CYBER LAW AND DATA PRIVACY REGIME IN INDIA: A COMPARATIVE STUDY – Soumya Sharma

Introduction

The exponential growth of ICTs presents major threats to users’ right to privacy and the integrity of their data. In light of these risks, the right to data privacy has emerged as a basic human right with the aim of regulating the treatment of individually identifiable information and protecting the interests of the person to whom the data belongs (the data subject). Information that pertains to or may be used to identify a particular living individual is considered personal data. The data or information doesn’t have to be secret. While the collection of personal information by private organizations and government agencies is nothing new, the advent of new technologies has increased the risk to individuals’ privacy. Because of technological advancements, it is now much easier to store vast amounts of data, modify data in real time, and transfer data with the click of a mouse.[1]  A breach or violation may occur without the data subject even realizing it.

Thus, unrestrained data processing may facilitate violations of human rights, including those pertaining to privacy, dignity, security of person, discrimination, and justice.  The widespread dissemination of private data has led to an increase in crimes such identity theft, phishing, fraud, monetary theft, harassment, and stalking. The misuse of private information may potentially lead to widespread violations of human rights.[2]  During the Rwandan genocide, for instance, hundreds of Tutsi were killed just because their tribe was included on their identification documents. Therefore, there must be regulations in place to protect people’s privacy in the present day.[3] While privacy protections were developed first in the West, the proliferation of ICTs has brought these problems to developing countries like Malawi.

Privacy of Data

The proliferation of electronic devices and software has resulted in a significant increase in the volume of data generated in recent years. The analysis of ‘big data’ offers substantial benefits to contemporary businesses, which are progressively utilizing it to guide their strategic determinations. While acknowledging the pragmatic advantages for enterprises, the central concern pertains to the extent of individual agency in determining the utilization of their personal information.

The concept of privacy entails the liberty to be free from unwarranted interference or intrusion into one’s personal life. The concept of privacy rights pertains to the liberty of individuals to be free from interference or intrusion into their personal affairs by the government or other entities, absent a compelling public interest justification.[4]

The notion of an individual’s entitlement to privacy is not a new concept. The legal system of common law acknowledges the entitlement of an individual to seek compensation for tortious harm in cases where their privacy has been infringed. Semayne’s Case[5], which dates back to 1604, represents one of the earliest examples of a legal proceeding that tackled this particular matter. The legal proceedings in question involved the authorized entry of a property by the Sheriff of London for the purpose of executing a warrant. Sir Edward Coke made a notable observation regarding men’s entitlement to privacy, stating that an individual’s dwelling is akin to a castle and fortress, serving as a means of protection against harm and violence, as well as a place of rest. During the nineteenth century, individuals from England made significant contributions to the contemporary comprehension of privacy. The legal precedent of Campbell v. MGN[6] determined that an intrusion upon an individual’s privacy in a context where a reasonable expectation of privacy exists may result in liability unless the intrusion can be justified.

Indian Jurisprudence on Right to Privacy

Article 21 of the Indian Constitution stipulates that no individual shall be deprived of their life or personal liberty, except in accordance with the procedure established by law. The Indian Constitution does not enumerate the ‘right to privacy’ as a fundamental right.

The matter of M. P. Sharma and Others v. Satish Chandra, District Magistrate[7], Delhi and Others involved a challenge to the legitimacy of a warrant for search and seizure that was granted under Sections 94 and 96 (1) of the Code of Criminal Procedure. The Supreme Court examined whether the “right to privacy” constitutes a fundamental right. According to the Supreme Court’s ruling, the Constitution does not impose limitations on the right to search and seize. Furthermore, the Supreme Court of India, in its ruling, refused to acknowledge the right to privacy as a fundamental right safeguarded by the Constitution of India, citing the following rationale: –

“Having given the matter our best consideration we are clearly of the opinion that the freedom guaranteed by Article 19(1)(d) is not infringed by a watch being kept over the movements of the suspect. Nor do we consider that Article 21 has any relevance in the context as was sought to be suggested by learned Counsel for the petitioner. As already pointed out, the right of privacy is not a guaranteed right under our Constitution and therefore the attempt to ascertain the movements of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III.”

