THE RIGHT TO PRIVACY: CONSTITUTIONALITY OF PERSONAL DATA PROTECTION BILL 2019
Author: Muskaan Gupta
Co-Author: Harshul Bangia*
O.P. Jindal Global University.
ISSN: 2582-3655
Abstract
Privacy is a critical concept that is being talked about in today’s modern and online world. The use and abuse of privacy is a continuous threat to humans and violates their human rights recognized by many International Institutions including UDHR and ICCPR. In India, the right to privacy was not considered a part of Fundamental Rights but in recently, the Supreme Court found that the right to privacy comes under the ambit of Fundamental Rights, despite it not being enumerated as one in the Constitution of India, and recommended passing of legislation to ensure that this right is not violated. The Government in 2019, tabled the Personal Data Protection Bill in the Lok Sabha. There are numerous issues raised on the constitutionality of the bill which is discussed in this paper. The Bill gives and places the government to act in whichever way possible and also controls every authority formed under the said Bill. The Bill also diminishes the powers of Data Protection Authority (DPA) along with imposing a threat on the user’s right to seek a remedy. The Bill of 2019 is much favourable to the Government than the previous draft bill drafted by Justice B.N. Srikrishna Committee. The Draft was considered to be much effective and the aim of protecting people’s private data was looked upon, unlike the Bill of 2019 which deviates from its aim of protecting the data principal. As a result, it is said that this Bill has a detrimental effect on user’s privacy.
Introduction
“If the right to privacy means anything, it is the right of the individual, married or single, to be free from unwarranted governmental intrusion.”[1] – William J. Brennan
Privacy is considered as a ‘distinctly contemporary’ concept[2] and the use and abuse of privacy through sophisticated products of technology including computers, surveillance devices, etc is a continuous threat to human freedom.[3] The rights of conceptualizing privacy are widely supported and acknowledged across the world. India is a signatory of the Universal Declaration of Human Rights (UDHR) 1948 and the International Convention on Civil and Political Rights (ICCPR) 1966, which recognizes privacy as a Human Right.[4] Both these definitions along with the one given by Judge William J. Brennan were along the same lines and states that no one shall be subjected to arbitrary interference with privacy, which implies that there should be restrictions to the right and the right is not absolute but those restrictions should be reasonable and for some purpose. The right to privacy aims at restraining governmental and private institutions’ intervention which would threaten the privacy of individuals. The right to privacy has been one of the most talked-about rights in recent times as it has not been directly mentioned in the Constitution of India. The right has recently been recognized as a fundamental right in the Puttaswamy judgement. But even before that, the right to privacy was a right which the advocated took for granted because of the series of smaller bench judgements which did not call it a fundamental right outrightly but gave relief assuming people had the right to privacy to some extent and subject to reasonable restrictions.
The Personal Data Protection Bill, 2019 has been introduced in the parliament with the view to protect this very right after the recommendations of the B.N. Srikrishna Committee, which were made in light of the Puttaswamy judgement, by making a change to the draft bill given by the committee. This paper is written with the view to determine the existence of the Right to Privacy as a Fundamental Right and the constitutionality of the bill.
Origin of Right to Privacy and its Tests
The status of the Right to Privacy in India has not always been the way it is today. When the Constitution of India was first drafted, there was no mention of the right to privacy in it. It was rather developed through a series of cases.
The first time when the Supreme Court deliberated whether Right to Privacy was a fundamental right or not was in the case of M.P. Sharma v. Satish Chandra[5], by an eight-judge bench in 1954 wherein the court said that “fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it, into a different fundamental right.”[6] Therefore, disregarding the idea of Right to Privacy as a fundamental right as courts at that time, read the constitution narrowly.
Then the question came up, again, in the case of Kharak Singh v State of Uttar Pradesh[7] in 1962 heard by a six-judge bench. In this case, regulation 236 of U.P. Police Regulations was challenged which defined surveillance. Surveillance included secret picketing and domiciliary visits at night at the house of the suspects to keep a record of his whereabouts and activities. The majority judgement (5 out of 6 judges) said that the Right to Privacy was not a fundamental right but domiciliary visits were unconstitutional as they violated Article 21 of the Constitution of India. The dissenting judgement was given by Justice Subba Rao wherein he said that “It is true our Constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty.” He then went on to say, “Indeed, nothing is more deleterious to a man’s physical happiness and health than a calculated interference with his privacy.” This was the first time that a Supreme Court judge in India had favored the Right to Privacy as a Fundamental Right and gave reasoning for it, but it is a dissenting minority opinion, could not be enforced though it played a crucial role in the jurisprudential development of the right to privacy.
