DATA PRIVACY LAWS IN INDIA- THE NEW DIMENSIONAL CHALLENGE

By Prajanya Raj Rathore 43 Minutes Read

Introduction to data and its types

Before divulging into the intricate concept of data privacy it is necessary to address the elephant in the room, what is data? Under the Information Technology Act, 2000, data is defined as representation of information, knowledge, concepts, codes and facts which is formalized in order for a computer system to work upon. In terms of a layman, data is any information that can be produced in an organized manner and which will make sense when arranged in a certain manner to the person who is reading it.[1]

How is it interpreted?

The value of our data is increasing day by day, companies and government are now so adept at analyzing the data which we produce that they have a better understanding of us than we have of ourselves. The data which we produce is generally used by the companies to run their targeted advertising campaigns on our PCs and mobile as well as the government also uses it to run their campaign or implementing some new schemes which are to be promulgated in the future. Today, some of the richest companies in the world are the ones that offer services like data storage and data protection. One of the biggest examples is the Amazon, which became a very important figure in the world economy, solely on the basis of utilizing such data gathered from individuals. Another classic example of utilizing data mining technology is the operation of surveillance applications by governments, particularly the Indian Government which recently introduced the Arogya Setu application to monitor its citizens. (We shall discuss it in detail in subsequent headings)

Usually, when we transmit data, we tend to leave some metadata in the form of date of access, time of access, time of transfer, nature of transmission, etc. which happens to be in a raw format, it’s not a data, we can say it’s a piece of information. Let’s take the example of internet access sessions, initially, it is very scrambled and no one can make the sense out of it. But once we start segregating and arranging such information, it takes the face of data, and by the arrangement of such data we are able to predict let’s say a shopping activity through a particular system or mobile phone or which device is used more for online shopping. Such information is useful for marketing strategies as corporates forward a particular product based on our preferences which are highly predicted by our browsing sessions and history[2].

A big question is that are we even considered humans now from the perspective of these corporations? No, unfortunately, we are not, we are walking and talking data banks now. They have hit a gold mine which is never going to run out the resources in terms of data. It is quite likely (and urgent) that a data protection regime shall be evolved in the future. With major breaches like the Kundakalam malware attack[3], the likes of which is simply groundbreaking, and with the current privacy law in its nascent stage, it is not far when the country would be open to attack from numerous points of vulnerability.

Types of Data[4]

For a better understanding, the article shall explain it with the analogy of the tech giant Google:

1. Big Data- Simply put big data is the data that is so big that it cannot be stored in a conventional database. It needs an ever-expanding space for storage. For example- data stored on google cloud service by a business or a person will be an example of big data. That data is interpreted and analyzed by the machine learning platforms to generate target advertisements for the user. Also, any data we generate using google chrome is subject to the storage in the same manner as any of our other data on the cloud. The tech giant companies often use the information for improving the services or sell it to other platforms. The whole exercise is the most profitable model of revenue generation in today’s age.

2. Structured, unstructured, and semi-structured data– Considering our browser Chrome, whenever we transmit a single quantum of data, it is unstructured. Then it passes through their machine learning platform which converts it into semi-structured data: data type which is not fully structured but one following the pattern can make a sense out of it. Once the data is processed by these platforms they are transferred to the data scientists who using several tools, separate the information and present it in a refined manner. Although now the same is handled by google AI, thereby eliminating the human factor from the equation. Such data helps in devising several marketing strategies and focuses on the advertisements which are supposed to go on their google ads.

3. Time Stamp Data- This type of data is based upon a time stamp meaning that chrome time stamps each and every visit you make to your beloved websites. It basically traces your switch between the websites and other things. How is this going to help Google? Google can easily trade off this information to other online platforms in the form of analytics which help google as well as the other platforms to trace your path. This helps in service improvement so that the time duration of the visit can be increased and thereby increasing their profits.

4. Spatio-temporal data- This type of data includes both the combination of your place of visit and time. It is generally used by Google Maps service. It facilitates real-time monitoring of the person, this data is used to predict the distance between the locations and time taken to reach that particular destination.

