Privacy In Cyber Space
Dr Jasmine Alex
3 Jun 2020 1:01 PM GMT
Dr. Jasmine Alex My son, when he was six years old, vehemently opposed one of my relatives taking his photographs in a family function. Being embarrassed among the crowd due to his discourteous screams, I inquired the reason why he was so blunt in such a family gathering and he frantically revealed his dislike and apprehension on his photos being immediately uploaded by these uncles...
Dr. Jasmine Alex
My son, when he was six years old, vehemently opposed one of my relatives taking his photographs in a family function. Being embarrassed among the crowd due to his discourteous screams, I inquired the reason why he was so blunt in such a family gathering and he frantically revealed his dislike and apprehension on his photos being immediately uploaded by these uncles and aunts to the 'Facebook'. That was a very personal incident which opened up my inner eyes, towards the true understanding of the expression, "right to privacy as an inalienable, inherent, inborn, natural and fundamental human right"; even a doli incapax[1] who is exempted by law from liability for his deeds on account of his incapability of understanding, immaturity and vulnerability, has an inborn realisation of his privacy rights[2]! This natural and internal realisation is the centre point in the jurisprudence of privacy rights as observed by Brandies,J.:
"…solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury. The right "to be let alone" thus represented a manifestation of "an inviolate personality", a core of freedom and liberty from which the human being had to be free from intrusion."[3]
If that much is the ambit, content and nature of integration of right to privacy to one's own person, the legal fraternity has to address this right more seriously, particularly in this cyber age.
Advancements in science and technology has opened up new vistas of Mobility (Geographic Knowledge Discovery), Data Mining, Cloud Computing etc. which bring unforeseen and unprecedented outcomes with respect to collection, analysis and handling of data in terms of accuracy, efficiency and saving of time, money and manpower. Even while offering tremendous benefits, they pose certain challenges for legal protection by denuding territorial jurisdictions of the court/tribunal; but the major challenge is threat to 'privacy', which has been endorsed as a fundamental right into the sweep of article 21[4] and article 19(1)(a)[5] of the Constitution of India, through judicial process.
After the advent of cyber space, anybody can access any information related to anything or anybody from anywhere at any time. Anybody can upload any data to the cyber space and keep it simply in the web, like something precious was kept safe by our elders in a chest of drawers, in the past. Globalization has given wider acceptance to this cyber technology in the whole world; e-commerce, e-governance, e-learning, e-courts, etc., have made day to day affairs very easy. The recent lock-down throughout the world, necessitating work from home and the urgency of combating pandemic burst-outs also necessitated the growing dependence on cyber data. The collection, storage, access, handling and disposal of these data raise the task of resolving many legal issues, of which the most fundamental one, viz., the right to privacy with respect to cyber data, is discussed here.
Any discussion on data privacy in cyber space shall have its focus on the basic human right and fundamental right of privacy, emanating from the core, 'right to life and personal liberty'. A bird's eye view on the international concern towards right to privacy and data protection, highlights the obligation of states parties to ensure the enjoyment of privacy rights to the citizens through legal framework[6]. Even in the absence of a statute, India is liable in public law to protect the fundamental right of its citizenry, upholding its international commitment[7].
