constitutionlaw Archives - Enhelion Blogs

Life and personal liberty can be considered as inalienable rights which an individual enjoys by virtue of being a human. These rights are inseparable from a dignified human existence.^[1] According to J S Mill, “privacy is an aspect of liberty grounded on the permanent interests of man as a progressive human being”.^[2] It exists in every human being, irrespective of socio-economic status, gender or orientation.

Until a few years ago, there was a lack of clarity with respect to the scope of the right to privacy under the Indian Constitution. However, in 2017, the nine-judge bench of the Supreme Court in Justice K.S. Puttaswamy v. Union of India[3] held that privacy is a fundamental right, as part of the right to life and personal liberty under Article 21. However, it cannot be considered as an absolute right and is subject to invasion by state, only if such an invasion is based on “legality, need and proportionality for safeguarding this cherished right”^[4].

Learn more about Constitutional Law with Enhelion’s Online Law firm certified Course!

It is pertinent to note that privacy should not only be protected in the physical world but in cyberspace as well. The use of the Internet and social media has become very common in India owing to the availability of smart devices, lower internet tariffs and global connectivity.

The social media platforms, on one hand, provide an effective platform to freely express oneself to a large audience, and on the other hand, risk the exposure of certain sensitive personal data of the users. In certain situations, the user is aware of the information being collected by the social media networking sites, however, there might also be instances where the user is completely unaware of the information trail he is leaving online, over which he has no control. Such information can be used by potential offenders to commit physical crimes. For example, in 2016, a group of thieves pretended to be Police officials, entered a hotel in Paris where Kim Kardashian,[5] an American model, was staying for the time being and robbed her at gunpoint. It was later found out that the thieves were following Kim’s Instagram posts where she uploaded pictures wearing costly jewellery and tracked down Kim’s location using her Instagram. This instance shows how potential cybercrime offenders can exploit social media platforms to commit conventional crimes. This example was just one of many instances where information either provided or retained by the social media sites could be made use of for purposes unknown to the user, thus violating the user’s privacy. Therefore, just like any other aspect of life, privacy is an indispensable part of social media life as well.

Learn more about Constitutional Law with Enhelion’s Online Law firm certified Course!

The existing and emerging legal framework governing the right to privacy vis-à-vis social media in India

The Information Technology Act, 2000 (I.T. Act)[6]

The right to privacy in social media has been protected in India even before privacy was even recognized as a fundamental right. The Information Technology Act, 2000 is considered comprehensive legislation dealing exclusively with the aspects of privacy in the realm of cyberspace.

Section 43A of the I.T. Act obligates a body corporate that possesses, deals or handles any sensitive personal data or information in a computer resource, to implement and maintain reasonable security practices and procedures. If the body corporate fails to do so, and as a result, there is a wrongful loss or wrongful gain to any person, such body corporate can be made to pay damages to the affected person.[7] The provision further defines ‘body corporate’[8] and ‘reasonable security practices and procedures[9].

Furthermore, the I.T. Act, under Section 69A, authorizes the Central Government to block public access to any information through any computer resource under certain grounds[10]. This provision has been relied on by the Government to ban various Chinese apps, including the social media site TikTok, over privacy concerns.[11]

Learn more about Constitutional Law with Enhelion’s Online Law firm certified Course!

The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) [SPDI] Rules, 2011[12]

With respect to the reasonable security practices and procedures which the body corporate is required to implement under the I.T. Act, section 43A has to be read with the SPDI Rules of 2011. These rules provide a detailed framework for the implementation of section 43A.

The Rules firstly define ‘personal information[13] and ‘sensitive personal data or information.[14] It obligates the body corporate to-

Provide a privacy policy for handling personal information, including sensitive personal information, to the users[15]. The same has to be published on the website of the body corporate[16];
Obtain the consent of the user providing sensitive personal information, regarding the purpose of usage, before collecting such information[17];

Take prior consent of the user before disclosing any sensitive personal information of the user to a third party[18];

Have a documented policy containing managerial, technical, operational and physical security control measures that are proportional to the information assets being protected with the nature of business.[19]

Therefore, it is evident that the SDPI Rules primarily cover privacy concerns over sensitive personal information. However, such protection has not been provided to the personal information of the user.

