#RighttoPrivacy: Implications for Organizations


#RighttoPrivacy: Implications for Organizations

Since the Supreme Court ruled Privacy to be a Fundamental Right in India, we got a lot of queries about what this means to an organization and to an individual whose Personal Information is in the custody of an organization. This note discusses key points in this context and presents a set of FAQs to clarify on some aspects.

Note: The judgement is a veritable tome on privacy – covering various aspects of privacy in great detail. This note looks at it from just the Information Privacy aspect.

 

Key Aspects of Privacy:

In the Indian context, the judgement says, a fundamental right to privacy would cover at least the following three aspects:

Privacy that involves the person i.e. when there is some invasion by the State of a person’s rights relatable to his physical body, such as the right to move freely 

Informational privacy which does not deal with a person’s body but deals with a person’s mind, and therefore recognizes that an individual may have control over the dissemination of material that is personal to him. Unauthorised use of such information may, therefore lead to infringement of this right; and 

The Privacy of choice, which protects an individual’s autonomy over fundamental personal choices

 

The three facets of Information:

The following is an interesting view of how Information can be looked at.

  1. Nonrivalrous: Which means there can be simultaneous users of the good – use of a piece of information by one person does not make it less available to another
  2. Invisible: Invasions of data privacy are difficult to detect because they can be invisible.  Information can be accessed, stored and disseminated without notice. Its ability to travel at the speed of light enhances the invisibility of access to data
  3. Recombinant: Data output can be used as an input to generate more data output

 

Key concepts discussed:

Outlined below are some of the key points that the judgement talks about.

The judgement mentions the Justice Srikrishna committee set up to draft a data protection framework for India and urges the setting up of a robust data protection regime at the earliest. Detailed references to the work of the Justice AP Shah committee’s report have also been made.

The above points give us an indication of what laws, regulations and interpretations are expected down the line – and organizations need to gear up for the same.

 

Frequently Asked Questions (FAQs):

Here are some questions that we were asked.

  1. Does this judgement mean we can now expect companies to stop collecting my personal information from my phone?

 

While companies should certainly stop collecting unnecessary data from individuals via any device – whether a phone or a laptop – the only law in India that talks of some aspects of privacy is the Indian Information Technology Act. Hence until specific laws and regulations are passed to curb such collection, OR there are other drivers like reputational impact, client demands, etc, it is unlikely that rampant data collection would get curbed.

 

  1. Will the Aadhaar act be nullified?

Decisions with regard to Aadhaar would be taken by the smaller 5-Judge bench set up to listen to the Aadhaar-specific cases. One would need to wait and see what the ruling would be.

  1. Can I now NOT give my Aadhaar number to my Bank/ Telecom Company/ Anyone else asking for my Aadhaar number? They can’t compel me anymore?

In its order dated 15th October 2015, the Supreme Court of India reaffirmed that the Aadhaar card Scheme is purely voluntary and it cannot be made mandatory till the matter is finally decided by this Court one way or the other. As the matter is yet to be decided, no one can be compelled to give their Aadhaar number or be forced to provide their Aadhaar number mandatorily. However, the reality on the ground is different and various agencies are mandating the collection of Aadhaar numbers and data.

  1. So now India doesn’t require a separate privacy law/ Data privacy framework? Does this mean companies will have to start implementing privacy like in other countries?

A fundamental right is a restriction on the actions of the state with respect to its citizens and residents. The liabilities of companies with respect to their actions affecting citizens would have to be governed by a legislation i.e. a national data protection legislation. Having said that, this is an indication of how things stand as of today. The Courts would be faced with numerous situations in the future where they might be asked to suggest appropriate remedies with respect to the interaction between companies and individuals vis-a –vis this right or issue directions to the government to make laws to deal with these problems.

  1. Will India now acquire a ‘data adequate’ nation status as per EU DP/ EU GDPR?

It’s a big step in the right direction for India. Constitutional recognition of the Right to Privacy shows the existence of a privacy culture in the nation. However, for India to be compliant nation with the EU GDPR, India could have to have a comprehensive data protection legislation that reflects the privacy principles accepted worldwide and provides a stringent enforcement mechanism.

  1. What does it mean when the judgement says that it is not an ‘absolute’ right? What is the meaning of ‘reasonable restrictions’ that everyone is talking about?

No Fundamental Right under Part III of the constitution is absolute in nature. They are subject to restrictions that may be imposed to curtail them but these restrictions have to be fair, just and reasonable in nature. For example, Article 19(1) (a) of the Constitution gives a citizen the right to freedom of expression is subject to restrictions listed under Article 19 (2) of the constitution which provides that the freedoms guaranteed under Article 19 (1) do not prevent the government from making laws that might restrict them on the basis of sovereignty and integrity of India, the security of the State, etc.

We will be happy to address more queries. Do send them to privacy@arrka.com

Shivangi Nadkarni is Co-Founder & CEO and Anand Krishnan is Associate Consultant at Arrka Consulting