PRIVACY PART II: MATURING OF CONCEPTS, AND THE CONSTITUTIONAL IMPERATIVE

PRIVACY BILL OF 2011 & ONWARDS: INDIAN ATTEMPTS AT PROTECTION

The Privacy Bill, 2011¹ (the “2011 Bill”) was meant to be an omnibus law to deal with defining, and circumscribing the right, the very first of many that were to come as we shall learn below! So the 2011 Bill intended “to provide for the right to privacy to citizens of India and regulate the collection, maintenance, use, and dissemination of their personal information and provide for penal action for violation of such right and for matters connected therewith or incidental thereto.”² Despite the ruling of the Supreme Court in People’s Union for Civil Liberties (PUCL) v Union of India³ that held that the Right to Privacy was a Fundamental Right under Article 21 of the Constitution of India, the 2011 Bill under S.3(1) sought to grant the Right to Privacy to ‘every individual’. S.3(2) defined inclusively the said right.⁴ The Right was defined expansively to include every aspect of an individual’s life. Since the right is a Fundamental Right, it is bound to be a right that is not only expansive, but also all encompassing, and thus pervasive – affecting each and every aspect of one’s life, behaviour, and legal and biological existence. Interception was made a Central or State Home Secretarial clearance.⁵ Interception orders were to contain definite details as to identities of persons, addresses, and/or premises used for communication.⁶ Orders or interception would lapse after two months of date of issue,⁷ and extensions shall be granted upto a maximum of six months total⁸.

As regards Health Information Privacy, access to an individual’s health data and disclosure of the same to the public was strictly prohibited⁹, except by way of prior consent of such individual¹⁰, and the same was not to be revealed to the public if so collected¹¹. All such data collected without consent was to be done with a specifically defined purpose and not without returned and destroyed after such specific purpose was met.¹² All such collection, consensual or otherwise, should be done in accordance with a specific applicable law.¹³ However, what the 2011 Bill failed to specify was the specific parameters for the purpose of collection, for the collection simpliciter, and destruction of such collected information.

As regards Data Privacy, collection, processing, use, and/or disclosure, of all the data not including Health Information data, vis-à-vis an individual was only to be with the consent of such individual, if such data were to be transmitted within India.¹⁴ If the said data were to be transmitted outside India, the provision would not apply. Exceptions to the said restrictions¹⁵ were in the nature of consent, court order or direction, scientific / academic research, in discharge of professional duties subject to code of ethics / legislation governing such profession, national security or public order, detection or prevention of a crime, law enforcement, taxation, journalistic, literary, or artistic publication, historical research, and for obtaining legal advice or for legal proceedings to establish, exercise, or defend one’s legal rights.¹⁶

As regards Personal Data, collection and handling of the same was subject to Data Privacy provisions of the 2011 Bill, and in accordance with a possible pointer to the IT Personal Data Rules, 2011.¹⁷ Exceptions to the said restrictions¹⁸ were when such data is already public record or has been voluntarily made the same publicly available, or when the individual has consented to the same. While collecting such data the collector needs to intimate the purpose of such collection, consequences of failure to provide such data, disclose the identities of recipients of the data, identity of data processors, and intent to transfer data out of the country.¹⁹

Data Processing had been subjected to restrictions such as purposeful, and fair, appropriate, and lawful processing of data, restriction against collection of personal data in excess of requirement, and the individual has a right to object to processing of personal data if such applicable data processing law is not adhered to.²⁰ All data collectors, processors, disclosers, and users are required to keep such data complete, accurate, and updated at all times for the duration the said data is within their custody or control.

As regards Personal Sensitive Data, prior written consent from individuals over 18 years, and from any parent of such individual below 18 years was required.²¹ Exceptions²² to the same were when the said data was required by one’s employer, the same was already made public by such individual, towards legal advice or defending legal rights, used by medical professional, or towards education to data subject by his school or educational institution.

The 2011 Bill also placed restrictions on data processing for unsolicited commercial communications, by granting the data subject a right to notify a cease and desist direction in this regard.²³ Data Retention was also subjected to restrictions as to time, consent for extension, destruction, and anonymization.²⁴ A data handler was to ensure Data Security from loss, theft, damage, unauthorized destruction, unlawful processing, and unauthorized accidental or intentional disclosure.²⁵ All sub-contractors of data controllers were considered at par with data controller for the purposes of the 2011 Bill.²⁶ Thus liability was not only vicarious but primary, and resultantly also joint and several. All individuals had a Right to Access their data and request Correction of the same, as also know who has requested or accessed their data.²⁷ A Data Security Breach was to be intimated to individuals concerned, as well as the Data Protection Authority of India²⁸, unless specified otherwise.²⁹ Sadly, the 2011 Bill never saw the light of day.

