Data Protection Policy: India
In India, the State has become one of the largest consumers of data, considering how easy
it has become to store data in colossal amounts at a very low cost[1]. Since everything in
today’s era is digitised, whatever activity an individual undertakes involves some kind of
digital transaction, leaving behind a digital print which remains on the internet forever. It
is this digital print which is stored and used by entities who have access to this data for
essentially creating an e-profile of the individual. In India, owing to the rapid pace of the
“Digital Revolution”, the State has started using personal data for purposes such as the
targeted delivery of social welfare benefits, effective planning and implementation of
government schemes, counter-terrorism operations, etc. Such collection and use of data is
usually backed by law, though in the context of counter-terrorism and intelligence
gathering, it appears not to be the case[2]. As discussed above, it is not just the State
which has access to such data; both public sector and non-public sector actors use this
data at an enormous scale. It is this exponential use of data which has led to problems
like centralisation of databases, profiling of individuals, increased surveillance and a
consequent erosion of individual autonomy [whitepaper]. These were the main issues put
forward in the Supreme Court case of Puttaswamy, which recognised the Right to Privacy
as a Fundamental Right, with Informational Privacy being one of the fulcrums on which
the Judges have very proficiently expounded in the Landmark Judgement.
[1] Joel Reidenberg, ‘Resolving Conflicting International Data Privacy Rules in Cyberspace’,
52 Stanford Law Review 1315 (1999).
[2] Press Information Bureau, ‘Home minister proposes radical restructuring of security
architecture’, Ministry of Home Affairs, Government of India (23 December 2009), available at
http://pib.nic.in/newsite/erelease.aspx?relid=56395 (last accessed 5 November 2017); Press
Information Bureau, ‘Centralised System to Monitor Communications’, Ministry of
Communications, Government of India (26 November 2009), available at
http://pib.nic.in/newsite/PrintRelease.aspx?relid=54679 (last accessed 16 November 2017);
Udbhav Tiwari, ‘The Design and Technology behind India’s Surveillance Programme’, Centre for
Internet & Society, India (20 January 2017), available at
https://cis-india.org/internetgovernance/blog/the-design-technology-behind-india2019s-surveillance-programmes
(last accessed 16 November 2017).
In India, Justice K. Puttaswamy v Union of India overruled two judgments, MP Sharma and
Kharak Singh, to the extent to which they indicated that the Right to Privacy was not a
guaranteed right under the Constitution. The judgement in MP Sharma essentially held
that in the absence of a provision like the Fourth Amendment to the US Constitution, the
right to privacy can’t be read under Article 20(3) of the Indian Constitution. The
judgement does not specifically adjudicate on whether a right to privacy would arise from
any other provisions guaranteed by Part III of the Constitution under Article 21 and
Article 19. In Kharak Singh, it was correctly held that ‘life’ under Article 21 of the
Indian Constitution means not only the right to a person’s animal existence, and that the
expression ‘personal liberty’ is a guarantee against invasion of a person’s home or
intrusion into personal security. Kharak Singh also correctly held that the dignity of the
individual must lend context to the meaning of personal liberty. The first part of Kharak
Singh, which invalidated domiciliary visits at night on the ground that they violated
‘ordered liberty’, is an implicit recognition of the Right to Privacy. The second part of
the judgement, which holds that the Right to Privacy is not a guaranteed right under our
Constitution, is not reflective of the correct position. Both MP Sharma and Kharak Singh
were based on the principles of AK Gopalan v State of Madras. It was Justice Subba Rao’s
dissenting view in the judgement of Kharak Singh that was followed by the nine-judge
bench in Puttaswamy, and that led to the Right to Privacy becoming a Fundamental Right
under Article 21 and Article 19 of the Constitution of India. It was put under both
Article 21 and Article 19 of the Constitution because it was held by Justice DY
Chandrachud that “privacy facilitates freedom and is intrinsic to the exercise of
liberty”. The court struck down the part of AK Gopalan v State of Madras which held that
the freedoms under Part III of the Constitution existed in exclusivity. Justice
Chandrachud held that a law restricting a freedom under Article 21 of the Constitution of
India would also have to meet the reasonableness requirements under Article 19 and
Article 14 of the Constitution of India.