However, the sectional opinion by Hon’ble Mr. Justice Subba Rao predicted privacy as an important facet of “personal liberty” and thus “Article 21 of the Constitution of India” by observing as under: –

“ In A.K. Gopalan case [1950 SCR 88], it is described to mean liberty relating to or concerning the person or body of the individual; and personal liberty in this sense is the antithesis of physical restraint or coercion. The expression is wide enough to take in a right to be free from restrictions placed on his movements. The expression “coercion” in the modern age cannot be construed in a narrow sense. In an uncivilized society where there are no inhibitions, only physical restraints may detract from personal liberty, but as civilization advances the psychological restraints are more effective than physical ones. The scientific methods used to condition a man’s mind are in a real sense physical restraint, for they engender physical fear channelling one’s actions through anticipated and expected grooves. So also the creation of conditions which necessarily engender inhibitions and fear complexes can be described as physical restraints. Further, the right to personal liberty takes in not only a right to be free from restrictions placed on his movements, but also free from encroachments on his private life. It is true our Constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty. Every democratic country sanctifies domestic life; it is expected to give him rest, physical happiness, peace of mind and security. In the last resort, a person’s house, where he lives with his family, is his “castle”; it is his rampart against encroachment on his personal liberty. The pregnant words of that famous Judge, Frankfurter J., in Wolf v. Colorado [[1949] 238 US 25] pointing out the importance of the security of one’s privacy against arbitrary intrusion by the police, could have no less application to an Indian home as to an American one. If physical restraints on a person’s movements affect his personal liberty, physical encroachments on his private life would affect it in a larger degree. Indeed, nothing is more deleterious to a man’s physical happiness and health than a calculated interference with his privacy. We would, therefore, define the right of personal liberty in Article 21 as a right of an individual to be free from restrictions or encroachments on his person, whether those restrictions or encroachments are directly imposed or indirectly brought about by calculated measures. It so understood, all the acts of surveillance under Regulation 236 infringe the fundamental right of the petitioner under Article 21 of the Constitution.”

The legitimacy of police’s ability to conduct domiciliary surveillance was contested in the case ofGobind v State of M.P[8] on the grounds of its inconsistency with the right to privacy as protected by Article 21 of the Indian Constitution. The Indian Supreme Court rendered a verdict deeming the police regulations unconstitutional and affirming the right to privacy as a constitutionally safeguarded liberty. However, the Court expressed a preference for the gradual development of this right through a case-by-case approach and dismissed assertions that it was an absolute right. The Hon’ble Supreme Court observed as under:-

“The right to privacy in any event will necessarily have to go through a process of case-by-case development. Therefore, even assuming that the right to personal liberty, the right to move freely throughout the territory of India and the freedom of speech create an independent right of privacy as an emanation from them which one can characterize as a fundamental right, we do not think that the right is absolute.”

A parallel scheme has been sustained by the Hon’ble Supreme Court in the case of R. Rajagopal and Anr. v State of Tamil Nadu[9] ,in the progression of its swift of the decision, as under: –

“We may now summarize the broad principles flowing from the above discussion: (1) The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a “right to be let alone”. A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters. None can publish anything concerning the above matters without his consent — whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages. Position may, however, be different, if a person voluntarily thrusts himself into controversy or voluntarily invites or raises a controversy.”

Subsequently in the case of People’s Union for Civil Liberties (PUCL) v Union of India[10] the Hon’ble Supreme Court evidently held that:-

“We have, therefore, no hesitation in holding that right to privacy is a part of the right to “life” and “personal liberty” enshrined under Article 21 of the Constitution. Once the facts in a given case constitute a right to privacy, Article 21 is attracted. The said right cannot be curtailed “except according to procedure established by law”.”

Current Issues Surrounding Data Privacy

The Apex Court of India has laid down three criteria that must be satisfied prior to the state’s encroachment upon the fundamental freedoms of its populace. In order to safeguard lawful state interests, it is permissible for the state to intervene. However, this intervention must adhere to certain conditions.

1. There must exist a legal basis to justify any infringement upon privacy, as stipulated by Article 21 of the Constitution.
2. The nature and substance of the legislation that imposes such restrictions must conform to the reasonable standards mandated by Article 14.
3. The methods employed by the legislature must be commensurate with the objectives and requirements that are intended to be achieved.

Moving forward, regulations that infringe upon individuals’ privacy must demonstrate their essentiality, appropriateness, and impartiality. The determination of the appropriate and equitable extent of State involvement is a matter that will require a considerable amount of time for the legal system to arrive at a definitive conclusion. The legality of the Adhar Scheme will be subject to examination based on the aforementioned ruling.

