
LEGAL AND CONSTITUTIONAL ASPECTS OF PRIVACY AND DATA PROTECTION

1. INTRODUCTION

Rights, an inherent and inalienable characteristic of human society, have been reduced into
visible and implementable documents in the international and national spheres.[1] Some rights find
explicit mention in such documents, while others are introduced through interpretative tools
because of their integral link with such rights. Among all these, the right to privacy is one of the
most important and accepted personal rights. It gives the individual power against snooping by
others. The right to privacy finds reference in the Universal Declaration of Human Rights, the
International Covenant on Civil and Political Rights and the Convention on the Rights of the Child.
The right to privacy is a most integral part of human life.[2]

The middle of the last century witnessed the documentation of a right relating to non-interference in
one’s personal life. It has acquired significance with the commodification of technology.
Technology has transcended every sphere of human life.[3] Intrusion into human life through
advanced technology has become an everyday phenomenon. It happens either through
voluntary disclosure or through involuntary acquisition of information.

The data protection concept is more or less connected with the individual’s privacy.[4] It is
typically reserved for a set of norms that serve a wider range of interests than simply privacy
protection.[5] It is not privacy alone that has been taken into consideration for data protection.
A variety of other, partly overlapping concepts have been invoked too,
particularly those of “freedom”, “liberty” and “autonomy”.[6]

[1] Prakash Shah, “International Human Rights: A Perspective from India,” Fordham International Law Journal, Vol. 21, Issue 1, Article 3 (1997): 24-38.
[2] Samuel D. Warren and Louis D. Brandeis, “The Right to Privacy,” Harvard Law Review, Vol. 4, No. 5 (1890): 193-220.
[3] Austin, Lisa Michelle, “Privacy law and the question of technology,” Ph.D. Thesis, University of Toronto, 2005, ProQuest Dissertations and Theses.
[4] Lutha R Nair, “Data Protection Efforts in India: Blind leading the Blind?,” The Indian Journal of Law & Technology, Vol. 4 (2008).
[5] Bygrave, L.A., “Data Protection Law: Approaching Its Rationale, Logic and Limits,” Kluwer Law International, The Hague / London / New York (2002).

2. CONSTITUTIONAL ASPECT

The Constitution of India has provisions such as ‘Freedom of Speech and Expression’[7] and
‘Right to Life and Personal Liberty’.[8] These provisions give effect to the right to privacy
as a fundamental right. A number of cases[9] also establish the right to
privacy as a fundamental right. This proposition is also connected with
the new dimension of ‘Data Protection’. Privacy and data
protection are interdependent. The right of data protection is closely related
to the ‘information’[10] of an individual. This study examines the constitutional provisions to
understand the relationship of privacy with explicitly scripted rights, along with the interpretation
accorded by the apex court of the country.[11] It explores the issue of data protection as dealt
with under different legislations.[12] Finally, it builds a case for treating the issue of data protection from
a rights-based perspective.

[6] Westin, A.F., “Privacy and Freedom,” Atheneum, New York (1970); Miller, A., “The Assault on Privacy: Computers, Data Banks and Dossiers,” University of Michigan Press, Ann Arbor (1971). The title of Westin’s seminal work, Privacy and Freedom, is a case in point. Indeed, as pointed out further below, “privacy” in this context has tended to be conceived essentially as a form of autonomy – i.e., one’s ability to control the flow of information about oneself.
[7] Article 19 (1) (a) of the Indian Constitution.
[8] Article 21 of the Indian Constitution.
[9] R Rajagopal v. State of Tamil Nadu, AIR 1995 SC 264; Sharda v. Dharampal, AIR 2003 SC 3450; District Registrar and Collector v. Canara Bank, (2005) 1 SCC 496; State of Karnataka v. Krishnappa, AIR 2000 SC 1470; State v. N. M. T. Joy Immaculate, AIR 2004 SC 2282; X v. Hospital Z, AIR 1999 SC 495; Kottabomman Transport Corporation Limited v. State Bank of Travancore and others, AIR 1992 Ker. 351; Registrar and Collector, Hyderabad and Anr. v. Canara Bank Etc, AIR 2004 SC 935.
[10] In The CPIO, Supreme Court of India v. Subhash Chandra Agarwal and Anr., the Information Technology Act 2008 laid down the definition in 2(f): "information" means ‘any material in any form, including records, documents, memos, e-mails, opinions, advices, press releases, circulars, orders, logbooks, contracts, reports, papers, samples, models, data material held in any electronic form and information relating to any private body which can be accessed by a public authority under any other law for the time being in force’.
[11] It was held in Ram Jethmalani & Ors v. Union of India, (2011) 8 SCC 1: “Right to privacy is an integral part of right to life, a cherished constitutional value and it is important that human beings be allowed domains of freedom that are free of public scrutiny unless they act in an unlawful manner. Revelation of bank account details of individuals, without establishment of prima facie grounds to accuse them of wrong doing, would be a violation of their rights to privacy. State cannot compel citizens to reveal, or itself reveal details of their bank accounts to the public at large, either to receive benefits from the State or to facilitate investigations, and prosecutions of such individuals, unless the State itself has, through properly conducted investigations, within the four corners of constitutional permissibility.”

