#RighttoPrivacy: Implications for Organizations

 

By Shivangi Nadkarni & Anand Krishnan

Since the Supreme Court ruled Privacy to be a Fundamental Right in India, we got a lot of queries about what this means to an organization and to an individual whose Personal Information is in the custody of an organization. This note discusses key points in this context and presents a set of FAQs to clarify on some aspects.

Note: The judgement is a veritable tome on privacy – covering various aspects of privacy in great detail. This note looks at it from just the Information Privacy aspect.

 

 Key Aspects of Privacy:

In the Indian context, the judgement says, a fundamental right to privacy would cover at least the following three aspects:

  • Privacy that involves the person i.e. when there is some invasion by the State of a person’s rights relatable to his physical body, such as the right to move freely
  • Informational privacy which does not deal with a person’s body but deals with a person’s mind, and therefore recognizes that an individual may have control over the dissemination of material that is personal to him. Unauthorised use of such information may, therefore lead to infringement of this right; and
  • The Privacy of choice, which protects an individual’s autonomy over fundamental personal choices

 

The three facets of Information:

The following is an interesting view of how Information can be looked at.

  1. Nonrivalrous: Which means there can be simultaneous users of the good – use of a piece of information by one person does not make it less available to another
  2. Invisible: Invasions of data privacy are difficult to detect because they can be invisible. Information can be accessed, stored and disseminated without notice. Its ability to travel at the speed of light enhances the invisibility of access to data
  3. Recombinant: Data output can be used as an input to generate more data output

 

Key concepts discussed:

Outlined below are some of the key points that the judgement talks about.

  • Online Transactions leave electronic tracks – usually without the knowledge of the person
  • Aggregation of info collected discloses the nature of the individual’s personality – although in silos it may not amount to anything
  • The use of algorithms allows the creation of profiles about internet users
  • Data Mining with knowledge discovery can be combined to create facts & new knowledge about individuals, something which even she or he did not possess
  • The contemporary age is regarded as “an era of ubiquitous dataveillance, or the systematic monitoring of citizen’s communications or actions through the use of information technology
  • The rise in the so-called quantified self, or the self-tracking of biological, environmental, physical, or behavioural information through tracking devices, Internet-of-things devices, social network data and other means may result in information being gathered not just about the individual user, but about people around them as well
  • Concept of a ‘veillant panoptic assemblage’, where data gathered through the ordinary citizen’s veillance practices finds its way to state surveillance mechanisms, through the corporations that hold that data.
  • Privacy & Data Protection: Privacy, as such, connotes to a right to be left alone. A broader connotation is related to the protection of one’s identity. Data Protection relates to this. Apart from safeguarding privacy, data protection regimes seek to protect the autonomy of the individual
  • The data which the state has collected has to be utilised for legitimate purposes of the state and ought not to be utilised unauthorizedly for extraneous purposes. This will ensure that the legitimate concerns of the state are duly safeguarded while, at the same time, protecting privacy concerns
  • Non-State Actors: Individuals are constantly generating valuable data which can be used by non-State actors to track their moves, choices and preferences. There is an unprecedented need for regulation regarding the extent to which such information can be stored, processed and used by non-state actors
  • The right of an individual to control his existence on the Internet. The technology results almost in a sort of a permanent storage making it difficult to begin life again giving up past mistakes. Privacy nurtures this ability and removes the shackles of unadvisable things which may have been done in the past
  • Privacy of Children will require special protection not just in the context of the virtual world, but also the real world. They should not be subjected to the consequences of their childish mistakes and naivety, their entire life.

The judgement mentions the Justice Srikrishna committee set up to draft a data protection framework for India and urges the setting up of a robust data protection regime at the earliest. Detailed references to the work of the Justice AP Shah committee’s report have also been made.

The above points give us an indication of what laws, regulations and interpretations are expected down the line – and organizations need to gear up for the same.

 

Frequently Asked Questions (FAQs):

Here are some questions that we were asked.

1.Does this judgement mean we can now expect companies to stop collecting my personal information from my phone?

While companies should certainly stop collecting unnecessary data from individuals via any device – whether a phone or a laptop – the only law in India that talks of some aspects of privacy is the Indian Information Technology Act. Hence until specific laws and regulations are passed to curb such collection, OR there are other drivers like reputational impact, client demands, etc, it is unlikely that rampant data collection would get curbed.

2.Will the Aadhaar act be nullified?

Decisions with regard to Aadhaar would be taken by the smaller 5-Judge bench set up to listen to the Aadhaar-specific cases. One would need to wait and see what the ruling would be.

3. Can I now NOT give my Aadhaar number to my Bank/ Telecom Company/ Anyone else asking for my Aadhaar number? They can’t compel me anymore?

In its order dated 15th October 2015, the Supreme Court of India reaffirmed that the Aadhaar card Scheme is purely voluntary and it cannot be made mandatory till the matter is finally decided by this Court one way or the other. As the matter is yet to be decided, no one can be compelled to give their Aadhaar number or be forced to provide their Aadhaar number mandatorily. However, the reality on the ground is different and various agencies are mandating the collection of Aadhaar numbers and data.

4. So now India doesn’t require a separate privacy law/ Data privacy framework? Does this mean companies will have to start implementing privacy like in other countries?

A fundamental right is a restriction on the actions of the state with respect to its citizens and residents. The liabilities of companies with respect to their actions affecting citizens would have to be governed by a legislation i.e. a national data protection legislation. Having said that, this is an indication of how things stand as of today. The Courts would be faced with numerous situations in the future where they might be asked to suggest appropriate remedies with respect to the interaction between companies and individuals vis-a –vis this right or issue directions to the government to make laws to deal with these problems.

5.Will India now acquire a ‘data adequate’ nation status as per EU DP/ EU GDPR?

It’s a big step in the right direction for India. Constitutional recognition of the Right to Privacy shows the existence of a privacy culture in the nation. However, for India to be compliant nation with the EU GDPR, India could have to have a comprehensive data protection legislation that reflects the privacy principles accepted worldwide and provides a stringent enforcement mechanism.

6.What does it mean when the judgement says that it is not an ‘absolute’ right? What is the meaning of ‘reasonable restrictions’ that everyone is talking about?

No Fundamental Right under Part III of the constitution is absolute in nature. They are subject to restrictions that may be imposed to curtail them but these restrictions have to be fair, just and reasonable in nature. For example, Article 19(1) (a) of the Constitution gives a citizen the right to freedom of expression is subject to restrictions listed under Article 19 (2) of the constitution which provides that the freedoms guaranteed under Article 19 (1) do not prevent the government from making laws that might restrict them on the basis of sovereignty and integrity of India, the security of the State, etc.

We will be happy to address more queries. Do send them to privacy@arrka.com

Shivangi Nadkarni is Co-Founder & CEO and Anand Krishnan is Associate Consultant at Arrka Consulting