The issue was then brought up in the Supreme Court in the year 1975 in the case of Govind Singh v. State of Madhya Pradesh[8] before a three-judge bench. The matter was again related to police regulations but this time, the judges were inclined towards accepting that Right to Privacy should be a fundamental right. The dissenting opinion of Justice Subba Rao was discussed but the bench being a three-judge bench could not overrule a six-judge bench decision. Though, while they agreed that there should be a fundamental right to privacy, they also said that there should be restrictions on this right as the court said, “There can be no doubt that privacy-dignity claims deserve to be examined with care and to be denied only when an important countervailing interest is shown to be superior.”
A similar thing happened in the case of the People’s Union of Civil Liberties v. Union of India[9] in 1996 where the court again hinted that right to privacy should be a fundamental right as the court said, “We have, therefore, no hesitation in holding that right to privacy is a part of the right to “life” and “personal liberty” enshrined under Article 21 of the Constitution. Once the facts in a given case constitute a right to privacy, Article 21 is attracted. The said right cannot be curtailed “except according to the procedure established by law.” With this, they emphasized there can be restrictions on the right but only through the procedure established by law. But this was a two-judge bench and so, their decision could not overrule the earlier decision by the larger bench in M.P. Sharma case.
The Supreme court of India did not, initially, read the right to privacy into the fundamental rights given in the constitution, owing to a narrow interpretation of the fundamental rights. The Right to privacy was finally recognized as a fundamental right in the case of K.S. Puttaswamy v. Union of India[10] by a nine-judge bench in the year 2017 in a unanimous decision. The question initially came up in front of a three-judge bench but they referred it to a nine-judge bench so that the previous decisions could be overturned and the question could be settled without any scope for confusion or doubt. Though the judges decided unanimously that, “The right to privacy is protected as an intrinsic part of the right to life and personal liberty Under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution”[11] thereby overturning the previous judgements of cases M.P. Sharma[12] and Kharak Singh[13] as this was a larger bench, they agreed with a majority on very few other things. With this, the judges also agreed on the fact that this right, like every other fundamental right, is not absolute and there can be restrictions imposed on this right by the government. Any such restrictions should pass the test of constitutional validity. The judges, in this case, suggested the following tests-
- The existence of law i.e. a specific and clear law should be present to limit the right to privacy;
- Legitimacy i.e. the Central government can only restrict the right to privacy only to satisfy a legitimate state aim, and
- Proportionality i.e. objective of law should be matched with quality and severity of restrictions.
Apart from this three-part test, the restrictions should also pass the tests of articles 14, 19, and 21 as these are the rights from which the right to privacy originates. Under Article 21, through the case of Maneka Gandhi v. Union of India[14], it was established by the court that any procedure established by law to restrict Fundamental Rights should be just, fair and reasonable and also that it should be free from any unreasonableness and arbitrariness. In addition, Puttaswamy’s case[15]also called out that the ‘legitimate’ state aim must fall within the purview of the reasonableness mandated by Article 14.
Constitutional critique to PDPB 2019
The Personal Data Protection Bill 2019 (herein referred as the Bill) was formed to provide privacy rights to data principal and protect them from the misuse of their data but a closer look into the bill reveals that there are many shortcomings in the Bill and is in contravention of the right to privacy and other similar rights. Therefore, the Bill of 2019, which is introduced in the Lok Sabha, has certain provisions that are a bit problematic. These problems are specifically in contravention to the tests discussed in the Puttaswamy judgement.
Chapter III of the bill deals with the grounds on which the government can process personal data without the consent of the data principal. Section 12(b) says that “the personal data may be processed if such processing is necessary, — under any law for the time being in force made by the Parliament or any State Legislature.”[16] This section implies the government can process the personal data of individuals if they pass a law that makes necessary, the processing of any such data, without any consent. The scope or purpose of such laws has not been mentioned. Neither is there any specification as to what can be the purpose of such law. Therefore, there is no reason for putting such a restriction on the right to privacy of people. This makes the sub-clause very arbitrary and thus, it fails the test under article 21 as laid down in the Maneka Gandhi case.
A. Immense powers and exemption for the State
The 2018 draft bill by the committee was indeed very efficient, keeping in mind all the above-mentioned tests, for the protection of personal data. Section 42 of that bill was written keeping in mind the tests mentioned above as it provided that the exemptions would be provided only through the procedure established by a law passed by the parliament and that the restriction to the right to privacy ought to be proportional to the objective sought to be achieved.
Section 35 of the Bill of 2019 was bought with changes in the 2018 draft bill and exempts all the state agencies from all the provisions provided in the data protection regime through an order passed by the Central Government i.e. executive orders. These orders can be passed where the Government considers it necessary in the interest of sovereignty and integrity of the country, national security, friendly relation with foreign states, and public order or to prevent the incitement to commit offenses that jeopardize these interests.[17] The bill nowhere talks about the proportionality test to keep the restrictions imposed on the fundamental right in check. The central government alone has the power according to the bill and that defeats the purpose of the bill as there are no checks on the use of power conferred by the bill on the central government. There is a whole list of areas where the central government is authorized to intervene in the Annexure A[18] of the bill.