PUTTASWAMY JUDGMENT & THE BLUE PRINT OF PRIVACY

While the 2011 Bill gathered dust upon a desk somewhere in a room at the legislature, the Supreme Court was called upon to consider the matter of privacy in a 2012 SLP filed by a 91-year old retired High Court Judge Justice K. S. Puttaswamy against the Union of India³⁰ before a nine-judge bench of the Supreme Court which had been set up on reference from the Constitution Bench to determine whether the Right to Privacy was guaranteed as an independent fundamental right following conflicting decisions from previous Supreme Court decisions. The latest case concerned a challenge to the Indian government’s Aadhaar scheme (a form of uniform biometrics-based identity card) which the government proposed making mandatory for access to government services and benefits. The challenge was made before a three-judge bench of the Supreme Court on the basis that the scheme violated the right to privacy. However, the Attorney General argued on behalf of the Union that the Indian Constitution does not grant specific protection for the right to privacy. He based this on observations made in the case of M.P. Sharma & Ors. v. Satish Chandra, District Magistrate, Delhi & Ors.³¹ (“M.P. Sharma”) (an eight-judge bench decision), and Kharak Singh v. State of Uttar Pradesh & Ors.³² (“Kharak Singh”) (a five-judge bench decision). However, the Petitioners argued that M P Sharma and Kharak Singh were founded on principles expounded in A K Gopalan v State of Madras³³ (“Gopalan”). That Gopalan which construed each provision contained in the Chapter on fundamental rights as embodying a distinct protection, was held not to be good law by an eleven-judge bench in Rustom Cavasji Cooper v Union of India³⁴ (“Cooper”). Hence the Petitioners submitted that the basis of the two earlier decisions is not valid. Moreover, it was also urged that in the seven-judge Bench decision in Maneka Gandhi v Union of India³⁵ (“Maneka”), the minority judgment of Justice Subba Rao in Kharak Singh was specifically approved of and the decision of the majority was overruled. The referencing three judge bench herein also observed that since the Right to Privacy had subsequently been held to be a constitutionally protected right in subsequent decisions of the Supreme Court³⁶ of various strengths, it posed a predicament viz the far-reaching questions of importance involving interpretation of the Constitution, and institutional integrity and judicial discipline and thus warranted reference to a larger Bench of Nine Judges.

The Nine Judge Bench (the “Bench”) was constituted and tasked itself with the determining the correctness of the aforestated decisions in view of the scheme of the Indian Constitution, and with the most important question of “whether the Constitution protects privacy” “not by providing an exhaustive enunciation or catalogue of what it includes but by indicating its broad contours.”³⁷ The bench restated the position of constitutional law and fundamental rights in India as follows:³⁸

“Firstly, the fundamental rights emanate from basic notions of liberty and dignity and the enumeration of some facets of liberty as distinctly protected rights under Article 19 does not denude Article 21 of its expansive ambit. Secondly, the validity of a law which infringes the fundamental rights has to be tested not with reference to the object of state action but on the basis of its effect on the guarantees of freedom. Thirdly, the requirement of Article 14 that state action must not be arbitrary and must fulfill the requirement of reasonableness, imparts meaning to the constitutional guarantees in Part III.”

The Bench further sought out the theoretical origins of the concept of privacy by discussing philosophers such as Aristotle, William Blackstone, John Stuart Mill, John Austin, James Madison, Roscoe Pound, etc. The Right to be Left Alone was observed to have been first coined by Thomas Cooley when he wrote: “the right of one’s person may be said to be a right of complete immunity; the right to be alone.”³⁹ Further, the Bench went through a trove of cases that associated privacy of the individual with human dignity. The Indian Constitution also clearly states: “… JUSTICE, social, economic and political; LIBERTY of thought, expression, belief, faith and worship; EQUALITY of status and of opportunity; and to promote among them all FRATERNITY assuring the dignity of the individual and the unity of the Nation;…” Hence, concept of dignity clearly is envisaged within the basic structure of the Indian Constitution. The Bench thus observed:⁴⁰

“Over the last four decades, our constitutional jurisprudence has recognised the inseparable relationship between protection of life and liberty with dignity. Dignity as a constitutional value finds expression in the Preamble. The constitutional vision seeks the realisation of justice (social, economic and political); liberty (of thought, expression, belief, faith and worship); equality (as a guarantee against arbitrary treatment of individuals) and fraternity (which assures a life of dignity to every individual). These constitutional precepts exist in unity to facilitate a humane and compassionate society. The individual is the focal point of the Constitution because it is in the realisation of individual rights that the collective well being of the community is determined. Human dignity is an integral part of the Constitution. Reflections of dignity are found in the guarantee against arbitrariness (Article 14), the lamps of freedom (Article 19) and in the right to life and personal liberty (Article 21).”

(emphasis added)

The Bench further opined:⁴¹

“Life is precious in itself. But life is worth living because of the freedoms which enable each individual to live life as it should be lived. The best decisions on how life should be lived are entrusted to the individual. They are continuously shaped by the social milieu in which individuals exist. The duty of the state is to safeguard the ability to take decisions – the autonomy of the individual – and not to dictate those decisions. ‘Life’ within the meaning of Article 21 is not confined to the integrity of the physical body. The right comprehends one’s being in its fullest sense. That which facilitates the fulfilment of life is as much within the protection of the guarantee of life.”

