The Privacy Judgement… Conclusion.. Need for Definition of Privacy

[This is in continuation of our debate on the Privacy Judgement]

The Puttaswamy judgement from the 9 member bench of the Supreme Court which was hailed as a “Historic” judgement ended up with a simple declaration that “Right to Privacy is a Fundamental Right under the Indian Constitution which is subject to the reasonable restrictions applicable to all such rights”. Let us now look at how this decision affects the three stake holders we identified for this issue of “Privacy” namely,

a) The Citizen of the Country who should feel that he has a “Right to Privacy” in whatever manner the Constitution understands it.
b)  The Government which makes laws and uses services such as Aadhaar which may have an indirect association with the principle of “Privacy”
c) The business entities which use services that have a direct and indirect association with the principle of “Privacy”.

Whether a “Right” is a fundamental right or a legal right makes some difference as to the Government but not so much for the Citizen or even the data processing Companies

Because the “Right to Privacy” is a “Fundamental Right” under Part III of our constitution, Government cannot make any law which a Court may interpret as resulting in “Privacy Infringement” but not saved by the “Reasonable Restrictions” argument.

The “Reasonable Restrictions” relate to

a) interests of the sovereignty and integrity of India,
b) the security of the State,
c) friendly relations with foreign States,
d) public order,
e) decency or morality, or
f) in relation to contempt of court,
g) defamation or
h) incitement to an offence.

A detailed academic discussion on these “Reasonable Restrictions” can be found here. As one can see, the “Reasonable” restrictions is reasonably vague and there could be many excuses under which a law can be defended under one of these restrictions.

In each such case, the law can be challenged at the High Court or the  Supreme Court as violative of the fundamental rights and the Court will apply the test of reasonableness and the need for the law before ruling either the law does not violate any of the fundamental rights or that even if it does so it may be saved by falling into one of the reasonable restriction categories. If not the law will be struck down.

The current judgement will therefore provide an opportunity to challenge every law made by the Government and the Courts will spend their precious time in the coming days debating these issues.

If the Government is careful in drafting the law, and if the Judiciary is not too unfriendly, then it may be able to justify its position and get through the law as it intended or with whatever modifications that the Court may suggest.

The immediate challenge  is regarding the UIDAI Act and the use of Aadhar as an ID for providing many of the Government services with a need to be linked to the PAN, Driving License or Mobile. Each of these can be eminently defended under national security and hence the law may pass the test.

Key is Interpretation and it depends….

We need to however observe that ultimately it is the “interpretation” of the judges that determines whether the law is violative of the fundamental rights or not.

Even now the 9 member bench has only interpreted that “Privacy” is a “Right” which is part of the “Right to Life and Personal Liberty” and Article 21 and 19 are not different and hence the bench came to the conclusion that Privacy Right is a fundamental right. The Constitution has not been amended to include “Privacy” as a right nor the bench defined the term “Privacy” in an unambiguous manner.

This “interpretation” will stand unless a bench of more than 9 members holds otherwise in some point of time in future.

Whether any legislation comes under any “Reasonable Restriction” principle will be subject to another “Interpretation” by other benches which can be of a smaller size. We may recall that the Shreya Singhal case was an example of how the “Power to Interpret” was used by the Court to strike down a law that was meant for “Messages” sent from one person to another through e-mail or SMS by interpreting it as equivalent to “Publishing” of an information reaching out to the public.

Interpretations therefore may vary from time to time. This may not be bad since law has to keep moving forward but it also means that the law can be rendered inconsistent with different judges coming to different interpretations based on their own understanding of the problem.

Both the judges who earlier interpreted  “Messaging” as “Publication” in the case of Shreya Singhal case were also part of this bench and had seen “Chilling Effect” of Section 66A while coming down with a sledge hammer on the section.

Hence possibility of any law made by the Government even in future to be over turned if a Court so desires cannot be ruled out.