In the case of State of W.B v. Anwar Ali Sarkar[19], it was observed that to be reasonable and non-arbitrary, an act needs to lay down specific guidelines and policies for the exercise of power while conferring power on the executive. Also, in the case of The Special Courts Bill, 1978[20]the court saidthat for a law to be reasonable, it should provide clear and definite legislative policy. So, this provision (section 35 of the Bill) can easily be challenged for arbitrariness as it fails to provide a specific and clear safeguard to guarantee the protection of the right against arbitrary state action. It was further noted by the Supreme Court while deciding the constitutionality of Aadhaar in K.S. Puttaswamy v. Union of India[21]that:
“Nine judges of this Court in Puttaswamy categorically held that there must be a valid law in existence to encroach upon the right to privacy. An executive notification does not satisfy the requirement of a valid law contemplated in Puttaswamy. A valid law, in this case, would mean a law enacted by Parliament, which is just, fair and reasonable. Any encroachment upon the fundamental right to privacy cannot be sustained by an executive notification.”
Therefore, the current powers of Government under the provision are under direct violation of the Fundamental Rights including the right to privacy as the restrictions are being imposed solely by executive order.
B. Limited Powers of Data Protection Authority (DPA)
Section 42(2) of the bill talks about the Selection Committee for the appointment of members of DPA. It provides that only the Secretaries to the Ministries and Central Government could be a part of the Selection Committee. This empowers the Central government to have indirect control over the DPA. Ideally, it is not the government bodies alone who are responsible for the appointment and selection of members to such authorities. Like in the Real Estate Act, section 22 establishes Real Estate Regulatory Authority and makes Chief Justice of every state as a part Selection Committee[22] which helps to keep make sure that the government does not take arbitrary decisions and impose its will on the authority. To prevent individuals and violation of their rights, the draft bill of 2018, proposed by Justice B.N. Srikrishna committee, too made the Chief Justice of India along with an Independent Expert as a part of the Selection Committee. But any such inclusion of judiciary or experts is absent from the selection committee for appointment of members to the DPA which clearly shows the attempt of the government to keep the power to regulate personal data of data principal with themselves which in turn may violate rights of individuals. Since the government has indirect control over DPA, the rulemaking authority that the DPA has and the regulations it may pass (including areas mentioned in Annexure B[23] of the bill), under the bill, would also be influenced by the Government itself.
C. Restriction of users’ right to seek remedies
According to section 83(2) of the Bill, only the Data Protection Authority (DPA) can file a complaint in court to take cognizance of an offense.[24] The presence of this provision prevents the data principal from filing a complaint directly in court when an offense is committed under this Bill, instead the data principal whose right is violated has to file the complaint to DPA after which only the DPA can file the complaint to the court. Section 63(1) of the bill is on similar terms stating “that no inquiry under this section shall be initiated except by a complaint made by the Authority.”[25] This implies that the individuals are restricted from initiating civil inquires under the data protection regime and they must approach the DPA to register any civil complaints. Apart from these two provisos, there is no other provision in the Bill that empowers the data principal or individual to appeal against the DPA. Furthermore, there is no right to remedy for individuals if the DPA doesn’t do anything for the complaint filed and they can’t initiate an inquiry pursuant to the complaint.
There was a similar section in the Aadhar Act of 2016. Section 47 of the Aadhaar Act barred the court from taking cognizance of the offense unless the authority (UIDAI) files a complaint.[26] The Supreme Court, in K.S. Puttaswamy v. Union of India held that the provision was arbitrary as it fails to provide a mechanism to individuals to seek efficacious remedies for violation of their rights.[27] Such provisions violate the right of individuals to be heard. There are no grounds to curb any such right and thus the sections are arbitrary. Also, following the above-mentioned precedent set by the Supreme Court, it can be safely said that the sections 83(2) and 63(1) of the Personal Data Protection Bill, stand in violation of the constitution.
