We live in very conflicted yet interesting times. In the age of the internet, with surveillance technology second to none at our disposal, the right to privacy has been a hot and much-debated topic around the world. Privacy is sacrosanct, but how much of it is sacrosanct and what are its various connotations? This is not just a question to ponder over or treat as an afterthought; it is a question of this age, and how we go about it will decide and set the future course of action.
Since the 1960s, the Indian judiciary, and the Supreme Court in particular, have dealt with the issue of privacy, both as a fundamental right under the Constitution and as a common law right. The common thread through all these judgments of the Indian judiciary has been to recognise a right to privacy, either as a fundamental right or a common law right, but to refrain from defining it in iron-clad terms. Instead the Courts have preferred to have it evolve on a case by case basis. As Justice Mathew put it, “The right to privacy will, therefore, necessarily, have to go through a process of case by case development.” (Govind v. State of Madhya Pradesh, AIR 1975 SC 1378)
Right to privacy in the context of surveillance by the State
The very first case to lay down the contours of the right to privacy in India was the case of Kharak Singh v. State of Uttar Pradesh (1964), where a Supreme Court bench of seven judges was required to decide the constitutionality of certain police regulations which allowed the police to conduct domiciliary visits and surveillance of persons with a criminal record.
The petitioner in this case had challenged the constitutionality of these regulations on the grounds that they violated his fundamental right to privacy under the ‘personal liberty’ clause of Article 21 of the Constitution. In this case a majority of the judges refused to interpret Article 21 to include within its ambit the right to privacy. In part, the majority stated: “The right of privacy is not a guaranteed right under our Constitution, and therefore the attempt to ascertain the movements of an individual is merely a manner in which privacy is invaded and is not an infringement of a fundamental right guaranteed in Part III.”
The majority however did recognise the common law right of citizens to enjoy the liberty of their houses and approved of the age old saying that a man’s home was his castle. The majority therefore understood the term ‘personal liberty’ in Article 21 in the context of age old principles from common law while holding domiciliary visits to be unconstitutional.
Two of the judges of the seven judge bench, however, saw the right to privacy as a part of Article 21, marking an early recognition of privacy as a fundamental right. Justice Subba Rao held “It is true our Constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty.”
The question of privacy as a fundamental right presented itself once again to the Supreme Court a few years later in the case of Govind v. State of Madhya Pradesh (AIR 1975 SC 1378). The petitioner in this case had challenged, as unconstitutional, certain police regulations on the grounds that the regulations violated his fundamental right to privacy. Although the issues were similar to the Kharak Singh case, the 3 judges hearing this particular case were more inclined to grant the right to privacy the status of a fundamental right. Justice Mathew stated:
“Rights and freedoms of citizens are set forth in the Constitution in order to guarantee that the individual, his personality and those things stamped with his personality shall be free from official interference except where a reasonable basis for intrusion exists. ‘Liberty against government’ a phrase coined by Professor Corwin expresses this idea forcefully. In this sense, many of the fundamental rights of citizens can be described as contributing to the right to privacy.” This statement was however qualified with the disclaimer that this right was not an absolute right and that the same could be curtailed by the State provided it could establish a “compelling public interest” in this regard.
Subsequent to the Govind judgment, the Supreme Court was required to balance the right of privacy against the right to free speech in the case of R. Rajagopal v. State of Tamil Nadu (1994 SCC (6) 632). In this case, the petitioner was a Tamil newsmagazine which had sought directions from the Court to restrain the respondent State of Tamil Nadu and its officers from interfering in the publication of the autobiography of a death row convict, ‘Auto Shankar’, which contained details about the nexus between criminals and police officers.
The Supreme Court framed the questions in these terms: “Whether a citizen of this country can prevent another person from writing his life story or biography? Does such unauthorised writing infringe the citizen’s right to privacy? Whether the freedom of press guaranteed by Article 19(1) (a) entitles the press to publish such unauthorised account of a citizen’s life and activities and if so to what extent and in what circumstances?”