Learn more about Constitutional Law with Enhelion’s Online Law firm certified Course!

The Personal Data Protection Bill, 2019[20] (PDP Bill)

Taking into account the limited protection provided to privacy on social media by section 43A of the I.T. Act read with the SDPI Rules of 2011, and the judgement of the Apex Court in the Puttaswamy case[21] recognizing privacy as a fundamental right, the Personal Data Protection Bill, 2019 was finally drafted to provide a robust framework on privacy and data protection in India.

The Bill defines ‘personal data’[22], ‘sensitive personal data[23], ‘data principal’[24], ‘data fiduciary’[25] and ‘consent’[26].

By dealing with the loopholes of the existing legal framework in India, the PDP Bill obligates the processing of ‘personal data of an individual only for specific, clear and lawful purposes [27]. It further provides that processing of personal data should be carried out in a fair and reasonable manner to ensure the privacy of data principal and for the purpose consented to[28]. Furthermore, personal data should be collected only to the extent necessary for the purpose of processing.[29]

With respect to the consent of data principal, consent should be obtained prior to processing of personal data[30] and should be specific vis-à-vis the purpose of processing[31]. Furthermore, with respect to consent for the processing of sensitive personal data, it should be obtained after giving the choice to the data principal to separately consent for purposes of the use of different categories of sensitive personal data[32].

Learn more about Constitutional Law with Enhelion’s Online Law firm certified Course!

The PDP Bill has not yet become law and is currently referred to the Standing Committee[33].

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021[34]

The Government of India notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which replaced the Information Technology (Intermediaries Guidelines) Rules, 2011.

Under the Rules, the intermediary is required to publish its privacy policy on its website[35]. Further, the intermediary is required to periodically inform its users that in case of non-compliance with privacy policy, it has the right to terminate the account of such users [36]. However, the Rules do not talk about the elements and aspects of the privacy policy, leaving it to the whims and fancies of the intermediaries in the absence of a privacy and data protection framework in India. Furthermore, the provision of traceability of originator of information[37] under Rule 5(2) has the implication of violating the privacy of the users as for tracking the first originator of a message/information, the intermediary should have access to the metadata of the entire chain of the conversation. Therefore, in order to comply with the traceability requirement, the significant social media intermediaries will have to break end-to-end encryption, thereby compromising the privacy of communication.

WhatsApp privacy policy issue

The current privacy policy change by WhatsApp is undoubtedly the best example to illustrate the concern of the right to privacy on social media. Before understanding the implications of policy change in 2021, let us first understand the policy change in 2016.

WhatsApp was launched in 2010 and was bought by Facebook in 2014. Facebook affirmed that it would not change the privacy policy of WhatsApp. However, in 2016, WhatsApp announced a change in its privacy policy to be effective from the 25^th of September 2016. The new policy sought to collect information like phone numbers, names, device information etc. of every WhatsApp account, and share the same with the parent company, Facebook. As a result, a petition was filed in the Delhi High Court challenging the change of the policy. In Karmanya Singh v. Union of India,[38] the Delhi High Court rejected the petition but directed WhatsApp to delete the data collected till 25^th September 2016 from its servers. The information shared post-25^th September was allowed to be shared according to the new policy. Aggrieved by the decision, the petitioners appealed to the Supreme Court, where this case is presently pending.[39]

Learn more about Constitutional Law with Enhelion’s Online Law firm certified Course!

In January 2021, WhatsApp came up with a new privacy policy that basically does not touch upon the end-to-end encryption feature, however, WhatsApp can now share user metadata with its parent company and its subsidiaries[40]. WhatsApp gave two options to its users- either accept the policy and continue using the platform, or the WhatsApp account will be eventually deleted. Therefore, in essence, an opt-out option for the new policy change was not provided to the users.