The study of data protection therefore explores how far the information, details and data of individuals and
organizations are protected under the laws of India, especially under the Constitution of
India.[13] The emphasis is laid on the protection available under the Constitution of India
since it is the “basic and ultimate source” from which all other laws derive their validity and
force. Three matters must be addressed in discussing the constitutional aspect: (1)
privacy rights of interested persons in real space and cyberspace; (2) mandates of freedom of
information under Article 19 (1) (a); (3) mandates of the right to know of people at large under
Article 21. It categorically speaks about the right to privacy, right to information, right to
know and electronic governance, trade secrets, intellectual property etc. in the light of different
viewpoints.

3. CONCEPT OF DATA PROTECTION

Data protection is commonly defined as the law designed to protect your personal data. In
modern societies, in order to empower us to control our data and to protect us from abuses, it is
essential that data protection laws restrain and shape the activities of companies and
governments.

3.1 Data Protection Laws

3.1.1 IT Act and Rules

In India, personal information is legally protected through section 43A of the Information
Technology Act and the Information Technology (Reasonable security practices and procedures
and sensitive personal data or information) Rules, 2011. This provision requires a body
corporate that 'receives, possesses, stores, deals, or handles' any 'sensitive personal data' to
implement and maintain 'reasonable security practices', failing which it is held liable to
compensate those affected.

[12] Justice A P Shah Committee Report, “Report of the Group of Experts on Privacy”, (2012), Accessed October 21, 2016,
[13] Dr. Amit Ludri, Law on protection of personal & official information in India, The Bright Law House, New Delhi, 1st Edition (2010).

Non-observance of the data protection rules and general negligence with respect to personal data
attracts civil liability. The provisions provide that any body corporate that fails to observe data
protection norms may be liable to pay compensation if it is negligent in implementing and
maintaining reasonable security practices and thereby causes wrongful loss or wrongful gain to
any person. In addition, bodies corporate may be exposed to criminal liability under Section 72A
of the IT Act if they disclose personal information with the intent of causing wrongful loss or
obtaining a wrongful gain.

3.1.2 Consumer Protection Act

In 2015, the Consumer Protection Act was enacted. The Act could be an additional source of
redress for the misuse of personal data by commercial entities, as the Act treats the disclosure
of personal information given in confidence as an unfair trade practice [as defined under
section 2 (r)] and counts mental or emotional harm resulting from damage to any property,
among other things, as a harm.

3.2 Legal aspect concerning Data Protection

The Indian Penal Code has its roots in the time of British rule in India. The first introductory
draft was formulated in the 1860s under the chairmanship of Lord Macaulay. Because of this, the relation
between ‘data protection’ and the provisions of the ‘Indian Penal Code’ is not very satisfying.
Indian criminal law does not specifically address breaches of data privacy. Under the Indian
Penal Code, liability for such breaches must be inferred from related crimes. For instance,
Section 403 of the Indian Penal Code imposes a criminal penalty for dishonest misappropriation
or conversion of “movable property”[14] for one’s own use. When it comes to the liability
of the other party, the question arises, conversely, as to whose rights are to be protected.
Sections 405 and 409 provide that whoever misappropriates some other person’s
property is punishable for criminal breach of trust. Under Section 378, whoever dishonestly takes
any movable property out of the possession of any person without that person’s
consent is said to commit theft and is punished, but there is no
particular Act regarding electronic data protection to date. In this regard there are two ways to
address the legal right which one may pursue. Actually the crime is done against the state only.

[14] ‘Movable property’ has been defined as property which is not attached to anything and is not land.

In 2013 the Government published a National Cyber Security Policy. The Policy established an
umbrella framework for securing Indian cyberspace and laid out the need to develop a national
nodal agency to coordinate cybersecurity initiatives, create an assurance framework, encourage
the use of open standards across products and services, create a dynamic legal framework for
cyber security, create early warning mechanisms, secure e-government services, enhance the
security of critical information structure and enable the prevention and investigation of
cybercrime.

The 2013-2014 report by the Standing Committee on Information Technology observed that a
number of initiatives envisioned in the policy had not yet been implemented and recommended
the establishment of a National Critical Information Infrastructure Protection Centre and a
centralized body to address cybercrime in India. The Committee also noted the need for capacity
building and for a legal framework to protect privacy in India.

