Social Change and Role of Judiciary towards

Right to Informational Privacy

Submitted to
Dr. Balraj K. Sidhu

Presented by-
Ragini (LL.M 1st Yr.)
18IP62014

1
Privacy of Data- History
• The right to privacy is not new. It has been a common law concept, and an
invasion of privacy gives a right to the individual to claim tort based
damages. One of first cases on the said topic was-
• Semayne’s Case (1604)- The case related to the entry into a property by
the Sheriff of London in order to execute a valid writ. Sir Edward Coke,
while recognising a man’s right to privacy famously said that “the house of
everyone is to him as his castle and fortress, as well for his defence against
injury and violence, as for his repose”. The concept of privacy further
developed in England in the 19th century and has been well established in
today’s world.
• In case of Campbell v. MGN (2004)- the court held that if “there is an
intrusion in a situation where a person can reasonably expect his privacy to
be respected, that intrusion will be capable of giving rise to liability unless
the intrusion can be justified”.
2
 Development in India

1-M.P. Sharma v. Satish Chandra. 1954 AIR 300, 1954 SCR 1077.
 8 bench Judge
 The power to search and seize documents from the Dalmia Group.
 Right to Privacy not a Fundamental right.
2-Kharak Singh v. The State of U.P. 1963 AIR 1295, 1964 SCR (1) 332.
 6 Bench Judge
 Subjected to surveillance and secret picketing of the house, visits at night,
periodical inquiries and verification of movements
 Right to Privacy not a Fundamental right.
Recent Case
Justice K S Puttaswamy (Retd) v. Union of India and Ors.
WRIT PETITION (CIVIL) NO 494 OF 2012
• Former Karnataka H.C. Juatice K.S. Puttaswamy filed PIL.
• in which case the ‘Aadhaar Card Scheme’ was challenged on the ground that
collecting and compiling the demographic and biometric data of the residents of
the country to be used for various purposes is in breach of the fundamental right
to privacy embodied in Article 21 of the Constitution of India. Given the
ambiguity from prior judicial precedents on the constitutional status of right to
privacy, the Hon’ble Supreme Court referred the matter to a constitutional bench
consisting of 9 judges.
• Judgments Overruled-
a. M.P. Sharma vs. Satish Chandra.
b. Kharak Singh vs. Uttar Pradesh.

4
Cont..
• 9 Bench holding- ‘right to privacy’ is a constitutional right.
• C. justice H.L. Dattu declared “Aadhar is purely voluntary” and could
not be mandatory.
• And court held that Sharing of Biometric Data to any government
agencies may no longer be mandatory. And court limited the use of
Aadhar for only welfare payments, filing of income-tax returns and
linking it with PAN cards.
• The Court also observed that ‘informational privacy’, or the privacy
of personal data and facts, is an essential facet of the right to
privacy.
5
Cont..
• Justice D.Y. Chandrachud-
"Informational privacy is a facet of the right to privacy. The dangers to
privacy in an age of information can originate not only from the state
but from non-state actors as well. We commend to the Union
Government the need to examine and put into place a robust regime for
data protection. The creation of such a regime requires a careful and
sensitive balance between individual interests and legitimate concerns
of the state.”

6
Karmanya Singh Sareen vs. UOI- 2016 SCC Online
Del 5334
• Recently, WhatsApp Inc. after being acquired by Facebook Inc. changed its privacy policy, and the users
were put to notice that "WhatsApp" account information of users would be shared with "Facebook" to
improve "Facebook" ads and products experiences and the users’ were asked to agree to the revised
terms for continued use of WhatsApp on or before September 25, 2016.
• Karmanya Singh Sareen and another filed a writ petition before the Hon’ble High Court of Delhi
contending that taking away the protection to privacy of data of users of "WhatsApp" and sharing the
same with Facebook was in infringement of fundamental rights of the users guaranteed under Article
21 of the Constitution.
• The Hon’ble Delhi High Court while deciding upon the case ordered that if the users opt to completely
delete the WhatsApp account, WhatsApp shall delete users’ data completely from its servers and
refrain from sharing users’ data with Facebook, and so far as the users who opt to remain in
"WhatsApp" are concerned, the existing information/data/details of such users upto September 25,
2016 shall not be shared with "Facebook" or any one of its group companies.
• The court also directed the Government to consider whether it is feasible to bring messaging apps like
WhatsApp under some statutory regulatory framework.