A prevalent suggestion is for India to adopt a ‘rights based’ approach to safeguarding personal data, as opposed to the current ‘permission based’ strategy. Under the consent-based approach, the data controller is authorized to utilize the information in any manner as long as they have obtained the user’s consent. A significant number of individuals may grant consent for the sharing of their data without comprehensively grasping the potential consequences associated with such an action. In contrast, the ‘rights based’ methodology confers greater autonomy to users with regard to their information, while simultaneously imposing a responsibility upon the data controller to safeguard these rights. Consequently, this leads to an increased level of autonomy for individuals with regards to their personal data.

As per the verdict of the Hon’ble Supreme Court, Indian citizens are now empowered to pursue legal recourse in case of infringement of their data privacy rights. Potential consequences of privacy and security regulations on India’s IT industry. Individuals are afforded the opportunity to assert an infringement upon their privacy through either the tort law or the Fourth Amendment of the Constitution.

Information and Technology Act, 2000 and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal information) Rules, 2011

The Government has established a legislative framework for the protection of personal information and privacy via the Information Technology Act and the Information Technology Rules.

Several clauses addressing data protection, required privacy policies, and fines for breaching such policies were added to the IT Act in 2008 as a result of revisions made to the act at that time. Following is a summary of the pertinent sections of the ITAct: In accordance with subsections (a), (b), and (i) of Section 43, it is unlawful for any person to access, use, or disclose any information contained in, or transmit through, any computer, computer system, or computer network without the express consent of the owner or, any other person who may be in charge of such a system.

“a) accesses or obtains access to such computer, computer system, or computer network;“ “b) downloads, copies, or extracts any data, computer data base, or information from such computer, computer system, or computer network, including information or data held or stored on any removal storage medium;”

“c) accesses or obtains access to such computer, computer system, or computer network;”

“d) downloads, copies, or extracts any data, computer data base, or information from such computer, computer system, or computer network, including information or data held or stored on any removal storage medium;”

“e) steals, conceals, destroys, or modifies, or causes any person to steal, conceal, destroy, or modify, any computer source code used for a computer resource with the intent to cause damage; will be accountable to the person thus injured for damages by means of compensation not exceeding INR 1,00,00,000 (Rupees One Crore).”

Research problem

The employment of information and communication technology (ICT) by both governmental and non-governmental organizations in Malawi has been on the rise, leading to the gathering and analysis of personal data. This trend poses a potential risk to the protection of individuals’ right to data privacy. Despite the potential risks involved, the matter of safeguarding data privacy has not been given significant consideration by academics and policymakers in Malawi. Moreover, there is a lack of comprehension among data subjects regarding the significance of safeguarding their personal data. Consequently, Malawi presents a significant likelihood of infringements upon individuals’ data privacy rights. The potential hazards could be amplified due to the widespread prevalence of poverty, disparities in wealth and education, prevalent lack of digital literacy, gender inequalities, and insufficient safeguards for individuals with disabilities. The escalating employment of Information and Communication Technology (ICT) in the manipulation of personal information in Malawi, coupled with the rapid advancement of such technologies, calls for a critical evaluation of the extent to which the existing legal framework sufficiently safeguards individuals’ data privacy rights. This study aims to evaluate the sufficiency and effectiveness of data privacy regulations in Malawi, taking into consideration various contexts and vulnerabilities.

1.1.          Research questions

The main research question addressed by this study is:

1. What are the factors influencing the people to download the application from application store at cost of online data privacy breach?
2. What is the impact of law and technology on society, particularly on the vulnerable segments of the population, prompts an inquiry into the theoretical frameworks that underpin this phenomenon?
3. What is the extent to which personal information is protected under existing legislation?

Methodology

The present study utilizes a methodology of research that is based on desk work. The utilization of primary sources is a crucial aspect in this context, with a particular emphasis on instruments, acts, bills, and case law pertaining to human rights and data privacy protection. In addition to primary sources, this study incorporates secondary sources such as books, scholarly articles, governmental and non-governmental reports, conference proceedings, commentaries, and dissertations. Furthermore, comparative legal research is carried out with the aim of extracting insights from international legal systems regarding safeguarding of data privacy, which can be utilized to inform requisite legal modifications.

Objectives

• To study and analyze the legal position of the right to privacy in India.
• To study the constraints and limitations of the right to privacy in governance.
• To suggest concrete suggestions in the form of a model law on right to privacy befitting for the Indian scenario.

PRIVACY A GLOBAL RIGHT

Privacy is the right to be free from covert observation and to select when, how, and to whom one’s information is disclosed. Privacy is an age-old concept and with time it has developed both in favor as well as against a person[11]. Due to advancement in technology, its ambit has increased to include categories such as physical, informational, decisional and dispositional.