While answering the above questions, a bench of two judges of the Supreme Court, for the first time, directly linked the right to privacy to Article 21 of the Constitution but at the same time excluded matters of public record from being protected under this ‘Right to Privacy’. The Supreme Court held: “(1) the right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a “right to be let alone”.
A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters. None can publish anything concerning the above matters without his consent whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages. Position may, however, be different, if a person voluntarily thrusts himself into controversy or voluntarily invites or raises a controversy.
The rule aforesaid is subject to the exception, that any publication concerning the aforesaid aspects becomes unobjectionable if such publication is based upon public records including court records. This is for the reason that once a matter becomes a matter of public record, the right to privacy no longer subsists and it becomes a legitimate subject for comment by press and media among others.”
In the case of PUCL v. Union of India (1997), the petitioner organisation had challenged the actions of the state in intercepting telephone calls. Recognising procedural lapses that had occurred, the court set out procedural safeguards which would have to be followed, even as it did not strike down the provision relating to interception in the Telegraph Act 1885.
In arriving at its decision, the court observed: “Telephone-tapping is a serious invasion of an individual’s privacy. It is no doubt that every government, howsoever democratic, exercises some degree of sub rosa operation as a part of its intelligence outfit, but at the same time citizen’s right to privacy has to be protected from being abused by the authorities of the day.”
The court held: “Telephone-tapping would, thus, infract Article 21 of the Constitution of India unless it is permitted under the procedure established by law.” The Supreme Court placed restrictions on the class of bureaucrats who could authorise such surveillance and also ordered the creation of a ‘review committee’ which would review all surveillance measures authorised under the Act.
In 2005, the Supreme Court passed one of its most important privacy related judgments in the case of District Registrar v. Canara Bank (2005).
In this case the Supreme Court was required to determine the constitutionality of a provision of the A.P. Stamps Act which allowed the Collector or ‘any person’ authorised by the Collector to enter any premises to conduct an inspection of any records, registers, books, documents in the custody of any public officer, if such inspection would result in discovery of fraud or omission of any duty payable to the Government.
The main issue, in the case, related to the privacy of a customer’s records stored by a financial institution such as a bank.
The impugned provision was held to be unconstitutional by the Supreme Court on the grounds that it failed the tests of reasonableness enshrined in Articles 14, 19 and 21 of the Constitution.
The Court held that any legislation intruding on the personal liberty of a citizen (in this case the privacy of a citizen’s financial records) must, in order to be constitutional, satisfy the triple test laid down by the Supreme Court in the case of Maneka Gandhi v. Union of India.
This triple test requires any law intruding on the concept of ‘personal liberty’ under Art. 21, to meet certain standards:
“(i) it must prescribe a procedure;
(ii) the procedure must withstand the test of one or more of the fundamental rights conferred under Article 19 which may be applicable in a given situation; and
(iii) it must also be liable to be tested with reference to Article 14.”
The impugned provision was held to have failed this test. More importantly, the Court ruled that the concept of privacy related to the citizen and not the place.
The implication of such a statement was that it did not matter that the financial records were stored in a citizen’s home or in a bank. As long as the financial records in question belonged to a citizen, those records would be protected under the citizen’s right to privacy.
In the case of Naz Foundation v. Union of India the Delhi High Court ‘read down’ Section 377 of the Indian Penal Code, 1860 to decriminalise a class of sexual relations between consenting adults.
One of the critical arguments accepted by the Court in this case was that the right to privacy of a citizen’s sexual relations, protected as it was under Article 21, could be intruded into by the State only if the State was able to establish a compelling interest for such interference.
Since the State was unable to prove a compelling state interest to interfere in the sexual relations of its citizens, the provision was read down to decriminalise all consensual sexual relations.
Privacy has emerged, and evolved, as a fundamental right through these various decisions of the courts.
