The Personal Data Protection Bill, 2019 (hereinafter referred to as “PDPB 2019”) was introduced in Parliament on 11-12-2019 in its winter session. The underlying objective of this Bill is to regulate the data of Indian citizens. The current draft, as introduced on the foregoing date, has some interesting amendments vis-à-vis the original draft Bill of 2018. The revised Bill, though introduced in the Lok Sabha (Lower House of Parliament), was subsequently referred to a Joint Select Committee of both Houses of Parliament. This is possibly for more pragmatic amendments to be included.
Privacy is not a very new concept and was first recognised as early as the Semayne case in 1604, wherein it was recognised that “the house of everyone is to him as his castle and fortress.”[1] This case has other legal angles attached to it, but on the territorial privacy part, i.e. the privacy of one’s home or premises, it holds as good precedent. In principle, it means that you cannot come unannounced to search someone’s house without a warrant or notice and break open anyone’s house. This would be tantamount to a breach of one’s territorial privacy.
The term “privacy” kept evolving considerably thereafter and gained heightened attention on 15-12-1890 when Justice Louis Brandeis and Boston Attorney Mr Samuel Warren penned their now ageless article, “the right to privacy”, in which they defined protection of the private realm as the foundation of individual freedom in the modern age and argued that the law should recognise such a right and impose liability regarding any intrusions on it.[2] The authors, Brandeis and Warren, said, “It is our purpose to consider whether the existing law affords a principle which can properly be invoked to protect the privacy of the individual; and, if it does, what the nature and extent of such protection is.”[3]
Universal Declaration of Human Rights (UDHR) in 1948
Privacy was statutorily recognised globally for the very first time by the UDHR in 1948 through its Article 12[4]. With the advent of such protection in UDHR, many countries became vigilant about the nuances of privacy and started inculcating such provisions in their domestic laws.
Guidelines on the Protection of Privacy and Transborder Flows of Personal Data 1980 [5]
During the 1980s, growing globalisation and the emerging possibility of data traversing international borders necessitated regulations for transborder data flows. This led the OECD (Organisation for Economic Cooperation and Development) to formulate the 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The OECD, which houses many countries in its association, aims at bringing synergy and harmonising the diversified connotations of privacy principles as followed in multiple jurisdictions. The basic privacy principles mentioned hereunder were derived then and have been undergoing transformation with emergent needs.
Privacy Principles as Coined by OECD, 1980
Collection Limitation | Data for which notice has been given and consent has been obtained should only be collected by fair and lawful means. |
Data Quality | Data collected with respect to the objective should be relevant, accurate, complete and up to date. |
Purpose Specification | Data can be used only for the purpose for which it was collected with notice and consent. |
Use Limitation | No unauthorised disclosure or use of data except as permitted by the person or lawfully allowed. |
Security Safeguards | Reasonable security measures to protect data. |
Openness | An organisation should be transparent about its policies on how it uses collected personal data. |
Individual Participation | The person sharing data should have the right to know/clarify/confirm on what personal data is in possession, to delete, rectify, etc. from the other party. |
Accountability | The data controller is responsible for complying with these privacy principles. |
European Union Adopted Directive 95/46/EC and the GDPR
However, a major transition in privacy laws came about in 1995, when for the very first time the European Union (EU) passed Directive 95/46/EC. This directive laid down an organised framework for EU member nations covering inter-country personal data transfer/flow, protection against unlawful processing of personal data, regulation of the processing of data, and the classification and protection of sensitive data. Recently it has been supplanted by the all new EU Act, the General Data Protection Regulation (GDPR), which came into effect on 25-5-2018 with many new features such as the role of Data Protection Officer, etc.
Prior to or around the time of the movement for codification of Directive 95/46/EC, there were other legislations, self-regulations and privacy codes from different corners of the globe. A few are worth mentioning for relevance and have been excluded from detailed reference above for brevity:
(i) Data Law of Sweden, 1973.
(ii) Fair Credit Reporting Act, 1970, the Privacy Act, 1974, the Fair Information Privacy Principles, 1974 – USA.
(iii) National Standard of Canada/Standards Council of Canada March 1996 (privacy code).