International Resolve on Right to Privacy and Data Protection
It is pertinent to note that the Universal Declaration of Human Rights, 1948 (UDHR)[8] and International Covenant on Civil and Political Rights, 1966(ICCPR)[9] have specifically asserted that right to privacy is an integral part of individual rights which cannot be arbitrarily interfered with. The United Nations Human Rights Committee in its General Comment No.16 on Article 17 of ICCPR has stated that "the gathering and holding of personal information on computers, data banks and other devices, whether by public authorities or private individuals or bodies, must be regulated by law. Effective measures have to be taken by States to ensure that information concerning a person's private life does not reach the hands of persons who are not authorized by law to receive, process and use it, and is never used for purposes incompatible with the Covenant. In order to have the most effective protection of his private life, every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes"[10]. Convention on the Rights of the Child, 1989[11] mandates the convention parties to ensure the right to privacy to children also in the same way as it is bound to provide in the case of adults. International Convention on the Protection of All Migrant Workers and Members of their Families, 1990[12] also ensures privacy protection in the case of migrants. The Budapest Treaty on Cyber Crimes, 2001[13] is an outcome of the realization by the member states of the need to pursue, as a matter of priority, a common criminal policy for the protection of society against cybercrimes, inter alia, by adopting appropriate legislation and fostering international co-operation. The treaty parties are concerned of the risk that computer networks and electronic information may also be misused for committing criminal offences including those affecting the privacy of individuals. The Budapest treaty intends to deter actions directed against the confidentiality, integrity and availability of computer systems, networks and computer data as well as the misuse of such systems, networks and data by providing for the criminalization of such conduct. The treaty upholds the mandates of all applicable international human rights treaties, which reaffirm the right of everyone to hold opinions without interference, as well as the right to freedom of expression, including the freedom to seek, receive, and impart information and ideas of all kinds, regardless of frontiers, and the rights concerning the respect for privacy. It also upholds the right to the protection of personal data, as conferred, for example, by the 1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data[14]. In 2013, the UN General Assembly adopted a resolution to protect privacy of individuals online, in the same way as is protected offline, " recognising the global and open nature of the internet and the rapid advancement in information and communications technologies as a driving force in accelerating progress towards development in its various form"[15]. The treaties of Council of Europe, mainly, Convention for the Protection of Human Rights and Fundamental Freedoms,1950, Convention for Protection of Individuals with Regard to Automatic Processing of Personal Data ,1981[16] and Additional Protocol to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, Regarding Supervisory Authorities and Transborder Data Flows, 2001[17] expose the international obligation to protect right to privacy in the cyber regime. Protocol Amending the Convention for Protection of Individuals with Regard to Automatic Processing of Personal Data, 2018[18] is another document intended to improve the original 1981 Convention by taking into account the challenges posed by the new forms of information and communication technology (ICT) that have emerged during the ensuing decades. American Convention on Human Rights, 1969[19] upholds the right to privacy recognized by the UDHR and other international covenants. In 2014, the African Union adopted Convention on Cyber Security and Personal Data protection. Apart from these, we can identify a number of other regional documents which very strongly assert the enforcement of right to privacy[20], giving particular concern for the protection of data and information.
Whenever a privacy issue arises with respect to cyber-related data, the obligation of states parties to ensure protection of right to privacy to individuals is of paramount importance. This means, nothing can stand on the way of an individual, in assuring and realizing the right to privacy with respect to his data deposited/stored in the cyber space or computer network or electronic system. And, the international community has always expressed the resolve to firmly stand for the privacy rights of individuals against the state as well as private entities. States parties are obliged to legislate upon the convention/treaty mandates, for which ratification was accorded by the respective governments. With this backdrop in the international sphere, let us discuss, to what extent Indian legal system ensues in following this mandate conceded by the international community. Article 51(c) of the Constitution of India issues a directive to the state to endeavor to foster respect for international law and treaty obligations. With the help of Article 51(c), the apex judiciary has been able to input into Part III of the Constitution the vast number of rights flowing from various international declarations, charters and conventions ratified by India. In S R Bommai v. Union of India,[21] the Supreme Court has clearly stated that the provisions of an international covenant which elucidate and go to effectuate the fundamental rights guaranteed by our constitution, can clearly be relied upon by courts as facets of those fundamental rights and hence enforceable as such. In the light of our international commitment, this discourse on privacy rights, comprises of two facets; viz., the phase of recognition of right to privacy and the phase of right to protection of data and information relating to an individual so as to ensure right to privacy.
Right to Privacy in India
Right to privacy has been unequivocally articulated as a fundamental right by the apex court of India by the landmark judgment in, K.S. Puttaswamy (Retd) v Union of India [22]. The nine judges bench declared:
"Right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution."
In fact, Putaswamy did not lay down a pretty new principle regarding right to life and personal liberty to Indian Constitutional law one fine morning. The remarkable outcome in the Puttaswamy case had been evolving through the judicial process over the past long years. The premise of 'right to life and personal liberty' expounded in Maneka Gandhi v Union of India[23] had been expanding through years by the judicial creativity of our learned judges of the apex court[24]. Further, the inconsistency resulted from two earlier judgments[25] had also been reconciled to unequivocally and explicitly declare that right to privacy is a fundamental right which comes within the scope of personal liberty of an individual. Quoting John Stuart Mill's prepositions in his essay, 'On Liberty' (1859), Chandrachud,J., gave expression to the need to preserve a zone within which the liberty of the citizen would be free from the authority of the state[26]. According to Mill :
"The only part of the conduct of any one, for which he is amenable to society, is that which concerns others. In the part which merely concerns himself, his independence is, of right, absolute. Over himself, over his own body and mind, the individual is sovereign." While speaking of a "struggle between liberty and authority" the tyranny of the majority could be reined by the recognition of civil rights such as the individual right to privacy, free speech, assembly and expression."
