[co-authors: Sajai Singh and D Divyanshu*]

Government responds to a landmark Supreme Court case.

Takeaways

• The Indian Supreme Court affirms the fundamental right to privacy.
• Current data protection laws in India are seen as too narrow, and pressure has been applied to enact new legislation more consistent with global trends, including the right to be forgotten.
• New legislation could expand the extra-territorial jurisdiction and applicability of Indian data protection laws.

The case had its inception in 2012, when Justice K S Puttuswamy, a former Karnataka High Court judge, filed a petition before the Supreme Court questioning the validity of the “Aadhaar” project on grounds of, amongst other things, its transgression on the Indian citizen’s fundamental rights. The “Aadhaar” project is a 12-digit unique identification number that is issued to Indian citizens based on their biometric and demographic data. It is the largest biometric database in the world, with over 1.25 billion Indian citizens registered. The project raised several privacy concerns due to the almost mandatory requirement of enrolment and the lack of safeguards provided by the Government to protect the data collected. The argument made by the Government was that there was no constitutionally guaranteed right to privacy in India. Reliance was placed on two earlier Supreme Court judgments, M P Sharma v. Satish Chandra (AIR 1954 SC 30) and Kharak Singh v. State of Uttar Pradesh (AIR 1963 SC 1295), which denied the existence of a constitutional right to privacy. Since these cases were decided by six- and eight-judge benches, respectively, the Supreme Court referred the matter to a constitutional bench of nine judges in 2015. Two years later, this bench overruled the two cases to the extent that they decided that privacy is not a constitutionally guaranteed right.

The Decision and Data Protection
The Court decided that the protection of individual autonomy was a valid justification for the right to privacy, especially in the context of a global, information based society. The judgment recognised the right of an individual to exercise control over his/her personal data. The Court opined that the ability of a person to control his/her own life would also encompass his/her right to control his/her existence on the internet. The Court further recognised the complexity involved in data protection and directed the Government to enact a comprehensive data protection law.

Another important aspect of the Court’s ruling was the implicit recognition of a “right to be forgotten.” The Court stated as follows:

“People change and an individual should be able to determine the path of his life and not be stuck only on a path of which he/she treaded initially. An individual should have the capacity to change his/her beliefs and evolve as a person. Individuals should not live in fear that the views they expressed will forever be associated with them and thus refrain from expressing themselves….

“Thus, The European Union Regulation of 2016 has recognized what has been termed as ‘the right to be forgotten.’ This does not mean that all aspects of earlier existence are to be obliterated, as some may have a social ramification. If we were to recognize a similar right, it would only mean that an individual who is no longer desirous of his personal data to be processed or stored, should be able to remove it from the system where the personal data/ information is no longer necessary, relevant, or is incorrect and serves no legitimate interest. Such a right cannot be exercised where the information/ data is necessary, for exercising the right of freedom of expression and information, for compliance with legal obligations, for the performance of a task carried out in public interest, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims. Such justifications would be valid in all cases of breach of privacy, including breaches of data privacy.”

These observations may increase the likelihood of the right to be forgotten or a similar right being incorporated into the forthcoming law. This right is distinct from the right to privacy which involves information that is not publicly known. It involves the removal of information that was publicly known at a certain time so that third parties cannot access it. Opinions about the right to be forgotten, which is a relatively new concept, differ significantly between the European Union, where it has more historical support, and the United States, where the right of free speech and the right to know have typically been favoured over the deletion of truthfully published information.

If the right to be forgotten is codified into Indian law, search engines, social media platforms and media companies operating in India will be most affected. These entities may need to reconsider their internal processes and procedures for receiving and processing requests from members of the general public for the deletion of data. Google’s ongoing dispute with the French data protection agency, CNIL, illustrates how complex matters can become. Now that the phrase “fake news” has become so common, the debate will become more urgent globally.

Current Data Protection Laws
India’s existing laws on data privacy are much narrower in scope. The primary statutes governing data privacy are the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules).

First, Indian laws primarily regulate the processing of “sensitive personal data or information” (SPDI) which is a subset of personal information. SPDI includes, among other things, information relating to passwords, financial information, medical records, sexual orientation, and biometric information. Non-sensitive personal information is still subject to little regulation in India. Second, under the Indian legal framework, the requirement for consent from the individual citizen is vague enough to allow for implied consent. Further, while Indian laws do confer limited extra-territorial jurisdiction, the applicability of these laws in certain scenarios remains unclear. For instance, it is questionable whether the IT Act or the Privacy Rules would apply to a United States company that collects an Indian citizen’s/resident’s SPDI while the latter is travelling in the United States.

The Government White Paper
The Government appointed a committee in August 2017, headed by a former Supreme Court judge, Justice B N Srikrishna, to examine issues related to data protection, to recommend methods to address them, and to draft a new data protection law. The committee released a white paper on November 27, 2017 and requested comments from the public by January 31, 2018. The objective is to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.” The committee suggested seven principles on which the proposed data protection law should be framed: (i) the law must be technology-agnostic; i.e., it should be flexible to take into account evolving technologies; (ii) the law must apply to both private sector entities and governments; (iii) any consent should be genuine, informed, and meaningful; (iv) the processing of data should be minimal and only for the purpose for which it is sought; (v) any entity controlling data should be accountable for any data processing; (vi) the enforcement of the data protection framework should be by a high-powered statutory authority; and (vii) the penalties should be adequate to discourage any wrongful acts.

Addressing the issues of the current data protection regime, the white paper has raised questions in relation to the territorial scope of the proposed data protection law and measures that should be included in the law to ensure compliance by foreign entities. Among other things, the white paper noted that it may be “worthwhile considering making the law applicable to any entity, no matter where they may be located that process personal data of Indian citizens or residents.” (White Paper, Chapter 1: Territorial and Personal Scope, Section 1.5(4) (Provisional Views)) Further, it has raised questions in relation to the definition of personal data and sensitive personal data. The white paper also addresses the concern of determining valid consent for processing of personal data and of enforcement models.

Conclusion
As the consultation process approaches its closure, the task before the committee and the Government is to enact a data protection law which encapsulates the current global trend in data protection. The judgment provided an impetus for a much-needed discussion on privacy, which has made the citizens of India aware of the issues and has applied pressure on the Government to enact a comprehensive law as soon as possible. Significantly, India appears to be moving towards a position similar to the European Union rather than the United States so that privacy will be seen as a fundamental right where the ability of the government to derogate from it will require substantial justification. Companies that collect, process or store data of Indian residents—whether or not these activities take place within or outside India—would be well advised to keep abreast of legislative developments in this area.

* Authors Sajai Singh and D Divyanshu are a partner and associate, respectively, with the Indian law firm J. Sagar Associates.