7
Remsburg vs. Docusearch- (2003 WL 346260, Sup. Ct.
N.H.2003)
• In this case Defendant information broker disclosed to its client information
about the decedent. The client used the information to find the decedent, whom
he then shot and killed. Plaintiff, executrix of decedent's estate, sued defendant
for damages. the district court certified questions of law to define duties of
brokers to persons such as the decedent. The state supreme court answered the
questions and remanded the case.
• ISSUE: Did defendant information broker, who sold information to a client
pertaining to a third party, have a cognizable legal duty to that third party with
respect to the sale of the information?
• The threats posed by stalking and identity theft showed that the risk of criminal
misconduct was sufficiently foreseeable so that an investigator had a duty to
exercise reasonable care in disclosing a third person's personal information to a
client. That duty applied especially when the investigator did not know the client
or the client's purpose in seeking the information. Accordingly, defendant
information broker who sold information to a client pertaining to the decedent
had a cognizable legal duty to the decedent with respect to the sale of the
information
8
Data Protection Bill,2018
• Justice BN Srikrishna Committee was formed the draft bill.
• submitted to the Ministry of Electronic and Information Technology.
• 3 Definitions-
1) Data fiduciary- as the entity or individual who decides the means
and purposes of processing data.
2) Data principal- the individual whose data is being processed.
3) Data processor- as the entity or individual who processes data on
behalf of the fiduciary.
 Territorial Applicability of Bill- Both government and private entities
incorporated in India.
9
Grounds For Processing Personal Data

• Personal Data- as any information which renders an individual

identifiable.
• No data shall be processed without the consent of the data principal.
• Exceptions-
If processing is necessary for any function of Parliament, any State
Legislature, for any service or benefit to the data principal.
For compliance with any order or judgement of-Court or Tribunal in
India.
To respond to any medical emergency involving- a threat to the life a
severe threat to the health or outbreak of disease.

10
Cont..
• purposes related to employment, such as recruitment.
• for reasonable purposes specified by the Data Protection Authority
with regard to activities such as fraud detection, debt recovery, credit
scoring, and whistle blowing.

11
Grounds For Processing Sensitive Personal Data
Sensitive personal data includes-passwords, financial data, biometric and
genetic data, caste, religious or political beliefs.
• The Bill specifies more stringent grounds for processing of sensitive
personal data, such as seeking explicit consent of an individual prior to
processing.
may be processed on the basis of explicit consent for Any function of
Parliament or any State Legislature.
For any service or benefit to the data principal.
For compliance with any order or judgement of any Court or Tribunal in
India.
To respond to any medical emergency involving a threat to the life, a
severe threat to the health or outbreak of disease.

12
Cross-border Storage of Data
• The Bill states that every fiduciary shall keep a ‘serving copy’ of all
personal data in a server or data centre located in India.
• The central government may notify certain categories of personal
data as exempt from this requirement on grounds of necessity or
strategic interests of the State.
• The central government may also notify certain categories of personal
data as ‘critical personal data’, which may be processed only in
servers located in India

13
Transfer of Data Outside The Country
• Personal data (except sensitive personal data) may be transferred
outside India under certain circumstances.
 The central government prescribes that transfers to a particular
country are permissible.
 The DPA approves the transfer in a situation of necessity.

14
Penalties
• Any person who obtains, discloses, transfers, sells or offers to sell
personal and sensitive personal data
• Shall be punishable with imprisonment up to five years, or a fine of
up to three lakh rupees.

15
International Comparison of Data Protection
India (proposed Draft
Country European Union Australia Canada
Bill)

Separate laws for private

Coverage of Single law for private and Single law for private and Single law for private and
entities and federal
entities public entities. public entities. public entities.
government institutions.