In view of this there is no significant impact of the decision on the Government except that there would be more litigation and challenges for every law made by the Government and the battle of the opposition to put hurdles in the path of growth contemplated by the Government will move from the Rajya Sabha to the Supreme Court.

Whether the Supreme Court will continue to entertain all politically motivated cases filed under the guise of “Privacy Rights” or exercise discretion needs to be seen.

Definition of Privacy

Despite some academic discussions on how to define “Privacy”, the final order did not include a clarity on “What is Privacy” as a “Right”.

When the Government legislates on “Privacy” in future, this lack of definition will come to haunt us since whatever the Government does can be challenged under the argument that it infringes  “Privacy” as a petitioner may try to interpret and the Supreme Court will keep hearing such petitions.

It was also interesting to note that some of the discussions were centered around “Information Privacy” as if “Right to control information related to a person” itself as the “Right to Privacy”.

Is name an information related to privacy? Is Mobile number an information related to privacy”, Is information on caste, sub caste, political affiliation, etc are information related to privacy have not been clarified in this judgement. They continue to be in the realm of uncertainty.

Is a “Phone Conversation” between A and B a joint property of “A and B”?, is recording of such conversation is not amounting to Privacy breach?, what about information between children and parents? family members? are they under constraints of Privacy?, Should we blindly follow the Privacy culture of the west or re-define it along with our own family customs and culture?

…all these remain as unclear as it ever was.

The health, financial and sexual orientation related information is presently identified as Sensitive Personal information under ITA 2000/8 and that continues to remain in operation.

In other words, even after this 9 member bench report, if we need to look at a “Definition of Privacy” we need to look at what is “Personal Information” under Section 72A or 43A of ITA 2008 or Sensitive personal information under Section 43A of ITA 2008 and the rules there under.

Hence ITA 2008 continues to define “Information Privacy” and not the Indian Constitution Part III nor this judgement.

On the other hand, Rights to Privacy outside the “Information domain” continues to remain an enigma since we donot have any new definition of what is “Privacy”. The earlier concept of “Right to be Left Alone” continues to be our guide.

When we look at Privacy as “Right to be left alone”, the main focus is on the “Physical Privacy” which was a subject matter of Kharak Singh judgement, a right against interference of physical space of an individual.

Cyber Privacy

This definition (Privacy as a Right to be left alone)  fails in the context of “Cyber World” where Cyber bullying and Cyber Stalking do occur without physical proximity.

Does “Virtual Proximity” is equal to “Physical Proximity”? …could have been one aspect that the bench could have considered but failed.

In the recent “Blue Whale Challenge” issue, does it constitute “Violation of Cyber Privacy”? … would have been another interesting debate which the 9 Judges missed.

While “Physical Privacy” can be defined as coming within “Touching distance” between two individuals, we still need to define whether “Touching distance” is zero cms or 5 or 10 centimeters and whether the distance has to be different for different body parts. Additionally, exception has to be made for Mumbai locals where physical privacy is most of the time less than zero cms.

“Cyber Privacy” depends on “Informational Proximity” and we can devise means of defining this. For example, in Facebook, “Friends” should have more accessibility than public. Similarly in Whats App group, the group members should have more proximity than e-mail contacts.

Hence some thing said in a Whats App group may not be a privacy invasion where as the same thing said in an e-mail could be. Some comment passed by a “Friend” in  Face book may not be a Privacy objection where as the same comment made by a non-friend could be.

Presently neither our Judiciary nor Police make distinction of who made a comment and whether the comment was made in a restricted group (eg Whats App) or in public place (eg Twitter, website) before charging them under defamation or obscenity etc. They will continue to make the same mistake under Privacy invasion also.

There was also no debate on Anonymity, Pseudonomity or “Regulated Anonymity” either as components of Information Privacy or as solutions to privacy protection.  Neither the petitioners nor the Government attorneys nor the advisers to the Judges brought out such issues as part of the Privacy debate.

