On August 24, 2017, a nine-judge bench of the Supreme Court of India in the Justice K.S. Puttaswamy (Retired) v Union of India[i] (“Puttaswamy”) unanimously recognized that the right to privacy is an intrinsic part of the right to life and personal liberty under Article 21. In a decision spanning 547 pages, the judgement recognizes several spheres where the need for privacy is necessary, including ‘informational privacy’ in the digital world. This is particularly relevant in the context of the internet, which has evolved from a virtual communications network into an interactive medium for services such as communications, entertainment, data storage, social networking and online marketplaces. Each of these services requires the collection and storage of personal identifiable information about users— thus rendering the internet a repository of personal information.[ii] Yet, few restrictions, if any, are imposed upon these websites under the Indian data protection regime. With the Facebook-Cambridge Analytica data scandal affecting 5.2 lakh Indian users[iii] and the recent PIL in the Supreme Court against WhatsApp for disclosure of user information to Facebook,[iv] it has become imperative to examine the contours of informational privacy recognized in the Puttaswamy judgement and its implications on the Indian data protection regime.
In this regard, this post will discuss the Puttaswamy judgement in the specific context of informational privacy on the internet, and further discuss two pending litigations in the Supreme Court which highlight serious concerns in the existing data protection regime. Prior to this case, the government has tried to take cognizance of privacy concerns on the internet through the Information Technology Act, 2000. More specifically, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) lay down the terms upon which personal information can be collected and/or used by service providers or intermediaries. However, as will be discussed hereunder, the SPDI Rules have failed to provide adequate data protection.
The Contours of Informational Privacy
In the specific context of informational privacy, the opinions of Nariman, Chandrachud and Kaul JJ are the most pertinent. Justice Nariman stated that informational privacy does not deal with the individual’s body, but rather with the individual’s mind.[v] Consequently, as part of one’s right to privacy, one must have complete control over the dissemination of information that is personal.[vi] Justice Kaul reaffirmed this proposition, stating that individuals establish boundaries that “are not only physical but also informational. It is therefore essential that “the individual knows what the data is being used for, with the ability to correct and amend it.”[vii] Justice Chandrachud, writing for four of the nine judges, stated that having “informational control empowers the individual to use privacy as a shield to retain personal control over information pertaining to the person.” [viii]
Informational privacy, thus, has been conceptualized as a positive and individualistic right, which grants complete control to the individual over information pertaining to her. No state or non-state actors can collect, store or disseminate individual information without prior consent i.e. by giving the subject control over the decision to part with the information. Three important aspects of the judgement must be discussed. The first is the affirmation by the Justice Chandrachud of the Canara Bank case,[ix] which held that the right to privacy dealt with ‘persons and not places’, and even if information has been voluntarily given to another party, the individual would still retain the right to privacy in relation to that information. Consequently, that information cannot be disclosed to any third party without express consent. This is particularly important in the context of big data analytics, where user information given to one party is often transferred to related parties or other agencies to profile users, draw trends and make commercial gains.
The second important aspect of the judgement is that it does not limit itself to protection of ‘sensitive personal information or data’ ( “SPDI”) but gives protection to all information pertaining to the user. As per the existing data protection regime, only information which falls within the limited definition of SPDI is protected through data protection requirements on service providers and intermediaries.[x] However, the definition of SPDI does not include electronic communication records. Privacy of correspondence has been recognized as a facet of the right to privacy under the European Convention of Human Rights as well as the Fundamental Rights Charter, and forms part of national laws of several nations.[xi] Yet, correspondence through e-mails and chats did not fall within the ambit of the Indian data protection regime. The judgement has overturned this view, recognizing that all information pertaining to the individual is worth protecting.