At the end of a voyage through the Aristotelian division between the public sphere of political affairs (which he named as polis) and the personal sphere of human life (named oikos), comparative jurisprudential evolution of the concept of right to privacy, treatises of John Stuart Mill, James Madison, Warren and Brandeis, Thomas Cooley, William Blackstone, Roscoe Pound, Ronald Dworkin etc., and above all, the traditional Indian legal philosophy, the Puttaswamy court assimilated 'privacy' as the very basic need of every individual to live with dignity. The court recognized it as a natural and inalienable right and upheld the view that privacy is a concomitant of the right of the individual to exercise control over his or her personality[27].
Besides, the preposition that "constitutional provisions must be read and interpreted in a manner which would enhance their conformity with international human rights instruments ratified by India" had again been affirmed. The judgment also concludes that privacy is a necessary condition for the meaningful exercise of other guaranteed freedoms.
A similar adherence to right to privacy of an individual as a fundamental constitutional right is reflected in other jurisdictions also. In 2018, in the landmark decision of Carpenter v. US[28] Supreme Court of United States held that the state is obligated to ensure that the "progress of science" does not erode Fourth Amendment[29] protection assuring privacy. The Court held that the government violates the Fourth Amendment to the Constitution of US by accessing historical records containing the physical locations of cell phones without a warrant[30]. Roberts, C.J., noted that "the development of technology has required the court to find ways to preserve privacy from the government even when surveillance tools have enhanced the government's ability to encroach on areas normally guarded from inquisitive eyes." It is interesting to see that the very famous dissenting view of Brandies, J., in Olmstead v. United States[31] became the ratio in Carpenter. Brandies,J., pointed out, " The framers of the US Constitution sought to protect Americans in their beliefs, their thoughts, their emotions, and their sensations. It is for this reason that they established, as against the government, the right to be let alone as the most comprehensive of rights and the right most valued by civilized men. To protect that right, every unjustifiable intrusion by the government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the Fourth Amendment…".
In England, privacy law was developing as a part of tort in common law; as distinct from tort of trespass or tort of assault. The introduction of Human Rights Act, 1998, incorporating European Convention on Human Rights into the domestic law, provides explicit human rights protection to privacy of individuals.
Hence, 'right to privacy' is identified and established as the most fundamental right for the existence of a human being, by the judiciary world over. With this premise, the next issue relating to the necessity of protection of right to privacy in cyber space shall be examined.
Privacy Issues w.r.t to Personal Data and Information in Cyber Space
Today, the meaning of information has gained varied meanings in terms of its production, collection, analysis, storage and access using cyber tools and internet. In the same way, definition of personal data also has been redefined. For instance, the personal information of user can be easily generated by tracking his movement on various internet platforms like social media, online transactions, browsing history etc. This again advances the dilemma of what constitute the private and personal information. In the present netizen's world, there are two different and extreme views, i.e., one school believes in the protection of privacy of an individual as the paramount virtue, as in the real world; but the other school believes that there is no privacy at all, when the netizen enters into the web world. In other words, there is a confusion as to what privacy is and what it is not, in a cyber world[32]. It is quite true that the protection once secured to individuals with geographical barriers has now been removed by World Wide Web, the advent of which threatens one's own personal existence and privacy even within the four walls of his own room[33].