Indian Context
Constitution and Fundamental Rights
In India, the debate over whether privacy is a right protected under Part III of the Constitution has been there for quite a long time, starting from M.P. Sharma [6] and Kharak Singh [7], wherein the Supreme Court denied that such a right is protected by the Constitution.
In M.P. Sharma [8], the Court said that “if the constitution-makers did not think it to be fit into Constitution, there is no justification for importing such right by strained construction”, while in Kharak Singh [9], the Court relied upon the privacy doctrine enunciated in the US judgment of Wolf v. Colorado [10] and denied right to privacy to be a fundamental right. However, both the M.P. Sharma [11] and Kharak Singh [12] cases were overruled by the 2017 judgment of the Supreme Court in K.S. Puttaswamy v. Union of India [13]. Justice D.Y. Chandrachud, in his view, expressed the need for formulation of a robust regime for data protection to protect the interests of both the State and its citizens [14]. The present CJI and the then Judge of the Supreme Court of India, Justice S.A. Bobde, viewed that the right to privacy is an indispensable part of personal liberty [15] and is guaranteed under Article 21 of the Constitution [16].
Information Technology Act
The Parliament vide the Information Technology Act of 2000 including its amendments of 2008 (hereinafter referred to as the “IT Act”) attempted to formulate a statute for protection of data inter alia viz. providing legal recognition to e-transactions.
The IT Act through Section 43-A provides that a body corporate who is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining “reasonable security practices” resulting in wrongful loss or wrongful gain to any person, then such body corporate may be held liable to pay damages to the person so affected.
Further, Section 72-A of the IT Act makes disclosure of information, knowingly and intentionally, without the consent of the person concerned and in breach of the lawful contract, punishable with imprisonment for a term extending to three years or a fine extending to Rs 5,00,000 or both.
The IT Act was primarily brought in to cater to the needs of the outsourcing industry in India and to contain data thefts and misuse of data as it surfaced for the Indian outsourcing industry, which had to deal with personal data of customers residing in countries having stringent regulations on data protection.
However, the IT Act was not comprehensive enough in all privacy dimensions as we were progressing to a digital economy and increased government measures focusing on personal information of citizens for reportedly percolating benefits, furthering national security interests versus privacy concerns/risks.
With the digital economy increasingly getting a boost and data of individuals being frequently used for business operations such as e-commerce, digipay, etc., personal data of individuals has become a tradable commodity for brokers/dealers in the e-economy. This has created a need to regulate the data flow and the feeling of trust between those whose data is in question and those who decide what to do with such data.
Therefore, a robust legal framework is the need of the hour to inter alia regulate cross-border transfer of personal data of residents in India and to provide rights and remedies to individuals for protection of their rights.
In order to have a full-fledged statute for data protection, the legislature has come up with the Personal Data Protection Bill, 2018 and currently the 2019 version which has been highly motivated by the GDPR [17].
With the discussion/enactment of the Personal Data Protection Bill, the right to privacy, being a fundamental right, would get a definite and certain legal framework for its protection and usage. Further, it would also boost law enforcement, prevent foreign surveillance, create local jobs, ensure jurisdiction of Indian authorities over data breaches and strengthen the Indian economy.
*Bhumesh Verma is Managing Partner at Corp Comm Legal and can be contacted at bhumesh.verma@corpcommlegal.in.
**Sayantan Dey is a Legal and Compliance Professional and Ujjwal Agrawal is a student researcher and 3rd year BA LL.B. student at Maharashtra National Law University, Nagpur.
[1] (1604) 5 Co Rep 91a : 77 ER 194.
[2] Samuel D. Warren and Louis D. Brandeis, The Right to Privacy, Harvard Law Review Vol. IV No. 5, 15-12-1890.
[3] Complete Tort Law: Text, Cases and Materials by Stacie Strong, S.I. Strong and Liz Williams, Oxford University Press.
[4] Art. 12 — No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
[5] <https://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm>.
[6] M.P. Sharma v. Satish Chandra, AIR 1954 SC 300.
[7] Kharak Singh v. State of U.P., AIR 1963 SC 1295.
[10] 1949 SCC OnLine US SC 102 : 93 L Ed 1782 : 338 US 25 (1949).
[13] K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
[14] Ibid
[15] Ibid
[16] Ibid
[17] Ibid