The aforesaid categories are the basic ones that we generate on a daily basis. There are several other types of data like translytic data, high dimensional data, open data, unverified data, operational data, and many more.

Introduction to privacy

 The concept of privacy was first defined by American jurists named Samuel D. Warren and Louis Brandeis in the paper called ‘Right to Privacy’, they argued that if a person chooses to be alone he aims to be free from the external influence and that should be respected, he cannot be scrutinized in a private setting, it was a very refined interpretation for the year 1890[5]. ‘However, privacy happens to be an illusion in the context of cyberspace. You can never be private on the internet until and unless you use certain specialized extensions that allow you to surf the net as an anonymous user.

Modern jurists named Alan Westin[6] produced a refined model of privacy which included four quintessential points which are still relevant to this day, they are namely-

• Solitude
• Intimacy
• Anonymity
• Reserve

The first facet is solitude, which basically means to be free from the group and also free from the observation of another person. The second facet is Intimacy, where a person is in contact with a very small group of people with whom he chooses to live with or whom he gives the right to observe him. The third facet is anonymity, most relevant in today’s time which resonates with every fabric of privacy in modern time; it basically means that a person, though in a group seeks freedom from surveillance and identification. The fourth and final facet of privacy is reserve, this involves a person creating a psychological barrier to external intrusion.

Functions of Westin’s model of privacy:

1. It provides personal autonomy

2. It helps in emotional release

3. It provides limited and protected communication

Modern definition of privacy

The modern definition of privacy is built around the four facets of privacy but they have much more evolved to the modern principle. The privacy can be divided into four fundamental facets in modern times. These are-

• Information Privacy- which generally involves the establishment of rules pertaining to the collection of data from the people by the government.
• Bodily Privacy- This basically includes the information like medical records of person, test results, hospital records etc. it also prevents person from invasive procedures like drug tests, genetic testing etc.
• Privacy of information- it covers security of information pertaining to e-mails, telephones and other forms of communication.
• Territorial privacy- it covers that a person cannot be a subject to scrutiny in his own house until and unless there is a procedure established by the law.[7]

Data and Privacy

The situation is very alarming. With the rate we are producing data every day, we are letting out some of our very intricate information which is either used to monitor us or used to advertise certain products based on our usage. If we talk in the context of India, then the data protection regime is not adequate to protect us from cyber-attacks. Anyone with the right clicks can assume our identity and can use that information for any number of nefarious purposes. The seriousness of the issue has not been completely realized by the government. Rather today the government is trying to force us into the corner to let out our information on purpose. They have sponsored and crafted several invasive procedures, using which the government can access our information for any purpose ranging from silencing of dissent to unethical surveillance, policy development, or anything else.

Evolution of Data Privacy regime in India-

Indian Information Technology Act, 2000 is a very nascent piece of legislation that came after the UNCITRAL conference on e-commerce, 1999[8]. One serious drawback of the act is that it does not even contain the definition of data privacy under it. Even Kenya’s data protection regime[9] which focuses on user’s privacy, fares better on a scale of it’s relevance to modern information technology.

Our data protection regime has not been evolving, it is so stagnant that the last amendment took place in 2008. There are no specific data protection laws in place in India. The bill which was proposed had so many flaws contained in it that if it was brought in as a law, we would have had a surveillance state by now. The flaws in the bill will be further enunciated in the study. This part of the study is divided into two parts which will focus on the development of the concept of privacy through various judicial predicaments before and after Just. Retd. K. Puttaswamy ruling, where the privacy was recognized as a fundamental right of the citizens under Article 21 of the Constitution of India.

Judicial Predicaments claiming the privacy rights before Just. Retd. K. Puttaswamy under Article 21 of the Constitution of India, 1950:

Article 21 of the Constitution entails that a person cannot be deprived of his life and liberty until and unless there is a procedure established by the law. It is one the most ambiguous and complex part of Indian law since it has multiple and dynamic interpretations attached to it along with the subject matter of this study.

