Online Privacy Law (Constitutional Aspect)
- Muskan Narang
- Jul 3, 2024

Privacy and protection. These words are common in talk, but their presence in the real world can be considered next to nothing. One’s right to put information on the internet could lead to some major problems. Social media brings us a platform where it is difficult to differentiate between what is public and what is private. Section 2(1)(o) of the Information Technology Act, 2000 (the “IT Act”) has defined "data" to mean “a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.”
The electronic consent framework issued by the Digital Locker Authority defines ‘data’ to mean “any electronic information that is held by a public or private service provider (like a government service department, a bank, a document repository, etc.). This may include both static documents and transactional documents. However, the concept of data is not only restricted to electronic information but also extends to information stored in physical form, e.g. on a piece of paper”.
Over the last couple of years there has been a substantial increase in the amount of data that is generated through the usage of various electronic devices and applications. Today’s businesses derive substantial value from analyzing ‘big data’ and often determine their business strategies based on such analysis. While there is no denying the business efficiency involved, the burning question is: do individuals have control over the manner in which information pertaining to them is accessed and processed by others? Privacy is the right to be left alone or to be free from misuse or abuse of one’s personality. The right of privacy is the right to be free from unwarranted publicity, to live a life of seclusion, and to live without unwarranted interference by the public in matters with which the public is not necessarily concerned.
Recently, this issue was once again raised before the Hon’ble Supreme Court in the case of K. S. Puttaswamy (Retd.) v Union of India, in which the ‘Aadhaar Card Scheme’ was challenged on the ground that collecting and compiling the demographic and biometric data of the residents of the country to be used for various purposes is in breach of the fundamental right to privacy embodied in Article 21 of the Constitution of India. Given the ambiguity from prior judicial precedents on the constitutional status of the right to privacy, the Hon’ble Supreme Court referred the matter to a constitutional bench consisting of 9 (nine) judges. It was argued on behalf of the Petitioners that the right to privacy is very much a fundamental right which is coterminous with the liberty and dignity of the individual, and that this right is found in Articles 14, 19, 20, 21 and 25 of the Constitution of India read with several international covenants. On the contrary, the Union of India contended that the ‘right to privacy’ is not a fundamental right guaranteed under the Constitution.
The primary defence of the Union of India was that:
(i) if the framers of the Constitution wanted to include the ‘right to privacy’ as a fundamental right, the same would have been specifically included within the Constitution;
(ii) privacy is inherently a subjective and vague concept. The concept of privacy is difficult to define. Such a vague concept cannot be elevated to a fundamental right;
(iii) the present laws already confer sufficient protection to individuals against invasion of privacy; and
(iv) the ‘right to privacy’ is a legitimate claim having the sanction of common law; each such claim cannot be elevated to a fundamental right.
[Footnote 1: (2015) 8 SCC 735]
The Hon’ble Supreme Court, by its decision pronounced on August 24, 2017, unanimously held as under:
“821. The reference is disposed of in the following terms:
(i) The decision in M P Sharma which holds that the right to privacy is not protected by the Constitution stands over-ruled;
(ii) The decision in Kharak Singh to the extent that it holds that the right to privacy is not protected by the Constitution stands overruled;
(iii) The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.
(iv) Decisions subsequent to Kharak Singh which have enunciated the position in (iii) above lay down the correct position in law.”
The Information Technology Act, 2000 (hereinafter referred to as the "IT Act") is an act to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies. Violation of privacy is mentioned in Sec 66E of the IT Act and breach of confidentiality or privacy is mentioned in Sec 72.
The government’s decision to make the coronavirus (Covid-19) tracking application, Aarogya Setu, mandatory in many spheres of life brings constitutional challenges, such as the right to privacy of citizens. Currently, there is no legal framework that governs the app beyond its privacy policy and terms of use.
The Supreme Court has issued notice to the Centre on a PIL seeking a ban on the use of the Zoom app for official and personal purposes. The petition was filed by a homemaker, Harsh Chugh, who sought a ban on the use of the app for official and personal purposes on the grounds that the software gives rise to several privacy and security concerns.

The Zoom app is available free of cost on all app stores and can be used on phones, laptops, tablets etc. For the purposes of hosting video calls, meetings, webinars and such, Zoom has emerged as one of the most used applications in recent times. Raising security and privacy concerns, a PIL in the Supreme Court has sought a direction to the Centre to ban the ‘Zoom’ app for both government and private use. The Indian Computer Emergency Response Team (CERT-In), India’s nodal cyber security agency, too had warned about cyber risks involved in using Zoom, and many organisations across the world had already banned it, petitioner Harsh Chugh submitted. The Zoom app, which was widely being used for video conferencing, “practices data hoarding and cyber hoarding”, which includes mass storage of personal data of its users, and stores cloud recordings, instant messages and files, he alleged. The PIL also said that the CEO of Zoom, Eric S Yuan, has publicly apologized for privacy lapses, highlighting the security shortcomings in the app. The plea also submitted that Zoom had publicly apologized for routing traffic through China, where the internet is heavily monitored by the government.
[Footnote: Justice K.S. Puttaswamy v UOI, 2017 SCC Online 996]
Noting that the COVID-19 pandemic drastically reshaped the way in which consumers, businesses and schools communicated, Chugh said that instead of lending a helping hand to people in need, Zoom violated the privacy of its millions of users by misusing and exploiting their personal information.
