From the time of birth till the time of death, and even beyond, we all are being tracked. Even a harmless tweet or a ‘like’ on Facebook can give away crucial data such as location of home and workplace. Privacy has become the quintessential issue of our times, but it continues to be violated every day. Privacy is supreme human right inherently given by the nature, yet its status as a fundamental right under the constitution remains dubious.
The question of privacy as a right gained significance when the government submitted to the supreme court (SC) in July 2015 that there is no fundamental right to privacy. The SC on its part formed a bench of five judges to hear the submissions on this ground, and deliver a judgment that settles the issue. However, even as the matter stands pending before the court, there have been numerous developments on the rights relating to privacy, which impacts India as a democracy as well as its constituents.

Simply defined, privacy is a state in which one is not observed or disturbed by other people. In reality, however, every phone call is tracked, recorded, stored and retrieved. The government has a system of doing that with text messages, personal e-mails, chat conversations, Google searches, website visits, and usernames and passwords for communications that are not encrypted. The central monitoring system (CMS) received flak after the Snowden revelations, but it has come to stay in India, with the new government putting its implementation on fast track. It has been said that the system is against the right to privacy, which has been claimed to be a fundamental right. With the permanence of the CMS, nonetheless, it is better to ascertain if there is even a right to privacy.

The past

It is interesting to note that the right to privacy was not directly envisaged by the constitution makers as it fails to get a mention even once in the whole of constituent assembly debates. As a result, it is our judiciary that has deliberated upon the matter, and has interpreted privacy from the very beginning. However, it was in 1954, just four years after the constitution came into being, that the SC had to deal with the question of privacy. In the MP Sharma vs Satish Chandra case, the SC decided in favour of the practice of search and seizure when contrasted with privacy.

In 1962, while deciding the Kharak Singh vs State of UP, the court examined the power of police surveillance with respect to history-sheeters and it ruled in favour of the police, saying that the right of privacy is not a guaranteed right under the constitution. In fact, justice Subba Rao in the same case delivered a separate opinion and said, “It is true our constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty (recognised in Article 21 of the constitution).” Eleven years later, the imagination of the SC in the Kharak Singh case came true in the RM Malkani vs State of Maharashtra case, wherein the court upheld the phone tapping of a guilty person, with the word ‘guilty’ putting the case in favour of the government.

All through these years, the right to privacy remained as a question mark, seldom before courts but actively negated by state. It was 1975 that became a watershed year for the right to privacy in India. The SC while hearing the Gobind vs State of MP case introduced the compelling state interest test from the American jurisprudence. The court stated that right to privacy of an individual would have to give way to larger state interest, the nature of which must be convincing. With time, the domain of privacy has expanded and it has come to incorporate personal sensitive data such as medical records and biometrics.

In 1997 in the matter of PUCL vs Union of India, commonly known as telephone tapping cases, the SC unequivocally held that individuals had a privacy interest in the content of their telephone communications. Making just exceptions to the complete cover, it said that rigorous standards are required for law that derogates privacy and that mechanism used should be targeted, based on specific suspicion of identifiable individuals and be the only means possible to fulfil the government’s goals of public safety and crime prevention. Thus, through a series of cases, it can be observed that the right to privacy was being recognised, but its exceptions were also given due place. In the Selvi vs State of Karnataka, which was decided in 2010, the SC gave strength to Article 20(3), that is, Right against Self-Incrimination. Closely aligned with privacy, the right to remain silent was found to be derogated by usage of narco-analysis as evidence in trials. Accordingly, the same were disallowed.

The present

In the second decade of the 21st century, questions with respect to the right to privacy have centred around Aadhaar, a government scheme in which residents get a unique ID after giving their biometrics such as fingerprints and iris scan and demographic details. Aadhaar was challenged in court on the grounds of violation of privacy and its usage was limited by the SC through its order in September 2013, with Aadhaar being allowed in public distribution system and LPG subsidy only. However, in October 2015, it amended its order and said that Aadhaar can be used to deliver services such as MNREGA, Pradhan Mantri Jan-Dhan Yojana, pension and provident fund schemes but no person should be deprived of any service in absence of Aadhaar. The SC was slated to hear the matter in January this year, but the case seems to have gone into cold storage as no next date has been listed by the court.

On more recent terms, the Delhi high court has been approached by an individual seeking enforcement of ‘right to be forgotten’, as it exists in the EU (see box in the previous report). The court has sought responses from the government and websites in this matter. The Bombay high court has also overturned the ban on possession of beef in Maharashtra and said that the right to eat beef is a part of the right to privacy, which is part of a citizen’s fundamental right to life, even as the SC examines the later part of the statement.