Taking these developments into account, an application[41] was filed in the Apex Court challenging the new privacy policy. The application claimed that WhatsApp was offering lower privacy protection in India as compared to Europe[42]. The primary issue in the case is whether the ‘opt-out’ provision simply opts out of the application in totality i.e. whether WhatsApp is obligated to provide a specific option of ‘Not sharing data with Facebook. The case is currently pending in the Supreme Court.

It is pertinent to note that WhatsApp was able to come up with a privacy policy of ‘take it or exit it’ because of the lack of privacy and data protection framework in India. In such a situation, users have to rely on the privacy policies of the company as the I.T. Act read with SDPI rules provide very limited protection in this regard. If the PDP Bill had become law, WhatsApp would never be able to come up with a policy like this as the provisions of the Bill ensure that information is collected only for a specific purpose for which consent of data principal is explicitly taken and that the data fiduciary takes consent for processing sensitive personal data separately for each different purpose[43]. This provision would have prevented WhatsApp from taking consent for both purposes (for a chat with friends and family and chat with businesses) together, as messages with business entities could reveal sensitive personal data like health information, sexual orientation, etc. However, the scope of Clause 11(3)(c) should be expanded to include ‘personal data’ rather than ‘sensitive personal data of the data principal, just like Article 7(2) of the GDPR.

Learn more about Constitutional Law with Enhelion’s Online Law firm certified Course!

[1] Opinion of Justice D Y Chandrachud in Justice K S Puttaswamy v. Union of India, (2017) 10 SCC 1.

[2] Jack Stillinger, Introduction in John Stuart Mill Auto biography, OXFORD UNIVERSITY PRESS, 7 (1971).

[3] Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.

[4] Id, part T(3)(H).

[5] VANITY FAIR, https://www.vanityfair.com/style/2016/10/solving-kim-kardashian-west-paris-robbery (last visited Apr. 26, 2021).

[6] The Information Technology Act, 2000, No. 21, Act of Parliament, 2000.

[7] Id., § 43A.

[8] Id., explanation (i).

[9] Supra note 7, explanation (ii).

[10] If such information is prejudicial to the sovereignty and integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or incites the commission of any cognizable offence relating to above.

[11] BBC, https://www.bbc.co.uk/newsround/53266068 (last visited Apr. 26, 2021).

[12] The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

[13] Id., Rule 2(1)(i).

[14] Supra note 12, rule 3.

[15] Supra note 12, rule 4.

[16] Id.

[17] Supra note 12, rule 5.

[18] Supra note 12, rule 6

[19] Supra note 12, rule 8.

[20] The Personal Data Protection Bill, 2019.

[21] Supra note 3.

[22] Supra note 20, cl. 3(28).

[23] Supra note 20, cl. 3(36).

[24] Supra note 20, cl. 3(14).

[25] Supra note 20, cl. 3(13).

[26] Supra note 20, cl. 3(10).

[27] Supra note 20, cl. 4.

[28] Supra note 20, cl. 5.

[29] Supra note 20, cl. 6.

[30] Supra note 20, cl. 11(1).

[31] Supra note 20, cl. 11(2)(c).

[32] Supra note 20, cl. 11(3)(c).

[33] PRS INDIA, https://prsindia.org/billtrack/the-personal-data-protection-bill-2019 (last visited Feb. 26, 2021).

[34] The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

[35] Id., rule 4(1)(a).

[36] Supra note 34, rule 4(1)(c).

[37] Supra note 34, rule 5(2).

[38] Karmanya Singh v. Union of India, 233 (2016) DLT 436.

[39] SC OBSERVER, https://www.scobserver.in/court-case/whatsapp-facebook-privacy-case (last visited Apr. 26, 2021).

[40] The latest clarifications from WhatsApp drew a differentiation between “messages with friends or family” and “messages with a business”. It claims that the new privacy policy pertains to the latter alone and the former remains unchanged. WhatsApp has clarified that some “large businesses might need to use secure hosting services from Facebook to manage WhatsApp chats with their customers, answer questions, and send helpful information like purchase receipts”.

[41] Supra note 38.

[42] In Europe, by virtue of General Data protection Regulation, though WhatsApp privacy policy talks about data sharing with Facebook, however, the users can rectify, update or erase information that the platform controls.