In line with this trend to protect privacy, China is poised to enshrine individuals’ rights to privacy and personal data for the first time, a symbolic first step as the country of more than 1.4 billion people becomes digitized and more vulnerable to leaks and hacks. The legislation is part of China’s first civil code, the sweeping package of laws being deliberated during the annual meeting of parliament, which began on Friday after a delay of more than 2 months due to the coronavirus. According to the recent draft, an individual has the right to privacy and to have their personal information protected. Data collectors must protect an individual’s personal information and cannot obtain, disclose, or conduct transactions of such data without their consent. The push to shore up data privacy in China is widely seen as an effort to protect and legitimize the country’s fast-growing internet sector and to place safeguards on the movement of valuable Chinese data overseas. It remains important to see how those rights will be protected, and the legislation gives individuals no protection from the increasingly pervasive surveillance by the government, which wields total control over the country’s digital sphere.
The recognition of digital privacy rights is an important step, allowing individuals who suffer from leaks to seek redress. The legislation places China among the minority of countries building up legal frameworks governing individual data privacy, although the individual protections currently in place are not as strong as those of Europe’s General Data Protection Regulations. The common problem with the present rules is that they don’t impose any significant punishment on the companies responsible for privacy-related breaches. Chinese courts have also been inconsistent in privacy cases, which some blamed on inadequate regulations and guidance for a rigid court system that limits the judges’ scope to make new interpretations in law. Stronger penalties for such breaches or leaks are needed to provide effective protection.
The Government has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The Rules only deal with protection of "Sensitive personal data or information of a person", which includes such personal information which consists of information relating to Passwords; Financial information such as bank account or credit card or debit card or other payment instrument details; Physical, physiological and mental health condition; Sexual orientation; Medical records and history; Biometric information. The Rules provide the reasonable security practices and procedures which the body corporate, or any person who on behalf of the body corporate collects, receives, possesses, stores, deals with or handles information, is required to follow while dealing with "Personal sensitive data or information". In case of any breach by the body corporate or any other person acting on its behalf, the body corporate may be held liable to pay damages to the person so affected.
Under section 72A of the (Indian) Information Technology Act, 2000, disclosure of information, knowingly and intentionally, without the consent of the person concerned and in breach of the lawful contract has also been made punishable with imprisonment for a term extending to three years and fine extending to Rs 5,00,000 (approx. US$ 8,000). It is to be noted that S 69 of the Act, which is an exception to the general rule of maintenance of privacy and secrecy of information, provides that where the Government is satisfied that it is necessary in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence relating to the above, or for investigation of any offence, it may by order direct any agency of the appropriate Government to intercept, monitor or decrypt, or cause to be intercepted or monitored or decrypted, any information generated, transmitted, received or stored in any computer resource.
This section empowers the Government to intercept, monitor or decrypt any information, including information of a personal nature, in any computer resource.
Grounds on which the Government can interfere with data: under section 69 of the IT Act, any person authorised by the Government, or any of its officers specially authorised by the Government, if satisfied that it is necessary or expedient so to do in the interest of sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence relating to the above, or for investigation of any offence, can, for reasons to be recorded in writing, by order direct any agency of the Government to intercept, monitor or decrypt, or cause to be intercepted or monitored or decrypted, any information generated, transmitted, received or stored in any computer resource. The scope of section 69 of the IT Act includes both interception and monitoring along with decryption for the purpose of investigation of cyber-crimes. The Government has also notified the Information Technology (Procedures and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, under the above section.
The Government has also notified the Information Technology (Procedures and Safeguards for Blocking for Access of Information) Rules, 2009, under section 69A of the IT Act, which deals with the blocking of websites. The Government has blocked access to various websites.
Section 65 of the IT Act lays down that whoever knowingly or intentionally conceals, destroys, or alters any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to Rs 2,00,000 (approx. US$ 3,000), or with both.
Section 66 provides that if any person dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years, or with fine which may extend to Rs 5,00,000 (approx. US$ 8,000), or with both.
Section 72 of the IT Act provides for penalty for breach of confidentiality and privacy. The Section provides that any person who, in pursuance of any of the powers conferred under the IT Act, Rules or Regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material and, without the consent of the person concerned, discloses such material to any other person, shall be punishable with imprisonment for a term which may extend to two years, or with fine which may extend to Rs 1,00,000 (approx. US$ 3,000), or with both.
Section 10A was inserted in the IT Act to deal with the validity of contracts formed through electronic means. It lays down that contracts formed through electronic means "shall not be deemed to be unenforceable solely on the ground that such electronic form or means was used for that purpose".
Online privacy can be understood as the rights which an individual has online with respect to their data, and the violations of the same that take place online. Given the dynamic nature of the online sphere, privacy concerns and issues are rapidly changing. Seemingly harmless data, such as IP addresses, key words used in searches and websites visited, can now be combined and analysed to identify individuals and learn personal information about them.
From information shared on social media sites, to cookies collecting user browser history, to individuals transacting online, to mobile phones registering location data, information about an individual is generated through each use of the internet. In some cases the individual is aware that they are generating information and that it is being collected, but in many cases the individual is unaware of the information trail that they are leaving online, does not know who is accessing the information, and does not have control over how their information is being handled and for what purposes it is being used. For example, law enforcement routinely troll social media sites for information that might be useful in an investigation.