitutional right (Bhagat Singh v. Chief Information Commissioner, 2008 (64) AIC 284 (Del).) When one sees it logically this argument may seem and as appropriate in some situations,  though it does seem to be problematic while dealing with the privacy exception contained in section 8(1)(j).

This is because the right to privacy envisage in this section has also been trace to the same provisions of the Constitution from which the constitutional right of freedom of information emanates (Articles 14, 19(1) (a) and 21 of the Constitution of India, 1950.)  A sense of confusion and ambiguity is observe while studying exceptions relate to privacy and the disclosure mandate given in the Right to Information Act because it not only involves two statutory rights but also two very important constitutional.

Regulatory bodies relating to privacy in India

Currently, there is no specific body lawfully regulating any breach of data. Though the Data Security Council of India a self-regulatory organization that works in NASSCOM that collaborates with other industry developing codes and other practises that relate to data protection. Though they are neither enforceable nor binding.

Cyber Appellate Tribunals

India’s first and the only Cyber Appellant Tribunal were established by the Central Government as per the sec 48 (1) of the IT Act, 2000 is located at New Delhi.

Data breaches: Case Law

There are few cases where the people working with private information have try copying the data and use it in a non-authorize way though no such case was file where it was contend that the data was illegally use by breaking the breaching security system.

Instances of data breaches

There has been a frequent breach of data in our country. One such instance of a huge data breach was the Aadhar Controversy.

 Back in 2016, it was state that the e-booking website of the Indian Railways was hack and this may lead to a breach of private data of site users which are over millions in no. The data that stole may include name, mobile no, account details, date of birth, etc which were sold at rupees 15000, store in a Compact Disk. Though the company refuse and state that their data is all safe with them.

In the same year, malware in the processing systems of Hitachi Payment Services allowed the hackers to extract the monetary details of the ures using enabled criminals to steal financial information of customers of a number of banking institutions including Visa, MasterCard, and those having accounts or using the services from ICICI Bank, Axis Bank and YES Bank. This lead to halfway settlement of As many as 3.2 million cards.

In the year 2017, two other incidents of data-stealing came in the news when a hacker stole the personal data like email address and password of 15 million Zomato users through Zomato refused from any such stealing.

In the same year on July 2017, the personal details of various Jio Users were posted on the internet that included an email address, phone no etc. The Reliance Jio did agree to the breach of data being authentic and filed complain regarding illegal entry into their computer system.

Conclusion

Privacy is a sensitive matter which affects a Peron financially as well as emotionally and any breach in a person’s data may have disastrous consequences. After making the right to privacy a fundamental right, more legislation should be framed to ensure that implementation of this right is done at all levels and all platforms. Individuals are to be given more right as to whether they want to share the data and up to what extent they are willing to do so.

When it comes to communication, the software should be encrypted to ensure that the software developers or app are not stealing the data. The Indian cyberspace should be made more explicit and the users, using the internet and other services should be more alert and aware of what they are sharing online. Any sorts of information that is sensitive like bank acc no, the password should not be shared on chartrooms. Its is important to read all the terms and conditions that re provided before downloading any application or reading or clicking on a link or a webpage.

In the end, the ball lies in the court of the Judiciary System and they have to take the charge. Better and more elaborative legislation and stray laws and giving a  wider meaning to the right to privacy  might help the citizens whose information is at stake at all times