In the case of M.P. Sharma vs. Satish Chandra, District Magistrate, Delhi & ors[10]. The apex court of India the procedure for search and seizure under section 94 and 96 of the Criminal Procedure Code was challenged. The procedure was defined as a non-invasive procedure and a person can be monitored in a private setting if a search and seizure order has been issued against him. The verbatim of the judgment which actually speaks about such a fallacy is mentioned below:

17. A power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the constitution makers have thought fit not to subject such regulation to constitutional limitations by recognition of a fundamental right to privacy, analogous to the Fourth Amendment, we have no justification to import it, into a totally different fundamental right, by some process of strained construction. Nor is it legitimate to assume that the constitutional protection under Article 20(3) would be defeated by the statutory provisions for searches

There was no right to privacy in the year 1954 when this judgment came out.

However, Justice Subba Rao in the case of Ak Gopalan vs. State of Madras[11]recognized the implied principle of bodily privacy under the ambit of Article 21 of the Constitution of India. The verbatim of the part which stated such a concept is mentioned below:

“it is described to mean liberty relating to or concerning the person or body of the individual; and personal liberty in this sense is the antithesis of physical restraint or coercion. The expression is wide enough to take in a right to be free from restrictions placed on his movements. The expression “coercion” in the modern age cannot be construed in a narrow sense. In an uncivilized society where there are no inhibitions, only physical restraints may detract from personal liberty, but as civilization advances the psychological restraints are more effective than physical ones. The scientific methods used to condition a man’s mind are in a real sense physical restraint, for they engender physical fear channelling one’s actions through anticipated and expected grooves. So also, the creation of conditions which necessarily engender inhibitions and fear complexes can be described as physical restraints. Further, the right to personal liberty takes in not only a right to be free from restrictions placed on his movements, but also free from encroachments on his private life. It is true our Constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty. Every democratic country sanctifies domestic life; it is expected to give him rest, physical happiness, peace of mind and security. In the last resort, a person’s house, where he lives with his family, is his “castle”; it is his rampart against encroachment on his personal liberty. The pregnant words of that famous Judge, Frankfurter J., in Wolf v. Colorado [[1949] 238 US 25] pointing out the importance of the security of one’s privacy against arbitrary intrusion by the police, could have no less application to an Indian home as to an American one. If physical restraints on a person’s movements affect his personal liberty, physical encroachments on his private life would affect it in a larger degree. Indeed, nothing is more deleterious to a man’s physical happiness and health than a calculated interference with his privacy. We would, therefore, define the right of personal liberty in Article 21 as a right of an individual to be free from restrictions or encroachments on his person, whether those restrictions or encroachments are directly imposed or indirectly brought about by calculated measures. It so understood, all the acts of surveillance under Regulation 236 infringe the fundamental right of the petitioner under Article 21 of the Constitution.”

This was the first judgment which introduced the concept of bodily privacy. The concept under 236 (b) stated that police officers are authorized to enter the house of the history sheeters at any time. This was termed as an invasive procedure therefore; it was declared against the fundamental rights mentioned in Article 21 of the Constitution. The judgment completely differed from the aforesaid MP Sharma[12] judgment and also from Kharak Singh vs. State of Uttar Pradesh[13]. The Kharak Singh judgment stated that there is no concept of privacy in India so a person can be monitored at any point of time. The judges in this case invalidated the domiciliary visits at night by the police under regulation 236 and 237 , the verbatim of which is mentioned below:

“17. Having given the matter our best consideration we are clearly of the opinion that the freedom guaranteed by Article 19(1)(d) is not infringed by a watch being kept over the movements of the suspect. Nor do we consider that Article 21 has any relevance in the context as was sought to be suggested by learned Counsel for the petitioner. As already pointed out, the right of privacy is not a guaranteed right under our Constitution and therefore the attempt to ascertain the movements of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III.”

However much water has flown over Kharak Singh judgment, one mentioned above is AK Gopalan[14]. Another significant judgment which actually mentioned about the innate right to privacy under the Constitution of India it was the judgment of Gobind vs. State of M.P[15]. it was stated that the domiciliary visit by the police officer at night will be an invasive procedure and is against the idea of privacy at that point of time. The verbatim of the judgment is mentioned below:

“28. The right to privacy in any event will necessarily have to go through a process of case-by-case development. Therefore, even assuming that the right to personal liberty, the right to move freely throughout the territory of India and the freedom of speech create an independent right of privacy as an emanation from them which one can characterize as a fundamental right, we do not think that the right is absolute.”