Thus, the Bench concluded that privacy ensures the fulfillment of dignity, and thus the protection of life and liberty,⁴² and that “constitutional interpretation is but a process in achieving justice, liberty and dignity to every citizen”⁴³.

Referring to the Protection of Human Right Act, 1993 (the “PHRA”), the Bench observed that the PHRA while defining⁴⁴ human rights states that they are “rights relating to life, liberty, equality and dignity of the individual guaranteed by the Constitution or embodied in the International Covenants and enforceable by courts in India”. Further, international covenants are defined⁴⁵ as “International Covenant on Civil and Political Rights and the International Covenant on Economic, Social and Cultural Rights”. The National Human Right Commission has been set up under the PHRA and is entrusted⁴⁶ with “the function of studying treaties and other international instruments on human rights and make recommendations for their effective implementation.” Since India has fully ratified Article 17⁴⁷ of the ICCPR, the Right to Privacy has been fully adopted within the jurisprudence of the nation, and within the constitutional fabric, by way of assumption of this international law obligation. The Bench further observed that it is well settled law that if international law obligations and domestic law do not conflict, enforcing international law obligations is a constitutional imperative, in this case by way of the fundamental rights guaranteed under Part III of the Indian Constitution. Thus “constitutional provisions must be read and interpreted in a manner which would enhance their conformity with the global human rights regime.”⁴⁸

Referring to the Constitutional Assembly Debates (the “CAD”) the Bench observed that there were two proposals regarding privacy, one pertaining to “the guarantee to every citizen the right to secrecy of correspondence”⁴⁹ and the other regarding “protection against unreasonable searches”⁵⁰. The said clauses were not included at all in the Constitution of India. The debates revealed that the exclusions were not meant to deny the right to privacy but to prevent invalidation of any and all police investigation.⁵¹ The Bench concluded that over time Articles 14, 19 and 21 have been interpreted as being inter-related and not stand alone rights, and thus the Constitution of India has evolved over time to include newer rights, and restrict them with permissible restrictions that are just, fair and reasonable, and are imposed by way of procedure established by law.⁵² The Bench further opined that the Constitution has preserved the natural rights of citizens, and all technological advancements, and the newer challenges they bring with them as to rights of citizens would further require “succeeding generations to apply the principles on which it has been founded to find innovative solutions to intractable problems of their times.”⁵³

The Bench also dealt with the question of whether ‘statutory protection to privacy is reason enough to deny a constitutional right?’ The Bench reasoned that the protection to the Right to Privacy warranted inviolability as it was fundamentally intertwined with the natural law principles of the Constitution as well as “dignity” of its Preamble, and thus needed to be part of Part III.⁵⁴ Privacy is nothing but an incident of protection of life, personal liberty, and of the liberties guaranteed by the provisions of Part III.⁵⁵

The Bench also opined that Privacy is both a negative and positive right. As a negative, the right entails that individuals are protected from unwanted intrusion by both the state and private actors into their private life, especially features that define their personal identity such as sexuality, religion and political affiliation, that is, the inner core of a person’s private life. As a positive, the right entails an obligation of states to remove obstacles for an autonomous shaping of individual identities.⁵⁶ Thus Privacy ranges from the Right to be Left Alone all the way to Protection of One’s Identity. It is the former that ties in with the negative, and the latter, where the issue of Data or Informational Privacy ties in with the positive.

The Bench then dealt with Informational Privacy in the current context. How a mere tracking of internet presence of individuals can reveal food habits, language, health, hobbies, sexual preferences, friendships, ways of dressing, and political affiliation. That in aggregation, information provides a picture of the being: of things which matter and those that don’t, of things to be disclosed and those best hidden.⁵⁷ Informational Privacy is now paramount than ever, since it is subject to the swiftest and quickest theft and/or misappropriation.⁵⁸ The legal machinery seems to always play catch-up in protection of individual rights, and to anticipate and identify invisible ever evolving harms, in this age of rapidly evolving technology, that poses newer challenges for Informational Privacy, especially when State and its actors too resort of technology intensive governance and politics, in addition to private actors.⁵⁹

The Bench then discussed the various data interests of the State machinery. The State might be interested in data of its citizens or persons within living or operating within its jurisdiction on account of concerns of protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits, etc. The purpose of data collection by the State should be towards the narrow legitimate purpose of the aforementioned, and not for any other illegal unconstitutional end. Prevention and investigation of crime and protection of the revenue are among the legitimate aims of the state. Digital platforms are a vital tool of ensuring good governance in a social welfare state. Information technology – legitimately deployed is a powerful enabler in the spread of innovation and knowledge.⁶⁰ Thus like the right to life and personal liberty guaranteed under Article 21, the right to privacy is also not an absolute right. Thus any curtailment or deprivation of that right would have to take place under a regime of law. The procedure established by law must be fair, just and reasonable. The law which provides for the curtailment of the right must also be subject to constitutional safeguards.⁶¹ Further, the Bench discussed the Report of Group of Experts (the “GoX”) on Privacy.⁶² The GoX proposed Privacy Principles⁶³ to be followed at all times and costs, and proposed a Privacy Framework with certain Salient Features⁶⁴.

