A Round table was held at National Law School of India, Bangalore, the premier law education institute in the country on assessing the impact of the Supreme Court order on Right to Privacy on Cyber Space and Data Protection. Dr Professor Nagaratna, Dr Professor Subbarao, from NLSUI led the discussions and several other invited guests from IT industry, Advocates, Police, Research scholars participated in the consultation program.
Participating in the discussion, the undersigned shared his views on the subject reproduced below:
Assessing the Impact of Supreme Court’s Order on Right to Privacy on Cyber Space and Data Protection
Discussion@ NLSUI, 31st August 2017
A Note By Naavi
Law is meant to be complied with by the Citizens. Hence it has to be written in a manner that is easily and precisely understood by the stake holders. A well written law brings better compliance than a law that people cannot properly understand. This principle also applies when laws are made by way of Jurisprudence developed in major Judgement of superior Courts. If the Judgement are precise and lucid, it will be well understood by the citizens and there will be better compliance. We need to assess this Judgement keeping this basic principle in mind.
The Bench in its 547 page judgement has given out a one page order signed by all the judges making just one major point namely:
“The right to Privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution”.
Additionally the order specifically mentions that the earlier judgements in the M.P.Singh and Kharaksingh Cases have been over ruled.
Apart from the order, individual judgements have been given by 5 judges and the other four have given a common judgement. Some of these individual judgements list some conclusions after reflections and other citations from Indian and foreign judgements.
The operating part of the judgement is however limited to the declaration that Right to Privacy is a “Fundamental Right”. It means that the Government cannot make any law that infringes the right any previous laws made can be challenged. However, the Right is subject to the “Reasonable Restrictions” under Article 21 and it would be the line of defense whenever a law is challenged.
While infringement of the Privacy Right by the State can empower a citizen to claim damages from the Government, it cannot be used to claim damages from a Non State body.
Impact on Non State Bodies
Individuals and Companies who are not State bodies shall be liable on the basis of any law made by the Government to protect Privacy of a Citizen as per the obligation under the Constitution.
At present no law exists specifically to protect the Privacy of an Individual. However, Information Technology Act 2000/8 has certain provisions which afford protection to “Personal” data of an individual in electronic form which is collected and processed by a corporate entity.
Lack of Definition of Privacy
In the Judgement, it has been admitted that there is no acceptable definition of “Privacy” as it prevails in India. Earlier, the various judgements of the Supreme Court including the Kharak Singh judgement used the concept of Privacy Right as a “Right to be left alone”. It was mostly viewed in the context of “Physical Privacy”.
Additionally, some of the Judges have made reference to “Information Privacy” where “Right to decide how information that is related to the Privacy of a person may be collected and used” is recognized as a facet of Privacy. Again this is not part of the order and hence not binding under this judgement.
The current judgement did not add an acceptable definition of Privacy in its final order though different judges in their reflections made many remarks. At least one Judge (Justice Chelameswar) categorically stated “….Definitional uncertainty is no reason to not recognize the existence of the right of privacy…. “.
As a result the “Right to Privacy” is now sought to be defended with a vague understanding of the definition of “Privacy”. Citizens and Companies will have to therefore consider protection of Privacy of other Citizens and not to infringe them without having a clear understanding of what right they are really protecting.
If there is any dispute whether a “Right” is infringed and what is infringed is the “Right to Privacy”, then a reference would be required to be made a Court to define on a case to case basis whether the “Right which was infringed was in deed a Right to Privacy”.
The public will therefore look for the specific legal provision where the Privacy Right is mandated to be protected to find out whether they are indeed compliant with law or not.
For example, in cases where ITA 2000/8 applies, public and companies will look for the definition of “Personal Information” and “Sensitive Personal Information”. It also has certain sections like the Section 43A, Section 72A, Section 79, Section 65, Section 67C, Section 66E, Section 69, Section 69B, Section 70B etc. where different aspects of Privacy are referred to. All this applies to electronic documents other than excluded documents under Section 1(4). They do not apply to non-electronic documents or oral statements.
Courts have the right to not only interpret the law but to write the law
Justice Chelameswar has however made an interesting statement which implies that any decision of the Court in this regard may not necessarily be dictated by what is provided in the law.
According to him
“To sanctify an argument that whatever is not found in the text of the Constitution cannot become a part of the Constitution would be too primitive an understanding of the Constitution and contrary to settled cannons of constitutional interpretation”
What this observation means is that even if the Constitution or any law does not mention something in the text of the law, the Court can still interpret the law to contain such text by way of an interpretation.
This makes law completely arbitrary and leaves not only interpreting what is written in the law but also import any other text not present there in as if the law is being “Re written”.
When we remember that Justice Chelameswar and Justice Nariman, who are part of this bench were also the Judges who in the Shreya Singhal Case struck down Section 66A considering that Messaging is no different from Publishing and Words used in the section were vague and also refused to read down the provisions and retain the section but insisted that it has to be struck down, it is surprising that they have now changed their view completely.
