By Mitesh Ravishankar
“The right to privacy will, therefore, necessarily, have to go through a process of case by case development”.
Data protection is the balance of protecting privacy and ensuring innovation and productivity growth. In December 2019, the government introduced the Personal Data Protection Bill, 2019[i], in parliament, which would create the first cross-sectoral legal framework for data protection in India.
The bill does not address privacy-related harms in the data economy in India. It focuses on government intervention on public data and lacks the protection free speech and sexual autonomy of the public. Not only is this problematic since the proposed framework is unlikely to protect privacy adequately, the bill also significantly strengthens the state’s role in the data economy, dilutes property rights in data, and increases the state’s power without creating adequate checks and balances. This is likely to have deleterious consequences for innovation in the economy while leaving unfulfilled the stated objective of protecting informational privacy. The informational privacy has become salient in the past decade but, India has privacy jurisprudence going back several decades.
2.Historical background of Privacy in India
The constitution does not explicitly mention a right to privacy, Indian courts have held that a right to privacy exists under the right to life guaranteed under Article 21.Supreme Court in Kharak Singh v. State of Uttar Pradesh,[ii] where the court held that a right to privacy did not exist under the constitution. Privacy as a fundamental right presented itself once again to the Supreme Court a few years later in the case of Govind v. State of Madhya Pradesh.[iii] The petitioner in this case had challenged, as unconstitutional, certain police regulations on the grounds that the regulations violated his fundamental right to privacy.Justice Mathew stated: “Rights and freedoms of citizens are set forth in the Constitution in order to guarantee that the individual, his personality and those things stamped with his personality shall be free from official interference except where a reasonable basis for intrusion exists. ‘Liberty against government’ a phrase coined by Professor Corwin expresses this idea forcefully. In this sense, many of the fundamental rights of citizens can be described as contributing to the right to privacy.”[iv] This statement was however qualified with the disclaimer that this right was not an absolute right and that the same could be curtailed by the State provided it could establish a “compelling public interest” in this regard. Finally, Supreme Court has given its verdict on Right to privacy inJustice K S Puttaswamy V. Union of India,[v] declaring it as a fundamental right of a citizen. This judgment has finally put an end to the long historical legal battle from the past 40-50 years.
3.Recent development and Privacy Policies
The National Digital Health Mission (NDHM)
The mission involves government collaboration between hospitals in both public as well as private sectors, laboratories, insurance firms, pharmacies and telemedicine, there is a risk of exposing individual healthcare data to hacking and commercial misuse. In such a context, ensuring the safety of individual health data becomes paramount.
The creation of a digital health ID for every Indian, will create a digital ecosystem for healthcare through the creation of personal digital health IDs, unique identifiers for doctors and health facilities and personal health records. The individual will be able to view the content of their health records via a web interface and a mobile application. Access will be provided only after the user authenticates using any of the authentication methods supported by the underlying Health ID. To address this, a National Policy on Security of Health Systems and Privacy of Personal Health Records will be developed, in accordance with the Personal Data Protection Bill 2019.
Aarogya Setu App
Aarogya Setu, India’s contact-tracing app to combat COVID-19, poses significant risks to the privacy of the user compared to similar apps in other countries. This app then accesses your location information continuously and uses Bluetooth technology to record who you come in contact with and when.The app’s Terms of Service (TOS) confer blanket limited liability on the government.The Information Technology Act lacked legal and procedural safeguards to preserve the integrity of its citizens’ personal information. It is no secret that India lacks a general culture of privacy. Even in such emergencies, the government must ensure that privacy is not disproportionately infringed.
4.The Principle of Proportionality
The Data protection legal framework in India, the only authoritative standards are the principles propounded in the Puttaswamy judgement[vi] and the Personal Data Protection Bill, 2019.[vii]Data protection is recognised as an essential part of information privacy.
It stated that any infringement of such privacy must satisfy three requirements, namely – the existence of a valid law, a legitimate state interest in pursuing that course of action and that the infringement of privacy must be proportionate to the objective sought. Any means of achieving state interest would be considered proportional if it was the least-restrictive means to achieve that goal and did not have a disproportionate impact on the right holder.[viii]
The Personal Data Protection Bill, 2019comprehensively lays down the rights and duties of the Data Principals, Data Fiduciaries, and Data Processors. It holds the Data Fiduciary accountable for compliance with the Bill, which contains detailed provisions for consent of the Data Principal for data processing, data retention, purpose of collection of data, and transparency in the processing of data.[ix]
To summarise, the Personal Data Protection Bill, 2019 requires notice and consent for the collection of data and also places other significant obligations on data processing.There is a need for a more pragmatic and modest approach to data protection and harms from misuse of personal data.
The use of emergency measures must remain in the ambit of emergency situations, else we risk the creation of an Orwellian state. Therefore, even in times of public crises, the right to privacy cannot be completely compromised. Governments must find a middle ground to protect its citizens and their privacy.
[i]“Personal Data Protection bill, 2019,” Pub. L. No. 373 of 2019. [ii]Kharak Singh v. State of Uttar Pradesh, 1963 A.I.R. 1295, 1964 S.C.R. (1) 332 (India). [iii]Govind V State of Madhya Pradesh, A.I.R. 1975 S.C. 1378(India). [iv] Ibid. [v]Justice K.S. Puttaswamy Vs. Union of India, (2017) 10 S.C.C. 1(India). [vi] Ibid. [vii] Supra note i. [viii] Supra note v. [ix] Supra note i.