The Bench thus held that the Rights to Life and Personal Liberty are not Constitutionally guaranteed rights but are Constitutionally recognised rights as “inhering in each individual as an intrinsic and inseparable part of the human element which dwells within”. Right to Privacy emerges primarily from the guarantee of life and personal liberty in Article 21 of the Constitution. Elements of privacy also arise in varying contexts from the other facets of freedom and dignity recognised and guaranteed by the fundamental rights contained in Part III. Privacy is the constitutional core of human dignity. Privacy has both a normative and descriptive function. At a normative level privacy sub-serves those eternal values upon which the guarantees of life, liberty and freedom are founded. At a descriptive level, privacy postulates a bundle of entitlements and interests which lie at the foundation of ordered liberty. However, the Bench refused to provide an exhaustive enumeration or a catalogue of entitlements or interests comprised in the right to privacy, and thus left the evolution of such entitlements to democracy, and democratic interactions, and technological change. An invasion of life or personal liberty, that also includes Privacy, must meet the three-fold requirement of:

1. legality, which postulates the existence of law;

2. need, defined in terms of a legitimate state aim; and

3. proportionality, which ensures a rational nexus between the objects and the means adopted to achieve them.

The Bench held that Privacy has both positive and negative content. The negative content restrains the state from committing an intrusion upon the life and personal liberty of a citizen. Its positive content imposes an obligation on the state to take all necessary measures to protect the privacy of the individual. As regards Informational Privacy, the Bench burdened the Central Government to bring about a robust regime of Data Protection.

Justice Chelameshwar emphasised on the concept of “Compelling State Interest Standard” as used in Gobind. From the United States where the terminology of ‘compelling state interest’ originated, a strict standard of scrutiny comprises (1) a ‘compelling state interest’ (an interest is compelling when it is essential or necessary rather than a matter of choice, preference, or discretion)⁶⁵ and (2) a requirement of ‘narrow tailoring’ of the statute (narrow tailoring means that the law must be narrowly framed to achieve its objective)⁶⁶. Thus Justice Chelameshwar emphasised upon using this standard, in privacy cases with clarity.⁶⁷

Justice Sanjay Kishan Kaul looked into the justifications of Privacy and stated that “[p]rivacy, for example is nothing but a form of dignity, which itself is a subset of liberty.”⁶⁸ Privacy is also the key to freedom of thought.⁶⁹ The hallmark of freedom in a democracy is having the autonomy and control over our lives which becomes impossible, if important decisions are made in secret without our awareness or participation.⁷⁰ He observed that an individual’s reputation rests upon the extent of revelations of truths about such an individual as much as spread of falsehoods.⁷¹ Thus Justice Kaul observed that truthful information that breaches privacy may also require protection.⁷² This also spawns the right of an individual to control commercialization of his information and/or identity.⁷³ Privacy also enables personal reinvention and erasure of past mistakes.⁷⁴ He also emphasised special attention to children's’ privacy and the need for its protection such that their digital footprints do not haunt them for their entire life.⁷⁵ He emphasised that the right to be forgotten also spawns from Privacy, and is tamed, just like privacy by other fundamental rights like the freedom of expression, or freedom of media, fundamental to a democratic society.⁷⁶ Justice Kaul emphasised upon the need for Data Regulation in view of the EU GDPR as well as in view of the aforementioned GoX proposed Privacy Principles and the proposed Privacy Framework with certain Salient Features. He concluded with the finding that the Right to Privacy was a Fundamental Right that was necessary for self determination, dignity, and thus liberty, and was subject to privileges and restrictions of Part III of the Constitution of India.⁷⁷

From the aforesaid, it can thus safely be concluded that a law that seeks to regulate privacy should have the following salient features:

1. Broadest possible definition of Privacy and its scope encompassing all possible areas that existing laws cover, and that anticipates Privacy applications / areas that current laws do not cover.

2. Clear⁷⁸ definition of Restrictions sought to be imposed upon Privacy.

3. Clear definitions of and Procedures to be followed in imposing those Restrictions.

4. Clear applicability of the law to private and public actors alike, including intermediaries.

5. Clear procedures for data collection, augmentation/correction/updation, processing, storage, and destruction.

6. Clear disputes resolution mechanism, that possibly does not exclude the current judicial system.⁷⁹

7. Clear Privacy Infringement Penalties with harsh consequences, both with deterrent amounts towards civil damages and criminal imprisonment for office bearers of government and private actors alike. Corporate veil to have no relevance in cases of privacy breaches, and personal liberty stakes to be enforced against erring corporate top brass / board of directors, and government officials as well as ministers without any immunities whatsoever.

8. Reverse onus liability, and presumption of guilt for privacy breach should be incorporated, and thus burden should be upon data handlers to prove their innocence.

