Life and personal liberty can be considered as inalienable rights which an individual enjoys by virtue of being a human. These rights are inseparable from a dignified human existence.[1] According to J S Mill, “privacy is an aspect of liberty grounded on the permanent interests of man as a progressive human being”.[2] It exists in every human being, irrespective of socio-economic status, gender or orientation.
Until a few years ago, there was a lack of clarity with respect to the scope of the right to privacy under the Indian Constitution. However, in 2017, the nine-judge bench of the Supreme Court in Justice K.S. Puttaswamy v. Union of India[3] held that privacy is a fundamental right, as part of the right to life and personal liberty under Article 21. However, it cannot be considered an absolute right and is subject to invasion by the State only if such an invasion is based on “legality, need and proportionality for safeguarding this cherished right”[4].
Learn more about Constitutional Law with Enhelion’s Online Law firm certified Course!
It is pertinent to note that privacy should not only be protected in the physical world but in cyberspace as well. The use of the Internet and social media has become very common in India owing to the availability of smart devices, lower internet tariffs and global connectivity.
Social media platforms, on one hand, provide an effective platform to freely express oneself to a large audience and, on the other hand, risk the exposure of certain sensitive personal data of the users. In certain situations, the user is aware of the information being collected by the social media networking sites. However, there might also be instances where the user is completely unaware of the information trail he is leaving online, over which he has no control. Such information can be used by potential offenders to commit physical crimes. For example, in 2016, a group of thieves pretended to be Police officials, entered a hotel in Paris where Kim Kardashian,[5] an American model, was staying for the time being and robbed her at gunpoint. It was later found out that the thieves were following Kim’s Instagram posts where she uploaded pictures wearing costly jewellery and tracked down Kim’s location using her Instagram. This instance shows how potential cybercrime offenders can exploit social media platforms to commit conventional crimes. This example was just one of many instances where information either provided or retained by the social media sites could be made use of for purposes unknown to the user, thus violating the user’s privacy. Therefore, just like any other aspect of life, privacy is an indispensable part of social media life as well.
The existing and emerging legal framework governing the right to privacy vis-à-vis social media in India
- The Information Technology Act, 2000 (I.T. Act)[6]
The right to privacy in social media has been protected in India even before privacy was recognized as a fundamental right. The Information Technology Act, 2000 is considered comprehensive legislation dealing exclusively with the aspects of privacy in the realm of cyberspace.
Section 43A of the I.T. Act obligates a body corporate that possesses, deals with or handles any sensitive personal data or information in a computer resource to implement and maintain reasonable security practices and procedures. If the body corporate fails to do so, and as a result, there is a wrongful loss or wrongful gain to any person, such body corporate can be made to pay damages to the affected person.[7] The provision further defines ‘body corporate’[8] and ‘reasonable security practices and procedures’[9].
Furthermore, the I.T. Act, under Section 69A, authorizes the Central Government to block public access to any information through any computer resource under certain grounds[10]. This provision has been relied on by the Government to ban various Chinese apps, including the social media site TikTok, over privacy concerns.[11]
- The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) [SPDI] Rules, 2011[12]
With respect to the reasonable security practices and procedures which the body corporate is required to implement under the I.T. Act, section 43A has to be read with the SPDI Rules of 2011. These rules provide a detailed framework for the implementation of section 43A.
The Rules first define ‘personal information’[13] and ‘sensitive personal data or information’.[14] They obligate the body corporate to-
- Provide a privacy policy for handling personal information, including sensitive personal information, to the users[15]. The same has to be published on the website of the body corporate[16];
- Obtain the consent of the user providing sensitive personal information, regarding the purpose of usage, before collecting such information[17];
- Take prior consent of the user before disclosing any sensitive personal information of the user to a third party[18];
- Have a documented policy containing managerial, technical, operational and physical security control measures that are proportional to the information assets being protected with the nature of business.[19]
Therefore, it is evident that the SPDI Rules primarily cover privacy concerns over sensitive personal information. However, such protection has not been provided to the personal information of the user.
