RIGHT TO PRIVACY AND THE PERSONAL DATA PROTECTION BILL 2019: STILL NEDS TO GO A LONG WAY
In this paper, I had tried to analyze the right to privacy and its boundaries. The entire article has been divided into 4 parts. In the 1st part, the stories and the scams which revolve around the major privacy issues that the world faced have been brought into context and how they affected our country. In the 2nd part, the evolvement of right to privacy in India has been depicted, with a broad focus on transition from physical privacy to the notion of data privacy. In the 3rd part, the entire kingpin is on the Personal Data Protection bill 2019 and its broader impacts which can affect us by giving unrestrained powers to the central government. In the 4th part, I have concluded by highlighting how it is a big brother challenge and its need for remodeling.
In today’s time, we know that data is analogous to money and is even treated as an asset by the people. If we bang on to the personal data, it has so many ingredients and outlooks which needs to be secured, affixed and protected that we fail and fizzle to look at its other facets regarding its ways of collection, sharing and predicaments if it is casted off or leaked. If any data is even required by the government, then the person should be informed because his consent is seminal and the information derived should be commensurable with the impetus or the purpose for which it is sought. In 2016, there were several episodes of squandering of data by the police officers across U.S. who used the databases of people illegally to retrieve the information related to their partners, journalists and associates. The officers use to harass, molest and intimidate the people to quench their personal discords and dissensions by setting aside the legality. It was through a report by Associated Press which led to the discovery of such gross misuse of data by the officials leading to their suspension and resignations. Such free and unrestricted use of data is posing problem which needs to be resolved because it is about the integrity of the person whose data can be maltreated. This data can be in the guise of your interests, educational records, health records, emails as well as telephone records. Though these avantgarde and trailblazing techniques have made our lives comfortable by offering us everything at our doors but has taken away from us the face value of our privacy which we have taken seriously now only. Even the Universal Declaration of Human Rights (UDHR) states that “no one shall be subjected to arbitrary interference with his privacy, home, family or correspondence nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.” The privacy as a hunch concept got its origin from an article written by Samuel D. Warren and Louis D. Brandeis in 1890. So, after almost 130 years we are still struggling to save our data from spreading both on the public and private sectors. This un-regulating information is evading us and that is why 132 countries around the world are now having Data Protection Laws. Here, I would like to put light on some of the infamous data breach cases and how they took place?
BREACH OF DATA PRIVACY AROUND THE WORLD
In 2018, Cambridge Analytica Scandaltook place which shook the entire world. Cambridge Analytica is a political consulting firm in UK with its offices in New York and Washington DC and Steve Bannon was the Vice President at that time. It is this firm which did the work for Trump’s campaigning in elections in 2016 by hoarding data of 87 million Facebook profiles. But the one thing here which is astonishing is how this firm got such a vast reservoir of data from the Facebook? The answer to all these questions lies with Aleksander Kogan, a Russian-American Researcher who built a quiz app named “this is my digital life.” So the data of all the people who use to take the quiz was collected. This app developed such an aperture in the Application Programming Interface of Facebook that the data of friends of quiz takers was also collected. Though it was not done by Facebook, but this app transferred all their physiological profile which was then viewed properly so that the U.S. voters can be targeted across the various mediums. This is also what led to Trump winning the White House by showing different ads according to the viewer specific profiles. The communication of an ad was not generalized, rather it was individualized. For an example, in areas where there were more of Trump supporters were shown a jubilant and victorious image of Trump winning the elections whereas the voters in areas where people were not favoring Trump were shown images of high profile celebrities like Ivanka Trump and others to persuade then to vote for Trump. All this micro-targeted advertising proved to be a blessing in disguise for him. The roots of this firm and their scandals were not only confined to U.K. and U.S. but also India after Christopher Wylie, Cambridge Analytica’s whistleblower referred to the projects of SCL (Strategic Communications Limited), the parent company of this firm in India.
The claim was made of the firm holding data of people from more than 600 districts and 7 lakh villages and worked for an election in 8 states from 2003 to 2012 including the 2009 elections. This was the inside story of how CA enraptured in India. This was not only the first time but there were specimens of foul play with data in US. It was Edward Snowden who revealed about the information that he leaked to several journalists about the working of National Security Agency (NSA) when he was a contractor. It came as a bolt from the blue when it brought spying activities of NSA into limelight.Telephone calls of millions of Americans were recorded on a daily basis and telephone companies like Sprint and Verzona were forced to hand over the data. Not only this, the NSA also hacked the Chinese networks and kept around 38 embassies under its surveillance. The German newspaper Der Spiegel even reported that NSA targeted 122 world leaders including German Chancellor Angela Markel, Mexico’s former President Felipe Calderon and many leaders of G10 and G8 summits. Indian diplomats were also spied to track the growth of country’s nuclear programs. Snowden’s revelation was to benefit the public by bringing an oceanic change in the surveillance system and this worked penultimately led to the passing of USA Freedom Act to realign a distorted comfort between the intelligence agencies and the masses. Cohenwas of the view that “a structural understanding of privacy’s importance demands a structural approach to privacy regulation. Effective privacy protection requires comprehensive attention to the systematic attributes of both public and private surveillance practices and to the ways in which public and private surveillance practices supplement and reinforce one another.” This is more critical for a country like India which is the world’s biggest consumer of data. Before coming to the disclosure of Personal Data Protection Bill (PDPB), I would like to go in depth and discuss in fine points about how privacy evolved and transmogrified as a fundamental right in India coming under “Right to Life and Personal Liberty.” 
