The Constitutional Basis for Privacy
Since the 1960s, the Indian judiciary, and the Supreme Court in particular, have dealt with the issue of privacy, both as a fundamental right under the Constitution and as a common law right. The common thread through all these judgments of the Indian judiciary has been to recognise a right to privacy, either as a fundamental right or a common law right, but to refrain from defining it in iron-clad terms. Instead the Courts have preferred to have it evolve on a case by case basis.
Right to privacy in the context of surveillance by the State
The very first case to lay down the contours of the right to privacy in India was the case of Kharak Singh v. State of Uttar Pradesh (1964).
The petitioner in this case had challenged the constitutionality of these regulations on the grounds that they violated his fundamental right to privacy under the ‘personal liberty’ clause of Article 21 of the Constitution. In this case a majority of the judges refused to interpret Article 21 to include within its ambit the right to privacy. The majority stated: “The right of privacy is not a guaranteed right under our Constitution, and therefore the attempt to ascertain the movements of an individual is merely a manner in which privacy is invaded and is not an infringement of a fundamental right guaranteed in Part III.”
The majority however did recognise the common law right of citizens to enjoy the liberty of their houses and approved of the age old saying that a man’s home was his castle. The majority therefore understood the term ‘personal liberty’ in Article 21 in the context of age old principles from common law while holding domiciliary visits to be unconstitutional. Two of the judges of the seven judge bench, however, saw the right to privacy as a part of Article 21, marking an early recognition of privacy as a fundamental right. Justice Subba Rao held “It is true our Constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty.”
The question of privacy as a fundamental right presented itself once again to the Supreme Court a few years later in the case of Govind v. State of Madhya Pradesh (AIR 1975 SC 1378). The petitioner in this case had challenged, as unconstitutional, certain police regulations on the grounds that the regulations violated his fundamental right to privacy. Although the issues were similar to the Kharak Singh case, the 3 judges hearing this particular case were more inclined to grant the right to privacy the status of a fundamental right. Justice Mathew stated:
“Rights and freedoms of citizens are set forth in the Constitution in order to guarantee that the individual, his personality and those things stamped with his personality shall be free from official interference except where a reasonable basis for intrusion exists. ‘Liberty against government’ a phrase coined by Professor Corwin expresses this idea forcefully. In this sense, many of the fundamental rights of citizens can be described as contributing to the right to privacy.”
This statement was however qualified with the disclaimer that this right was not an absolute right and that the same could be curtailed by the State provided it could establish a “compelling public interest” in this regard.
Balancing the ‘right to privacy’ against the ‘right to free speech’
Subsequent to the Govind judgment, the Supreme Court was required to balance the right of privacy against the right to free speech in the case of R. Rajagopal v. State of Tamil Nadu. A bench of two judges of the Supreme Court, for the first time, directly linked the right to privacy to Article 21 of the Constitution but at the same time excluded matters of public record from being protected under this ‘Right to Privacy’.
Prior judicial sanction for tapping of telephones
In the case of PUCL v. Union of India (1997), the petitioner organisation had challenged the actions of the state in intercepting telephone calls. Recognising procedural lapses that had occurred, the court set out procedural safeguards which would have to be followed, even as it did not strike down the provision relating to interception in the Telegraph Act 1885. In arriving at its decision, the court observed: “Telephone-tapping is a serious invasion of an individual's privacy. It is no doubt correct that every government, howsoever democratic, exercises some degree of sub rosa operation as a part of its intelligence outfit, but at the same time citizen's right to privacy has to be protected from being abused by the authorities of the day.” The court held:
“Telephone-tapping would, thus, infract Article 21 of the Constitution of India unless it is permitted under the procedure established by law.”
The Supreme Court placed restrictions on the class of bureaucrats who could authorise such surveillance and also ordered the creation of a ‘review committee’ which would review all surveillance measures authorised under the Act.