Online Invasion to Privacy
An individual's privacy may be invaded online, most often, without his knowledge. There are two aspects that we will have to keep in mind; (i) the person entering into the web world in almost all the cases, is a person having little understanding of the operation of various commands, locations, cookies, the hooks and crooks by which technology mines sensitive and valuable information, etc., to which he will respond without any hesitation. Many people undertake their operations in the net with a belief that their online activities are anonymous. They may be recorded virtually. The data the subscriber accesses, the websites visited and e-mails read etc., would be monitored and copied by the service providers and by web site operators. The information and privacy of an individual may be at risk by threat of invasion during generation, storage, transmission, and processing by the system itself or by the Internet Service Providers (ISP) or web sites or due to a Spyware. Again, when we surf the web, many web sites deposit data about our visit, called "cookies," and the cookie data will reveal that we have been there before[34]. In a 2019 decision of the Court of Justice of the European Union (CJEU) involving consent for the use of cookies by a German business firm called 'Planet49', the Court held that "(i) consent for cookies cannot be lawfully established through the use of pre-ticked boxes, and (ii) any consent obtained regarding cookies cannot be sufficiently informed in compliance with applicable law if the user cannot reasonably comprehend how the cookies employed on a given website will function."[35]
It should be noted that the legal implications of the use of cookies to gather user's information was first considered in Doubleclick case.[36] In that case, Court dismissed the claims advanced by the plaintiffs under the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and the Wiretap Act, arising out of Google-Doubleclick's use and placement of "cookies" on plaintiffs' computers. Doubleclick used such "cookies" to gather information about the users' use of client web sites of Doubleclick. Doubleclick's users consented to such information-gathering, though not with willful awareness, the court held that Doubleclick's activities did not run counter to either the Electronic Communications Privacy Act or the Wiretap Act. The Doubleclick approach has now been overturned and privacy rights of individuals gained momentum over simple commercial interests.
Spyware is fast-becoming the biggest annoyance to computers these days, degrading system performance, tracking our computing habits, popping up annoying advertisements, and even stealing our important personal information. Detecting and removing spyware may be difficult, since it occurs in so many different forms.
Data Protection in Cyber Space: Legal Frame Work in India
As seen earlier, due to the growing requirement for assuring protection to cyber data, different countries have introduced laws like Data Protection Act, 1998 superseded by Data Protection Act 2018 (UK)[37], Electronic Communications Privacy Act, 1986 (USA)[38] etc. from time to time; European Union has enacted the General Data Protection Regulation(GDPR), which came into force on 25 May 2018, replacing the Data Protection Directive of 1995. In India, there is no such comprehensive legal framework that deals with privacy issue. Major cyber challenges are dealt with by the Information Technology Act, 2008 (IT Act)[39], which was enacted with the predominant objective to facilitate e-commerce[40] and hence privacy was not a primary concern. The 2011 Rules[41] issued under the IT Act provide for compensation from a body corporate on account of any negligence in implementing and maintaining reasonable security practices and procedures while dealing with sensitive personal data or information. These Rules also provide for various contingencies such as consent requirement, lawfulness of purpose, subsequent withdrawal of consent, etc. Still, there is a danger with these Rules as it permits the wrongdoer to evade responsibility, by the payment of compensation to the person who suffered infringement of his privacy rights[42]. Again, the proviso in Rule 3 which defines sensitive personal data, exempts any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force, out of the purview of sensitive personal data or information for the purposes of these rules. As per Rule 7, "a body corporate or any person on its behalf may transfer sensitive personal data or information including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under these Rules". This again creates suspicion as to the extent of privacy that can be availed by an individual; Is the 'level of data protection' envisaged by the Rules sufficient to ensure privacy rights of an individual, particularly when Rule 7 permits transfer of sensitive personal data or information including any information[43]; What are the criteria for determining the level of data protection?
The relevant provisions of the Indian Penal Code could also be utilized to deal with cybercrimes affecting privacy[44]. The liability will be fixed on the basis of general principles of criminal law and the convict will be punished. When the prosecution fails to establish the commission of an offence, there is no scope for privacy protection under criminal law. So, there is a vacuum in the legislative frame work as far as the protection of privacy rights in cyber space is concerned.
Pursuant to the Puttaswamy verdict which called upon the government to create a data protection regime to protect the privacy of the individual in compliance with the international obligations, a new legislative measure viz., 'Data Protection Bill, 2019' was introduced in Lok Sabha on December 11, 2019 to provide for protection of personal data of individuals, and establishing a Data Protection Authority, for the same[45]. It recommends a powerful regime which balances individual interests and legitimate concerns of the state. As the lead judgment in Puttaswamy cautions, "formulation of a regime for data protection is a complex exercise that needs to be undertaken by the state after a careful balancing of requirements of privacy coupled with other values which the protection of data sub serves together with the legitimate concerns of the state."[46] For example, the court observes, "government could mine data to ensure resources reached intended beneficiaries." However, the bench restrains itself from providing further guidance on the issue.