Different geographies across the globe have defined their privacy requirements, articulating the requirements for protecting personal data and preventing harm to an individual whose data is at stake. The following table represents the derivation of privacy requirements as articulated by the OECD Privacy Guidelines, EU Data Protection Directives, APEC Privacy Framework, Canada PIPEDA (Personal Information Protection and Electronic Documents Act), and Australia ANPP (Australia National Privacy Principles).
Privacy Principles such as Notice, Consent, Collection Limitation, Use Limitation, Access and Corrections, Security/Safeguards, and Openness cut across these frameworks. The principle of Enforcement, which APEC calls Preventing Harm, is introduced by the APEC, EU and Canadian privacy enforcement regimes.
The EU Data Protection Directive, OECD Guidelines and APEC framework additionally deal with the subject of trans-border data flow. Australia’s ANPP specifically prescribes de-identification of personal information.
Recent developments in privacy laws
The European Union (EU), the United States and the Organisation for Economic Cooperation and Development (OECD), Australia and Canada have debated changes to existing privacy regimes in the wake of technology and globalization challenges to privacy that have emerged over the last two decades.
The key issues to emerge from these debates are:
EU Regulation of January 2012
Several new principles and changes to existing principles were suggested by the EU Regulation of January 2012. These include:
- More explicit expression of the “data minimization” principle, which will require companies to limit the amount of data they collect much more strictly.
- Accountability of data controllers by requiring that personal data be processed under the responsibility and liability of the controller. The data controller is also responsible for compliance with the Regulation.
- Right of the data subject to object to the sending of direct marketing; opt-in consent is, however, not required.
- Data controllers bear the burden of proof in showing that data subjects consented to the processing of personal data.
- Expands the definition of sensitive data to also include genetic data and data concerning “criminal convictions or related security measures”.
- Right to be forgotten and to erasure: Data must not be retained indefinitely and time limits must be set in place after which data must be erased from the system.
- Data controllers must have “transparent and easily accessible policies with regard to the processing of personal data and for the exercise of data subjects’ rights”.
- Right to data portability allowing individuals to change online service providers.
- Regulate the use of “Profiling”.
- Accountability of data controllers, and independent verification of compliance measures.
- Data controllers implement “appropriate technical and organisational measures” including Privacy by Design, and Privacy by default.
- Data controllers subjected to wide-ranging data security obligations.
- Data breach notification requirement applicable to all types of data controllers, notification of a data breach to be given by a data controller to both its Lead DPA and to the data subjects concerned.
- Data protection impact assessments are to be carried out by data controllers and data processors.
- Data protection officers mandatory for all public authorities and for all companies with more than 250 employees.
- The Regulation also foresees drafting of codes of conduct covering various data protection sectors, and allows them to be submitted to DPAs, which may give an opinion as to whether they are “in compliance with the Regulation”.
- Compliance with a code of conduct may be deemed to satisfy the legal requirements of the proposed Regulation. Article 39 establishing “data protection certification mechanisms and of data protection seals and marks”, is encouraged, though the legal effect of such recognition needs to be clarified.
OECD Privacy Principles
The discussion on revision of OECD privacy principles has revolved around three topics:
(1) The roles and responsibilities of key actors;
(2) Geographic restrictions on data flows; and
(3) Proactive implementation and enforcement.
By emphasizing transparency and individual consent, the current privacy framework imposes significant, sometimes unrealistic obligations on both businesses and individuals. On the one hand, businesses are expected to explain their data processing activities on increasingly small screens and seek consent from often-uninterested individuals; on the other hand, individuals are expected to understand complicated privacy disclosures and knowingly consent to them.
It is not clear what role consent should play in an age where data flows become increasingly complex, multiple parties are involved, and information is provided to individuals with short attention spans on increasingly small screens.
What is the right balance between individual consent on the one hand and efficiency or legitimate business interests on the other hand?