The ‘search and seizure’ powers of revenue authorities
In 2005, the Supreme Court passed one of its most important privacy related judgments in the case of District Registrar v. Canara Bank (2005). In this case the Supreme Court was required to determine the constitutionality of a provision of the A.P. Stamps Act which allowed the Collector or ‘any person’ authorised by the Collector to enter any premises to conduct an inspection of any records, registers, books, documents in the custody of any public officer, if such inspection would result in discovery of fraud or omission of any duty payable to the Government. The main issue, in the case, related to the privacy of a customer’s records stored by a financial institution such as a bank.
The impugned provision was held to be unconstitutional by the Supreme Court on the grounds that it failed the tests of reasonableness enshrined in Articles 14, 19 and 21 of the Constitution. The Court held that any legislation intruding on the personal liberty of a citizen (in this case the privacy of a citizen’s financial records) must, in order to be constitutional, satisfy the triple test laid down by the Supreme Court in the case of Maneka Gandhi v. Union of India. This triple test requires any law intruding on the concept of ‘personal liberty’ under Art. 21, to meet certain standards:
“(i) it must prescribe a procedure;
(ii) the procedure must withstand the test of one or more of the fundamental rights conferred under Article 19 which may be applicable in a given situation; and
(iii) it must also be liable to be tested with reference to Article 14.”
The impugned provision was held to have failed this test. More importantly, the Court ruled that the concept of privacy related to the citizen and not the place. The implication of such a statement was that it did not matter that the financial records were stored in a citizen’s home or in a bank. As long as the financial records in question belonged to a citizen, those records would be protected under the citizen’s right to privacy.
Privacy in the context of sexual identities
In the case of Naz Foundation v. Union of India the Delhi High Court ‘read down’ Section 377 of the Indian Penal Code, 1860 to decriminalise a class of sexual relations between consenting adults. One of the critical arguments accepted by the Court in this case was that the right to privacy of a citizen’s sexual relations, protected as it was under Article 21, could be intruded into by the State only if the State was able to establish a compelling interest for such interference. Since the State was unable to prove a compelling state interest to interfere in the sexual relations of its citizens, the provision was read down to decriminalise all consensual sexual relations.
Privacy has emerged, and evolved, as a fundamental right through these various decisions of the courts.
National Privacy Principles, Rationales, and Emerging Issues
There is a high degree of agreement among various approaches, most specifically, the principles followed by the US, OECD, EU and APEC, where transparency, enforcement and accountability are considered the cornerstone for privacy protection. While there are minor variations between these various formulations, it would not be inaccurate to suggest that there is a set of globally accepted privacy principles.
On this basis, a set of National Privacy Principles can be enumerated as the distillation of global best practices which can be effectively implemented in Indian conditions. The principles must establish:
(1) Safeguards and procedures over the collection, processing, storage, retention, access, disclosure, destruction, sharing, transfer, and anonymization of sensitive personal information, personal identifiable information, and identifiable information.
(2) Rights of the data subject in relation to their Sensitive Personal Information, Personal Identifiable Information, and Identifiable Information.
The principles will place an obligation on all public and private data controllers to put in place safeguards and procedures that will enable and ensure these protections and rights. The principles must be applicable to any information concerning an identified or identifiable natural person. Existing and emerging legislation, practices, and procedures should be brought into compliance with the National Privacy Principles.
Alongside the National Privacy Principles, self-regulating bodies will have the option of developing industry specific privacy standards that would be in conformity with the National Privacy Principles, which should be approved by a Privacy Commissioner. The Privacy Commissioner should have the power to enforce the agreed-upon standards, thus creating a system of co-regulation. If SROs do not develop standards, their member organisations shall be required to adhere to the National Privacy Principles.
The proposed privacy principles are the following:
Principle 1: Notice
Principle: A data controller shall give simple-to-understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include:
a) During Collection
What personal information is being collected;
Purposes for which personal information is being collected;
Uses of collected personal information;
Whether or not personal information may be disclosed to third persons;
Security safeguards established by the data controller in relation to the personal information;
Processes available to data subjects to access and correct their own personal information;
Contact details of the privacy officers and SRO ombudsmen for filing complaints.
b) Other Notices
Data breaches must be notified to affected individuals and the commissioner when applicable.