The above is merely a legal safeguard framework discussed by the Supreme Court of India, and a blue print as well as touchstone of validity of the law regulating the Right to Privacy in India. The following parts shall deal with the proposed Indian law, GDPR, and Technological Safeguards to enforce the Right to Privacy.

1Various versions of the Bill are available over the internet, but none at the Government of India website. The version referred to here is available at: https://bourgeoisinspirations.files.wordpress.com/2010/03/draft_right-to-privacy.pdf

2See Preamble of the 2011 Bill.

3[1997] 1 SCC 301, holding that: “We have, therefore, no hesitation in holding that right to privacy is a part of the right to “life” and “personal liberty” enshrined under Article 21 of the Constitution. Once the facts in a given case constitute a right to privacy, Article 21 is attracted. The said right cannot be curtailed “except according to procedure established by law”

4The Right of privacy of an individual under sub-section (1) shall include,—

1. confidentiality of communication made to, or, by him (including his personal correspondence, telephone conversations, telegraph messages, postal, electronic mail and other modes of communication;

2. confidentiality of his private or his family life;

3. protection of his honour and good name;

4. protection from search, detention or exposure of lawful communication between and among individuals;

5. privacy from his surveillance;

6. confidentiality of his banking and financial transactions;

7. confidentiality of his medical and legal information;

8. protection from his identity theft including criminal identity theft (posing as another person when apprehended for a crime), financial identity theft (using another’s identity to obtain credit, goods and services), identity cloning (using another’s information to assume his or her identity in daily life), medical identity theft (using another’s identity to obtain medical care and drugs);

9. protection from use of his photographs, fingerprints, DNA samples, and other samples taken at police syations or other places;

10. privacy of his health information;

11. Protection of data relating to individual.

5As per Section 5, 2011 Bill.

6As per Section 7, 2011 Bill.

7As per Section 10, 2011 Bill.

8As per Section 11, 2011 Bill.

9As per Section 27, 2011 Bill.

10As per Section 28(1), 2011 Bill.

11As per Section 28(4), 2011 Bill.

12As per Section 28(3), 2011 Bill.

13As per Section 28(2) & 28(3), 2011 Bill.

14As per Section 29(1), 2011 Bill.

15As per Section 30, 2011 Bill.

16As per Section 30(1)(a) to (k), 2011 Bill.

17As per Section 33(1), 2011 Bill.

18As per Section 33(2), 2011 Bill.

19As per Section 33(3), 2011 Bill.

20As per Section 34, 2011 Bill.

21As per Section 36(1), 2011 Bill.

22As per Section 36(2), 2011 Bill.

23As per Section 37, 2011 Bill.

24As per Section 38, 2011 Bill.

25As per Section 40(1), 2011 Bill.

26As per Section 40(2) & (3), 2011 Bill.

27As per Section 42(1), 2011 Bill.

28As per Section 49, 2011 Bill was to be established and was entrusted with functions under S.57(1).

29As per Section 41, 2011 Bill.

30In Justice K. S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors., W.P. (C) 494 / 2012 decided on 24-08-2017, and available at: [https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf] (hereinafter referred to as Puttaswamy).

31[1950] SCR 1077.

32[1962] 1 SCR 332 :: AIR 1963 SC 1295.

33AIR 1950 SC 27.

34[1970] 1 SCC 248.

35[1978] 1 SCC 248.

36Gobind v State of Madhya Pradesh, [1975] 2 SCC 148 (“Gobind”), R Rajagopal v State of Tamil Nadu, [1994] 6 SCC 632 (“Rajagopal”) and People’s Union for Civil Liberties v Union of India, [1997] 1 SCC 301 (“PUCL”).

37As per Para 7: “The correctness of the decisions in M P Sharma and Kharak Singh, is to be evaluated during the course of the reference. Besides, the jurisprudential correctness of subsequent decisions holding the right to privacy to be a constitutionally protected right is to be determined. The basic question whether privacy is a right protected under our Constitution requires an understanding of what privacy means. For it is when we understand what interests or entitlements privacy safeguards, that we can determine whether the Constitution protects privacy. The contents of privacy need to be analysed, not by providing an exhaustive enunciation or catalogue of what it includes but by indicating its broad contours. The Court has been addressed on various aspects of privacy including: (i) Whether there is a constitutionally protected right to privacy; (ii) If there is a constitutionally protected right, whether this has the character of an independent fundamental right or whether it arises from within the existing guarantees of protected rights such as life and personal liberty; (iii) the doctrinal foundations of the claim to privacy; (iv) the content of privacy; and (v) the nature of the regulatory power of the state.”

38See Puttaswamy Para 24.

39Thomas M. Cooley, Treatise on the Law of Torts or the Wrongs Which Arise Independent of Contract (Chicago: Callaghan and Company, 1879) at p.29.

40See Puttaswamy Para 96.

41See Puttaswamy Para 106.