D. Not so Anonymised Data
Anonymity allows people to express themselves without the fear of being judged or harmed for their views. But that is not all that anonymized data is used for. The government can collect anonymized data from various data fiduciaries to know about the people and make policies accordingly. For example, the government may take the medical records of people from hospitals after the process of anonymization so that the government can have a fair idea about the kinds of diseases that are most widespread and the kind of help governmental policies can provide. The Bill allows for such taking of data by the government after it has been anonymized, that is, gone through the process of anonymization. Section 3(2) of the Bill defines anonymization as, “in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority.”[28] Now, thought the act says that the process is irreversible but that is far from reality. In the entire world, there have been various studies and instances[29] that have taken place which shows that anonymized data is not free from re-identification and it is very easy to identify the data principal[30], that is, the person to whom the data belongs. For example, in 2016, journalists reidentified politicians in an anonymized browsing history dataset of three million German citizens, uncovering their medical information and their sexual preferences.[31] Such instances pose a continuous threat and raise a grave concern on privacy, confidentiality, and ethical use of personal data of the data principal. All these situations jeopardize the rights of data principles including the right to anonymity which is a vital component of the right to privacy and right to freedom of expression. The Justice B.N. Srikrishna Committee’s Report along with other scholars also supported that the irreversible anonymization as prescribed under the Bill is impossible to achieve with the current technology. Therefore, the risk of using and processing the data which could be re-identified raises a grave concern on the fundamental rights of individuals who opted to remain anonymous or for the people whose data was supposedly anonymized by the data fiduciaries for the purposes that the government or the DPA deems necessary.
Conclusion
The bill doesn’t seem to accept the idea of privacy in its true sense and tries to undermine it by way of its various arbitrary and intrusive provisions which indicates the Government’s reluctance to respect people’s right to privacy. In the current scenario, as discussed in the previous section, there are numerous provisions of the bill which run at the risk of creating legal uncertainty. These uncertainties, apart from the uncertainties highlighted above, include the inclusion of non-personal data under the act aimed specifically for the protection of personal data, lack of various definitions like critical data, and lack of procedure for restrictions, etc. All these uncertainties pose a direct threat to the Fundamental Rights including the right to privacy of the data principal. The bill is replete with arbitrary measures that provide the state with enormous powers and violates the Judgement on Right to Privacy. Therefore, it can clearly be stated that Bill has a detrimental effect on data privacy right. The bill exacerbates the privacy concerns of individuals rather than mitigating it and went too far from the draft bill of 2018 which was almost perfect. The alterations made in the draft bill of 2018 to present the 2019 bill show that the government wants to keep the power and is trying to resisting the much-needed changes in the law as given by the Supreme Court judges in the Puttaswamy judgement. The intent of the legislature in giving voice to our fundamental rights in this Bill must be to uphold them and provide careful guidance and safeguards when they are restricted, rather than to abdicate this function in favour of some outside authority.[32]
* The authors are 2nd year B.B.A-L.L.B student at O.P Jindal Global University. They can be reached at [email protected] and [email protected].
[1] ‘William J. Brennan, Jr. Quotes – Citation’ (BrainyQuote, 2020) <https://www.brainyquote.com/citation/quotes/william_j_brennan_jr_189775> accessed 8 May 2020.
[2] Glenn Negley, Philosophical Views on the Value of Privacy, 31 Law and Contemporary Problems (1966).
[3] Suzanne Uniacke, Privacy and the Right to Privacy, Bull Austl Soc Leg Phil 1 (1977) .
[4] Universal Declaration on Human Rights, G.A. Res. 217A, U.N. Doc. A/810, Art. 12 (1948); International Covenant on Civil and Political Rights, UN Doc. A/6316, Art. 17 (1966).
[5] (1954) AIR 300.
[6] Id.
[7] (1964) SCR (1) 332.
[8] (1975) SCC (2) 148
[9] AIR (1997) SC 568.
[10] (2017) 10 SCC 1.
[11] Id.
[12] (1954) AIR 300.
[13](1964) SCR (1) 332.
[14] AIR (1978) SC 597
[15] (2017) 10 SCC 1.
[16] Personal Data Protection Bill, § 12(b) (2019).
[17] Personal Data Protection Bill, § 35 (2019).
[18] Personal Data Protection Bill, Annexure A (2019).
[19] AIR (1952) SC 75.
[20] AIR (1979) SC 478
[21] (2019) 1 SCC 1.
[22] The Real Estate Act, § 22 (2016).
[23] Personal Data Protection Bill, (2019), Annexure B (2019).
[24] Personal Data Protection Bill, § 83(2) (2019).
[25] Personal Data Protection Bill, § 63(1) (2019).
[26] The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, § 47(2016).
[27] Id.
[28] Personal Data Protection Bill, § 3(2) (2019).
[29] Paul Ohm, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization, 57 UCLA L Rev 1701 (2010).
[30] Luc Rocher, Julien M. Hendrickx and Yves-Alexandre de Montjoye, Estimating The Success Of Re-Identifications In Incomplete Datasets Using Generative Models, 10 Nature Communications (2019).
[31] Id.
[32] Prasad, S., Raghavan, M., Chugh , B., & Singh, A., Implementing the Personal Data Protection Bill: Mapping Points of Action for Central Government and the future Data Protection Authority in India, Dvara Research (2019).