Constitutional right to privacy in relation to technology and data collection practices.
- By Parkhi Agrawal
- Research Paper
ABSTRACT
The right to privacy in India was declared a fundamental right under Article 21 by the Supreme Court in the 2017 Puttaswamy judgement. This abstract looks at how this right is affected by modern technology and data collection.
With the rise of digital technologies, more personal data is being collected than ever before. This has created concerns about how this data is used and protected. The main law in India for data protection is the Information Technology (IT) Act of 2000, but as technology advances, there are questions about whether this law is strong enough to protect our privacy.
Some of the biggest issues involve government surveillance, the use of biometric data (like fingerprints and iris scans) in systems like Aadhaar, and the widespread use of data analytics. While these technologies can be very useful, they also risk invading our privacy.
In conclusion, recognizing the right to privacy is a big step forward for India. However, ensuring this right in the face of new technology and data practices is a complex challenge that requires ongoing legal and policy efforts.
INTRODUCTION
Privacy is a fundamental human right that encompasses the protection of personal information, autonomy, and the ability to control one’s own life without undue interference. It is the right to be left alone and to make personal decisions without external intrusion. Historically, privacy has been recognized as a critical component of human dignity and freedom, and it has been protected through various legal and social norms across different cultures and societies. In the context of legal frameworks, privacy rights often intersect with other fundamental rights, such as the right to freedom of expression, the right to a fair trial, and the right to personal liberty.
The advent of the digital age has transformed the way personal data is collected, processed, and utilized. With the proliferation of smartphones, social media platforms, and internet-connected devices, vast amounts of personal information are generated and stored by both private corporations and government agencies. This data includes sensitive details such as financial records, health information, and biometric identifiers. While technological advancements have brought about significant benefits, such as improved services and enhanced connectivity, they have also raised serious concerns regarding the protection of privacy. Data breaches, unauthorized surveillance, and misuse of personal information have become common occurrences, highlighting the need for robust privacy protections.
In India, the rapid digitalization and the implementation of large-scale data collection programs, such as Aadhaar, have brought privacy issues to the forefront of public discourse. The right to privacy has been subject to extensive legal scrutiny, culminating in landmark judicial pronouncements that have shaped the contemporary understanding of privacy rights in the country.
Historical context of Privacy Rights in India
Article 21 of the Indian Constitution guarantees the protection of life and personal liberty to every individual. It states, “No person shall be deprived of his life or personal liberty except according to a procedure established by law.” This provision has been interpreted expansively by the judiciary to include various facets of human life and dignity, and over the years, it has come to encompass the right to privacy as an integral component of personal liberty.
Kharak Singh v. State of Uttar Pradesh (1963)
One of the earliest cases to discuss privacy in the context of the Indian Constitution was Kharak Singh v. State of Uttar Pradesh (1963). Kharak Singh, who had been subjected to police surveillance, challenged the regulations that permitted such surveillance. The Supreme Court of India held that the right to privacy was not explicitly guaranteed by the Constitution. However, the court recognized that certain elements of privacy, such as the sanctity of a person’s home, were implicit in the concept of ordered liberty.
In this case, the court invalidated some of the surveillance practices, ruling that they violated Article 21 as they amounted to an intrusion into the personal liberty of the individual. Although the right to privacy was not explicitly acknowledged, this judgment laid the groundwork for future deliberations on privacy by linking it to personal liberty.
- Rajagopal v. State of Tamil Nadu (1994)
The case of R. Rajagopal v. State of Tamil Nadu (1994), also known as the “Auto Shankar Case,” was a significant milestone in the recognition of privacy as a fundamental right in India. This case involved the publication of the autobiography of a convicted criminal, Auto Shankar, which allegedly contained details of his nexus with various police officials. The state sought to prevent the publication of the book, citing privacy concerns.
The Supreme Court ruled in favor of the publisher, stating that the right to privacy is implicit under Article 21 of the Constitution. The court held that an individual’s right to privacy includes the right to protect one’s personal information from being published without consent, except in cases where the publication is justified by a larger public interest. This judgment marked a pivotal moment in Indian jurisprudence by explicitly recognizing privacy as a fundamental right within the framework of personal liberty under Article 21(supra).
TECHNOLOGICAL LANDSCAPE IN INDIA
Data Types
In the digital age, various types of data are collected, processed, and utilized, each posing unique challenges and concerns for privacy:
- Personal Data: Includes information that directly identifies an individual, such as name, address, phone number, email ID, and photographs. This type of data is crucial for services and transactions but requires robust protection to prevent misuse.