However, the right has been mentioned under article 19 of the Constitution India which still at that point was a very progressive step towards the realization of the concept of privacy.

There was no concept of data privacy mentioned in the aforementioned, however, it was realized that an innate right to privacy existed in the Constitution under Article 21 but still, it was never explicitly mentioned under Article 21 of the Constitution.

Position of Right to Privacy now:

It was held in the Retd. Just. K.S. Puttaswamy vs. Union of India[16] that Right to privacy is a fundamental right under Article 21 of the Constitution of India. This case revolved around the Aadhaar Scheme propounded by the government, which was challenged on the ground that compilation and collection of data pertaining to the demography and biometric information that was supposed to be used by the government for various purposes.

The petitioner argued that this collection of information is co-terminus with the rights entailed under Articles 14,19,21,20 and 25. Given the constitutional ambiguity of the previous judicial predicaments, the decision was laid into the hands of the constitutional bench of 9 judges. They immediately differed from the below-mentioned judgments:

“821. The reference is disposed of in the following terms:

(i) The decision in M P Sharma[17] which holds that the right to privacy is not protected by the Constitution stands over-ruled;

 (ii) The decision in Kharak Singh[18] to the extent that it holds that the right to privacy is not protected by the Constitution stands over-ruled;

 (iii) The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution. (iv) Decisions subsequent to Kharak Singh which have enunciated the position in (iii) above lay down the correct position in law.”

Hon’ble justice D.Y. Chandrachud talked about various facets of privacy at length in this judgment he stated that privacy is the fundamentally recognized right under Part III of the constitution, the verbatim of the judgment is produced below:

“459. (A) Life and personal liberty are inalienable rights. These are rights which are inseparable from a dignified human existence. The dignity of the individual, equality between human beings and the quest for liberty are the foundational pillars of the Indian Constitution; … (C) Privacy is a constitutionally protected right which emerges primarily from the guarantee of life and personal liberty in Article 21 of the Constitution. Elements of privacy also arise in varying contexts from the other facets of freedom and dignity recognised and guaranteed by the fundamental rights contained in Part III; … (F) Privacy includes at its core the preservation of personal intimacies, the sanctity of family life, marriage, procreation, the home and sexual orientation. Privacy also connotes a right to be left alone. Privacy safeguards individual autonomy and recognises the ability of the individual to control vital aspects of his or her life. Personal choices governing a way of life are intrinsic to privacy. Privacy protects heterogeneity and recognises the plurality and diversity of our culture. While the legitimate expectation of privacy may vary from the intimate zone to the private zone and from the private to the public arenas, it is important to underscore that privacy is not lost or surrendered merely because the individual is in a public place. Privacy attaches to the person since it is an essential facet of the dignity of the human being; … (H) Like other rights which form part of the fundamental freedoms protected by Part III, including the right to life and personal liberty under Article 21, privacy is not an absolute right. A law which encroaches upon privacy will have to withstand the touchstone of permissible restrictions on fundamental rights. In the context of Article 21 an invasion of privacy must be justified on the basis of a law which stipulates a procedure which is fair, just and reasonable. The law must also be valid with reference to the encroachment on life and personal liberty under Article 21. An invasion of life or personal liberty must meet the three-fold requirement of (i) legality, which postulates the existence of law; (ii) need, defined in terms of a legitimate state aim; and (iii) proportionality which ensures a rational nexus between the objects and the means adopted to achieve them; and (I) Privacy has both positive and negative content. The negative content restrains the state from committing an intrusion upon the life and personal liberty of a citizen. Its positive content imposes an obligation on the state to take all necessary measures to protect the privacy of the individual.”