Individuals must be notified of any legal access to their personal information after the purposes of the access have been met.
Individuals must be notified of changes in the data controller’s privacy policy.
Any other information deemed necessary by the appropriate authority in the interest of the privacy of data subjects.
Principle 2: Choice and Consent
Principle: A data controller shall give individuals choices (opt-in/opt-out) with regard to providing their personal information, and take individual consent only after providing notice of its information practices. Only after consent has been taken will the data controller collect, process, use, or disclose such information to third parties, except in the case of authorized agencies. The data subject shall, at any time while availing the services or otherwise, also have an option to withdraw his/her consent given earlier to the data controller. In such cases the data controller shall have the option not to provide goods or services for which the said information was sought if such information is necessary for providing the goods or services. In exceptional cases, where it is not possible to provide the service with choice and consent, then choice and consent should not be required. When provision of information is mandated by law, it should be in compliance with all other National Privacy Principles. Information collected on a mandatory basis should be anonymized within a reasonable timeframe if published in public databases. As long as the additional transactions are performed within the purpose limitation, fresh consent will not be required.
Principle 3: Collection Limitation
Principle: A data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection, regarding which notice has been provided and consent of the individual taken. Such collection shall be through lawful and fair means.
Principle 4: Purpose Limitation
Principle: Personal data collected and processed by data controllers should be adequate and relevant to the purposes for which they are processed. A data controller shall collect, process, disclose, make available, or otherwise use personal information only for the purposes as stated in the notice after taking consent of individuals. If there is a change of purpose, this must be notified to the individual. After personal information has been used in accordance with the identified purpose it should be destroyed as per the identified procedures. Data retention mandates by the government should be in compliance with the National Privacy Principles.
Principle 5: Access and Correction
Principle: Individuals shall have access to personal information about them held by a data controller; shall be able to seek correction, amendments, or deletion of such information where it is inaccurate; be able to confirm that a data controller holds or is processing information about them; be able to obtain from the data controller a copy of the personal data. Access and correction to personal information may not be given by the data controller if it is not, despite best efforts, possible to do so without affecting the privacy rights of another person, unless that person has explicitly consented to disclosure.
Principle 6: Disclosure of Information
Principle: A data controller shall not disclose personal information to third parties, except after providing notice and seeking informed consent from the individual for such disclosure. Third parties are bound to adhere to relevant and applicable privacy principles. Disclosure for law enforcement purposes must be in accordance with the laws in force. Data controllers shall not publish or in any other way make public personal information, including personal sensitive information.
Principle 7: Security
Principle: A data controller shall secure personal information that they have either collected or have in their custody, by reasonable security safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, deanonymization, unauthorized disclosure [either accidental or incidental] or other reasonably foreseeable risks.
Principle 8: Openness
Principle: A data controller shall take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data they collect, in order to ensure compliance with the privacy principles, information regarding which shall be made in an intelligible form, using clear and plain language, available to all individuals.
Principle 9: Accountability
Principle: The data controller shall be accountable for complying with measures which give effect to the privacy principles. Such measures should include mechanisms to implement privacy policies; including tools, training, and education; external and internal audits, and requiring organizations or overseeing bodies extend all necessary support to the Privacy Commissioner and comply with the specific and general orders of the Privacy Commissioner.
CURRENT CONTEXT
January 10, 2014
Centre issues new guidelines for phone interception
The Union government has announced a fresh set of procedures for interception of telephones: the “Standard Operating Procedures (SOP) for Lawful Interception and Monitoring of Telecom Service Providers (TSP)”.
According to the norms, requests would include interception and monitoring under the Indian Telegraph Act, 1885, for voice, SMS, GPRS, MMS, Video and VoIP calls.