PRIVACY AS A FUNDAMENTAL RIGHT IN INDIA
Before the recognizing of Right to Privacy as fundamental right in K. Puttaswamy, Privacy was just assumed as an ambit of word liberty coming in Article 21 because of the ubiquity of common law which is braced by the British Colonial Rule as emancipated in Kharak Singhconsisting of a 6 judge bench. But Justice Subba Rao and J.C. Shah were different in their opinion from what the majority proclaimed.It was held by the bench that though privacy is not an expressly recognized and admitted fundamental right, yet it is the pre-eminent and called for ingredient. The essence of this can be trailed from Wolf v. Coloradoin which J. Felix Frankfurter said that “the security of one’s privacy against arbitrary intrusion by the police is basic to a free society.” In U.S., this came as a universal rule to be appertained to every criminal proceeding after the case of “Mapp v. Ohio”. Though it was singularly enunciated in Kharak Singh in Ayyangar J. that an attempt to locate the person’s manoeuvre cannot be termed as violation of privacy.
This judgement was in consonance with what was asserted by an 8 judge bench in MP Sharma in 1954. It was asserted as follows: “a power of search and seizure is, in any system of jurisprudence, an overriding power of the state for the protection of social security and that power is necessarily regulated by law. When the constitution makers have thought fit not to subject such regulation to constitutional limitations by recognition of the fundamental right to privacy, analogous to the American Amendment, there is no justification for imparting into it a totally different fundamental right by some process of strained construction.” Meanwhile, an important development clutched in 1961&1965 in Poecase and Griswold v Connecticut professing right to privacy as creating penumbras or zones. The constitutional right of privacy in American Constitution is derived from Bill of Rights which undertakes and devises precincts of privacy. Being a public animal, man needs a privacy and freedom from the govt. and public’s perusal.
The judgement served as the hallmark in Gobindwhere 3 judge bench said that if it were articulated as a right, it can be restricted by public interest only. Though this also didn’t recognized privacy as a fundamental right but supported the right of a person to be alone by relying on Kharak Singh. This notion started taking place in a newfangled silhouette when it was held in the case of People’s Union for Civil Liberties v. UOI that telephone tapping or technological snooping also rides roughshod over privacy but the major judgement came after the Aadharwhich is basically a 12 digit unique no. provided to every person and linking it to his biometric details like fingerprints and iris and in addition, demographic details were also taken. There was a specific perturbation regarding the biometric because fingerprint and iris scanners can be inveigled leading to false prints.This unique code was primarily assigned as a measure to provide all government related services like gas, subsidies, welfare houses, pensions, driving license, digi-lockers and many other benefits. But gradually, it started posing problems like identity theft as mentioned above. The biggest problem which is associated is that our data is stored in a centralized database and we have our data information enraptured in data silos i.e. on various platforms like air and train bookings, health and education history, mobile no. etc. So, Aadhar can disintegrate these data silos i.e. all these data silos can unravel our profile.What was forgotten by Nandan Nilekani were the civil liberties being transgressed by Aadhar before thinking it to be put into implementation.This was all similar to the “Orwellian ilk of surveillance methodology”by NSA, ultimately revealed by Snowden. The opinions of Justice Chandrachud and Chelameswar is interesting to be contemplated. One of the excerpts of what Justice Chandrachud wrote in the judgement was: “privacy is an intrinsic recognition of heterogeneity of the right of the individual to be different and to stand against the tide of conformity in creating a zone of solitude. Privacy protects the individuals from the searching glare of publicity in matters which are personal to his or her life.Privacy attaches to the person and not to the place where it is associated.”He also relied on the opinion given by Subba Rao in Kharak Singh. This judgement also unequivocally made an insinuation on Section 377 by attributing sexual orientation as an integrand on privacy. Justice Chelameswar also described the 3 facets of privacy i.e. repose (freedom from unwarranted stimuli), sanctuary (protection from intrusive observation) and intimate decision (personal life decisions), paving way for the amplification of privacy.