The OECD Privacy Guidelines have long recognized that consent is not the sine qua non of data processing. The “collection limitation principle”, for example, states that “data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject”.
Proactive implementation and enforcement elaborates the accountability principle to feature concepts like privacy by design and data breach notification. It also covers undertaking analysis of the economics of remedies and sanctions by enforcement authorities, as well as trying to enhance international regulatory cooperation and interoperability of regulatory frameworks.
APEC Privacy Framework
APEC is a grouping of some 21 countries that has come up with the APEC Privacy Framework to promote e-commerce. Self-regulation is part of the APEC Privacy Program, which has taken the approach of accountability under which the data protection obligations flow along with data in trans-border data flows.
In order to accommodate different privacy laws in various countries, APEC has placed emphasis on the practical aspects of data flows, and on the manner of interface between various players including companies, regulators, and governments.
Cross-Border Privacy Rules (CBPRs), along with information sharing, investigation and enforcement across borders among regulators, including self-regulatory organisations (SROs) will form an integral part of the APEC Privacy Framework.
The CBPRs are akin to Binding Corporate Rules (BCRs) allowed to Multinationals under the EU Directive. The principles are:
- Open and Transparent Management of Personal Information Principle requires the incorporation of privacy safeguards before information is collected and stored by entities. It is an example of “privacy by design” in action which seeks to ensure that privacy and data protection are included in the design of information systems. The key significance of this principle is to institutionalise a culture of privacy protection in entities from the very outset, without waiting for a post-facto remedy to adequately take care of privacy concerns.
- Anonymity and Pseudonymity Principle provides individuals the options of not identifying themselves or using a pseudonym while dealing with entities. Entities thus must consider whether it is necessary to require the specific identification asked for. The exception to the principle, narrowly construed, is when such non-identification is not lawful or practicable, i.e. where the law requires identification. This principle thus fits well with the principle of data minimisation that is generally considered desirable especially insofar as electronic data is concerned.
- It lays down a functions test, i.e. unless certain personal information is reasonably necessary or directly related to the performance of one of the entity’s functions or activities, it shall not be collected. This also extends to sensitive information which can only be collected by consent, unless it is related to war and warlike activities, diplomatic and consular processes and assisting in the location of missing persons. This principle represents a watered down version of the ALRC Report’s recommendations, owing to the use of the word “reasonably” which mitigates the requirement of necessity thereby allowing the entities to collect personal information in a wider set of circumstances
- Receiving Unsolicited Personal Information principle applies only to unsolicited information which an agency may have received. The test that an entity in possession of such unsolicited information must use is the one laid down in the principles i.e. whether it could have reasonably solicited the information. If it could, then the rest of the principles apply; if it could not, then this principle requires that the information be destroyed or de-identified. The key significance of this principle is to bring unsolicited personal information within the ambit of the Privacy Act.
- Notification of the Collection of Personal Information – The notification principle requires the individual whose personal information is being collected to know why the information is being collected and the specific uses it is going to be put to. The rationale behind this provision is to ensure greater transparency in data handling thereby giving individuals greater information and consequently greater potential for control over use of their personal information.
- Use or Disclosure of Personal Information principle sets out the circumstances in which entities may use or disclose personal information that has been collected or received. It is evident that it can be used for the primary purpose for which it has been collected; in case of secondary purposes, the general rule is that the information cannot be used unless there is consent. However, this principle also contains a long list of ‘public policy’ exceptions of when the consent criterion is overridden by public interest, such as when disclosure is required by law, necessary to save life, part of diplomatic and consular processes etc. The wide ambit of the exceptions has led to considerable concern regarding the sanctity of the principled statement itself.
- Direct Marketing Principle regulates a specific purpose for use and disclosure of personal information, i.e. when such information is used to advertise or sell goods via direct marketing. It however excludes tele-marketing and direct marketing by electronic communication as they are covered under the Spam Act 2003 and the Do Not Call Register Act 2006.