In the 2019 Bill, procedural safeguards are provided in relation to the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India. Personal data is identified as "data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual". It deals with Personal Data, Sensitive Personal Data and Critical Personal Data. The rights of individuals/data principal and the liabilities of data fiduciary are well defined. The data fiduciary decides how the data will be processed; the purpose also will be determined by the data fiduciary. The rights of the individual availing the services of data fiduciary is protected in the Bill by ensuring security safeguards like data encryption and other measures for preventing misuse of data. The individual/data principal enjoys rights to (i) obtain confirmation from the fiduciary on whether their personal data has been processed, (ii) seek correction of inaccurate, incomplete, or out-of-date personal data, (iii) have personal data transferred to any other data fiduciary in certain circumstances, and (iv) restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn. The Bill also envisages for the establishment of a Data Protection Authority which may take steps to protect interests of individuals and prevent misuse of personal data.
Another important provision in the Bill is that Sensitive Personal Data can be transferred outside India for processing only if explicitly consented to by the individual, and subject to certain additional conditions. Let us wait to see how efficiently this forthcoming law is going to protect privacy rights of individuals.
Protection against Privacy Breach: the GDPR Model
The General Data Protection Regulations, 2018 of EU (GDPR) has identified Sensitive Personal Data as personal data consisting of information as to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation. Collection, handling and processing of Sensitive Personal Data requires special legal backing and documentation under GDPR[47]. The conditions include, the requirement of a specific contract with the individual from whom data is collected, and consent obtained on providing a clear information regarding the collection, processing, storage, privacy measures etc. to the individual (informed consent). The information regarding archiving of data, for scientific or research or governmental purpose, access to legal remedies, repudiation of contracts etc., should also be informed. In line with these Regulations, Justice B.N. Srikrishna Committee Report in 2018 recommended to enact a law adopting special measures to ensure privacy to sensitive personal data. These recommendations have been culminated in Personal Data Protection Bill, 2019, wherein provisions regarding Sensitive Personal Data and Critical Personal Data are included. The Bill provides that Sensitive Personal Data can be transferred outside India for processing only if explicit consent from the individual is obtained and that too subject to certain additional conditions; however, such Sensitive Personal Data should continue to be stored in India. According to the Bill, certain Personal Data notified as Critical Personal Data by the government from time to time can be processed in India only.
Concluding Remarks
Technology has now brought us to a critical juncture, where we are not able to pinpoint the horizons to which the developments are fast moving. Ignorant of the dangerous webs spun by the cyber spiders, innocent human beings are attracted towards the amazing possibilities created by the 'world wide web' and cyber technology. Hence the legislature as well as the judiciary shall remain vigilant to ensure the fundamental rights of the individuals in the cyber space and digital operations, and to control the state intervention into the enjoyment of basic rights, particularly, right to privacy. In the modern context of the concept of state, the agencies entrusted with responsibilities by the state for discharging state functions are amenable to writ jurisdiction. Whenever, 'right to privacy and protection of personal data and information' is in question before the judiciary, a number of issues might surface in the process of solving the privacy grievance. Likewise, during collection of personal data, many questions like, whether a strict data collection policy has been released and made known to the data principal/individual; whether information is collected by authorized agency; whether purpose of information is adequately transmitted to the individual; whether informed consent, which is the most crucial requirement, is obtained; whether any commercial interest is involved; whether the terms of the Master Service Agreement[48] was verified and adhered to on the basis of a 'techno-legal audit' so that privacy and data security is ensured; etc., shall be analyzed to examine the appropriateness of collection of data and information itself. Once data is gathered from or about a person it shall be kept accurately and responsibly. Appropriate technical measures such as information security controls which are necessary to keep information secured over internet, should be utilised. Data privacy or confidentiality is, protecting data from unlawful, unauthorized use as well as from unintentional access, handling and disclosure. Similarly, personal data shall be processed lawfully. Processing means any application upon the data, for the purpose of obtaining a result. Data can be processed only if the consent of the individual is obtained. The state should ensure that there are sufficient safeguards to maintain the data confidentiality and that the data is appropriately dealt with after processing and analysis. While entering into a contract between data principal and data fiduciary, the clauses for effective cyber security measures shall be added.
In nut shell, in all the cyber activities, the data principal, the cyber intermediaries, the society, the state and the legal system should extent eternal vigilance to place the right to privacy of the individual at the prime position. Whatever be the cause of thrusting individuals into the cyber world, collecting personal data without their informed consent will be highly unfair, unjust and arbitrary. The right to privacy which is the core fundamental right for the existence of an individual as a respectable human being, shall never be compromised, sans a just, fair and reasonable procedure established by law. One should be cautious of the eagerness of the service providers in gathering and mining sensitive and personal information of individuals under the pretext of providing speedy and efficient services. Quoting Brandeis,J., "our government is the potent, the omnipresent teacher; for good or ill, it teaches the whole people by its example"[49]. Let us hope for an efficient statutory frame work, guided by illustrious judicial wisdom, to regulate the activities in cyber space and handling of data and information, assuring privacy of individuals.