[43] Supra note 20, cl. 11(3)(c).

By Karan Kumar Khaitani

“It shall be the duty of every citizen of India to cherish and follow the noble ideals which inspired our national struggle for freedom.”[1]

The recent spate in instances of invoking sedition laws against human rights activists, journalists and public intellectuals in the country have raised important questions on the undemocratic nature of these laws, which were introduced by the British colonial government.

While sedition laws are part of a larger framework of colonial laws that are now used liberally by both the central and state governments to curb free speech, the specificity of these laws lie in the language of ‘disaffection’ and severity of the punishment associated with them. Sedition laws were used to curb dissent in England, but it was in the colonies that they assumed their most draconian form, helping to sustain imperial power in the face of rising nationalism in the colonies including India. Targets of this law included renowned nationalists like Mahatma Gandhi, Bal Gangadhar Tilak and Annie Besant. It is ironic that these laws have survived the demise of colonial rule and continue to haunt media personnel, human rights activists, political dissenters and public intellectuals across the country.

In the Universal Declaration of Human Rights, 1948 (UDHR), Article 19 states that “everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.”

Restrictions on the freedom of expression can be justified if they are provided by law or if they are in pursuance of a legitimate aim in international treaties such as the protection of national security, public order, public health or morals. There needs to be a necessity to restrict the right in the form of a pressing social need and there needs to be a strict scrutiny regarding the justification of the restriction. What needs to be seen is not just the necessity of the law that seeks to restrict the freedom but also the individual measures taken by the State. When a law restricts freedom of expression by reference to national security or public order imperatives, and that law is couched in general terms, specific justification needs to be provided by the State in prosecution (for compliance) with Article 19 of the ICCPR.

A colonial legacy like sedition law, which presumes popular affection for the state as a natural condition and expects citizens not to show any enmity, contempt, hatred or hostility towards the government established by law, does not have a place in a modern democratic state like India. The case for repealing the law of sedition in India is rooted in its impact on the ability of citizens to freely express themselves as well as to constructively criticise or express dissent against their government. The existence of sedition laws in India’s statute books and the resulting criminalization of ‘disaffection’ towards the state is unacceptable in a democratic society. These laws are clearly colonial remnants with their origin in extremely repressive measures used by the colonial government against nationalists fighting for Indian independence. The use of these laws to harass and intimidate media personnel, human rights activists, political activists, artists, and public intellectuals despite a Supreme Court ruling narrowing its application, shows that the very existence of sedition laws on the statute books is a threat to democratic values.

Section 124A should be scrapped in my view and the following law should be debated, discussed and enacted:

“Unlawful activity”, in relation to an individual or association, means any action taken by such individual or association

(i) Which directly incites through violent means, on any ground whatsoever, the cession of a part of the territory of India or the secession of a part of the territory of India from the Union,

(ii) Which has, as a direct consequence of such action, the result of disrupting the sovereignty and territorial integrity of India;”

It is time we come out of the narrow closet of ideas of ‘nationalism’ and ‘Indian Culture’, and prevent ourselves from putting the larger goals such as upholding the principles of democracy at stake. For it will be a dangerous delusion if we continue to believe that the use or rather, the abuse of a law as arbitrary as Section 124-A of IPC cannot drive the people of the nation into a revolution and a dreadful retaliation against the state.[2]

At this juncture, it is important to point out that the democratic edifice of our country is not fragile to be easily shattered by ways of speeches in public places or by printing an article in the print media. In other words, the unity and integrity of India and the legitimacy of the Indian state are not as weak as it was in the case of the British colonial regime to be threatened and shattered by the speeches or the writings of a section of the political class.[3]

With this, I would like to conclude with the words of Gandhi Ji:

“Affection cannot be manufactured or regulated by the law. If one has no affection for a person, one should be free to give the fullest expression to his disaffection, so long as he does not contemplate, promote or incite to violence.”

[1] Article 51(b), Constitution of India, 1950

[2] India’s Democracy in great Danger, Youth ki awaaz, 3^rd March 2016

[3] Sedition Law and Indian Democracy, Law Teacher, 2016