- Insofar as other types of direct marketing are concerned, this principle makes a distinction between sensitive information which can only be used expressly with consent; for non-sensitive information, if the individual reasonably expects the information to be used for direct marketing and has an easy option for opting out, it can be so used; in all other cases, i.e. where information is not directly obtained from the individual, the obligations are onerous on the marketer.
- By setting out this threefold model, the principle dispenses with the earlier existing distinction between existing and potential customers of an entity, by bringing both under its fold. In addition, the extra emphasis placed as a result of this principle on direct marketing shows its increasing significance in affecting privacy in Australia, a trend with parallels across the world.
- Cross Border Disclosure of Personal Information Principle incorporates the requirement of accountability in cross border data flows. As a result of this principle, Australian entities which may be sending data abroad for any reason will continue to remain liable in Australian law for actions taken by the foreign handler with regard to the data. Compliance with this principle usually takes the form of a contract between the Australian entity and the foreign data handler, the latter undertaking to comply with the privacy principles, despite itself not being a private entity.
- The only concern raised with regard to this principle is that when the Australian entity reasonably believes that the data protection regime in the foreign country in question is substantially similar or better and an individual has access to overseas enforcement mechanisms, it is not held accountable for the data handler’s actions. This creates principled problems (too wide an exception to accountability) and policy ones (can be used in bundled consent to disclaim liability in a wide number of situations).
- Adoption, Use or Disclosure of Government-related Identifiers principle lays down the significant rule that the scope for data matching by entities must be reduced to the extent possible. Government-related identifiers, i.e. a number, letter or symbols used by the government for identification (e.g. Unique ID, Tax File Number, Social Security Number etc.), cannot generally be used by organisations for their own identification purposes. The only exception is when such use is required or permitted by law or by regulations, provided the entity using such information is also expressly permitted to do so in the regulations. In addition, a separate sub-principle regulates use and disclosure of such information by entities. The key thrust of this principle is thus to ensure that government related identifiers used for particular social welfare purposes remain tethered to their original purpose and do not become facilitators of data matching across the private and public sectors, which has tremendous privacy implications.
- Quality of Personal Information principle is aimed at ensuring the integrity of personal information. It is thus an obligation on all entities to ensure that the information they collect or use is accurate and up-to-date. This is necessary to prevent misinformation about an individual from spreading and thereby ensuring integrity and quality.
- Security of Personal Information – There are twin aspects to this principle. First, the entity which holds personal information must ensure its security. This extends to both security of physical information as well as encryption or other forms of security for electronic information. At the same time, if the entity holds information about an individual which it no longer needs, then it must take steps to securely destroy or de-identify the information. Though the “right to be forgotten” is not expressly part of Australian law, this principle comes close to making it obligatory on entities to destroy information when it is not necessary, though when such an occasion arises is not clearly spelt out.
- Access to Personal Information principle states that access to personal information must reasonably be provided to the individual. It must also be done speedily, within 30 days by a government agency (provided in the Principle) and within 15 days for straightforward requests and 30 days for more complex requests by a private sector organisation (guidance issued by OPC). At the same time there is a long list of exceptions as to when access need not be provided. The key point to note in this regard is the interface between the Privacy Principles and the Freedom of Information Act under which several requests for access will be made and the crucial need to ensure that the two provisions do not contradict each other.
- Correction of Personal Information principle is, most accurately, an extension of Principle 10 above which obliges entities to hold accurate information about individuals. When information is inaccurate or not up-to-date, and the entity is either asked to correct it (or to associate a statement that it is inaccurate) by the individual or discovers such inaccuracy itself, it is obliged to correct such wrongly held information (or associate a statement to the effect that it may be inaccurate) and notify third parties to whom it may have communicated the said information, within a reasonable period of time, free of charge.