After reading the aforesaid ideology of privacy, it can be said that it is inspired by the Alan Westin’s model of privacy. However, the court grants it as an essential right but privacy is not an absolute right it can be abridged by various procedures established by law. It was also argued in the case that the right to privacy lies at the core of human dignity and should be entailed in the Constitution explicitly. It was further stated in this judgment that Aadhaar Scheme will be tested and implemented. The verbatim of the part of judgment claiming this is mentioned below:

“457. Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. We commend to the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state. The legitimate aims of the state would include for instance protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits. These are matters of policy to be considered by the Union government while designing a carefully structured regime for the protection of the data. Since the Union government has informed the Court that it has constituted a Committee chaired by Hon’ble Shri Justice B.N. Srikrishna, former Judge of this Court, for that purpose, the matter shall be dealt with appropriately by the Union government having due regard to what has been set out in this judgment.

746. We are in an information age. With the growth and development of technology, more information is now easily available. The information explosion has manifold advantages but also some disadvantages. The access to information, which an individual may not want to give, needs the protection of privacy.

 747. The right to privacy is claimed qua the State and non-State actors. Recognition and enforcement of claims qua non-state actors may require legislative intervention by the State.“[19]

Data Privacy laws before K.S. Puttaswamy Judgment

There was no concept of data privacy prior to this judgment but however, there was Information Technology Act, 2000 which had provisions as to the violation privacy under:

Section 72 A deals with the breach of confidentiality and privacy. This section prescribes punishment for the person who is concerned with the documents like electronic records, book, register, correspondence, information, document or other material discloses the said information without the consent of the owner of such information shall be punished with a fine of one lakh rupees or imprisonment up to the term which extend to two years, or fine or both.

Section 85 of the Act deals with the breach of data by a body corporate, a company that discloses the data of the people will be liable for a fine and the people who will be in charge of the handling of such data shall be punishable under this section. This section generally involves civil liability, prescribing payment of very hefty fine under section 43A of the act.

Since, Information Technology Act, 2000 didn’t have any comprehensive laws for data protection, the type of data which needed to be protected was defined under Information technology Act,2000 (Reasonable security practices) Rules,2011 which draws a distinction between the types of data into sensitive and general type of data. Sensitive personal data namely includes a person biometric, sexual orientation, medical records, psychological orientation, financial records, and passwords. This was a remarkable step by the legislation to demarcate the types of data.[20]

However, no matter how remarkable the step was it failed to address the extent to which such data can be exchanged which is another whole subject matter. Certain laws in place still speaks about the invasive procedures established under the below-mentioned sections-

1. Section 67 c: Intermediary retaining or preserving information

2. Section 69: Any agency or intermediary can be directed to intercept, monitor or decrypt any information.

3. Section 69B: Any agency or intermediary of the government authorized to monitor, collect data or information.

These procedures are so invasive that they shatter the very essence of privacy we uphold today. These practices help the government but what happens to the information once it has been utilized? Unfortunately, nobody knows the answer to that.

Data Protection Regime after K.S. Puttaswamy judgment:

After the K.S. Puttaswamy judgment[21], as per the direction of the judges, NN Shree Krishna Committee on Data Protection Bill, 2018 sat down in order to give India’s own GDPR which was an appreciable attempt. But the recommendations were a blatant copy-paste of GDPR with slight modifications. It contained so many fallacious procedures that enabled the government to assume the responsibility of our data as per its discretion whenever there is a need for development or implementation of new policy. Also, there was no procedures pertaining to Right to be Forgotten.

Besides, there were no guidelines explaining for how long the data can be stored in a system, or as to how the employee’s data will be treated after their resignation, or as to how much data is to be exchanged. More importantly, it failed to address a set definition of data privacy.[22]

What the current regime doing about it to correct it?

Unfortunately, the government of the day is doing nothing to create a data privacy-friendly policy and to top it all, it is drawing inspiration from countries like Singapore & Taiwan. It has introduced apps like Arogya Setu app, which trace your position and tells you about how many people in your vicinity are being affected by the virus. On the face of it, the app seems very innocent on the surface. But once we peel off a layer, we find so many fundamentally wrong things with it. For example, one of the most heated issues that revolve around it is that it centralizes the information from Bluetooth and GPS. Thus if somebody wants to know your exact location, they can simply infiltrate and get it. Features such as Bluetooth and GPS information were never meant to be centralized. An alternate route could have been taken to achieve a similar result since all the data we access goes through a central guarded repository.