The bench had an opportunity to debate such issues instead of simply debating earlier judgments, cutting and pasting the previous judgments into the current judgement and making it a 547 page volume.

Privacy as a Mental State

In my opinion, “Privacy” is a “State of mind”. A person may be amidst a crowd and still feel his privacy is not invaded. On the other hand he may be sitting in a closed room but filled with anxiety  that his privacy is being invaded.

“Mental Privacy” as a “State of Mind” of one individual is outside definition of the Physical definition of “Right to be left alone” or “Right to control dissemination of of privacy information”,.

It is also outside the definition of  Cyber Privacy as  “Keeping a certain virtual distance”.

It is for each individual to declare what are his/her mental privacy boundaries.

Section 66A of ITA 2008 which was scrapped,  did have a link to such concept but the Supreme Court which handled the Shreya Singhal Case did not understand it.

Most Cyber Stalking victims have a psychological condition where what is not “Privacy Invasion” for most may be considered by them as “Privacy Invasion”. This is a “Deemed Privacy Invasion” and would be a factor to be considered in the “State of the Mind” definition.

Under this concept Privacy boundaries would be different from a Man and Woman, Boy and Girl, Friend and Stranger, from a relative to a non relative, from a City bred person to a Villager and so on.

Using one yard stick for all would not be a good idea.

Without being able to define “Privacy” any attempt to grant a “Right” and call it “Fundamental” appears to be a fruitless exercise.

The Data Protection Legislation

Now when the new Data Protection law comes into being, it will again use the definition of “Personal Information” and “Sensitive Personal Information” as used in ITA 20008 and define what constitutes “Breach of Privacy of an individual through his information”. It will be a repetition of what is already there.

The Privacy of information in oral form or in hand written paper form would be outside the Data Protection Act or ITA 2008 and since there is no definition in the Constitution, we will not have any clarity on this issue.

In the absence of law for non electronic information, when a hand written diary of a person is accessed by another, he has to move the High Court or Supreme Court  as a “Constitutional Right” and claim compensation.

On the other hand, had the Nine Member bench advised the Government to amend the constitution and add “Privacy” as a specific right along with a definition, then there would have been progress in Privacy legislation in India. This was missed by the bench.

In this context, the 547 magnum opus is a great effort but of little practical utility for the Citizens.

Impact on Corporate Entities

The Corporate entities and Others who collect information from public in electronic form are today covered under ITA 2000/8. They have “Privacy Principles” equivalent to the international practices . ITA 2000/8 defines data protection in terms of a need to obtain consent and enter into a contract with the data subject.

The current judgement has no impact on this corporate handling of personal data.

One of the judges has briefly mentioned GDPR without naming it. But even he has not proceeded further to discuss what would be the impact of overlapping international privacy legislation on an Indian Corporate entity bound by the Indian laws on Privacy.

Does Indian law apply only to Indian subjects and international laws apply only to those international citizens based on their individual nationalities?.

It could be an interpretation. But the bench did not find it necessary to address such practical problems faced by the industry in India.

This is another point fo failure of this high profile decision.

Summary

Overall therefore I am disappointed with the Judgement and consider it as a “Lost Opportunity” to bring clarity to the Privacy regime in India.

It ended up as a reiteration of the current status as everyone understood and respected, in a fresh document updated for the current date.

( I welcome a debate on the subject and look forward to comments from other experts)

Naavi

Earlier Articles in the series:

Hashing the 547 pages of Privacy Judgement

Supreme Court Judgement on Privacy as a Fundamental Right… What changes?

Reference:

Part-I  (Chandrachud, Kehar, Agarwal, Nazeer)

Part -II (Chelmeshwar) 

Part- III (Bobde):

Part -IV (Nariman)

Part-V (Sapre)

Part -VI (Kaul)

Part -VII (Order)

Full Judgement

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.