- Metadata: Refers to data about data, such as time stamps, geolocation, and device information. Although not personally identifiable on its own, metadata can reveal significant patterns about an individual’s behavior and preferences.
- Financial Data: Encompasses information related to banking, credit cards, financial transactions, and investment details. This data is highly sensitive and critical for preventing fraud and ensuring financial security.
- Health Data: Includes medical records, prescription details, biometric information, and health monitoring data. Protecting health data is essential to maintain confidentiality and prevent discrimination based on medical history.
Key Players
Several entities are involved in the collection and processing of data in India, each playing a significant role in shaping the technological landscape:
- Government Agencies: The Unique Identification Authority of India (UIDAI) is a prime example, managing the Aadhaar program, which collects and stores biometric and demographic data of Indian residents. Other government bodies also collect data for purposes such as national security, law enforcement, and public services.
- Tech Companies: Indian tech giants like Reliance Jio and Paytm collect vast amounts of data to provide telecom services, digital payments, and other online services. These companies leverage data to improve services, enhance user experience, and drive business growth.
- Social Media Platforms: Global platforms such as Facebook and WhatsApp have a massive user base in India. These platforms collect personal data, usage patterns, and interactions, which are used for targeted advertising and other business purposes.
Methods
Data collection methods in India vary widely, reflecting the diverse applications and purposes for which data is gathered:
- Biometric Data Collection: The Aadhaar program is a prominent example, involving the collection of fingerprints, iris scans, and facial photographs. This biometric data is used for identity verification and to facilitate access to government and financial services.
- Mobile Tracking: Telecom providers and app developers use mobile tracking to gather data on user locations, call logs, and app usage patterns. This data helps in delivering location-based services, improving network performance, and personalizing user experiences.
- Internet Surveillance: Government agencies and internet service providers (ISPs) monitor online activities for security and regulatory purposes. Internet surveillance involves tracking browsing history, email communications, social media interactions, and other online behaviors to detect and prevent cyber threats and unlawful activities.
Technology and need for Data Protection
Science and technology have made significant strides recently. Organisations must gather vast amounts of data from them to provide customers with improved services that meet their wants and demands.
The Indian government has enacted rules that are expressly intended to protect the private digital information that people contribute to these organizations through online platforms. The Information Technology Act of 2000 (supra) and the Digital Personal Data Protection Act of 2023 The two most important laws are these two.
Safeguarding the right to privacy is a major step forward, and the newly approved Digital Personal Data Protection Act, 2023 is a significant and revolutionary stride in Indian history since it protects users’ data who disclose information online on random platforms. The following are some of the Act’s key points:
- The Digital Personal Data Protection Act’s main objective is to make it possible to process digital personal data in a way that satisfies people’s right to have their personal data safeguarded and the requirement that such data be used for legal purposes.
- Data fiduciaries’ obligations – Data fiduciaries are required to treat personal data of data principals only for authorized purposes that have been approved by the principle. This ensures that the information won’t be utilized for reasons that the data principle hasn’t permitted. The data fiduciary must first get the principal’s consent before processing the principal’s information and provide a justification. It shall take all required safety measures to safeguard the personal data of the data principal. It is required to report the breach to the Board and the impacted parties. They have to ensure that complaints may be addressed through the proper procedures.
- Right of the Data Principal: A Data Principal who gives his personal information for processing is granted several rights under the Act. The ability to provide, manage, evaluate, and withdraw consent as needed is one of these rights. It also allows the data principal to add, update, erase, or change any personal data that the data fiduciary may have collected on them. The data principal has the right to ask the Board for a grievance remedy in the case of a complaint.
- Penalties for Violations – The Act outlines the following criteria that may be applied in determining the penalty levied in the case of a data principal infringement or other grievance:
- The kind, severity, and length of the breach,
- The categories and kinds of personal information compromised by the hack,
- The breach’s repetitive nature,
- Whether the individual has realized a benefit or averted any loss as a result of the breach,
- Whether the individual took any steps to lessen the impact of the breach and the promptness and efficacy of such steps,
Concerns
The Digital Personal Data Protection Act of 2023 is a historic step towards ensuring the right to privacy in India and for Indian persons; nevertheless, there are still some problems and flaws that need to be resolved in order for the Act to be properly implemented and finally accomplish its objectives.