Canada’s Privacy Laws
In Canada there is no single comprehensive privacy law. Canada’s legislative privacy regime consists of two horizontal legislations at the federal level, one applicable to the public sector, known as the Privacy Act, and one to the private sector, known as the Personal Information Protection and Electronic Documents Act (“PIPEDA”).
Sectoral privacy legislations can be found at the federal and provincial level. For example: the Bank Act, the Insurance Companies Act, the Telecommunications Act, and the Young Offenders Act all address privacy at the federal sectoral level.
In Canada the private sector is governed by the Personal Information Protection and Electronic Documents Act. PIPEDA was enacted with the purpose of balancing data subjects’ right to privacy with the increasing need of organizations to collect, use and disclose personal information to a reasonable degree, and applies to all organizations where personal information is collected, used or disclosed in the course of “commercial activities”, except where provincial privacy law applies, and where personal information relates to the organization’s employees and it collects, uses or discloses the data in connection with a federal undertaking or business.
PIPEDA explicitly excludes the following from the scope of its application:
1. Government institutions to which the Privacy Act already applies;
2. Information collected, used or disclosed only for personal and domestic purposes; and
3. Information collected, used or disclosed only for journalistic, artistic or literary purposes.
PIPEDA defines the term “personal information” as any information about an identifiable individual, other than the name, title or business address or telephone number of an employee of an organization. The privacy principles found under PIPEDA are:
1. Accountability- This principle requires that organizations take responsibility for personal information in their control. Organizations will designate individuals to ensure compliance. The designated individuals must make their identities available on request. The organization will retain responsibility for personal information where it transfers it to a third party for processing. It is recommended that a comparable degree of protection must apply to the information while it is being processed, through contract or otherwise.
2. Identifying Purposes- This principle requires that organizations identify and document the purposes for which personal information is collected in order to comply with the Openness principle and the Individual Access principles. The identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. When personal information that has been collected is to be used for a purpose not previously identified, the new purpose must be identified prior to use.
3. Consent- This principle requires individual knowledge and consent, except where inappropriate, before personal information can be collected, used, or disclosed. An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the implications of such withdrawal. Exceptions to this principle are enumerated in the Act.
4. Limiting Collection- This principle requires that personal information can be collected only where it is necessary for identified purposes. Information should be collected by fair and lawful means.
5. Limiting use, disclosure, and retention- This principle requires that personal information cannot be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information must be retained only as long as necessary for the fulfillment of specified purposes. Organizations should develop guidelines and implement procedures with respect to the retention of personal information. Personal information that is no longer required to fulfill identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information. Exceptions to this principle are enumerated in the Act.
6. Accuracy- This principle requires that personal information be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
7. Safeguards- This principle requires that physical, organizational, technical and/or other safeguards be taken to secure collected information, as necessary, given the sensitivity of the information. Specifically, safeguards against loss, theft, unauthorized access, disclosure, copying, use and modification must be put in place.
8. Openness- This principle requires that the data subject is informed by organizations of the policies and practices that relate to the management of personal information, in a form that is easily understandable and available.
Specifically, the information should include the following:
   1. Name or title, and address, of the person accountable for the organization’s policies and practices, and to whom complaints or inquiries can be forwarded;
   2. Means by which to access personal information held;
   3. Description of the type of personal information held, along with a general account of its use;
   4. Information that explains the organization’s policies, standards, or codes; and
   5. What personal information is made available to related organizations such as subsidiaries.
9. Individual Access- This principle requires that if requested, an individual is informed of the existence, use, and disclosure of his or her personal information and be given access to that information. The reasons for denying access should be provided to the individual upon request. Upon request, an organization shall inform an individual whether or not the organization holds personal information about the individual. Exceptions to this principle are enumerated in the Act.
10. Challenging Compliance- This principle requires that organizations investigate all complaints received. An individual shall be able to address a complaint concerning compliance with these principles to the designated individual(s) accountable for the organization’s compliance. Organizations shall put procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information.