(This story was first published on 30 September 2021 and is being republished from The Quint's archives in the backdrop of the Centre's Personal Data Protection (PDP) Bill 2019, which is expected to be tabled in the Winter Session of Parliament. The bill has received backlash from several members of the Opposition.)
The jurisprudence of Right to Privacy has evolved and developed through a series of judgments over the past 67 years, culminating with the Puttaswamy-I judgment in 2017 which reaffirmed that it is very much a fundamental right.
The judgment stated that privacy is a necessary condition for the meaningful exercise of other guaranteed freedoms.
(Below is a quick timeline of all the events leading up to Right to Privacy being held as fundamental.)
How Far Have We Come Since the Puttaswamy-I Judgment?
On 24 August 2017, a nine-judge bench of the Supreme Court in Justice KS Puttaswamy vs Union of India passed a historic judgment affirming the constitutional right to privacy. It declared privacy as an integral component of Part III of the Constitution of India.
Part III of the Constitution lays down our fundamental rights, ranging from rights relating to equality, freedom of speech and expression, freedom of movement, protection of life and personal liberty and others.
In this judgment, the court specifically upheld an individual’s right to data privacy and directed a special committee to be formed to study this matter at the earliest and propose a data protection framework to uphold the right to privacy.
In the absence of reforms to our laws on surveillance, we need a robust data protection law, which provides for adequate checks and balances when the government seeks to access data for national security purposes.
Additionally, since surveillance is predominantly driven by the political executive, we also need surveillance reforms that provide for parliamentary and judicial oversight of India’s intelligence agencies and police, conforming to the doctrine of separation of powers as enshrined in the Constitution of India in order to prevent abuse of power.
The Srikrishna Committee (2017)
Pursuant to the directions of the SC in the Puttaswamy judgment, regarding the regulation of informational privacy, a committee headed by retired Supreme Court judge Justice BN Srikrishna was tasked with the responsibility of studying the key issues and relaying recommendations.
Nearly a year later, the Committee submitted its report on 27 July 2018 titled “A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians”, along with a draft Data Protection Bill, to the Ministry of Electronics and Information Technology.
Navtej Singh Johar vs Union of India (6 September 2018)
On 6 September 2018, the Supreme Court unanimously ruled that Section 377 of the IPC, 1860, dealing with ‘carnal intercourse against the order of nature’, was unconstitutional insofar as it criminalised sexual conduct between two consenting adults.
The court relied here upon its decision in the right to privacy case when reasoning that discrimination on the basis of sexual orientation was violative of the right to equality, that criminalising consensual sex between adults in private was violative of the right to privacy, that sexual orientation forms an inherent part of self-identity and denying the same would be violative of the right to life, and that fundamental rights cannot be denied on the ground that they only affect a minuscule section of the population.
Constitutionality of the Aadhaar Act (Puttaswamy-II Judgment | 26 September 2018)
The right to privacy judgment had arisen out of a challenge filed by former Karnataka High Court judge KS Puttaswamy, who had argued that the Aadhaar programme violated the right to privacy.
His original petition, filed in 2012 when there was no Aadhaar legislation, had argued that the scheme collected sensitive personal data without adequate privacy safeguards.
Even after the Aadhaar Act was introduced in 2016, there was still no data protection law, and now the scope of the whole project had been expanded even further, since private entities could request authentication by Aadhaar for any reason subject to regulations by the UIDAI. Justice Puttaswamy raised concerns over the government’s ability to use the biometric data collected for any purposes.
While the majority of the court eventually upheld most of the Aadhaar Act, the ability for private entities to use it for authentication was struck down. The principles laid down in the Puttaswamy-I judgment, from the content of the right to the proportionality test which has to be applied to any potential restrictions on the right, were followed by the court when arriving at its verdict.
Vinit Kumar vs CBI (October 2019)
The Bombay High Court viewed the interception of a businessman’s telephone calls through the lens of infringement of his right to privacy. The subject of this case was the Union Home Ministry ordering interception of the said person's communications owing to accusations of bribery of a public servant.
The orders were challenged and the court held that there was no lawful justification for these orders and set them aside.
The court relied heavily on the Puttaswamy-I judgment and also stated that the orders did not follow the legislative requirements and procedure under Section 5(2) and Rule 419A of the Telegraph Act.
Introduction of the Personal Data Protection Bill (December 2019)
The government tabled its version of the Personal Data Protection Bill in Parliament on 12 December 2019. Immediately after introduction of the Bill, it was sent to a Joint Parliamentary Committee (JPC) for scrutiny.
The Personal Data Protection Bill, 2019 also showed several variations as compared to the draft bill suggested by the Srikrishna Committee. Among the most contentious variations has been the expansion of the scope of exemptions for the government and enhancement of the powers of the government.