The third important feature of the Puttaswamy judgement is its discussion on the horizontal application of the right to privacy. Only then can citizens bring claims of privacy violations against data giants like Facebook and WhatsApp. While the judgement does not expressly remark on this aspect, the commonly accepted view in this regard is that instead of affirming horizontal applicability and opening a floodgate of privacy litigation, the judgement has mandated the state to create a holistic data protection regime which protects citizens from non-state actors.[xii] In this context, Justice Kaul and Justice Chandrachud raised serious concerns against collection and use of data by ‘big data’ companies for targeted advertising.[xiii] Justice Kaul elaborated that personal data collected over the internet is capable of influencing decision-making processes, affecting representations and shaping behavior.[xiv] Consequently, he stated that there exists an unprecedented need for regulation of the extent to which such information can be collected and shared. Justice Chandrachud also concludes his opinion by stating that there is a positive mandate on the government to not only ensure that it does not violate privacy, but also to proactively ensure that an individual’s privacy is not violated by other non-state actors as well. Stating this, he calls for a data protection law that would not only concern itself with what the government can do with regard to data collection, processing and use, but also what private entities as well as individuals can do with others’ data.[xv]
WhatsApp Cases: Highlighting Cracks in the Data Protection Regime
However, after the Puttaswamy judgement, an appeal to the case has been filed in the Supreme Court. Petitioners have argued that the sharing of data with Facebook violates Indian users’ fundamental right to privacy as well as free communication. This is because personal user data is being transferred solely for commercial benefit of Facebook, with little to no information being given to the users about the details of this sharing agreement.[xviii] In the absence of the Puttaswamy judgement, petitioners had been unable to argue a violation of the IT Act, since data protection was only offered to SPDI.[xix] However, even user account information now falls within the scope of protection, a win for all privacy advocates.
It is also important to note that a second public interest litigation has been clubbed along with the WhatsApp case before the Supreme Court. As per a Press Note[xx] released on 24 August, 2011, it was clarified that the SPDI Rules are applicable to a body corporate located in India. This is a cause of concern as data collected by prominent social media websites such as Facebook is entirely controlled by the principal entity (i.e. Facebook Inc.) on servers outside India and the Indian subsidiaries hold no data.[xxi] Consequently, these companies fall outside the grasp of Indian laws even though they deal entirely with data originating in India. The litigation, thus, highlights the absence of regulatory control over sharing of data with cross-border entities.[xxii] Another issue that has been highlighted is that a Press Note does not have the force of law[xxiii] and, therefore, leaves more ambiguity in the current regime. Based on these facts, the petition has challenged the constitutional validity of the SPDI Rules and the Press Note arguing that these rules fail to provide adequate remedy to Indian citizens against foreign corporations whose Indian subsidiaries exercise scarce control over data.[xxiv] While the court has denied immediate relief, it has asked WhatsApp, Twitter and Google to submits responses relating to their policies on disclosure of information to third parties.[xxv]
In conclusion, the Supreme Court in Puttaswamy has been careful in ensuring that it lays down the contours of informational privacy, while leaving the drafting to the legislators. Further, cases pertaining to data protection filed after the judgement have highlighted some of the most serious flaws in the current data protection regime. With a Supreme Court decision on these cases and a legislation dedicated solely to the protection of data, one can hope that India will make strides in data protection.
[i] WP (C) 494 of 2012.
[ii] Nandan Kamath, Law Relating to Computers Internet and E-Commerce (A Guide to Cyber Laws & The Information Technology Act), (Universal Law Publication, 2nd ed., 2015) 19.
[iii] Rahul Srivastava, ‘Cambridge Analytica Data Breach Hit 5.62 Lakh Indians: Facebook Tells Govt.’ (Business Today, 6 April 2018) available at https://www.businesstoday.in/current/economy-politics/cambridge-analytica-data-breach-562-lakh-indian-users-facebook/story/274258.html.
[iv] Karmanya Singh Sareen & Anr. v. Union of India & Ors. SLP No. 804 of 2017.
[v] Supra note 1, ¶81.
[vii] See n 1 above, ¶53.
[viii] See n 1 above, ¶142
[ix] District Registrar and Collector, Hyderabad v Canara Bank (2005) 1 SCC 496.
[x] Refer to Rule 3, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (which states inter alia that sensitive personal information or data refers to personal information relating to passwords, financial information, biometric information, physical, physiological and mental health condition, sexual orientation, medical records and history).