- The Personal Data Protection Bill, 2019[20] (PDP Bill)
Taking into account the limited protection provided to privacy on social media by section 43A of the I.T. Act read with the SPDI Rules of 2011, and the judgement of the Apex Court in the Puttaswamy case[21] recognizing privacy as a fundamental right, the Personal Data Protection Bill, 2019 was finally drafted to provide a robust framework on privacy and data protection in India.
The Bill defines ‘personal data’[22], ‘sensitive personal data’[23], ‘data principal’[24], ‘data fiduciary’[25] and ‘consent’[26].
Addressing the loopholes of the existing legal framework in India, the PDP Bill requires that the personal data of an individual be processed only for specific, clear and lawful purposes[27]. It further provides that processing of personal data should be carried out in a fair and reasonable manner to ensure the privacy of the data principal and for the purpose consented to[28]. Furthermore, personal data should be collected only to the extent necessary for the purpose of processing.[29]
With respect to the consent of the data principal, consent should be obtained prior to processing of personal data[30] and should be specific vis-à-vis the purpose of processing[31]. Furthermore, with respect to consent for the processing of sensitive personal data, it should be obtained after giving the choice to the data principal to separately consent for purposes of the use of different categories of sensitive personal data[32].
The PDP Bill has not yet become law and is currently referred to the Standing Committee[33].
- The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021[34]
The Government of India notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which replaced the Information Technology (Intermediaries Guidelines) Rules, 2011.
Under the Rules, the intermediary is required to publish its privacy policy on its website[35]. Further, the intermediary is required to periodically inform its users that in case of non-compliance with the privacy policy, it has the right to terminate the account of such users[36]. However, the Rules do not talk about the elements and aspects of the privacy policy, leaving it to the whims and fancies of the intermediaries in the absence of a privacy and data protection framework in India. Furthermore, the provision on traceability of the originator of information[37] under Rule 5(2) has the implication of violating the privacy of the users because, to track the first originator of a message/information, the intermediary should have access to the metadata of the entire chain of the conversation. Therefore, in order to comply with the traceability requirement, the significant social media intermediaries will have to break end-to-end encryption, thereby compromising the privacy of communication.
WhatsApp privacy policy issue
The current privacy policy change by WhatsApp is undoubtedly the best example to illustrate the concern of the right to privacy on social media. Before understanding the implications of policy change in 2021, let us first understand the policy change in 2016.
WhatsApp was launched in 2010 and was bought by Facebook in 2014. Facebook affirmed that it would not change the privacy policy of WhatsApp. However, in 2016, WhatsApp announced a change in its privacy policy to be effective from the 25th of September 2016. The new policy sought to collect information like phone numbers, names, device information etc. of every WhatsApp account, and share the same with the parent company, Facebook. As a result, a petition was filed in the Delhi High Court challenging the change of the policy. In Karmanya Singh v. Union of India,[38] the Delhi High Court rejected the petition but directed WhatsApp to delete the data collected till 25th September 2016 from its servers. The information shared post-25th September was allowed to be shared according to the new policy. Aggrieved by the decision, the petitioners appealed to the Supreme Court, where this case is presently pending.[39]
In January 2021, WhatsApp came up with a new privacy policy that basically does not touch upon the end-to-end encryption feature. However, WhatsApp can now share user metadata with its parent company and its subsidiaries[40]. WhatsApp gave two options to its users: either accept the policy and continue using the platform, or the WhatsApp account will be eventually deleted. Therefore, in essence, an opt-out option for the new policy change was not provided to the users.
Taking these developments into account, an application[41] was filed in the Apex Court challenging the new privacy policy. The application claimed that WhatsApp was offering lower privacy protection in India as compared to Europe[42]. The primary issue in the case is whether the ‘opt-out’ provision simply opts out of the application in totality, i.e. whether WhatsApp is obligated to provide a specific option of ‘Not sharing data with Facebook’. The case is currently pending in the Supreme Court.