The law has to keep pace with increase in advancement in technology to protect the rights of individuals. Several amendments in the existing statues along with development and initiation of new statues have helped the Indian legal system to evolve[12]. The recent decision of the Supreme Court declaring privacy as a fundamental right has become a landmark judgement.

LAW OF PRIVACY

The Information Technology Act, 2000 (hereinafter referred to as ―IT Act‖) under the definition of computer, a computer, computer system, computer network, data, computer database, and software are included. The phrase encompasses broadly intrusions involving any electronic communication devices or networks, including mobile networks. The IT Act imposes civil responsibility and criminal punishment for a range of precisely defined computer-related acts, many of which directly or indirectly impair privacy.

THE HISTORICAL BACKGROUND OF INDIAN CONSTITUTION IN CONTEXT TO PRIVACY

When the Constituent Assembly was debating on the preamble there was a lot of discussion with regards to Fraternity clause, this shows the relevance and importance of dignity of an individual.

The members of the Constituent Assembly[13] B. Pattabhi, Srimati Durga Bai, Thakurdas Bhargava, B.V. Keskar, T.T. Krishnamachari, M. Ananthasayanam and K. Sanathanam wanted to change the language to the following order: –

Fraternity assuring the unity of Nation and the dignity of the Individuals.

This proposal amendment was criticized and rejected on the ground that Unity of Nation can only be achieved when dignity of individual is assured. Based on the lines of U.S. Constitution Fourth amendment Kazi Karimuddin forwarded an Amendment which was favored and supported by Dr. B.R. Ambedkar. Though being convinced, Dr. Ambedkar supported it in a very reserved manner, due to which Right to Privacy was not incorporated in the constitution of India.

Even though this amendment related to the Constitution‘s 5^th amendment, it was not accepted in full but a part of it was approved. It says the protection against self- incrimination given under Article 20(g). This Article is the essential clause to protect personal liberty. Confession made on own will, choice and freedom is very important and essential aspect of privacy. Therefore, it is the Privacy of Personal Liberty.

 

CONSTITUTIONAL RIGHT TO PRIVACY

After the verdict in the case of K.S. Puttaswamy v. UOI the Right to privacy got its desired place under Article 21 of the constitution of India[14]. The scope of this extension under Article 21 came from the case of Maneka Gandhi v. UOI whereby the way of judicial activism and interpretation many human rights were made part of Article 21.

If we look at the preamble, dignity of individual is already assured, and it has been already seen and discussed that privacy is an inseparable and integral part of human dignity. Therefore, this acceptance of human dignity in the preamble has already laid a ground for the development and incorporation of Right to Privacy in the Indian Constitution. Now after Right to Privacy becoming a fundamental right, right to live with human dignity has become very strong and forceful.

When we look deeper in the Indian Constitution, we can find other Articles which are providing Right to Privacy and protecting any violation against this right. One such article is Article 23 which prohibits trafficking, beggary etc. This article supports the concept laid down by Warren – Brandeis means inviolate personality. Article 23 also recognizes inviolate personality.

Now that Privacy has become a fundamental right it can also be remedied by way of writ under Article 32 and 226. The enforceability that has come to privacy after becoming a fundamental right has given this Right long due recognition.

Article 13 of the Constitution is also essential when we talk about fundamental rights. This article clearly forbids the State from passing / making altering any law which is found to be in contravention to fundamental rights. Therefore, no act, regulation or law can contravene the right to privacy of an individual.

The right to life protected by Article 21 has been expansively construed to include more than mere survival, simple existence, or animal existence. Its scope if always expanding and thus refers to every aspect of a man‘s life. When the Constitution guarantees right to life, it also ensures right to live with dignity which can be ensured when the privacy of a person is maintained. Thereby, leading to the evolution and need of right to privacy.

Privacy enjoys a robust legal framework internationally. Article 12 of the Universal Declaration of Human Rights, 1948 and Article 17 of the International Covenant on Civil and Political Rights (ICCPR), 1966[15], legally protect persons  against arbitrary interference with one’s privacy, family, home, correspondence, honor, and reputation. India signed and ratified the ICCPR on ‘April 10, 1979, without reservation. Article 7 and 8 of the Charter of Fundamental Rights of the European Union, 2012, recognizes the respect for private and family life, home and communications. Article 8 mandates protection of personal data and its collection for a specified legitimate purpose.