42See Puttaswamy Para 107: “To live is to live with dignity. The draftsmen of the Constitution defined their vision of the society in which constitutional values would be attained by emphasising, among other freedoms, liberty and dignity. So fundamental is dignity that it permeates the core of the rights guaranteed to the individual by Part III. Dignity is the core which unites the fundamental rights because the fundamental rights seek to achieve for each individual the dignity of existence. Privacy with its attendant values assures dignity to the individual and it is only when life can be enjoyed with dignity can liberty be of true substance. Privacy ensures the fulfillment of dignity and is a core value which the protection of life and liberty is intended to achieve.”

43See Puttaswamy Para 116.

44Under Section 2(1)(d), PHRA.

45Under Section 2(1)(f), PHRA.

46Under Section 12(f), PHRA.

47In contrast to Articles 1, 9, and 13 of the ICCPR to which India has filed its reservations.

48See Puttaswamy Para 133. The Bench thus concluded that “[i]n fact, the enactment of the Human Rights Act by Parliament would indicate a legislative desire to implement the human rights regime founded on constitutional values and international conventions acceded to by India.

49Proposed Clause 9(d): The right of every citizen to the secrecy of his correspondence. Provision may be made by law to regulate the interception or detention of articles and messages in course of transmission by post, telegraph or otherwise on the occurrence of any public emergency or in the interests of public safety or tranquility…

50Proposed Clause 10: The right of the people to be secure in their persons, houses, papers and effects against unreasonable searches and seizures, shall not be violated and no warrants shall issue but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

51See Puttaswamy Paras 143 to 148.

52The ‘procedure established by law’ means ‘procedural due process’ or as requiring compliance with natural justice. See Gopalan, Cooper and Meneka supra. Additionally, the measure of “procedure established by law” found place in the Constitution of India instead of “due process of law” as in the US Constitution. See Granville Austin, The Indian Constitution: Cornerstone of a Nation, Oxford University Press (1966), at 103, as cited in Puttaswamy Para 161. See also B. Shiva Rao, The Framing of India’s Constitution: A Study, Indian Institute of Public Administration (1968), at page 235. See also B. Shiva Rao, The Framing of India’s Constitution, Vol. 2, at pages 20-36, 147-153, as cited in Puttaswamy Para 161. However, the Bench observed:

“Having noticed this, the evolution of Article 21, since the decision in Cooper indicates two major areas of change. First, the fundamental rights are no longer regarded as isolated silos or water tight compartments. In consequence, Article 14 has been held to animate the content of Article 21. Second, the expression ‘procedure established by law’ in Article 21 does not connote a formalistic requirement of a mere presence of procedure in enacted law. That expression has been held to signify the content of the procedure and its quality which must be fair, just and reasonable. The mere fact that the law provides for the deprivation of life or personal liberty is not sufficient to conclude its validity and the procedure to be constitutionally valid must be fair, just and reasonable. The quality of reasonableness does not attach only to the content of the procedure which the law prescribes with reference to Article 21 but to the content of the law itself. In other words, the requirement of Article 21 is not fulfilled only by the enactment of fair and reasonable procedure under the law and a law which does so may yet be susceptible to challenge on the ground that its content does not accord with the requirements of a valid law. The law is open to substantive challenge on the ground that it violates the fundamental right.”

See Puttaswamy Para 164.

“Reference to substantive due process in some of the judgments is essentially a reference to a substantive challenge to the validity of a law on the ground that its substantive (as distinct from procedural) provisions violate the Constitution.”

See Puttaswamy Para 167.

53See Puttaswamy Para 151. The profound words of Justice D.Y. Chandrachud can not be summarized and are thus quoted here:

Today’s technology renders models of application of a few years ago obsolescent. Hence, it would be an injustice both to the draftsmen of the Constitution as well as to the document which they sanctified to constrict its interpretation to an originalist interpretation. Today’s problems have to be adjudged by a vibrant application of constitutional doctrine and cannot be frozen by a vision suited to a radically different society. We describe the Constitution as a living instrument simply for the reason that while it is a document which enunciates eternal values for Indian society, it possesses the resilience necessary to ensure its continued relevance. Its continued relevance lies precisely in its ability to allow succeeding generations to apply the principles on which it has been founded to find innovative solutions to intractable problems of their times. In doing so, we must equally understand that our solutions must continuously undergo a process of re-engineering.

54See Puttaswamy Para 153.

55See Puttaswamy Para 158.

56Anna Jonsson Cornell, “Right to Privacy”, Max Planck Encyclopaedia of Comparative Constitutional Law (2015), as cited in Puttaswamy Para 158.

57See Puttaswamy Para 170.

58See Puttaswamy Para 173: The age of information has resulted in complex issues for informational privacy. These issues arise from the nature of information itself. Information has three facets: it is nonrivalrous, invisible, and recombinant. [citing Christina P. Moniodis, “Moving from Nixon to NASA: Privacy’s Second Strand – A Right to Informational Privacy”, 15(1) Yale J. of L. and Tech. (2012), at 153, hereinafter referred to as Moniodis] Information is nonrivalrous in the sense that there can be simultaneous users of the good – use of a piece of information by one person does not make it less available to another. Secondly, invasions of data privacy are difficult to detect because they can be invisible. Information can be accessed, stored and disseminated without notice. Its ability to travel at the speed of light enhances the invisibility of access to data, “information collection can be the swiftest theft of all”. Ibid. Thirdly, information is recombinant in the sense that data output can be used as an input to generate more data output.