(*The author is Assistant Professor at School of Indian Legal Thought, Mahatma Gandhi University, Kottayam, Kerala.)
[1]Common law exempted a child below seven from criminal liability; parallel to this, common law did not recognise the independent rights of a child also. Rather a child was simply identified as the property of his father or guardian. It was by the middle of the 19th century that rights of children were started to be recognised. Declaration of the Rights of the Child on September 16, 1924, adopted by the League of Nations is the first international treaty concerning children's rights.
[2] It is true that right to privacy of children is now recognised by the Convention on Protection of Rights of Children 1989.
[3] Warren and Brandeis, "The Right to Privacy", Harvard Law Review (1890), Vol.4, No. 5, at page 193
[4]"No person shall be deprived of his life or personal liberty except according to procedure established by law."
[5]" Article 19. (1) All citizens shall have the right - (a) to freedom of speech and expression; (b)…"
[6] Constitution of India, Article 253: "Legislation for giving effect to international agreements: Notwithstanding anything in the foregoing provisions of this Chapter, Parliament has power to make any law for the whole or any part of the territory of India for implementing any treaty, agreement or convention with any other country or countries or any decision made at any international conference, association or other body"
[7] Francies Coralie Mullin v. Administrator, UT of Delhi, AIR 1981 SC 746; Rudul Sah v. State of Bihar, (1983) 4 SCC 141; Gramaphone Company of India Ltd., v Birendra Bahadur Pandey, AIR 1984 SC 671; Gian Kaur v. State of Punjab (1996) 2 SCC 648; D K Basu v. State of West Bengal, (1997) 1 SCC 416; Visakha v. State of Rajastan, AIR 1997 SC 3011; Apparel Export Promotion Council v. Chopra, AIR 1999 SC 63; Chairman, Railway Board v. Chandrima Das, AIR 2000 SC 988; Charu Khurana & Ors., v. UOI & Ors., (2015) 1 SCC 192; See also, Ralph G. Steinhardt, "The Role of International Law as a Canon of Domestic Statutory Construction", 43 Vand. L. Rev. 1111, (1990).
[8] Article 12 – "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, or to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks."
[9] Article 17 - "No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home and correspondence, nor to unlawful attacks on his honor and reputation".
[10] HRI/GEN/1/Rev.9 (Vol. I), Human Rights Committee General Comment No.16, Clause 10
[11] "Article 16-1. No child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation. 2. The child has the right to the protection of the law against such interference or attacks".
[12] Signed on 18 December 1990 and entered into force on 1 July 2003; "Article 14 -No migrant worker or member of his or her family shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home, correspondence or other communications, or to unlawful attacks on his or her honour and reputation. Each migrant worker and member of his or her family shall have the right to the protection of the law against such interference or attacks."
[13] Convention on Cyber Crime of the Council of Europe (No.185) known as the Budapest Convention 2001, is the only binding international instrument on this issue. It stands for transboundary cooperation to effectively deal with cybercrimes and ensure privacy rights by invoking penal measures. It is an advisory to any country intending to legislate on protective measures in cyber space. The Budapest Convention is supplemented by a Protocol on Xenophobia and Racism committed through computer systems. India is not a party and has not acceded to.
[14] See, The Budapest Convention 2001,
"Article 2 – Illegal access
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the access to the whole or any part of a computer system without right. A Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system.
Article 3 – Illegal interception
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system, including electromagnetic emissions from a computer system carrying such computer data. A Party may require that the offence be committed with dishonest intent, or in relation to a computer system that is connected to another computer system.
Article 4 – Data interference
1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the damaging, deletion, deterioration, alteration or suppression of computer data without right.
2 A Party may reserve the right to require that the conduct described in paragraph 1 result in serious harm."
[15] UN Resolution No. A/RES/68/167 adopted on 18 December 2013
[16] The Convention, which entered into force in 1985, is the first legal[y binding international instrument on data protection. It is open to signature by countries who are not members of the Council of Europe.
[17] The additional protocol provides for the establishment of national data protection authorities to monitor compliance with laws adopted pursuant to the original Convention and regulates the transmission of data across national boundaries.
