RIGHT TO PRIVACY AND SRI KRISHNA COMMITTEE REPORT ON PDP BILL, 2019
Author: Rakshit Gupta, I year of BBA.LLB from Symbiosis Law School, Pune
Before we go into detail about the Right to Privacy, it's important to understand what the term "privacy" means. “Right to be left alone; the right of a citizen to be exempt from any unwarranted publicity; the right to live without any unwarranted public intervention in matters in which the public is not generally concerned,” according to Black's Law Dictionary. “No person shall be deprived of his life or personal liberty except in accordance with the procedure provided by law,” according to Article 21 of the Indian Constitution. After reading Article 21, it was determined that the word "life" encompasses all facets of life that contribute to making a man's life meaningful, full, and worthwhile.
Right to Privacy in India
As previously stated, Article 21 of the Indian Constitution states that "no person shall be deprived of his life or personal liberty except in compliance with legal procedure." Article 21's right to life has been liberally interpreted to mean more than mere survival, creation, or animal existence. As a result, it encompasses all facets of life that make a man's life more meaningful, complete, and worthwhile, and the right to privacy is one of them. The Supreme Court held in Kharak Singh v. State of Uttar Pradesh that Regulation 236 of the Uttar Pradesh Police Regulation was unconstitutional because it conflicted with Article 21 of the Constitution. The right to privacy is a part of the right to life and personal liberty, according to the Court. The Court had equated privacy with personal liberty in this case. The right to privacy is an emanation of Art. 19(a), (d), and 21, but it is not an absolute right, according to Mathew, J. in Govind v. State of Madhya Pradesh. “Assuming that a citizen's constitutional rights have penumbral zones and that the right to privacy is a fundamental right in and of itself, the fundamental right must be subject to restraint in the public interest.” Due to the character and antecedents of the person subjected to surveillance, as well as the items and limitations under which the surveillance is made, surveillance by domiciliary visits need not always be an unfair encroachment on a person's privacy. The right to privacy is about people, not places.
In the case of Smt. Maneka Gandhi v. Union of India & Anr., (1978), a seven-judge SC bench ruled that "personal liberty" in article 21 encompasses a broad range of rights, some of which have the status of fundamental rights and are afforded additional protection under section 19.
Any legislation that restricts personal liberty must pass the Triple Test:
(1) It must provide a procedure;
(2) the procedure must pass the test of one or more of the fundamental rights conferred under Article 19 that may be applicable in a particular situation; and (3) it must pass the test of Article 14. Interference with personal liberty and the right to privacy must be legal, just, and equitable, not unreasonable, fanciful, or oppressive.
International Concepts of Privacy
“No one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence, nor to attacks on his honour and reputation, all have a legal right to be protected from such interference or attacks. According to Article 12 of the Universal Declaration of Human Rights (1948).
“No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home, or correspondence, nor to unlawful attacks on his honour and reputation,” notes Article 17 of the International Covenant on Civil and Political Rights (to which India is a party).
“Everyone has the right to respect for his private and family life, his home and his correspondence; there shall be no interference by a public authority unless it is by law and is essential in a democratic society in the interests of national security, public safety, or the economic well-being of the country, for the protection of the prot,” says Article 8 of the European Convention on Human Rights.
Right to Privacy- Permissible Restriction
Legislative provisions, administrative/executive orders, and judicial orders are also exampling of intrusion into privacy. Legislative interference must be judged based on reasonableness, as provided by the Constitution, and the Court will do so by looking at the proportionality of the intrusion about the aim pursued. (2) When it comes to regulatory or executive action, it must be fair given the facts and circumstances of the situation. (3) In the case of judicial warrants, the Court must have fair grounds to conclude that the search or seizure is justified, and it must recognize the scope of the search or seizure needed to protect the relevant State interest. Furthermore, as previously mentioned, the common law recognized unusual exceptions to the rule that warrantless searches may be done in good faith, to protect evidence or to avoid sudden anger to an individual or property.
Justice B.N. Krishna Committee Submits Data Protection Report
The Government has received a study on the "Data Protection Framework" from a committee led by retired Supreme Court Judge Justice BN Srikrishna.
The Union government formed the Committee in July 2017 to negotiate a data protection system.
In the Puttaswamy decision from 2017, the Supreme Court declared privacy to be a fundamental right. This prompted the government to begin working on a new data protection law for the country.
The report emphasizes that citizens' interests and the state's obligations must be secured, but not at the expense of trade and industry.
A draft Personal Data Protection Bill has also been introduced by the Committee.
Highlights of Report
Individual Consent: The draft Bill prioritizes individual consent in data exchange, grants users’ privileges, and places responsibilities on data fiduciaries (all those entities, including the State, which determine purpose and means of data processing).