- The Central Government has unconstrained discretionary powers and is not accountable for whatever actions the State conducts. The State has unlimited authority. This gives them access to a substantial amount of public data that they could abuse for security or political ends. The Act gives the government extra power when it exempts any “instrumentalities of the State” from its provisions.
- Application to non-digital data: Both digital and non-digital data that is subsequently converted to digital form are covered by the Act. But how is a person going to find out whether the data fiduciary has digitized material that was sent in hard copy?
- Does not follow international standards – The Act does not follow international norms, especially those concerning the “anonymization of data” and “sensitive personal data.”
- Data Protection Board of India – The Board is expected to be one of the most powerful and independent organizations, charged with protecting the nation’s privacy. Unfortunately, all jurisdiction over it rests with the Central Government.
Legal Frameworks and Privacy Protection
In recent years, there have been significant developments in privacy laws and data protection in India.
Some of the notable developments are:
- The Personal Data Protection Bill, 2019: In December 2019, the Personal Data Protection Bill, 2019 was presented to the Indian Parliament. The General Data Protection Regulation (GDPR) of the European Union serves as the model for the bill, which aims to provide a comprehensive legal framework for the protection of personal data in India. The bill outlines what constitutes critical, sensitive, and personal data as well as how it should be collected, stored, processed, and transferred. In order to supervise the law’s execution and guarantee the security of personal data in India, the bill also establishes the Data Protection Authority of India (DPA). The Parliament is now debating the bill, and it is anticipated that it will soon become a law.
- The right to privacy has been recognized by the Supreme Court as a basic right. In a historic ruling in the case ofJustice K.S. Puttaswamy (Retd.) v. Union of India, the Supreme Court of India recognized the right to privacy as a basic freedom guaranteed by the Indian Constitution in August 2017. The court determined that Article 21 of the Constitution guarantees the right to life and personal liberty, which includes the right to privacy. This ruling has opened the door for more robust privacy safeguards under Indian law and has important ramifications for privacy protection in India.
- The Data Protection Authority’s (DPA) founding: To secure the security of personal data in India and to supervise the execution of the Personal Data security Bill, the Indian government established the Data Protection Authority (DPA) in 2020. The DPA will be able to look into complaints, carry out audits, and give directives to make sure the law is followed.
- The Indian government outlawed a number of Chinese smartphone applications in 2020, citing worries about data privacy and national security. Well-known apps like UC Browser, WeChat, and TikTok were among those prohibited. The prohibition made clear how crucial it is to safeguard personal information and make sure it is handled and stored securely, as well as the necessity for India to enact stricter data protection regulations.
- The COVID-19 pandemic has underscored the importance of privacy and data protection as governments worldwide have implemented contact tracing and surveillance measures to monitor the virus’s spread. In India, the government has launched several digital initiatives to track COVID-19 cases and distribute vaccines, raising concerns about data privacy and security. The pandemic has also emphasized the need for stronger legal frameworks to protect personal data and ensure its secure handling and storage.
Constitutional Right to Privacy in the Digital Age
Justice K.S. Puttaswamy (Retd.) v. Union of India (2018): This landmark ruling by the Supreme Court of India affirmed the right to privacy as a fundamental right under Article 21(supra) of the Indian Constitution. The judgment recognized that privacy is intrinsic to the right to life and personal liberty, and it is essential to safeguard individual autonomy, dignity, and freedom in the digital age. This ruling has significant implications for data protection and privacy in the context of increasing digitalization and surveillance.
Case Study: Pegasus Spyware
Pegasus Spyware: Pegasus is a sophisticated spyware developed by the Israeli cyber intelligence firm NSO Group. It has been at the center of global controversies due to allegations that it has been used by governments for surveillance purposes, particularly targeting journalists, activists, and political opponents.
Allegations in India: In India, there have been significant allegations that Pegasus spyware was used for surveillance on a range of individuals, including journalists, activists, politicians, and even government officials. These allegations have raised serious concerns about privacy violations and the misuse of surveillance technology.
Key Points:
- Surveillance of Journalists and Activists
- Legal and Ethical Concerns
- Government’s Role
- Judicial Intervention
- Impact on Privacy Rights
Future Directions
Emerging Technologies: Impact of AI, IoT, and Facial Recognition on Privacy
- Artificial Intelligence (AI):
- Data Collection and Analysis: AI systems rely on vast amounts of data to function effectively. This data collection can include personal information, which raises significant privacy concerns.