[19] Came into force on 18 July 1978; "Article 11- Right to Privacy 1. Everyone has the right to have his honour respected and his dignity recognised. 2. No one may be the object of arbitrary or abusive interference with his private life, his family, his home, or his correspondence, or of unlawful attacks on his honor or reputation. 3. Everyone has the right to the protection of the law against such interference or attacks."
[20] For example, Cairo Declaration on Human Rights in Islam (Article 18), Arab Charter on Human Rights (Articles 16 and 21), African Charter on the Rights and Welfare of the Child (Article 19), Human Rights Declaration of the Association of Southeast Asian Nations (Article 21), Asia-Pacific Economic Cooperation Privacy Framework, Council of Europe Recommendation No.R (99) 5 for the protection of privacy on the Internet, European Union Data Protection Directive.
[21] (1994) 3 SCC 1
[22] Justice K.S.Puttaswamy(Retd) & Anr. v Union of India & Ors., (2017) 10 SCC 1; Per J. S. Khehar, CJI, J. Chelameswar, S.A. Bobde, R. K. Agarwal, Rohinton Fali Nariman, Abhay Manohar Sapre, Dr. D. Y. Chandrachud, Sanjay Kishan Kaul, S. Abdul Nazeer,JJ.
[23] AIR 1978 SC 597
[24] See the judicial process evolved through the cases, People's Union for Civil Liberties v. Union of India, AIR 1997 SC 568; X v Z Hospital, (1998) 8 SCC 296; District Registrar & Collector, Hyderabad & Anr. v Canara Bank & Anr., 2005 1 SCC 496; Selvi & Ors., v State of Karnataka, 2010 7 SCC 263.
[25] MP Sharma & Ors.v Satish Chandra, District Magistrate Delhi, & Ors. AIR 1954 SC 300 and Kharak Singh v State of Uttar Pradesh & Ors. AIR 1963 SC 1295; In M.P Sharma, it was held that the drafters of the Constitution did not intend to subject the power of search and seizure to a fundamental right of privacy; Indian Constitution does not include a proposition similar to the Fourth Amendment of the US Constitution, and therefore, questioned the existence of a protected right to privacy. The Supreme Court also made clear that M.P Sharma did not decide other questions, such as "whether a constitutional right to privacy would arise from any other provisions of the rights guaranteed by Part III including Article 21 and Article 19."
In Kharak Singh, though the court invalidated a Police Regulation that provided for nightly domiciliary visits, calling them an "unauthorized intrusion into a person's home and a violation of ordered liberty", it upheld other clauses of the Regulation on the ground that the right of privacy was not guaranteed under the Constitution, and barred the application of Article 21 of the Indian Constitution to the rest of the provisions. Justice Subbarao's dissenting opinion deserves mention. According to him, although the right to privacy was not expressly recognized as a fundamental right, it was an essential ingredient of personal liberty under Article 21.
[26] Puttaswamy, para 31
[29] Fourth Amendment: "The right of the person to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
[30]. The Stored Communications Act (SCA), Title II of the Electronic Communications Privacy Act, 1986 (ECPA), creates privacy protections for the content of stored communications and the related non-content information. As per the orders made u/s.2703(d), state can compel the production of the content of stored communications or related non-content information, when "specific and articulable facts show that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation." The earlier decisions in United States v. Miller, 307 U.S. 174 (1939), Smith v. Maryland, 442 U.S. 735 (1979), and United States v. Jones, 565 U.S. 400 (2012), where the Federal Supreme Court did not give much concern to the right to privacy of an individual over the state's power to interfere without warrant, have been overturned in Carpenter. The legal principle that when an individual voluntarily gives information to a third party, the privacy interest in that information is forfeited, was taken into account in those pre-Carpenter decisions. But application of the 'third-party doctrine' which was advanced to justify the governmental invasion into individual' s privacy without his knowledge, was negated by the Court in Carpenter.
[31] 227 US 438 (1928)
[32] Ruth Granson tries to comprehend privacy: "the concept of privacy is a central one in most discussions of modern Western life, yet only recently have there been serious efforts to analyze just what is meant by privacy." Yet another scholar, Judith DeCew, examines the diversity of privacy conceptions: "The idea of privacy which is employed by various legal scholars, is not always the same. Privacy may refer to the separation of spheres of activity, limits on governmental authority, forbidden knowledge and experience, limited access, and ideas of group membership consequently privacy is commonly taken to incorporate different clusters of interest". See for a wide reading, Robert A. Reilly, Conceptual Foundations of Privacy: Looking Backward Before Stepping Forward, 6 RICH. J.L. & TECH. 6 (Fall 1999).