Additionally, authorised security agencies can seek information under Section 92 of the Criminal Procedure Code (CrPC) of call records (CDRs), home and roaming network, CDR by tower location and by calling/called number, location details of target number within home or roaming network, and so on.
One specification detailed in the section “Validation of Interception Request” is that only the Chief Nodal Officer of a telecom company can provide interception if the order is issued by the “Secretary to the Government of India in the Home Ministry, in case of Government of India, or a Secretary to the State Government in charge of Home Department, in case of State Government.”
In unavoidable circumstances, such orders can be issued by an officer “not below the rank of Joint Secretary to the GOI who has been fully authorised by the Union Home Secretary or the State Home Secretary.”
Interception is subject to eight checks before monitoring is allowed. These include receiving the request “in a sealed envelope”, ensuring the delivery of interception by “an officer not below the rank of sub-inspector of police or equivalent.”
Any inquiry process could, under the new SOP, check “whether the request was in original and addressed to the Nodal Officer” and which “designated security agency” it came from.
The SOP mandates that any “request received by telephone, SMS and fax, should not be accepted under any circumstances.” This would mean that the government concerned would have to produce an original copy of its request that bears “the Union/State Secretary’s order number with date”, or an order and date by an officer of the rank of “Joint Secretary who has been duly authorised”.
Non-compliance with the provisions can result in prosecution “as per the law of the land”.
The SOP document is 45 pages long and divided into 11 sections. The sections include the operational structure, types of request, validation of interception request, legal intercept under number portability, reconciliation and pruning processes, consequences, list of 10 law enforcement agencies authorised to intercept and a set of 10 annexures relating to interception.
The SOP requires that if a request is made by e-mail and a “physical copy is not reached to the telecom service provider within 48 hours”, the interception should be terminated and an intimation provided “to [the] concerned Home Secretary as a part of the fortnightly report.”
The SOP requires that records pertaining to such interception, such as letter and envelope, intercept form and internal interception request form, should be “destroyed within 2 months of discontinuance of interception of such messages.”
If, however, it is a case of “emergent request where Home Ministry Order for approval was not conveyed to the telecom company, then the telecom company cannot destroy such records until the Home Ministry order is conveyed or a list of such numbers is provided to the concerned Home Secretary intimating this fact.”
An inquiry could seek to find out whether “an acknowledgement was sent within 2 hours of the receipt of the [interception] request, to the requesting agency confirming that the request has been complied with”, from the mobile operator.
“The date and time of the actual provisioning of target in the TSP network” should be mentioned, too.
The confusion in the case of the Gujarat-based snooping case, over whether the Union Home Secretary’s permission is required to intercept a subscriber roaming out of the State stands clarified. According to the new SOP document, “the interception order of the State Home Secretary in which the subscriber is registered should be honoured by the State in which the subscriber is roaming”. In effect, no new order from a second State that may be involved, or from the Union Home Secretary, is needed. However, evidence under the new SOP will need to be provided to the effect that a formal request was made to the other State for interception while roaming.
The Union Cabinet’s latest decision on a new SOP has come in the wake of recent new evidence that the alleged snooping went beyond Gujarat and extended to Karnataka as well.
Any inquiry process will eventually boil down to whether or not the entire paper trail, both internal and between the government and telecom operators with appropriate internal justification and full compliance existed prior to interception.
Whether these new SOP are consistent with the procedure that existed during the alleged snooping incidents in 2009 remains uncertain. Further, if there is a marked difference, the SOP of 2014 would provide contrasting evidence on practices adopted earlier for interception.
Apart from the nine Central agencies — namely, the IB, the NCB, the DE, the CBDT, the DRI, the CBI, the NIA, RAW and the Defence Ministry — State Directors-General of Police and the Commissioner of Police in Delhi, are authorised to request intercepts.
Note: There are many examples where privacy has been invaded by government agencies or Self Regulatory Organizations (SRO), e.g. the Gujarat case, last year's Arun Jaitley case, etc.