The first mention of the right to privacy dates back to 1964 in the case of Kharak Singh v State of UP. The case involved the legality of certain police regulations that, without a statutory basis, authorised the police to keep under  surveillance  persons whose names were recorded in the history-sheet maintained by the police as habitual criminals or as persons who were likely to become habitual criminals. The petitioner alleged that this regulation led to violation of his fundamental right under Article 19(1)(d) and personal liberty under Article 21. The majority of the Supreme Court ruled that the regulation permitting police to perform house calls violated Article 21 of the Constitution. However, it did not violate Article 19(1). Ayyangar J. held that the right to privacy is not a right under our Constitution and therefore attempt to ascertain the movement of an individual which is merely a manner in which privacy is invaded is not an infringement of a fundamental right guaranteed by Part III.

Conclusion

Conducting a comprehensive comparative study on cyber law and data privacy regimes in India can provide valuable insights into the legal frameworks governing digital activities and the protection of personal information. Here are some potential conclusions one might draw from such a study:

1. Evolutionary Nature: India’s cyber law and data privacy regime have evolved significantly over the years, reflecting the changing landscape of technology and digital communication. From the Information Technology Act, 2000 to more recent developments like the Personal Data Protection Bill, 2019, there is a clear effort to keep pace with global standards and address emerging challenges.
2. Complexity and Interconnectedness: The legal landscape governing cyber activities and data privacy in India is multifaceted and interconnected. It involves a combination of statutes, regulations, guidelines, and judicial interpretations. Understanding the nuances and interactions between these various legal instruments is essential for both compliance and effective enforcement.
3. Alignment with International Standards: In comparing India’s cyber law and data privacy regime with those of other countries, it becomes apparent that there is a growing emphasis on aligning domestic regulations with international standards and best practices. This alignment is crucial for facilitating cross-border data flows, promoting digital trade, and enhancing global cybersecurity cooperation.
4. Challenges and Gaps: Despite progress, several challenges and gaps persist in India’s cyber law and data privacy framework. These may include issues related to enforcement mechanisms, resource constraints, regulatory overlaps, and the need for greater clarity on certain legal provisions. Addressing these challenges will be essential for ensuring effective protection of digital rights and fostering trust in the digital ecosystem.
5. Balancing Rights and Responsibilities: Achieving an appropriate balance between protecting individual rights, such as privacy and freedom of expression, and promoting legitimate interests, such as national security and law enforcement, remains a key challenge for policymakers and legal practitioners. Striking this balance requires careful consideration of competing interests and stakeholder perspectives.
6. Need for Continuous Adaptation: Given the rapid pace of technological innovation and evolving cyber threats, India’s cyber law and data privacy regime must adapt continuously to keep pace with emerging trends and challenges. This may involve regular updates to existing laws, adoption of new regulatory frameworks, capacity building for law enforcement agencies, and fostering greater public awareness and digital literacy.

In conclusion, a comparative study of India’s cyber law and data privacy regime can shed light on its strengths, weaknesses, and areas for improvement. By analyzing similarities and differences with other jurisdictions, policymakers, legal experts, and other stakeholders can identify best practices, learn from international experiences, and work towards building a more robust and effective legal framework for the digital age.

[1] Alex Boniface Makulilo (ed), African Data Privacy Laws, Springer (2016) 3.

[2] Esma Aimeur and David Schonfeld, ‘The Ultimate Invasion of Privacy: Identity Theft’ (Ninth Annual

International Conference on Privacy, Security and Trust 2011).

[3] James Wiley, ‘The Globalisation of Technology to Developing Countries’ (Digital Commons, 4 August 2009).

[4] Strutner v Dispatch Printing Co., 2 Ohio App. 3d 377 (Ohio Ct. App., Franklin County 1982).

[5]Peter Semayne v Richard Gresham, 77 ER 194.

[6] 2004 UKHL 22.

[7] 1954 SCR 1077.

[8] (1975) 2 SCC 148.

[9] (1994) 6 SCC 632.

[10] (1997) 1 SCC 301

[11] Lindsey Norman, ‗An Overview of the Changing Data Privacy Landscape in India‘ (2018)919 <www.pwc.in>.Accessed on2November2021.

[12] PayalThaorey, ‗Informational Privacy: Legal Introspection in India‘ ILI Law, Review Vol and II Winter Issue(2019)II160.

[13]RoyKapoor,‗ConstituentAssemblyofIndiaDebates(Proceedings)-VolumeIX‘(1949)IX.

[14]A Berriedale Keith and GN Joshi, The New Constitution of India ‘(1939) The University of Toronto Law Journal 676.

[15]AnjaMihr,‗PublicPrivacy-HumanRightsinCyberspace‘(2013)SIMWorkingPaper108.