59See Puttaswamy Para 174, citing Moniodis at 154 thus: The creation of new knowledge complicates data privacy law as it involves information the individual did not possess and could not disclose, knowingly or otherwise. In addition, as our state becomes an “information state” through increasing reliance on information – such that information is described as the “lifeblood that sustains political, social, and business decisions. It becomes impossible to conceptualize all of the possible uses of information and resulting harms. Such a situation poses a challenge for courts who are effectively asked to anticipate and remedy invisible, evolving harms.

60See Puttaswamy Para 181.

61See Puttaswamy Para 183.

62See earlier at: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf, now at: https://www.niti.gov.in/planningcommission.gov.in/docs/reports/genrep/rep_privacy.pdf

63The Proposed Privacy Principles are as follows:

1. Notice: a simple-to-understand notice of information practices to all concerned in clear and concise language, before personal information collection.

2. Choice and Consent: an opt-in/opt-out choice with respect to personal information, and seek individual consent only after providing aforesaid notice. Such consent shall be revokable at any time.

3. Collection Limitation: A data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection, regarding which notice has been provided and consent of the individual taken. Such collection shall be through lawful and fair means.

4. Purpose Limitation: Personal data so collected and processed should be adequate and relevant to the purposes for which it is processed, as mentioned in the aforementioned Notice. After personal information has been used in accordance with the identified purpose it should be destroyed as per the identified procedures. Data retention mandates by the government should be in compliance with the National Privacy Principles.

5. Access and Correction: Individuals shall have access to personal information and shall be able to correct, update, and seek deletion of the said personal data.

6. Disclosure of Information: Disclosure only upon informed consent to third parties, and the latter shall be subject to the same privacy principles. Disclosure to law enforcement shall be in accordance with law.

7. Security: Data to be made secure by reasonable security safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, deanonymization, unauthorized disclosure [either accidental or incidental] or other reasonably foreseeable risks.

8. Openness: Practices, procedures, policies, and systems should be proportional to the scale, scope, and sensitivity to the data they collect, in order to ensure compliance with the privacy principles. Information regarding the aforesaid shall be made in an intelligible form, using clear and plain language, and made available to all individuals.

9. Accountability: Accountability for giving effect to the privacy principles, that include mechanisms to implement privacy policies; including tools, training, and education; external and internal audits, and requiring organizations or overseeing bodies extend all necessary support to the Privacy Commissioner and comply with the specific and general orders of the Privacy Commissioner.

64Proposed Salient Feature of the Privacy Framework are as follows:

1. Technological Neutrality and Interoperability with International Standards: The framework for privacy legislation must be technologically neutral and interoperable with international standards. No any reference to specific technologies should be made and the law should be generic enough such that the principles and enforcement mechanisms remain adaptable to changes in society, the marketplace, technology, and the government, as well as global data privacy norms. Thus, one of the focuses of the framework should be to inspire trust of global clients and their end users, without compromising the interests of domestic customers in enhancing their privacy protection.

2. Multi-Dimensional Privacy: Privacy in its broadest sense includes not only data protection viz. the right to privacy over the internet and challenges emerging therefrom, but also protection from unauthorised interception, audio and video surveillance, use of personal identifiers, bodily privacy including DNA as well as physical privacy, and any other new and emerging privacy issues.

3. Horizontal Applicability: Both government and private actors, whether national or international should be subject to the privacy law. The Pegasus fiasco has heightened the need for this salient feature. (See Cindy Cohn, “Pegasus Project Shows the Need for Real Device Security, Accountability, and Redress for Those Facing State-Sponsored Malware”, July 20, 2021, at https://www.eff.org/deeplinks/2021/07/nso-group-leak-shows-need-real-device-security-accountability-and-redress-those).

4. Conformity with Privacy Principles: The 9 fundamental Privacy Principles should form the bedrock of the proposed Privacy Act in India. are intended to provide the minimum level of privacy protection to all individuals.

5. Co-Regulatory Enforcement Regime: Establishment of a Privacy Commissioner, both at the central and regional levels that shall be the primary authority for enforcement of the provisions of the Act. Also establishment of an ecosystem of Self-Regulation Organisations (SROs) that would be vested with the responsibility of autonomously ensuring compliance with the Act, subject to regular oversight by the Privacy Commissioners. The SROs, apart from possessing industry-specific knowledge, would also be better placed to create awareness about the right to privacy and explaining the sensitivities of privacy protection both within industry as well as to the public in respective sectors. This co-regulatory regime will not derogate from the powers of courts which will a forum of last resort in case of persistent and unresolved violations of the Privacy Act.