Justice Nariman and Justice Chelameswar have defined privacy under three facets:
‘repose’, ‘intimate decision’ and ‘sanctuary’. ‘Repose’ refers to freedom from unwarranted
stimuli, ‘sanctuary’ to protection against intrusive observation, and ‘intimate decision’ to
autonomy with respect to the most personal life choices. Justice Chandrachud in his
Judgement has further extrapolated upon the definition of privacy by categorising it into
nine types. The nine primary types of privacy, according to the depiction given in the
‘Typology of Privacy’[3] in the University of Pennsylvania Journal of International Law,
are: (i) bodily privacy which reflects the privacy of the physical body. Implicit in
this is the negative freedom of being able to prevent others from violating one’s body
or from restraining the freedom of bodily movement; (ii) spatial privacy which is
reflected in the privacy of a private space through which access of others can be
restricted to the space; intimate relations and family life are an apt illustration of spatial
privacy; (iii) communicational privacy which is reflected in enabling an individual to
restrict access to communications or control the use of information which is
communicated to third parties; (iv) proprietary privacy which is reflected by the interest
of a person in utilising property as a means to shield facts, things or information from
others; (v) intellectual privacy which is reflected as an individual interest in the privacy
of thought and mind and the development of opinions and beliefs; (vi) decisional
privacy reflected by an ability to make intimate decisions primarily consisting of one’s
sexual or procreative nature and decisions in respect of intimate relations; (vii)
associational privacy which is reflected in the ability of the individual to choose who
she wishes to interact with; (viii) behavioural privacy which recognises the privacy
interests of a person even while conducting publicly visible activities. Behavioural
privacy postulates that even when access is granted to others, the individual is entitled
to control the extent of access and preserve to herself a measure of freedom from
unwanted intrusion; and (ix) informational privacy which reflects an interest in
preventing information about the self from being disseminated and controlling the
extent of access to information.
[3] Bert-Jaap Koops et al., “A Typology of Privacy”, University of Pennsylvania Journal of
International Law (2017), Vol. 38 Issue 2, at page 566.
It is the category of ‘Informational Privacy’ which has been further stressed upon by
Justice Nariman, Justice Chandrachud and Justice Kaul in the above-mentioned Judgement.
Data Protection is mainly related to the category of ‘Informational Privacy’. Justice
Chandrachud very clearly points out that the need to protect the privacy of the being is
no less when development and technological change continuously threaten to place the
person into public gaze and portend to submerge the individual into a seamless web of
interconnected lives. Justice Kaul also states in his Judgement that knowledge about a
person gives power over that person, and also weighs upon the importance of introducing
a system to regulate such information. On the case of State of Maharashtra vs Bharat
Shantilal Shah, Justice Chandrachud gives his own take on the court’s Judgement, stating
that: The safeguards that the court adverts to in the above extract include section 14,
which requires details of the organised crime being committed. The requirements also
mandate stating the nature and location of the facilities from which the communication is
to be intercepted, the nature of the communication and the identity of the person. A
statement is also necessary on whether other modes of enquiry or intelligence gathering
were tried or had failed or why they reasonably appear to be unlikely to succeed if tried
or whether they would likely result in the identification of those connected with the
operation. The duration of the surveillance is restricted in time and the provision
requires minimal interception.
Justice Chelameswar in para 43 of his judgment has made a vital clarification, further
clearing the smoke surrounding the Right to Privacy. In this para he provides a very
useful insight regarding the conditions which are to be met by the State for justifying
its violations of the privacy of individuals. He has done this by drawing a distinction
between the standard just, fair and reasonable test and the compelling state interest
test, which he called the highest standard of scrutiny. He has stated that only in
privacy claims which deserve the strictest scrutiny is the standard of compelling state
interest to be used, and for other, ordinary claims the just, fair and reasonable standard
under Article 21 of the Indian Constitution will apply. Justice Kaul, to provide a
limitation measure to the Right to Privacy, incorporated the three-pronged test given by
Justice Chandrachud and added a fourth requirement for justifying violations of privacy
by the State:
1. Presence of a legitimate state interest
2. Existence of Law
3. Proportionality [the proportionality standard is used in European and international
human rights jurisprudence, apart from being applied by the courts in Canada and
South Africa]
4. The existence of procedural guarantees against the abuse of such interference
[the last requirement was added by Justice Kaul]
Legislative Developments
The Information Technology Act, 2000 [IT Act] gave birth to The Information Technology
(Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011
(SPDI Rules). The SPDI Rules were issued under Section 43A of the IT Act. Section 43A of
the IT Act pertains to “Compensation for Failure to Protect Data” and empowers the
enactment of “reasonable security practices and procedures for the protection of
sensitive personal data”. The SPDI Rules incorporate, to a limited extent, the OECD
Guidelines, specifically: collection limitation, purpose specification, use limitation and
individual participation. The SPDI Rules mandate certain requirements for the collection
of information and insist that it be done only for a lawful purpose connected with the
function of the organisation. In addition, every organisation is required to have a
detailed privacy policy. The SPDI Rules also set out instructions for the period of time
information can be retained and give individuals the right to correct their information.
Disclosure is not permitted without the consent of the provider of the information,
unless such disclosure is contractually permitted or necessary for legal compliance. When
it comes to sharing information with Government agencies, the consent of the provider
is not required and such information can be shared for purposes such as verification of
identity, prevention, detection and investigation including of cyber incidents, prosecution,
and punishment of offences. The SPDI Rules apply only to corporate entities and leave
the government and government bodies outside their ambit; the rules are restricted to
‘sensitive personal data’, which includes attributes like sexual orientation, medical
records and history, biometric information etc., and not to the larger category of personal
data. Further, the Cyber Appellate Tribunal (CyAT), which hears appeals under the IT Act,
issued its last order in 2011. The absence of an effective enforcement machinery
therefore raises concerns about the implementation of the SPDI Rules. The SPDI Rules
recognise financial information such as credit card, debit card and other payment
instrument details as sensitive personal data, thus to that extent regulating their use,
collection and disclosure.