In this judgement the Court is ruling on “Protection of Privacy” without freezing on what is meant by “Privacy”. This is not considered vague. Also now the Court is read to not only “Read down” but also “Write down” law in any manner in which the Judges consider it correct.
This inconsistency in judicial approach creates needless confusion to companies who would like to be compliant with law.
With this approach of laying down law without clarity is undesirable. As a result, any law can be interpreted by the Court any time and what is written in the law is immaterial.
In such a scenario, compliance is almost impossible and Businesses will not be able to invest in technologies and build an infrastructure or brand without the constant fear that law may be re-interpreted by a Court in a different manner and make their business illegal.
ITA 2008 approach to Privacy Protection
ITA 2008 defines Personal Information as any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. (Notification of 11th April 2011).
The sensitive Personal information is defined as password, financial information such as Bank account or credit card or debit card or other payment instrument details , physical, physiological and mental health condition; sexual orientation; medical records and history; Biometric information; any detail relating to the above clauses as provided to body corporate for providing service; and any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.
Under Section 72A, any person disclosing personal information in violation of an agreement with the data subject is liable for 3 year imprisonment.
Under Section 43A, which is applicable only to companies, a company handling “Sensitive Personal Information” needs to implement “Reasonable Security Practices” failing which it would be liable to pay compensation.
Under Section 43, any person who “Diminishes the value of information residing inside a computer” or obtains unauthorized access to information (whether personal, or sensitive personal or any other) is liable for payment of compensation and additionally for 3 year imprisonment.
Further there is data retention requirements (Sec 67C, sec 65) bodily privacy protection, (Sec 66E), Disclosure and interception related issues (Sec 69, 69B, 70B) for which punishments are prescribed. Section 79 is a complete reproduction of internationally accepted norms of privacy protection as applicable to information intermediaries.
ITA 2000/8 however provides emphasis on “Contract” with the data subject which gets translated into “Informed consent”. Hence any company dealing with privacy related information has to focus on obtaining a proper consent after a proper disclosure of why an information is being collected, what all information is collected, how they are used, how they are shared, how they are secured, how long they are retained etc.
The law is reasonably robust, though there is lacuna in its implementation. Companies are negligent in not going for a structured ITA 2008 compliance exercise despite nudging by the Government through various means.
Now the Government is contemplating a separate law on Data Protection for which a committee led by another retired Judge of Supreme Court (Justice Srikrishna) is working. Since this is a “Data Protection law”, it has to address only what ITA 2008 has already addressed. It is expected that it would focus on the administrative part of the data protection including appointment of a data commissioner, replacing the Adjudication and Cyber Appellate Tribunals with a separate system. Hopefully there will be not much of a need to ticker with ITA 2000/8 itself to ensure that the two laws are not contradictory.
What Can change after the Judgement?
Now that this judgement elevates Privacy to the status of a “Fundamental Right” there will be a greater attention from the Privacy advocates and there would be a number of frivolous litigations on e-commerce players who are today banking on the “Contractual Permissions” from the data subjects.
The common approach of business is to offer a service under the specific condition that certain data is shared and it may be used by them in a certain manner in which they generate some additional revenue.
In a way the data subject “Trades” his personal information for a benefit. Whether he gets a fair price for his data or whether he is allowing the data processor to get free data is perhaps a point of debate. We however have to recognize that the world is already recognising the IPR laws in which often the author/inventor gets some small revenue and transfers the rights to a business entity which makes a windfall. These imbalances in data trade cannot be easily regulated by law and should be left to the NGOs and better education of the consumer.
Businesses like Data Anaytics, Advertising etc. survive only on collection and use of personal data. Some businesses can do with de-identified data but many need value which comes only with identified data. In the digital economy “Data” is considered an important commodity just like “Oil” and hence imposing irrational curbs on its usage in the guise of “Privacy” will be counterproductive.
Additionally “Privacy” is always at logger head with Security and even the Judges in this judgement have recognized this. Hence Government and Companies will try to justify certain practices on the basis of security requirements while whether there were “Compelling reasons” for the same will remain eternally a debate in Courts.
What is required now is for development of good enforcement machinery which will guide the Companies in India to protect the Privacy of individuals and ensure that a fair price will be paid to them whenever personal data is used for commercial purposes. How this will be done is the challenge for the Data Protection Act in the anvil.
Technically, apart from De-Identification, Regulated Anonymity concepts provide a strategy for striking balance between Privacy Rights and Security requirements. They need to be harnessed in the Data Protection regime.
Industry therefore may continue to follow the principles of Data Protection under ITA 2008 as its obligation for “Privacy Protection” and await the Data Protection Act for any review of its strategies.
31st August 2017
The deliberations of the Round table are likely to be collated and submitted by NLSUI to the Government and the Srikrishna Panel on Data Protection.