3.3 Legislation and Codes

Privacy safeguards related to health information, as well as standards around access and
disclosure, can be found in various pieces of legislation and policy, and patient privacy is a
recognized principle in Indian jurisprudence. For example, the Rules issued under Section 43A[15]
of the Information Technology Act, 2000 classify "medical records and history" as sensitive
personal data or information for the purposes of data protection standards, and bodies corporate
handling such data must do so in compliance with the Act and Rules. Additionally, the Medical
Council of India (MCI) Code of Ethics Regulations sets the professional standards for medical
practice.

Civil liability and data protection: The Information Technology Act, 2000 provides for civil
liability in case of computer database theft, computer trespass, unauthorized digital copying,
downloading and extraction of data, privacy violation, etc. Moreover, Section 43[16] provides for
penalty for a wide range of cyber contraventions such as: (a) related to unauthorized access to
computer, computer system, computer network or resources; (b) unauthorized digital copying,
downloading and extraction of data, computer database or information, theft of data held or
stored in any media; (c) introduction of any computer contaminant or computer virus into any
computer system or computer network; (d) unauthorized transmission of data or program
residing within a computer, computer system or computer network; (e) computer data/database
disruption, spamming, etc.; (f) denial of service attacks, data theft, fraud, forgery, etc.; (g)
unauthorized access to computer data/computer databases; (h) instances of data theft (passwords,
login IDs), etc.; (i) destroying, deleting or altering any information residing in a computer resource,
etc.; and (j) stealing, concealing, destroying or altering any computer source code used for a computer
resource with an intention to cause damage.

[15] Section 43-A. Compensation for failure to protect data. Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

4. DEVELOPMENT OF RIGHT TO PRIVACY IN INDIA

The right to privacy is a multidimensional concept. In a society which is growing rapidly, the right to
privacy has been recognized both in the eye of the law and in common parlance. Article 21[17]
protects the right to privacy and promotes the dignity of the individual. There has been growing
fear in recent years about the large amount of information about individuals held in computer
files. The right to privacy alludes to the explicit right of a person to control the collection, use
and revelation of individual data. Personal information can be in various forms such as personal
interests, habits and activities, family records, educational records, communications (including
mail and telephone) records, medical records and financial records, to name a few. An individual
could easily be harmed by the existence of computerized data about him/her which is inaccurate
or misleading and which could be transferred to an unauthorized third party at high speed and
very little cost.

[16] Section 43 provides the definition of computer database as, 43. (ii) a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalized manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network;
[17] The Constitution of India, 1949.

The right to privacy has been interpreted as an unarticulated fundamental right under the
Constitution of India (“Constitution”). The growing violation of this right by the State on
grounds (that are not always bona fide) encouraged the Indian Judiciary to take a pro-active role
in protecting this right.

A landmark judgment with respect to this issue is Kharak Singh v. State of U.P.[18] The Supreme
Court held that the right of privacy falls within the scope of Article 21 of the Constitution and
therefore concluded that an unauthorized intrusion into a person’s home and disturbance caused
to him is in violation of personal liberty of the individual.

However, in Gobind v. State of Madhya Pradesh,[19] the Supreme Court qualified the right to
privacy and held that a violation of privacy could be possible under the sanction of law.

The scope and ambit of the right of privacy or right to be left alone came up for consideration
before the Supreme Court in R. Rajagopal v. State of T.N. during 1994.[20] In this case the right of
privacy of a condemned prisoner was in issue.

In Justice K.S. Puttaswamy v. Union of India and Ors,[21] the Government of India decided to
provide all its citizens a unique identity called Aadhaar, a card containing a 12-digit
Aadhaar number. Registration for this card was made mandatory so as to enable people to
file tax returns, open bank accounts etc. However, the registration procedure for the card
required citizens to give their biometrics such as fingerprints, iris scans etc. Retired judge
Justice K.S. Puttaswamy filed a petition challenging the constitutional validity of the Aadhaar
project, contending that there was a violation of the right to privacy of citizens since
registration for Aadhaar was made mandatory. As a result, all those who do not even want to
register themselves are left with no option. Moreover, there is a lack of data protection laws
in India and hence there are chances that the private information of people may be leaked if
proper care is not taken. This will lead to violation of the right to privacy of individuals.