Privacy needs greater protection and respect in a more integrated world
Edward Snowden's disclosures about the US National Security Agency's mass international surveillance programme, PRISM, have exploded around the globe, setting off more exposes on how NSA not just infringed on the privacy of Americans and Europeans but also spied on world leaders, including German chancellor Angela Merkel and Brazilian president Dilma Rousseff.
Despite claims by US intelligence authorities that the overriding aim was to protect the public from terrorist attacks, the global penetration of the NSA and its British counterpart, Government Communications Headquarters (GCHQ), signals a reckless and excessive watch over civilians and political leaders in the name of a global war against terrorism. These disconcerting developments also demonstrate that snoop agencies of both the US and UK have for long violated the privacy of their own publics even as the world has become more integrated.
Privacy is further transgressed by the vast amounts of data that American internet companies like Google and Facebook collect on users, often without their knowledge. While these social networking sites now claim they have been hacked into by NSA, recent exposure of the NSA's data trawling suggests that you don't have to be a terror suspect for your communication, whether over cellphones, Skype, Facebook or chat rooms, to be mined and analysed by intrusive security agencies.
There is no denying the importance of surveillance post-9/11, but American and British spy agencies have dangerously crossed limits. This calls for legislation that would protect the sanctity of private information and limit when and how such information can be gathered by security and commercial agencies. Facebook CEO Mark Zuckerberg's comment three years ago that the age of online social networking marked the end of privacy cannot be the last word on this matter. In India, internet and social networking site users have been arrested or harassed by megalomaniacal political leaders for activities such as posting 'likes' or transmitting harmless cartoons. Concerns have also been raised that data mined from the Aadhaar scheme might go well beyond what nascent privacy laws allow. Brazil has taken an initiative to hold a global summit in May 2014 on excessive surveillance and has approached India to be a partner. Before taking a decision on the summit the Indian government must scrap the controversial Section 66A of the Information Technology Act, or at least those parts of it which penalise free speech.
Not a right to be shielded
The intent behind the European Union Court of Justice verdict, to allow people to remove awkward, embarrassing and inconvenient personal information from search-engines, may not quite be to create sanitised online societies. But the May 13, 2014, ruling could more or less push citizens in the bloc of 28 states of the European Union, and possibly other countries around the world in the future, in that rather odd direction where, in the guise of protecting personal data, people end up hiding aspects of their own history. The court held that individuals have a right to influence what information others may gather about them on the Internet. Individuals have to show that the information sought to be removed is no longer relevant for the purpose for which it was originally processed. Against such a broad criterion, imagine a flood of petitions to have data deleted from search results, and on all sorts of grounds. Allowing people to exercise control over data that get into the public domain may sometimes work against transparency. This aspect cannot be wished away lightly, considering the number of repeat offenders that so often slip through the net, causing grievous harm to the public. Attempts to rewrite societies’ collective history have been viewed with some suspicion in recent years. Concealing one’s personal history also may not always be all that innocent. It is in any case not the most effective means to ensure that one’s past is not held against him. Coming clean stands a better chance of winning the trust and confidence of others.
The ruling of the Luxembourg court puts a question mark on the premium currently attached to the principle of free flow of information. Potential employers and headhunters would want to know more, rather than less, about the antecedents of prospective recruits before they finalise contracts. This need may be felt more acutely today when hiring from abroad has become a common practice. Firms would also prefer not to have to invest much effort or time to access such information. To be sure, personal data that are dropped from Google links would still be available archivally and in records held by governments. The bona fides of persons can always be verified directly via individual sites, or through overseas contacts. Hence, the inference that the fallout from the verdict would work to the detriment of the public interest may not be entirely justified. The ruling comes against the backdrop of reform of the 1995 EU personal data protection law that has been approved overwhelmingly by Parliament, wherein the right to forget forms an element. The right to be forgotten ought not to be allowed to be abused as a right to be shielded.