The model which the government implemented was of contact tracing which has no routes or has been defined in India. According to WHO, contact tracing[23] is a process where a person involved gets to know about the people you came in contact with and evaluate your chances of being infected. Since there are no laws and well-defined boundaries pertaining to it, it has the potential to serve as aid and kin to surveillance. Arogya app[24] facilitates the government to actually live track a person at all times. The faults in such kind of tracing procedure are prone to misuse and privacy infringement, which were exposed recently by a French Cyber Security Analyst who examined the app and showed its intrusive nature.

This concept of contact tracing can be used as garb to prevent any questions against the regime. It enables them to live track our movements to various places. This goes beyond and against the idea of privacy. Yes, privacy rights have some limitations but making an app mandatory for the masses so that you can live track them is not right. It doesn’t seem right.

Conclusion

It can be conveniently concluded that the Indian Data Protection legal framework, unfortunately, lies in a state of abyss. In spite of having an explicitly user-friendly data privacy regime on paper, the government has of late ventured into invading into citizen’s private life in the name of implementation of new schemes and policy. Everyone has the right to left alone if he chooses to do so.

The governments’s initiative of tracking and storing our data for the effective implementation and formulation of its ‘claimed’ progressive policies, schemes, and subsidies must be taken with a pinch of salt. It must be laid down and transparency must be brought in about the issue surrounding the question that what would be the status of such data after its purpose has been achieved. They must define the limits to the ambit of its usage and final determination. After all, we have a right to know what happens to our data after it has been used.

[1] Anirudh Rastogi, Cyber Law- Law of Information Technology and Internet, Lexis Nexis ed- 1
[2] Mona Lebied, How data is interpreted?, the datapine blog,(6/05/2020, 2:00 am),
[3] Vaksha Sachadev & Sushovan Sircar, Was the Nuclear Power Plant hit by a Malware Attack, the quint (6/05/2020, 3:00am), see also the Logical Indian, Malware attack of Kundakalam critical infrastructure not affected- NPCIL, the Logical Indian,(6/05/2020, 3:30am), see also Utpal Bhaskar, India confirms malware attack on Kundakalam Nuclear plant, live mint, (6/05/2020, 4:00 am),
[4]Adrian Bridgewater, the 13 types of data, forbes (6/05/2020, 4:30 am), forbes.
[5] Susan E. Gallagher, Introduction right to privacy by Louis D. Brandeis and Samuel Warren: A digital critical edition, University of Massachusetts press, forthcoming.
[6] Peter Swire, Alan Westin’s Legacy of privacy and freedom, International Association of Privacy Professionals, (6/05/2020, 2:00pm),
[7] Australian Law reform Commission, the Meaning of Privacy, Australian Government, (6/05/2020, 3:00pm).
[8] Supra 1
[9] Kenyan Government, State of Privacy in Kenya, Kenya Government, (6/05/2020, 3:30pm).
[10] M.P. Sharma vs. Satish Chandra, District Magistrate, Delhi & ors, 1954 SCR 1077
[11] Ak Gopalan vs. State of Madras, 1950 SCR 88
[12] Supra 10
[13] Kharak Singh vs. State of Uttar Pradesh, (1964) 1 SCR 334
[14] Supra 11
[15] Gobind vs. State of M.P, (1975) 2 SCC 148
[16] Retd. Just. K.S. Puttaswamy vs. Union of India, (2015) 8 SCC 735
[17] Supra 12
[18] Supra 13
[19] Press trust India, three great dissent find place in Supreme Court’s Privacy verdict, the Hindustan times, (7/05/2020 , 1:00 am).
[20] Economic Law Practices, Data protection and privacy issues in India, Economic Law Practices,(7/05/2020, 1:30 am)
[21] Supra 16
[22] Supra 20
[23] Shirin Ghaffary, What the US can learn from other countries using phones to track Covid-19?, Vox, (7/05/2020, 6:00am).
[24] Elliot Alderson, Aarogya Setu- the story of Failure, the medium (7/05/2020, 12:00 am).

Prajanya Raj Rathore

Just an average guy, who is here to learn and explore new things. With interest in Technology law, Media law, telecommunications law, Criminal law and Environmental law.