[18] AIR 1963 SC 1295. In this case, it was held that the expression “right to life” was not limited to bodily restraint or confinement to prison only but something more than mere animal existence. Here the Petitioner was kept under police surveillance, while he was charged with the offence of dacoity. The police made domiciliary visits to his house for verification of his movements and activities.
[19] (1975) SCC (Cri) 468. The case related to surveillance according to Regulations 855 and 856 of Madhya Pradesh Police Regulations. The Court held that though the right to privacy existed, it had not been violated since the procedure was required by law.
[20] Auto Shankar, a condemned prisoner, wrote his autobiography while confined in jail and handed it over to his wife for being delivered to an advocate to ensure its publication in a certain magazine edited, printed and published by the petitioner. This autobiography allegedly set out close nexus between the prisoner and several officers including those belonging to IAS and IPS some of whom were indeed his partners in several crimes. The publication of this autobiography was restrained in more than one manner. It was on these facts that the petitioner challenged the restrictions imposed on the publication before the Supreme Court.
[21] Writ Petition (Civil) No. 494 of 2012.

The judgment of the Apex Court that the right to privacy is a fundamental right is correct.
However, it is true that privacy cannot be an absolute right. For instance, surveillance is
important to prevent crime in society. An individual cannot simply argue that his privacy is
being violated if larger public interest requires keeping him/her under surveillance. The
major question is that the Supreme Court of India, unlike the USA, has still not recognized the
doctrine of waiver, under which an individual can waive fundamental rights if
larger public interest so requires. The reason is that it would defeat the purpose of
the Constitution, which implies that fundamental rights are absolute. The right to privacy cannot be
denied the status of a fundamental right because liberty without privacy and dignity would be of
no use.

The Justice AP Shah Committee on Privacy

The Planning Commission of the Government of India held meetings of the Group of Experts
on Privacy Issues all through 2012. The Group was chaired by Justice AP Shah, the former Chief
Justice of the Delhi High Court. Its report sets out a list of recommended National Privacy
Principles that should be followed in the creation of a privacy law. As indicated by the report, the
National Privacy Principles of India ought to be the following:

• Principle of Notice: This principle requires a data controller to advise all people of its
information practices before gathering information from them.

• Principle of Choice and Consent: This principle requires all data controllers to give
individuals choices, either through the opt-in method or through the opt-out method, with
regard to providing their personal information, and further states that no collection or
processing et alia of data should take place without such consent, with the exception of
authorised agencies.

• Principle of Collection Limitation: This principle requires a data controller to
collect only as much information as is directly necessary for the purposes identified and
notified to the data subject for such collection, and to do so through 'lawful' and 'fair'
means.

• Principle of Purpose Limitation: It requires that the collection or processing of
information be confined to just as much information as is sufficient and important. It
further states that the collection, processing, disclosure, usage, et alia of personal
information by a data controller should be limited to the purpose notified to and consented
to by the individual, and that any adjustment in this purpose must be
notified to the individual.

• Principle of Access and Correction: This principle requires that data subjects have access
to the data held about them, the ability to seek correction, amendment, or deletion of such
data in the event of inaccuracy, and the ability to affirm if a data controller is holding any
information on them.

• Principle of Disclosure of Information: This principle secures the right to privacy of a
data subject in case the personal information collected by a data controller is disclosed to
a third party.

• Principle of Security: This principle requires that a data controller ensure the security of
the collected personal information by 'reasonable security standards' to protect from
reasonably foreseeable risks, and specifically mentions the following possible dangers:
loss, unauthorized access, destruction, use, processing, storage, modification,
de-anonymization, and unauthorized disclosure, either accidental or incidental.

• Principle of Openness: This principle requires a data controller to make public all the
information it can about the practices, procedures, policies and systems that it executes so
as to follow the National Privacy Principles.

• Principle of Accountability: This principle makes the data controller accountable for
complying with measures that give effect to the Principles. It states that such measures
should include mechanisms to implement privacy policies, and specifically mentions the
following: training and education, external and internal audits, and requiring
organizations or overseeing bodies to extend all necessary support to the Privacy
Commissioner and comply with the Commissioner's orders.

CONCLUSION

Bearing in mind the development and ramifications of worldwide exchange, particularly with the
impact of the Internet, it is imperative that India cooperate with the world to set up laws entirely
relating to protection of privacy and personal data.

In today's connected world it is very difficult, without using extremely repressive methods, to
prevent information from escaping into the public domain if someone is determined to put it out. A
legal framework should be set up setting explicit standards relating to the methods and purpose
of assimilation of personal data offline and over the Internet. Consumers must be made aware of
voluntarily sharing information and no data ought to be gathered without express consent.

Owing to the lack of provisions for protection of data, there was a recent data breach in January 2018:
news broke that access to details such as name, address, and photos of 1.3 billion records on
the UIDAI database was being sold for 500 rupees. There is no Act which has been established
for data protection in India. For protection of privacy and data there is a need for establishment
of an Act along with an agency setting up the framework and regulation of the Act.