PERSONAL DATA PROT’ECTION BILL: “CLOUDS STILL ON THE HORIZON”
The Puttaswamy judgement became the substratum for ushering bills on this subject of data privacy. The major dissension with regards to PDPB 2019 is with regard to Section 35 which is as follows: “Where the central government is satisfied that it is necessary or expedient – (i) in the interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign states, public order; or(ii) for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, friendly relations with foreign states, public order, it may, by order, for reasons to be recorded in writing , direct that all or any of the provisions of this act shall not apply to any agency of the government in respect of the processing of such personal data, as may be specified in the order subject to such procedure, safeguards and oversight mechanism to be followed by the agency as may be prescribed.”
What has substantially been done is that central government has been empowered to spare any agency or the government body from the provisions of this act for the purpose of national security and maintaining law and order. This situation is tumulus because such an act by the state can lead to the molestation of citizens by making the govt. both the party and the mediator. It would then be very difficult to ascertain that whether a particular govt. agency has accessed someone’s information in true regard to the national security. The test of proportionality has been bypassed by adjoining new reasons for exemption like sovereignty, integrity and public order which needs to be properly scrutinized since these terms are very formless and raises the concern for privacy up in the air. These words are not generally used in a statute because of their scope of being misused as they involve wide parameters. What is the actual definition of public order should have been clearly expounded or should have not been stated. Questions are also raised on the formation of Data Protection Authority.The authority will be constituted by a Chairperson and 6 whole time members.The irony here is that out of these 6 members, only 1 member will be there having an experience in law. Therefore Data Protection Authority is entirely dependent on the Central government for appointing of its members. The independence of DPA cannot be ensured unless there are 3-4 eminent judicial persons in the committee to take decisions. Moreover, Section 42has also a clause which is as follows:
“The Chairperson and the members of authority shall be persons of ability, integrity and standing, and shall have qualification and specialized knowledge and experience and not less than 10 years in the field of data protection, information technology, data management, data science, data security, cyber and internet laws, public administration, national security or related subjects.” In this clause, though many stakeholders are there, but private data fiduciaries should also have been included to make it more comprehensive and exhaustive.
Certain good changes also have been taken there in Personal Data Protection Bill 2019, but has still not expanded the skyline of data privacy. Consent has been an utmost preference in Section 11. Section 11(2)(a) says that: “The consent of data principal shall not be valid, unless such consent is free having regard to whether it complies with the standard specified under Section 14 of the Indian Contract Act 1872.” This section goes on to mention various subclauses regarding consent, but then it is again restricted by Section 12whereby 6 clauses are there under which the government can extract your personal data without your consent. Moreover, the most cataclysmic part of the bill is the government’s access to non-personal data. Though the definition of non-personal data has not been crystal-clear except that it means the data other than personal data. It can be simply enunciated that business organizations can have data related to marketing and strategies, financial data and others. So, they might not be willing to share all this information with the govt. So, the provisions incorporating non-personal data should be dropped. All that can be simply deduced is that the PDPB 2019 has not strengthened data privacy, rather weakened it.
It is due to so many inadequacies and slip-ups that led Justice (retired) B.N. Srikrishna to call it as “dangerous and a piece of legislation that could twin the country into an Orwellian state.”This is the reason that it has been termed as “pouring old wine in a new bottle.”All the contention is focused, rather centered around the surveillance powers which have been given in the hands of government agencies without any reasonability. The bill has not incorporated several rules which can determine the privacy of crores of people. There has been an immense suffusion of bill by giving so much autonomy to govt. agencies and it has been stated that personal and non-personal data can be processed without consent in order to provide govt. related services. The bill has therefore been referred to a joint parliamentary committee headed by Meenakshi Lekhi to make changes and to analyze it. Hence, we can simply say that “privacy in our country is going three steps forward and then six steps backward.”