Firstly, Clause 35 of the Bill provides blanket exemptions to the government and agencies authorised by it citing reasons such as public order, national security and friendly relations with other states.
The 2018 draft bill had provided for safeguards and had restricted the same to merely “national security” reasons. The clause had raised surveillance concerns and must be tested against the principles of necessity, legality and proportionality, as laid down in the Puttaswamy judgment.
Shefali Mehta, of The Dialogue, tells The Quint that as India rapidly moves into an era of digitisation, with technology being utilised for better delivery of welfare services and for innovation in almost all sectors, the need for a data protection framework is being felt very strongly to protect citizens and empower the government.
"Once the legislation is conceptualised, the task of implementation and ensuring compliance will begin, considering India's data infrastructure and state of the sector at present – this is going to be an uphill task. In order to protect the interests of Indian citizens and make India a favourable tech destination, it is imperative that the government speeds up the process and brings in place a well balanced law at the earliest," she added.
Rout vs State of Odisha (November 2020)
The High Court of Orissa recognised the right to be forgotten as a subset of the right to privacy. During the course of a bail plea, the court commented on how the right to be forgotten is an integral part of the right to privacy.
It spoke of the need for frameworks to ensure that an individual can protect their privacy by exercising this right.
Kush Kalra vs Union of India (December 2020)
In this judgment, the SC held that pasting posters outside the homes of COVID-positive patients is not permissible. This was on the basis that it violated fundamental rights, such as the right to privacy and the right to life with dignity.
It was held that “the affixation of posters led to violation of the right to privacy guaranteed under article 21 of the Constitution of India, reiterated by the Supreme Court of India in the case of Puttaswamy vs Union of India.”
Introduction of the IT Rules, 2021
On 25 February, the Government of India released the Draft Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. The rules were notified three months after they were released.
These guidelines sought to place regulations on two different classes within the digital media ecosystem:
Regulation of social media and other intermediaries
Regulation of OTT platforms and digital news media
These rules place a traceability requirement on significant social media intermediaries, to identify the first originator of a particular message, in a bid to tackle challenges like fake news, hate speech and the proliferation of CSAM (Child Sexual Abuse Material) on the internet.
However, fulfilling such a requirement would undermine the ‘end-to-end encryption’ feature of many platforms or provide ‘backdoor access’ to these secure systems to enable identification.
This will certainly impact the right to privacy of Indian citizens, and it is unclear whether the requirement fulfils the proportionality test from the Puttaswamy-I judgment.
Rise in Data Breaches & the Need for New Cyber Security Policy
In 2021, a spate of alleged data breaches – such as those involving Air India, Domino’s, Facebook, Mobikwik, and Upstox – significantly compromised the personal data of crores of Indian people and brought to light the growing need for India to modernise its cyber security standards.
The major gap in policy at present remains the need for statutory protections for compromised users and an update of India’s Cyber Security Policy, 2013.
Though comprehensive at the time of its enactment, the policy seems to fall short based on technological progress since then.
It needs to address present needs related to national security, critical infrastructure and even business.
Incidents such as the alleged Chinese disabling of power infrastructure in Mumbai by means of a cyber-attack, or similar attacks that targeted India’s nuclear power plant in Kudankulam, have reinforced the need for a cyber security policy.
The new cyber security policy is greatly awaited by industry, academia and civil society; however, it has not yet been released by the government.
There is a major task at hand for the government to ensure that the new policy addresses the gaps that have come to light during the implementation of the 2013 policy, especially when it comes to strengthening the security of the critical infrastructure.
The implications of data breaches for the right to privacy of citizens are also a matter of concern. Strong data protection mechanisms and cyber security measures must be put in place to ensure that a citizen’s personal data, and therefore their right to privacy, are protected and upheld.
Pegasus Surveillance Concerns & What India Needs Going Forward
The recent revelations made by the Pegasus Project regarding thousands of possible targets of surveillance across the globe have taken the world by surprise.
The absence of an overarching and nuanced surveillance framework is challenging. There is a strong need to modernise and re-evaluate frameworks that govern surveillance activities.
It is imperative that there are safeguards in place to protect the citizens' rights and that due process is established and followed for sanctioning of requests for surveillance by the State.
In India, the absence of an overarching and nuanced surveillance framework coupled with the lack of clear data privacy safeguards is a challenge. Privacy and security are complementary to one another; a compromise on one can lead to the other being compromised.
(Kazim Rizvi is the Founding Director of The Dialogue, a public policy think-tank based out of New Delhi. He is one of the leading voices in India's tech policy discourse and closely engages with the government and other stakeholders on such policy matters.)