Sensitive Not defined separately; any

Does not include financial Does not include financial Includes financial data,
personal data may be sensitive based
data, passwords. data, passwords. passwords.
data on the context.
Storage and sharing of data across borders

Local Not mandatory. Mandatory storage of a copy;

storage of Not mandatory. Sector specific mandates, Not mandatory. critical personal data stored
data e.g., for health data. only in the country.

Permitted if the receiving Permitted if the processing Permitted if the processing

Permitted (for some data) if
Cross border country has adequate entity has taken steps to entity uses contractual or
approved by the regulator or
transfer of standards of data protection, ensure that the recipient does other means to ensure
prescribed by the
data as assessed by the European not breach country’s privacy comparable level of
government.
Commission. principles. protection.
16
Regulation And Enforcement

Potentially harmful breach Potentially harmful breach

must be reported to the
regulator.
Data breach Individual may not be
notification informed if processing entity
has taken corrective measures,
or if it involves
disproportionate effort.
must be reported to the
Potentially harmful breach
Potentially harmful breach regulator.
must be reported to the
must be reported to the Regulator will determine if
regulator and affected
regulator and affected the individual will be notified,
individuals(amendment not in
individuals. on the basis of severity or
force).
need of an action by the
individual.

Criminal Imprisonment up to five years

No criminal penalties. No criminal penalties. No criminal penalties.
penalties for certain offences.

Sources: European Union - The General Data Protection Regulation, 2016; Australia - The Privacy
Act, 1988; Canada - The Privacy Act, 1985; The Personal Information Protection and Electronic
Documents Act, 2000; India - The Personal Data Protection (Draft) Bill, 2018; PRS 17
Data privacy other Laws in India
• Indian Telegraph Act, 1885
• State Bank of India Act, 1955
• Banking Companies (Transfer and Acquisition of Undertakings) Act, 1980
• Credit Information Companies (Regulation) Act, 2005 (“CIC Act”) and Credit Information Companies Regulations, 2006
• The Public Financial Institutions (Obligation As To Fidelity And Secrecy) Act, 1983
Mental Health Act, 1987
• Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002
• Information and Technology Act, 2000
• Insurance Regulatory and Development Authority of India (Sharing of Database for Distribution of Insurance Products) Regulations,
2017
• Insurance Regulatory and Development Authority of India (Maintenance of Insurance Records) Regulations, 2015
• Insurance Regulatory and Development Authority of India (Outsourcing of Activities by Indian Insurers) Regulations, 2017
• Right to Information Act, 2005 (“RTI Act”)
• The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act”), Aadhaar (Data
• Security) Regulations, 2016 (“Aadhaar DS Regulations”) and Aadhaar (Sharing of Information) Regulations, 2016 (“Sharing
Regulations”)

18
Advantages and Disadvantages of Data Protection
Advantages
Data Protection is technology neutral, so a regime enacted in 1995 can be used to
regulate Facebook today;
It’s all encompassing; data protection applies to just about everything outside the
(narrowly defined) domestic sphere;
It provides subjects with non-negotiable rights. You retain your rights as a data subject,
such as access and objection, even where you consent to the processing of your personal
data.
Disadvantages
Data protection lacks definitions, which makes it technologically neutral, but also more
difficult to enforce.
Data protection is indiscriminate, it applies to a small business or a club in the same way
as it applies to a global conglomerate.
Data networks are global, but data protection is local.

19
Conclusion
Ever since the internet was created, people have been sharing more
and more of their personal information online. In many countries,
privacy rules exist and remain important to help protect people’s
information and human rights, but they are not adapted to suit the
challenges of today’s connected world. Around the world, companies
and other entities that collect people’s data have long advocated for
regulation of privacy and data protection not through binding
frameworks but rather through self- or co-regulation mechanisms that
offer them greater flexibility. However, despite several attempts, we
have yet to see examples of non-binding regimes that are positive for
users’ rights (or, indeed, for business as a whole).
20
Thank-you

21