What is Privacy?

Privacy is a fundamental right, essential to autonomy and the protection of human dignity, serving as the foundation upon which many other human rights are built.

Privacy enables us to create barriers and manage boundaries to protect ourselves from unwarranted interference in our lives, which allows us to negotiate who we are and how we want to interact with the world around us.  Privacy helps us establish boundaries to limit who has access to our bodies, places and things, as well as our communications and information.

Privacy can be defined in multiple definitions.  However, lets us first understand how the Right to Privacy was identified.  Year on year  the definition of  Privacy has continued to evolve and reached a level where today it means to encompass the tangible, physical body as well thoughts and emotions.

That the individual shall have full protection in person and in property is a principle as old as the common law; but it has undergone many necessary changes from time to time to reflect the actual requirement in the society. Political, Social and economic changes require the enactment of new rights as per the changing norms.  Thus in very early times, the law gave a remedy only for physical interference with life and property for trespasses vi et armis (Latin for “with force and arms).

Then the “Right to Life” served only to protect the human beings from various physical harms like Liberty meant freedom from actual restraint; and the right to property secured to the individual to his/her lands and cattle. 

However, much later, there came a recognition of man’s spiritual nature, of his feelings and his intellect.  Gradually, the scope of these legal rights broadened.  Now, the right to life has come to mean the right to enjoy life and the right to be let alone.  The right to liberty secures the exercise of extensive civil privileges.  The term ‘’property’’ includes every form of possession intangible as well as tangible.

As the time progressed, the newer laws were required to address the various other needs.  The intense intellectual and emotional life, and the heightening of sensations which came with the progress of civilization at a rapid pace made it clear to humans that only a part of the pain, pleasure and profit of life lay in physical things.

Thoughts, sensations and emotions demanded legal recognition and needed the framework of law to secure and provide protection through various legislatures.

Hence, in the United States, in an article in the Harvard Law Review, issue December 15, 1890, written by Attorney Samuel D Warren and future US Supreme Court Judge, Louise Brendeis, entitled “The Right to Privacy”, is often cited as the first explicit finding of US right to privacy.  They wrote and explained that Privacy is the “right to be let alone” and focussed on protecting individuals.  This approach was a response to recent technological developments of the time, such as photography and sensationalist journalism against the individuals.

Introduction to Privacy

Individual privacy is a modern concept that ushered first in Western culture and carried on to the rest of the world, leading to the enactment of privacy laws that entitle individuals not to be subjected to unsanctioned invasions by the government and corporation alike. Privacy for an individual or group is the ability to withhold information particular to them from access to wider society, and thereby express themselves selectively.

basic-definition-of-privacy

Privacy may be defined as the right of the individual to determine when, how, and to what extent he or she will release personal information. Technically speaking, in today’s business world, information privacy is the aspect of information technology that deals with an organisation’s/data controller’s handling of an individual’s/data subject’s personal information in compliance with data protection regulations.

What is Personal Information

Also known as personally identifiable information (PII) or personal data, personal information belongs to a natural, living person. If information relating to an individual acting as an employee, partner, company director or sole trader is individually identifiable, it may as well constitute personal information. According to IAPP, it includes a broad range of information that may relate to, describe, associate with, or could reasonably link with a particular consumer’s identity, preferences, location, activities, directly or indirectly.

What is personal information

Personal information could be as simple as a name and phone number, or as sensitive as criminal convictions and offences data. Sensitive PII comprises of  different walks of life, such as health, finance, education, business, internet activities, including but not limited to email address, date of birth, religion and caste, home and office address; official documents like social security number, driving license number, passport number, PAN, aadhar number; financial attributes like bank account number, credit or debit card number; personal characteristics like photographic image, handwriting, biometric data, etc.

Power of Personal Information

A Plethora of options unlock with a user’s consent to cookie preferences, allowing a brand to collect, process and share the personal data. Personal information answers vital questions on which contemporary businesses thrive. It is being scooped up, sold, traded, and disclosed by marketers, advertisers, analysts, and investors for a host of purposes ranging from products we need/buy/want to our engagement recency/frequency with a brand, from functional/emotional connectivity with the brand to channels/devices where we engage–and that’s not the end of the rope.