[xi] Art 8, Convention for the Protection of Human Rights and Fundamental Freedoms, Nov 4, 1950, 313 UNTS 222; Art 7, Charter of Fundamental Human Rights of the European Union, 2000 OJ (C 364/01); Art 1 ¶1 Grundgesetz (Basic Law); Art 18 ¶1, Spanish Constitution.
[xii] Gautam Bhatia, ‘The Supreme Court’s Right to Privacy Judgment – IV: Privacy, Informational Self-Determination, and the Idea of Consent’ (Indian Constitutional Law and Philosophy, 8 August 2017), available at https://indconlawphil.wordpress.com/2017/08/30/the-supreme-courts-right-to-privacy-judgment-iv-privacy-informational-self-determination-and-the-idea-of-consent/; See also Prashant Reddy, ‘Does India Need Only One Data Protection Law and Regulator to Rule Them All?’ (The Wire, 7 December 2017) available at https://thewire.in/tech/data-protection-law-regulator-india; Gautam Bhatia, Alok Prasanna Kumar, ‘Meaningful Data Protection Law Vital in Securing Right to Privacy’ (Bloomberg Quint, 25 August 2017) available at https://www.bloombergquint.com/opinion/2017/08/25/after-the-right-to-privacy-ruling-the-need-for-a-data-protection-law.
[xiii] See n 1 above, ¶18, ¶174.
[xiv] See n 1 above, ¶19.
[xv] See n 1 above, ¶73.
[xvi] Karmanya Singh Sareen vs Union of India W.P.(C) 7663/2016.
[xvii] Priyanka Mittal, ‘Supreme Court tells WhatsApp to give Details of user Data It Shared with Third Parties’ (Livemint, 7 September 2017), available at https://www.livemint.com/Industry/4ZHBBToChW2T6JMThhjR9L/SC-tells-WhatsApp-to-give-details-of-user-data-it-shared-wit.html.
[xviii] Murali Krishnan, ‘SC Will Hear Petition to Protect User Data On WhatsApp, Provided Harish Salve Argues During Vacation’ (Bar and Bench, 16 January 2017) available at https://barandbench.com/sc-petition-WhatsApp-harish-salve/.
[xix] Asheeta Regidi, ‘WhatsApp User Data: Our Inadequate Laws Put the Privacy of Millions Of Indians At Risk’ (First Post, 17 January 2017) available at http://www.firstpost.com/tech/news-analysis/WhatsApp-user-data-our-inadequate-laws-put-the-privacy-of-millions-of-indians-at-risk-3695957.html.
[xx] Clarification on Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 Under Section 43A of the Information Technology Act, 2000 (24 August, 201), available at http://pib.nic.in/newsite/erelcontent.aspx?relid=74990.
[xxi] See n 16 above; See also Samanwaya Rautray, ‘Ready to declare that we never shared data with anybody: WhatsApp to Supreme Court’ (Economic Times, May 17 2017) available at https://economictimes.indiatimes.com/tech/internet/ready-to-declare-that-we-never-shared-data-with-anybody-WhatsApp-to-supreme-court/articleshow/58706935.cms.
[xxii] Sukanya Mukherjee, ‘Right to Privacy, Thou Art Frail! Google, Twitter, WhatsApp, Others Face Supreme Court Wrath Over Data Privacy Concerns’, (Inc 42, 8 September 2017) available at https://inc42.com/buzz/google-facebook-WhatsApp-data-privacy/.
[xxiii] See Raj Narain v. Chairman, Patna Administrative Committee AIR 1954 SC 569; In Re Delhi Laws Act AIR 1951 SC 332 (Rules cannot be modified by sub-delegated orders which are made in exercise of a power conferred by statutory rules).
[xxiv] See n 22 above.
[xxv] Nishith Desai Associates Newsletter, ‘Supreme Court Holds That the Right to Privacy is A Fundamental Right Guaranteed Under The Constitution Of India’ (September 2017) available at http://www.nishithdesai.com/information/news-storage/news-details/article/supreme-court-holds-that-the-right-to-privacy-is-a-fundamental-right-guaranteed-under-the-constituti.html.