65In the US, a government regulation that impairs First Amendment rights must meet a higher standard of need, called a “compelling government interest”, to be constitutional. Regulation vital to the protection of public health and safety, including the regulation of violent crime, the requirements of national security and military necessity are examples of compelling governmental interests. But courts have decided other regulations go too far. For instance in Wisconsin v. Yoder, 406 U.S. 205 (1972), United States Supreme Court found that Amish children could not be placed under compulsory education past 8th grade. The parents’ fundamental right to freedom of religion was determined to outweigh the state’s interest in educating their children. The case is often cited as a basis for parents’ right to educate their children outside of traditional private or public schools.

66The US Supreme Court has ruled that government regulation of First Amendment rights must be “narrowly tailored,” which means that laws must be written precisely to place as few restrictions as possible on First Amendment liberties. Narrow tailoring is linked to the Overbreadth Doctrine, which the Court invokes when a law sweeps too broadly and inhibits protected, as well as unprotected, expression. An example of the Supreme Court rejecting a law that was not narrowly tailored to its purpose was in Gooding v. Wilson, 405 U.S. 518 (1972), where Georgia had convicted an anti-war protester for violating its breach of peace statute that prohibited “opprobrious words or abusive language, tending to cause a breach of the peace.” (When Johnny C. Wilson, an anti-war activist, was taken into custody for interfering with military recruitment, he threatened to kill arresting officers. He was charged under a Georgia statute that outlawed “opprobrious words or abusive language tending to cause a breach of the peace.” The Supreme Court first identified fighting words as a categorical exception to the First Amendment in Chaplinsky v. New Hampshire, 315 U.S. 568 (1942). A unanimous Court held that words that “by their very utterance inflict injury or tend to incite an immediate breach of the peace” constituted unprotected expression. Writing for the majority in Gooding, Justice William J. Brennan Jr. invalidated the Georgia statute, interpreting Chaplinsky to apply only to language that had “a direct tendency to cause acts of violence by the person to whom, individually, the remark is addressed.” The Court analyzed the history of Georgia’s application of the statute and concluded that it had been invoked repeatedly to punish the use of communications that were “not ‘fighting words’ as Chaplinsky defines them.” Thus, the Court concluded that the statute was overbroad because it was “susceptible of application to protected expression.” The Court’s decision in effect limited the application of the “fighting words” exception. When classifying expression as fighting words, courts would look at a communication’s tendency to produce an immediate and violent reaction rather than the offensiveness of the language used.)

67As to when and in what types of privacy claims should the standard be used. See Puttaswamy Para 45, J. Chelameshwar.

68See Puttaswamy Para 40, J. Kaul.

69See Puttaswamy Para 52, J. Kaul. “A person has a right to think. The thoughts are sometimes translated into speech but confined to the person to whom it is made. For example, one may want to criticize someone but not share the criticism with the world.” Privacy assists in preventing awkward social situations and reducing social frictions. Most of the information about individuals can fall under the phrase “none of your business”. On information being shared voluntarily, the same may be said to be in confidence and any breach of confidentiality is a breach of the trust. This is more so in the professional relationships such as with doctors and lawyers which requires an element of candor in disclosure of information. An individual has the right to control one’s life while submitting personal data for various facilities and services. It is but essential that the individual knows as to what the data is being used for with the ability to correct and amend it.

70See Puttaswamy Para 53, J. Kaul, citing Daniel Solove, ‘10 Reasons Why Privacy Matters’, published on January 20, 2014 (at https://www.teachprivacy.com/10-reasons-privacy-matters/)

71See Puttaswamy Para 56, J. Kaul stating that: An individual has a right to protect his reputation from being unfairly harmed and such protection of reputation needs to exist not only against falsehood but also certain truths. It cannot be said that a more accurate judgment about people can be facilitated by knowing private details about their lives – people judge us badly, they judge us in haste, they judge out of context, they judge without hearing the whole story and they judge with hypocrisy. Privacy lets people protect themselves from these troublesome judgments. Citing Daniel Solove, Id. He further stated that: There is no justification for making all truthful information available to the public. The public does not have an interest in knowing all information that is true. Which celebrity has had sexual relationships with whom might be of interest to the public but has no element of public interest and may therefore be a breach of privacy.

72See Puttaswamy Para 56, J. Kaul.

73See Puttaswamy Para 57, J. Kaul.

74See Puttaswamy Para 65, J. Kaul.

75See Puttaswamy Paras 66-67, J. Kaul.

76See Puttaswamy Paras 68-69, J. Kaul.

77See Puttaswamy Paras 77-83, J. Kaul.

78Well, when I say clear I am aware of the conundrum of language becoming ambiguous while broadening of definitions and future-proofing laws.

79We have seen how implementation and enforcement of Human Rights, Consumer Laws, and the like get sidelined and watered down due to lack of appointments, casual attitude of tribunals, and complacency on account of non-formal nature of proceedings in the name of ease of decision making and reduction to rigour of the legal system that is blamed for its delays. The GoX too has proposed the same.