- Predictive Analytics: AI can predict personal behavior and preferences by analyzing data patterns, potentially leading to intrusive profiling and loss of individual privacy.
- Decision-Making: Automated decision-making by AI systems in areas like credit scoring, hiring, and law enforcement can have profound implications on individuals’ lives. These systems might operate without transparency, accountability, or recourse for those affected.
- Internet of Things (IoT):
- Data Proliferation: IoT devices, from smart home gadgets to wearable health monitors, collect a continuous stream of data about users’ activities, habits, and health.
- Security Vulnerabilities: Many IoT devices lack robust security measures, making them susceptible to hacking and unauthorized data access, thus compromising privacy.
- Surveillance: The widespread deployment of IoT devices can create a pervasive surveillance environment, where every action and interaction is potentially monitored and recorded.
- Facial Recognition:
- Mass Surveillance: Facial recognition technology enables real-time monitoring of individuals in public and private spaces, raising concerns about mass surveillance and the erosion of anonymity.
- Misidentification and Bias: The accuracy of facial recognition systems can vary, leading to false positives and negatives, which can result in wrongful accusations or discrimination.
- Consent and Use: Often, facial recognition is used without explicit consent, and individuals may not be aware they are being monitored.
Legal Reforms: Need for Updated Privacy Laws to Address Technological Advancements
- Comprehensive Data Protection Laws:
- Broad Coverage: New laws should cover all aspects of data collection, processing, storage, and sharing to protect individuals from invasive technologies.
- Consent and Transparency: Regulations must ensure that individuals are informed about data collection practices and provide explicit consent for the use of their data.
- Right to Access and Control: Individuals should have the right to access their data, correct inaccuracies, and delete information that is no longer necessary.
- Regulating Emerging Technologies:
- AI Ethics and Accountability: Laws should mandate transparency in AI decision-making processes and establish accountability mechanisms to address biases and errors.
- IoT Security Standards: Regulations should enforce stringent security standards for IoT devices to prevent data breaches and unauthorized access.
- Facial Recognition Oversight: Clear guidelines and restrictions on the use of facial recognition technology are essential to prevent misuse and protect individual freedoms.
- Government and Corporate Responsibility:
- Surveillance Regulations: Legal frameworks should define the extent and limitations of government surveillance, ensuring it is conducted lawfully and proportionately.
- Corporate Data Practices: Companies should be held accountable for their data practices, with requirements for regular audits, impact assessments, and compliance with privacy laws.
Public Awareness: Importance of Digital Literacy and Advocacy for Stronger Privacy Protections
- Digital Literacy:
- Education and Training: Promote digital literacy programs that educate individuals about the implications of data collection, the use of emerging technologies, and their rights to privacy.
- Safe Online Practices: Encourage safe online behaviors, such as using strong passwords, enabling two-factor authentication, and being cautious about sharing personal information.
- Advocacy and Public Participation:
- Civil Society Engagement: Support civil society organizations that advocate for stronger privacy protections and hold governments and corporations accountable.
- Public Discourse: Foster public discourse on privacy issues to raise awareness and drive demand for robust privacy laws and practices.
CONCLUSION
The constitutional right to privacy is a fundamental pillar in protecting individual freedoms and dignity, particularly in the context of rapid technological advancements and pervasive data collection practices. The landmark ruling in Justice K.S. Puttaswamy (Retd.) v. Union of India (2018) established privacy as a fundamental right under Article 21(supra), highlighting its intrinsic value in safeguarding personal liberty and autonomy.
The COVID-19 pandemic further amplified these concerns, as governments worldwide, including India, adopted digital measures for contact tracing and vaccine distribution, raising questions about data privacy and security. This period highlighted the critical need for robust legal frameworks that not only facilitate technological innovation but also protect individual privacy rights.
In conclusion, the constitutional right to privacy must be rigorously upheld in the face of evolving technological landscapes and data collection practices. By implementing robust legal reforms and fostering a culture of digital literacy, we can create a balanced environment where technological progress and individual privacy rights coexist harmoniously. This will ensure that the benefits of technological advancements are realized without compromising the fundamental right to privacy.
REFERENCE
- https://www.legalserviceindia.com/legal/article
- Privacy in the Age of Big Data.
- The Age of Surveillance Capitalism..
- Privacy and the Internet: The Case of the DoubleClick, Inc.
BY
PARKHI AGRAWAL