Golden key profile questions

According to Interactive Advertising Bureau, American corporations alone expectedly shelled out $19 billion this year acquiring and assessing personal data that consumers mostly remain opaque about. The privacy risks associated with vast streams of data rooted in personal experience, identity, and specific context that fuel the digital economy are still not being compensated fairly.

Understanding the risks associated with companies reaping billions of dollars at the expense of users’ data, policymakers and researchers worldwide have proposed granular market designs to balance the current uneven data mechanism. Some ideas have been enacted into nation-level data protection regulations such as GDPR, CCPA, PDPB, etc.

International Privacy Standards

The Universal Declaration of Human Rights y United Nations is a milestone that provides every human being  with the right to privacy. However, the interpretation of these rights varies globally and are not always harmonious.  It was proclaimed by the United Nations General Assembly in Paris on 10th December 1948.

  • All 21 member economies of Asia-Pacific Economic Cooperation (APEC) since 2004 have agreed upon a treaty that underpins nine Privacy Principles governing information privacy and cross-border data transfer.
  • The Council of Europe adopted the Convention for the Protection of Individuals with Regards to Automatic Processing of Personal Data in 1981 and morphed its internet version in 1998 with the publication of “Draft Guidelines for the protection of individuals with regard to the collection and processing of personal data on the information highway, which may be incorporated in or annexed by Code of Conduct.”
  • In the European Union, the Data Protection Directives of 1995 has been substituted by General Data Protection Regulation since 2018, which is influenced by European Convention on Human Rights.
  • The USA has enacted its data privacy legislation meeting the specifics of a particular industry or section of the population. For example, the Children’s Online Privacy Protection Act (COPPA) entrusts parents to govern their kids’ information privacy; Electronic Communications Privacy Act (ECPA) extends government restrictions on the wire, oral and electronic communications; Gramm-Leach-Bliley Act mandates financial institutions to explain their information-sharing practices to their consumers, etc. The USA has no federal law on Privacy.  However, till recently various states are coming up with their own version of Privacy Laws e.g California Consumer Privacy Act and CPRA 2020, Washington Privacy Act etc.
  • In 2013, the United Nations General Assembly adopted resolution 68/167 on the right to privacy in the digital age for the United Nations (UN).

Evolution of Privacy in India

Momentum in the Indian privacy space picked pace with the Information Technology Act, 2000 giving a legal framework for electronic governance by giving recognition to electronic records and digital signatures. However, in absence of provisions for protection and procedures to stick by to ensure security of sensitive personal information, it couldn’t do much.

In 2006, the Information Technology bill was placed in parliament but was not passed.

In 2008, the same Bill led to the Information Technology Act. Major amendments were made in 2008, with the introduction of Section 43A, which mandates a data processing body to compensate the affected person in case the corporate body deals with sensitive personal information and fails in maintaining reasonable security standards to protect such data, which thereby causes damage to the person; Section 72A provides for the punishment for a term not exceeding three years for disclosure of information in breach of lawful contract.

Evolution of Privacy in India

In June 2011, India issued final regulations implementing parts of IT (Amendment) Act, 2008, requiring organisations to obtain written consent from the data subjects before undertaking data processing activities. However, to date, the enforcement and application of the law remain uncertain.

In 2016, Karmanya Singh Sareen and Shreya Sethi filed a petition in Delhi High Court arguing WhatsApp’s change in privacy policy to share data with Facebook violated user privacy. On 23rd September 2016, a Divisional bench rejected the petition but directed WhatsApp to delete the data, until 25th September 2016, of users who opt to delete–as well as who retain–the application.

In 2017, TRAI came out with a consultation paper on “Privacy, Security and Ownership of Data in the Telecom Sector” to protect the data rights of individuals.

Right to Privacy as a fundament right in India

Since the 1960s, the Indian judiciary and the Supreme Court in particular have dealt with the issue of privacy both as a fundamental right under the constitution and as a common law right.  The common thread through all these judgement by the Supreme Court of India has been to recognize the right to privacy either as a fundamental right under the constitution or as a common law right but to refrain from giving a specific definition.