The biggest violation of privacy, nevertheless, continues to be through surveillance. The draft encryption policy has been ridiculed for its stringent and impracticable rules that disallowed encryption. The policy, which has now been put into cold storage, faces the stark reality that WhatsApp has introduced end-to-end encryption for all its services. This means the message can be logically read only on the sending and receiving device, which is indeed a great tool for escaping surveillance. However, the same gives a headache to governments across the world as terror networks seem to be using the internet in a major way. A clear example of this is in the case of FBI and Apple, wherein the tech giant refused to help FBI access data stored in an iPhone and the US government had to spend a large sum to obtain the data after breaking the code. Many fear that such instances may bolster privacy, but allow illegal activities to prosper within its ambit. However, India seems to be buoyant about the issue and the communications and IT minister, Ravi Shankar Prasad, has claimed that “As part of this programme, a tool for mobile forensics has been developed, which handles smartphones including Apple phones.” The private companies too are responsible for protecting data and privacy of their consumers but are deceived by smarter hacks who hack the private data and sell it in the market, as was being done by Russian hackers. The Ashley Madison hack of January 2016, wherein personal data of more than 1.1 million persons was leaked also shows the threat of privacy invasion in the private-sector world.

In India, the regulatory environment over the subject remains unclear. Voice-over-IP services such as Skype have been identified as something that can be easily used by terrorists, but no policy over the same has taken form. Only recently, the Telecom Regulatory Authority of India (TRAI) amended the telecom licence agreement to allow interconnection of IP-based networks. On the other hand, in France, Skype was made to register as a telecom operator. In Germany, VoIP is subject to the same requirements as other telecom services because of the technology neutral approach of its Telecommunications Act. In China, VoIP calls have a separate regulatory system under the head of ‘voice based calls’. Regarding this, the most problematic thing for the government seems to be the presence of servers of most of the apps and websites in foreign countries. WhatsApp end-to-end encryption directly goes against Section 69 of the Information Technology Act and there remains a question mark over WhatsApp acceding to demands of the government of India over data requests. With even a greater number of persons moving online, privacy and its security in the digital world is the latest challenge before everyone.

Arvind Sivaramakrishnan, CIO, Apollo Hospitals Group, has called upon the government to frame regulatory standards on privacy and security of health records. Bangladesh’s top bank recently lost millions of dollars due to lack of effective cyber protection. In light of increasing theft of financial data, South Korea has amended its laws and from September 23 this year, any serious data breach experienced by such businesses will lead to financial liability of up to three times the actual damages suffered by their customers.

The law firm Mossack Fonseca has called the Panama Papers release a breach of privacy. However, as it may seem so in the first look, there is indeed compelling public interest in the release of such papers. Hence, the Panama Papers give an idea that the right to privacy cannot be a blanket one, and there will exist exceptions to it, at all times.

The future

In the era of Internet of Things and cloud computing, the data is not only being stored in hard drives of individual computers but also in the overall internet, and keeps floating between various servers. Even as India is planning to use schemes like Meghraj for cloud computing, it has fallen to rank 18 in cloud computing due to absence of privacy law. While technology-rich Japan, US, Germany and Canada scored the highest in the ratings released, India has fallen behind Malaysia, South Africa, Mexico and Argentina. The biggest violators of privacy seem to be the social networking websites themselves. Revealed in the PRISM episode for co-joining the hands with the US, websites have been known to use personal data for advertisements. Recently, a US judge rejected a request by Facebook to toss out a civil suit accusing it of violating privacy with face-recognition software to help ‘tag’ people in pictures.

Sections 43, 43A and 72A of the IT Act of 2000, along with Rules of 2011 provide the legal framework for digital privacy and security, mandating that agencies collecting personal data must provide a privacy policy, and compensations must be paid to the victim in case of unauthorised access or leakage of information, but the laws have been let down by lack of effective implementation.

Communications minister Prasad announced that India is working on a privacy bill but failed to give a timeline. The EU already has a data protection directive and it is unclear whether India is planning to make a similar law. Even though the government claimed that the Aadhaar bill was in fact a money bill and that it provided for protection of privacy, it received the most criticism on the issue of privacy and protection of the demographic and biometric information collected for the purpose of issuing the Aadhaar number.
 

READ: Privacy law is virtually shelved: govt will instead amend the IT Act


India has released a draft of Geospatial Information Regulation Bill, 2016. Some say it violates privacy on every count and has been labelled being against open data sharing, human dignity and constructive speech or expression. The provisions of the draft are such that almost every smartphone user today is in violation of the same. Envisioned to control GPS, the draft law mandates a licence from the government even for clicking a picture with GPS tag. Though it has been designed to act against big entities, the draft law is full of flaws, and puts a maximum penalty of '100 crore as fine and a jail term of seven years. Facing backlash, the government has stated that it is ready to discuss the bill.
Article 17 of the International Covenant on Civil and Political Rights that has been signed and ratified by India recognises right to privacy in its most basic yet complete form. Even though the constitution makers did not expressly mention privacy in their debates, it can certainly be said that privacy and personal liberty co-exist and should be read together. And as the American judge, justice William O Douglas, said 64 years back, “The right to be let alone is indeed the beginning of all freedom.”


Gupta is a senior supreme court lawyer.

(The article appears in the July 1-15, 2016 issue)