It is pertinent to note that WhatsApp was able to come up with a privacy policy of ‘take it or exit it’ because of the lack of a privacy and data protection framework in India. In such a situation, users have to rely on the privacy policies of the company as the I.T. Act read with the SPDI Rules provides very limited protection in this regard. If the PDP Bill had become law, WhatsApp would never have been able to come up with a policy like this, as the provisions of the Bill ensure that information is collected only for a specific purpose for which consent of the data principal is explicitly taken and that the data fiduciary takes consent for processing sensitive personal data separately for each different purpose[43]. This provision would have prevented WhatsApp from taking consent for both purposes (for a chat with friends and family and chat with businesses) together, as messages with business entities could reveal sensitive personal data like health information, sexual orientation, etc. However, the scope of Clause 11(3)(c) should be expanded to include ‘personal data’ rather than ‘sensitive personal data’ of the data principal, just like Article 7(2) of the GDPR.
[1] Opinion of Justice D Y Chandrachud in Justice K S Puttaswamy v. Union of India, (2017) 10 SCC 1.
[2] Jack Stillinger, Introduction in John Stuart Mill Autobiography, OXFORD UNIVERSITY PRESS, 7 (1971).
[3] Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
[4] Id, part T(3)(H).
[5] VANITY FAIR, https://www.vanityfair.com/style/2016/10/solving-kim-kardashian-west-paris-robbery (last visited Apr. 26, 2021).
[6] The Information Technology Act, 2000, No. 21, Act of Parliament, 2000.
[7] Id., § 43A.
[8] Id., explanation (i).
[9] Supra note 7, explanation (ii).
[10] If such information is prejudicial to the sovereignty and integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or incites the commission of any cognizable offence relating to above.
[11] BBC, https://www.bbc.co.uk/newsround/53266068 (last visited Apr. 26, 2021).
[12] The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
[13] Id., Rule 2(1)(i).
[14] Supra note 12, rule 3.
[15] Supra note 12, rule 4.
[16] Id.
[17] Supra note 12, rule 5.
[18] Supra note 12, rule 6.
[19] Supra note 12, rule 8.
[20] The Personal Data Protection Bill, 2019.
[21] Supra note 3.
[22] Supra note 20, cl. 3(28).
[23] Supra note 20, cl. 3(36).
[24] Supra note 20, cl. 3(14).
[25] Supra note 20, cl. 3(13).
[26] Supra note 20, cl. 3(10).
[27] Supra note 20, cl. 4.
[28] Supra note 20, cl. 5.
[29] Supra note 20, cl. 6.
[30] Supra note 20, cl. 11(1).
[31] Supra note 20, cl. 11(2)(c).
[32] Supra note 20, cl. 11(3)(c).
[33] PRS INDIA, https://prsindia.org/billtrack/the-personal-data-protection-bill-2019 (last visited Feb. 26, 2021).
[34] The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
[35] Id., rule 4(1)(a).
[36] Supra note 34, rule 4(1)(c).
[37] Supra note 34, rule 5(2).
[38] Karmanya Singh v. Union of India, 233 (2016) DLT 436.
[39] SC OBSERVER, https://www.scobserver.in/court-case/whatsapp-facebook-privacy-case (last visited Apr. 26, 2021).
[40] The latest clarifications from WhatsApp drew a differentiation between “messages with friends or family” and “messages with a business”. It claims that the new privacy policy pertains to the latter alone and the former remains unchanged. WhatsApp has clarified that some “large businesses might need to use secure hosting services from Facebook to manage WhatsApp chats with their customers, answer questions, and send helpful information like purchase receipts”.
[41] Supra note 38.
[42] In Europe, by virtue of the General Data Protection Regulation, though the WhatsApp privacy policy talks about data sharing with Facebook, the users can rectify, update or erase information that the platform controls.
[43] Supra note 20, cl. 11(3)(c).