[33] Schwartz M Paul, "Property, Privacy and Personal Data", Harvard Law Review, Vol.117:2055, May 2004, at p.2065.
[34]Cookies are certain types of files/data deposited by websites into the system of the user, when he first browses the sites. A cookie notifies the entry of the user into the site and from the repeated entries into that site, it collects data/information regarding your interests, without your knowledge. A cookie is different from a virus; but its harmless appearance may not be that much harmless, because it is used by the website to collect information/data.
[35] Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v. Planet49 GmbH, decided by the Grand Chamber of the Court of European Union. "The term 'consent' in General Data Protection Regulation, must be interpreted as meaning that the consent referred to in those provisions is not validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user's terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent.";
Available at http://curia.europa.eu/juris/document/document.jsf?docid=218462&mode=lst&pageIndex=1&dir=&occ=first&part=1&text=&doclang=EN&cid=1486059
[36] In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001), on an action against "Double Click" by the internet users alleging that DoubleClick's placement of cookies on computer hard drives of Internet users who accessed DoubleClick-affiliated sites constituted violations of three federal laws: viz., the Stored Communications Act, Wiretap Statute and Computer Fraud and Abuse Act, the court held that DoubleClick was not liable under any of the three federal laws because it fell within the consent exceptions.
The case is available in the link location,
The dissent of Commissioner Pamela Jones Harbour is important. Pamela was of the view that privacy mechanism which would not serve the actual purpose of consent requirement, cannot be considered sufficient to protect the interests of consumers. She observed: "…the firm is urged to state clearly and unambiguously what kind of information it intends to gather, how it will collect and use that information, and what choices consumers will be able to exercise. Consumers deserve a clear explanation from Google/DoubleClick, so they can shape their Internet behavior and determine how much information they are willing to reveal. Clearly explaining the firm's information practices and the choices available to consumers will demonstrate Google/DoubleClick's good intentions, as well as the company's willingness to be held accountable for its commitments".
[37] The Acts are available at https://www.gov.uk/data-protection
[38] Amended in 1994, 2001, 2006 and 2008 with various Acts; The history, objectives and texts of the statutes are available at https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1285
[39] Sections 43, 43A, 65, 66E, 67C, 69, 69B, 70B, 72A, 79, etc.
[40] The preamble of the Information Technology Act, 2000 reads: "An Act to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies and further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934 and for matters connected therewith or incidental thereto.
WHEREAS the General Assembly of the United Nations by resolution A/RES/51/162, dated the 30th January, 1997 has adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law;
AND WHEREAS the said resolution recommends inter alia that all States give favourable consideration to the said Model Law when they enact or revise their laws, in view of the need for uniformity of the law applicable to alternatives to paper-based methods of communication and storage of information;
AND WHEREAS it is considered necessary to give effect to the said resolution and to promote efficient delivery of Government services by means of reliable electronic records."
[41] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), were issued under section 87(2) read with section 43-A of the IT Act.
[42] The Data Protection Bill, 2019 suggests the removal of such clauses by appropriate amendments in IT Act.
[44] The scope of Indian Penal Code is limited to an extent as pointed out by the High Court of Bombay in Gagan Harsh Sharma & Anr v. Maharashtra & Anr.[Writ Petition(Criminal) No. 4361 0f 2018] that when an offence is well covered under the provisions of IT Act, the IT Act should be applied as lex specialis excluding IPC.
[45]The Preamble of the Bill reads:"… to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the rights of individuals whose personal data are processed, to create a framework for organisational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected therewith or incidental thereto.
WHEREAS the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy; AND WHEREAS the growth of the digital economy has expanded the use of data as a
critical means of communication between persons; AND WHEREAS it is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion and for matters connected therewith or incidental thereto".
[47] Articles 6 and 9 of GDPR, 2018
[48] Master Service Agreement (MSA) is a contract in which parties of an ongoing project or repeated transactions agree to most of the terms in it, which will control all the future transactions. It provides for a statement of Work (SOW) which contains a general format narrating the purpose of contract, scope, location, data collection, period, applicable standards the service provider must follow, as well as IP ownership, dispute resolution, jurisdiction etc.