However, on 24th August, 2017, a historic judgement was passed by the Supreme Court of India that stated the right to privacy to be a part of fundamental rights that was protected by the Indian Constitution.  The Supreme Court declared that the right to privacy stems from the fundamental right to life and liberty and that it would be having a long lasting consequence.  The nine judge bench of the Supreme Court was involved in the case of Justice KS Puttuswamy(Retd) vs Union of India.

The judgements ringing endorsement of the right to privacy as a fundamental right marks a watershed moment in the constitutional history of India.

During the same time, the Government of India had set up committee headed by Retd Justice BN Srikrishna as the Chairman and had directed to look into the various issues related to right to privacy.  This commission called the Justice BN Srikrishna committee was established in July 2017 for the purpose of deliberating the data protection framework which would in turn allow the Government to move forward to bring in new data protection legislation for the country.  The committee went ahead and created the first Draft for Personal Data Protection Bill.

In 2018, the long-awaited Draft for Personal Data Protection Bill was released on July 27, 2018. On December 4, it was cleared by the Union Cabinet.  In the winter session of the Parliament in December 2019, the Draft PDPB 2019 was presented in the Parliament.  And then further referred to the Joint Parliamentary Committee so that some further changes needed to be discussed and a final shape to the Draft PDPB 2019 can be given. This bill, however, may undergo a series of changes before it is adopted as law.

Draft Personal Data Protection Bill (PDPB) 2019

In a country that ranks in the top three for the highest number of internet users, an appropriately designed privacy legal framework is earnestly needed. With the amount of personal information being shared over the internet by citizens, it’s extremely crucial to ensure users have direct autonomy and control over personal information.

Comprehending the need for a robust and structured privacy regime, India introduced Draft PDPB in December 2019 in the winter session of the Parliament, which is under review by the Joint Parliamentary Committee (JPC). Draft India PDPB 2019 entails privacy of personal information throughout its cycle, from collection to processing to disclosure and disposal. Some of its elements are similar to the EU’s GDPR.

The proposed bill applies to both government and private entities operating in India as well as abroad. The Bill also establishes the Data Protection Authority of India, which will independently monitor and oversee the enforcement of the law. Non-compliance to the law may attract both financial penalty and personal liability.  Kindly read the full Draft PDPB 2019 at India Draft Personal Data Protection Bill 2019 – DATA SECURE

Key privacy requirements of Draft PDPB 2019

  • Privacy Notice: Data fiduciaries are obligated to provide notice about their data processing activities and associated purpose at the time–or before–of data collection.
  • Oversee Transfer: Data fiduciaries are required to store at least one copy of data principal’s personal data on a server located within India.
  • Privacy by Design: Data fiduciaries are required to incorporate privacy into the design, operations, and management of their systems from the very onset.
  • Choice and Consent: Data fiduciaries are required to describe the choices available to the data principal, coupled with obtaining explicit consent for collection, processing and sharing of personal information.
  • Rights of Data Principal: Data principals are provided with rights such as the right to access, right to correction, right to portability, and right to be forgotten.
  • Data Breach Notification: Data fiduciaries are required to notify the Data Protection Authority about the nature of data affected by the breach within a reasonable time, including the number of individuals affected, possible consequences of the breach and measures implemented by the company to mitigate the risk.
  • Culture and Communication: Organisations are required to develop a culture of privacy by guiding employees/vendors into best practices to handle and share personal data.
  • Third-Party Compliance: Data fiduciaries are required to sign a written contract with data processors (third parties) mentioning privacy-related requirements and conducting a data privacy impact assessment while onboarding third parties.
  • Data Disposal: Data fiduciaries are required to store personal data for only a specified period necessary for processing. Thereafter, personal data should be securely destroyed.
  • Tough Penalties and Liabilities: In case of violation of adherence to Draft PDPB 2019, fines upto 2-4% of the worldwide turnover whichever is higher or INR 5-15 Crores fines.
  • Imprisonment: Imprisonment of 3 years and or/fines of INR 2 Lakh for person who is found involved in violating the principles as entailed in the Draft PDPB 2019 once it becomes law.

For downloading the latest version of various data privacy laws, kindly visit the Resources page under www.datasecure.ind.in

For demo/presentation of Consent Management Platform solutions, kindly write to us at info@datasecure.ind.in

 

Leave a Reply

Your email address will not be published. Required fields are marked *