 ‘A.P. investigation: Across U.S. police officers abuse confidential databases’, CHICAGO TRIBUNE, Sept.28,2016, available at https://www.chicagotribune.com/nation-world/ct-ap-police-database-abuse-20160928-story.html (Last visited on 14-2-2020)  Article 12 of Universal Declaration of Human Rights  Samuel D. Warren &Louis D. Brandeis, The Right to Privacy, 4 Harv.L.R.193(1890)  Graham Greenleaf ‘Global Data privacy laws 2019: 132 national laws &many bills’(2019) 157 Privacy Laws & Business International Report, 14-18.  ‘What is Cambridge Analytica? The firm at the centre of Facebook’s data breach’, IRISH TIMES, Mar. 18,2018, available at https://www.irishtimes.com/business/technology/what-is-cambridge-analytica-the-firm-at-the-centre-of-facebook-s-data-breach-1.3431749 (Last visited on 14-02-2020).  ‘How marketing helped Donald Trump win the 2016 election’, T. WASHIGTON POST, Nov.17, 2016, available at https://www.washingtonpost.com/graphics/politics/2016-election/trump-campaign-marketing/ (Last visited on 14-02-2020).  ‘What We Know and What We Don’t About What Cambridge Analytica Did in India’ T.WIRE, Mar.29,2018 available at https://thewire.in/tech/what-we-know-and-what-we-dont-about-what-cambridge-analytica-did-in-india(Last visited on 14-02-2020).  ‘Edward Snowden: leaks that exposed US spy programme’, BBC, Jan.17,2014, available at https://www.bbc.com/news/world-us-canada-23123964(Last visited on 14-02-2020). ‘India among top targets of spying by NSA’, T. HINDU, Sept.23,2013, available at https://www.thehindu.com/news/national/india-among-top-targets-of-spying-by-nsa/article5157526.ece(Last updated on 14-02-2020).  Julie E. Cohen, ‘What Privacy is For’, 126(7) Harv L.R. 1906 (2013)  INDIA CONST. Art. 21  K.S. Puttaswamy v. Union of India (2017) 10 SCC 1  Kharak Singh v. State of UP AIR 1963 SC 1295 ‘The Privacy Challenge and the power of legal dissent’, LIVE MINT, July24,2017 available at https://www.livemint.com/Politics/3oK9OD8tsmDIpTN8CM7EXI/The-privacy-challenge-and-the-power-of-legal-dissent.html (Last visited on 14-02-2020)  338 U.S. 25 (1949)  367 U.S. 643 (1961)  Supra note 13  MP Sharma v. Satish Chandra AIR 1954 SC 300 ‘MP Sharma and Kharak Singh’s Case : Privacy not a Fundamental Right, Supreme Court has held decades ago’, FRST POST, Aug24,2017 available at https://www.firstpost.com/india/mp-sharma-and-kharak-singhs-case-privacy-not-a-fundamental-right-supreme-court-had-held-decades-ago-3966467.html (Last visited on 14-02-2020)  Poe v. Ullman 367 U.S. 497 (1961) 381 U.S. 479 (1965)  Ernest Katin, ‘Griswold v Connecticut: The Justices and Connecticuts Silly Law,’ 42 Notre Dame L. Rev. 681 (1967)  Ibid., at 700-701  Gobind v State of M.P. AIR 1975 SC 1378  Ibid  (1997) 1 SCC 301 ‘SC’s Aadhar verdict/ Privacy v Identity’, DECCAN HERALD, Sept.20,2018, available at https://www.deccanherald.com/national/aadhaar-act-verdict-history-693614.html (Last visited on 14-02-2020)  Kalyani Menon Sen, ‘Aadhar: Wrong number or Big Brother calling?’, 11(2) Socio Legal Rev. 89 (2015)  ‘The different ways in which Aadhar infringes on Privacy’, THE WIRE, July 19,2017, available at https://thewire.in/featured/privacy-aadhaar-supreme-court (Last visited on 25-02-2020) ‘Transcript of the VIIIth annual National Law School of India Review Symposium: Bridging the Security Liberty Divide’, 26 NLSI Rev. 169 (2014)  Ibid at 175 ‘What did Justice Chandrachud says in his Historic order on Privacy’, NEWS 18, Aug. 24, 2017, available at https://www.news18.com/news/india/what-did-justice-chandrachud-say-in-his-historic-order-on-privacy-1500375.html (Last visited on 25-02-2020)  Bhandari V., Kak A., Parsheera S., &Rahman F., (2017), ‘An analysis of Puttaswamy: The Supreme Court’s Privacy verdict.’, Indrasastra Global ,11,1-5 available at https://www.ssoar.info/ssoar/bitstream/handle/document/54766/ssoar-indrastraglobal-2017-11-bhandari_et_al-An_Analysis_of_Puttaswamy_The.pdf?sequence=1 (Last visited on 25-02-2020 )  The Personal Data Protection Bill, 373 of 2019, S.35.  The Personal Data Protection Bill, 373 of 2019, S.41.  The Personal Data Protection Bill, 373 of 2019, S.42(1).  The Personal Data Protection Bill, 373 of 2019, S.42(4).  The Personal Data Protection Bill, 373 of 2019, S.11(2).  The personal Data Protection Bill, 373 of 2019, S.12  The Personal Data Protection Bill, 373 of 2019, S.91(2).  ‘Final Privacy Bill could turn India into an Orwellian State: Justice Srikrishna’, T. WIRE, Dec.12, 2019, available at https://thewire.in/law/privacy-bill-india-orwellian-state-justice-bn-srikrishna (Last visited on 29-02-2020)  ‘Shubhodip Chakraborty’, ‘PERSONAL DATA PROTECTION BILL,2019 – Acritical Analysis: Old Wine in a New Bottle’, 66 PL (2020)
Author Details: Aaditya Mootha (Dr. Ram Manohar Lohiya National Law University, Lucknow)
The views are personal only, if any.