Human experiences are a manifestation of one’s senses; optimally it could be defined as a crude understanding of the world. However, it is of utmost necessity that certain concepts are understood in their clear objective and subjective parlance. One such concept is of fundamental rights; a crude understanding of them will minimalize their existence. Therefore, an elaborate understanding of a right is of utmost necessity, otherwise the existence of a right will be fragile. This seems like the state of affairs with privacy rights in India.
The Supreme Court has been courageous enough to crusade on the untamed terrain of privacy rights, but the efficacy of the job done is still subject to jurisprudential scrutiny. Though in 2017 India became one of the countries recognising privacy as a fundamental right yet it is suffering from institutional void to support the cause of privacy. One of the biggest drawbacks of recognizing privacy but not working on its peripheral sphere is that it will affect the core value of privacy itself. The peripheral sphere which we are talking about is the sphere of ‘Data Protection Law’. The cause of Data Protection Law is to buttress the realm of ‘Informational Privacy’.
Let us rewind to 2017 for better understanding the facets of privacy we are dealing with here. In 2017, the Supreme Court through the majority opinion (delivered by Justice Chandrachud) in K.S Puttuswamy v. UoI recognized privacy rights, under which Justice Chandrachud and Justice Kaul (concurring opinion) broadly laid down three facets of privacy. These are bodily privacy, privacy of the mind and informational privacy. The third sphere of informational privacy or Right to Self-determination (as known in European Jurisprudence) talks about the idea of control of ‘one individual over his or her information’, this can broadly be summarised as ‘Ownership over Data’.
As the modern era is digital, where most information about an individual flows on the internet, it by default becomes a necessity that the facet of ‘Informational Privacy’ should be protected digitally. This can only happen through a sound data protection law. India has come up with legislative endeavors on the provocation of the Supreme Court, yet their endeavor ironically is still a ‘Bill’ pending in parliament. At present literally, there is no safeguard against digital intrusion either by the ‘State’ or a ‘Non-State’ actor.
A classic example of intrusion in digital life is the 2016 U.S election, under which it was alleged that information about five million Facebook users was harvested for voter-profiling and millions of U.S voters were targeted on the basis of their preferences, either through custom-audience or through search-engine manipulation. This was an instance where a political analyst firm, Cambridge Analytica was accused of using ‘Non-State Actors’ (Facebook, Google) for manipulating political actions relating to the U.S Presidency.
However, this incident had an effect on masses around the globe, with the European Union taking stringent steps against Facebook and Goggle. The EU even summoned the CEOs of Facebook and Google (Mark Zuckerberg and Sundar Pichai) for answering questions of voter-profiling. Interestingly, in India (a country with a billion plus population; 40 per cent of whom are surfing the internet) there is no serious discussion on this topic. Indian masses (including government) seem reluctant to take any step in this direction.
To better understand the theme of the paper we need to understand the sphere of ‘Spatial privacy’. For long the world has followed the U.S jurisprudence on privacy, more broadly categorised as ‘My Home is My castle’. The phrase means that anything which I do inside my house shall not be a concern for anyone let alone the State (4th amendment of the U.S Constitution became the basis for the theme of ‘My Home is my Castle’; which safeguards any citizen of America from any illegal intrusion in his house by the State). Thus, the house naturally becomes a place of sanctuary from the outside world.
This sphere of spatial privacy (My home is my castle) was further extended to include other places, where one will have a reasonable expectation of privacy. This elaboration of the theme ‘My Home is my castle was done in the case of ‘Katz v. U.S (1967); however, the test of ‘Reasonable Expectation of Privacy’ was given by Justice Taft in the case of Olmstead v. U.S (1928)]
Indian jurisprudence too did not stay immune to its American counterpart. To a large extent the Justice Chandrachud judgment was dependent on the judgment of Katz v. U.S. While overturning Kharak Singh v. State of U.P, Justice Chandrachud affirmed that there are certain facets of life which should be immune from State’s scrutiny, this was further affirmed by Justice Kaul’s judgment when he agreed that there are certain facets which are immune from intrusion. This sphere of spatial privacy is present in Indian jurisprudence since 1975 when the judgment of Gobind v. State of M.P came in, where Justice Mathew had recognized the spatial privacy of marriage.
Thus, the zone of privacy is well and truly recognized by jurisprudence of India; which intrinsically brings along the test of ‘Reasonable Expectation of Privacy’. India by default recognizes this test, for without this test it will be hard if not impossible to identify spheres where privacy should be granted.
One such sphere of privacy could be my laptop; the activities of my laptop construct a separate zone of privacy under which no one has a right to interfere. However, every right is subject to certain limitations, so this argument is more consolidated by the facet of ‘Informational Privacy’ under which I have control over my information. The very fact that various social-media websites and search engines are able to track my movements by attaching a unique code to my IP address (which is intrinsically linked to my laptop or any other device which I am using) reveals my digital movement and conduct, which to be honest seems like a bare violation of my digital life. This goes against the principle of ‘My house is my castle’. Yes, digital life is not my home but it is similar to my home, where I express myself without any obstruction and any fear of intrusion.
If you visit any social media website today or search engine (visit the more popular one) and click on the ‘Privacy Terms’ you will come to know that all these major websites are tagging special codes on your IP address. It doesn’t matter if you are logged in or not, and they can track your digital movement and come to know about your behavioral patterns and then use the same behavioral reading for target advertisement or behavioral manipulation (which happened in the 2016 U.S elections).
It has to be kept in mind that a sound ‘Data Protection Law’ is the need of the hour to bring in a space for digital autonomy, which for long has been conspicuous with its absence. However, the present bill (Personal Data Protection Bill, 2018) has made severe inflows in favour of ‘State’ machinery. It needs to be taken note that ‘Data Protection Law’ is more of a bargaining tool rather than a submission of the user to the will of the ‘State’. There are three main parties to this negotiation – The User (Citizens of India), MNCs (Social Media Giants) and the State (Government of India/States). All of them need to come to the table and reach a consensus. However, this does not seem like a case with the present Data Protection Bill. If you look at sections 13, 14, 19 and 20 you will realise that (un)impeding power has been bestowed on the Government of India to process any personal information as it pleases in name of public interest.
Further, if you read section 40 of the bill, it talks about ‘Restriction on the cross-border transfer of personal data’ under which every data fiduciary (State and Non-State actors: MNCs, any other individual) shall ensure the storage of personal data to which this act applies on a server or data centre located in India. This means that Facebook which hosts around 400 million users from India is bound under this provision to store one set of all that information within India. Via section 13, 14, 19 and 20 of the bill, the Government of India can easily access that piece of information; hence, exposing a threat of ‘Excess State’ on the citizens of India, whose whereabouts and behavior can easily be under Government’s scrutiny, thus violating the contours of Constitutionalism.
Under this corrigible scenario, the only solution which offers itself is that we start from scratch and bring in more inclusive and user-friendly data protection provisions into existence. A sound data protection law is of utmost necessity for maintaining ‘Digital Dignity’.
The writer is Assistant Professor, National Law University, Odisha.