Consent would be a legal basis for personal data collection. The rule, on the other hand, would use a changed consent process, making the data fiduciary responsible for any damage caused to the data principal.
The Data Protection Bill also mandates that data processors implement privacy by design, and defines terminology such as consent, data breach, confidential data, and so on.
Right to be forgotten: It refers to people's right to restrict, delink, erase, or correct personal information that is deceptive, embarrassing, irrelevant, or anachronistic on the internet.
Data Protection Authority: A Data Protection Authority (DPA) will be established under the data protection law, which will be an autonomous regulatory agency responsible for the law's compliance and successful implementation. The DPA's key duties are as follows:
monitoring and enforcing the law, as well as establishing policies and standards
study and education
investigation, grievance resolution, and adjudication
Personal Data: The legislation would extend to both public and private organizations that process personal data. If personal data has been used, exchanged, disclosed, collected, or otherwise processed in India, the law would have jurisdiction over it.
The bill proposes that sensitive personal data of Indian people be stored in Indian-controlled centres.
Passwords, financial data, health data, official identifiers, sex life, sexual identity, biometric and genetic data, and data revealing transgender status, intersex status, caste, tribe, religious or political views or affiliations of an individual would all be considered sensitive personal data. The DPA would, however, be granted the residuary power to inform additional groups in compliance with the law's requirements.
Data Storage: The bill contains provisions for data protection, including the requirement that a copy of personal data is kept in India.
Appellate Tribunal: The Central Government must either establish an appellate tribunal or assign powers to an established appellate tribunal to hear and decide any appeals against DPA orders.
Penalties: Violations of the data protection law may result in penalties. Penalties will be levied in the proportion of the set upper limit or a percentage of the previous financial year's gross worldwide revenue, whichever is higher.
For violations of the provisions, the Committee proposes a penalty of Rs. 15 crores or 4% of any data collection/processing entity's total worldwide turnover. Failure to respond quickly to a data security breach will result in a penalty of up to Rs. 5 crores or 2% of turnover.
The fines charged by breaching organizations, in this case, would be deposited into a Data Protection Fund, which will be used to fund the Data Protection Authority's operations, among other things.
The legislation will not apply retroactively and will be implemented in a standardized and staggered manner.
Impact on allied Law: The effect of the proposed data protection policy on related laws, such as the Aadhaar Act and the RTI Act, which require or authorize the processing of personal data for various purposes, is also listed in the study.
The Aadhaar Act is silent on the authority of the Unique Identification Authority of India (UIDAI) to take legal action against errant companies in its ecosystem, according to the committee. To improve data security, the Aadhaar Act needs to be amended.
The report also recommends changes to the RTI Act, stating that the release of information from public authorities can result in private harm.
Exceptions: On the grounds of public safety, law and order, emergency circumstances where the person is unable to provide consent, jobs, and fair intent, the state may process data without the user's consent.
Certain data processing interests, such as state security, legal proceedings, analysis, and journalistic purposes, may be excluded from some of the proposed data protection law's obligations.
To protect against possible abuse, appropriate security protections must be included in the legislation.
Cross Border Data Transfer: Other than critical personal data, the transfer of personal data would be done by model contract clauses containing main responsibilities, with the transferor being responsible for any damage caused to the principal as a result of the transferee's breaches.
Personal data that is determined to be vital would be required to be processed only in India (there will be a prohibition against cross border transfer for such data).
Data of Children: The Committee has explicitly stated the need for different and more strict norms for protecting children's data, recommending that businesses be excluded from such forms of data processing, such as behavioural surveillance, tracking, targeted advertisement, and any other form of processing that is not in the child's best interest.
The explanation for this difference in care derives from the fact that children do not fully comprehend the implications of their acts. This is compounded in the modern world, where data collection and analysis are largely ambiguous and encumbered by complicated consent forms.
The committee recommends that the Data Protection Authority be given the authority to appoint guardian data fiduciaries to websites or online services that process vast amounts of personal data about children.
According to the bill, personal data of individuals may be collected to carry out some state operation. This may be done without the individual's permission as long as the intention is to offer a service or benefit to them. This runs counter to the Puttaswamy decision, which emphasized informed consent as a key component of informational privacy. The draft bill does not address the reform of surveillance legislation, which is an important subject. In India, there is very little legislative and judicial oversight of surveillance operations. Requiring all companies to store data within India, as suggested by the Bill, without any reform of surveillance governance, could lead to even more privacy concerns in the future.
Individual privacy would be preserved, autonomy would be assured, and data flows for a growing data environment would be permitted by enacting data protection legislation in the nation. It has the potential to create a free and equal digital economy, in which freedom is defined as the expansion of individual autonomy over personal data and fairness is defined as the regulatory system in which this individual right is secured.