Privacy has been the most talked about topic of the town ever since 2017 with the introduction of the European Union’s General Data Protection Regulation, aka, GDPR. GDPR being extra-territorial in its scope raised concern for a lot of companies and countries. Requirements such as cross-border transfer of data, adequacy decision, etc. raised the brows of many. It was not only a legal or operational issue but also became a topic of discussion for governments and the judiciary to ensure effective and stringent IT and Privacy Laws.
For countries to do business in the European market, their statutory and regulatory models had to be competent enough. This resulted in hundreds of countries to introduce their version of GDPR or the Privacy Laws, and many more countries to revisit the existing laws. India has been touched by the Privacy wave too and the legislative developments have further been a pressing point for the government to level up the laws regulating Privacy and Cyber Space. Let’s understand the evolution of the privacy landscape in India.
Do we have privacy laws in India?
There are different forms of Privacy- the bodily privacy which talks about privacy to one’s body, the territorial privacy which is privacy to one’s territory, the communication privacy- privacy to one’s communication, and lastly, the Information Privacy- privacy to one’s information or data. Indian judiciary has had the privilege of hearing cases involving questions on all the above forms. Cases questioning collection of evidence in breach of bodily privacy, to the ones questioning phone tapping; putting communication privacy at risk and lastly, of territorial privacy where administrative task force could barge in the house of an accused of surveillance, privacy has been an on-going concern. Surprisingly, In India, the apprehension around data privacy is more than any other form of privacy.
India is the number one country catering to the BPO sector, the second-largest country in the world for internet consumption and the second-largest populated country. Having said that, a lot of information flows and is generated within the country. Billions of data transaction happen every day. It is very crucial for the country to look into data privacy. The focus of this blog is on the forth form- Data Privacy.
India doesn’t have any comprehensive or dedicated law on Privacy. The Information in India is governed by the Information Technology (Amendment) Act, 2008 and Reasonable Security Practices and Procedures and Sensitive Personal Data Rules, 2011 which were introduced under section 43A of the IT Act. There are several sections in the IT Act, which talk about the protection of sensitive data held by the body corporates, penalizes for unlawful disclosure of data, and suggests processing data with due diligence and reasonable practices. However, the act carries numerous loopholes with it. It doesn’t provide any strict guidelines nor does it set expectations as to how the organizations should process data. Additionally, absence of an authority to govern the data protection practices further weakens the legislation. The IT Act doesn’t have sufficient checks and balances to meet the present globe standards of Data Privacy.
Apart from the IT Act, there are sector-specific regulations, rules, and standards which lay provisions for Information Security and Data Privacy. A few examples include regulations by SEBI, RBI, standards such as ISO 27001, ISO 27701, laws governing financial, telecom, and health sector, etc. There is, however, no umbrella legislation that governs privacy, holistically or talks about tenets of privacy. Individuals today have no control over their data. Data is easily available to organizations that have no past-relationship with the individual. The selling of data has become so common and easy. Individuals don’t have a redressal mechanism and are at the mercy of the organizations using their data. To add to it, there are several shortcomings of the IT Act which make it inadequate for governing Data Privacy. A detailed analysis of why the current landscape is insufficient will be discussed in our upcoming blogs.
Does this mean that the Right to Privacy is not recognized in India?
India signed the Universal Declaration of Human Rights which recognises Privacy as one of the Human rights. The interesting fact to note here is that India became a party to the convention in the year 1942 and it took 75 years to declare Privacy as a Fundamental Right. Right to Privacy or Privacy as a fundamental right was recognized in 2017 by Hon’ Supreme Court while giving judgement in the case of K.S. Puttaswamy v. Union of India 
It is further Interesting to note that the Right to Privacy has been dissented as a fundamental right in the past. Privacy in India has been a journey of complete 180 degrees. It started from the early case of MP Sharma v. Satish Chandra in 1954 where the right to privacy was denied and held it is not a right that the constitution-makers intended to fit in. Hence, the court rejected references to the American amendment recognizing the right to privacy. The court also emphasized that no attempt should be made to modify what the constitution-makers have well thought about. This decision was taken with an eight-judge constitutional bench. The question on the fundamental nature of privacy was again brought up in 1962 in the case of Kharak Singh v. State of UP. The decision of 1954 was grandfathered. The court recognized the common law on right to privacy but despite that, it said that it was not guaranteed under the Indian Constitution. In the dissenting opinions, judges acknowledged that the right could be derived from Article 21 of the Constitution as an integral part of the “Right to life and personal liberty”. The difference in opinions kept the fundamental nature of privacy in question. Nevertheless, both the judgements upheld that privacy was not a fundamental right.
In the case of K.S. Puttaswamy v. Union of India, for the first time, the constitutional bench of 9 judges took cognizance of the fundamental nature of the right to privacy under the Indian Constitution. It was declared a fundamental right under Article 21 as part of the right to life and personal liberty; overruled the precedence.
It would be interesting to think if it was in awake of the right of privacy for citizens or in realizing the need to be legally adequate in the global market. Well, that’s a bit of political thought. Regardless of the source of the above shift in judgements, India needed a comprehensive law on data privacy to meet the rapid and stringent political and regulatory changes at the international and national level. In 2018, India released a draft of the Data Protection Bill which was modelled on EU’s GDPR.
It is one strong step that can help India bridge the gap at the international level and also strengthen the digital economy.
Data Protection Bill in India and the road ahead
India lacks a strong framework for the protection of personal data. Even though privacy has been recognized as a fundamental right, it is important to develop a stand-alone framework for privacy, covering different principles, rights of individuals and minimum security requirements. At present the Data Protection Bill, 2019 is in the house for discussion. It has received criticism as well as support from the government and different peer groups. It is to consider that the Bill still vests a lot of power in the government, from granting relaxations to organizations, to the exception of using data in the name of national security. This may defeat the purpose of why Privacy came into picture in the first place.
The ease at which data is available with the lack of strong data protection regulation is a serious concern. The absence of a data protection authority, bleak guidance to the organization, and security practices being a matter of due diligence and reasonableness, are a few alarming worriments. The need and intention to have one independent authority has been reflected in the Data Protection Bill. However, the fate of the bill is still uncertain. We will have to wait a bit longer to know more on it as the government has postponed the discussion of the Bill in the current sessions.
In my next blog, I will talk more about the Draft on Indian’s Data protection Bill and represent its critical analysis. There is so much to happen in the field of Data Protection which is not only going to change the way businesses operate but also how trade, globalization and political arenas will change. Stay tuned to IP Press for more updates on Privacy.
 K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1
 M.P. Sharma v. Satish Chandra, AIR 1954 SC 300
 Kharak Singh v. State of U.P., AIR 1963 SC 1295