India: Privacy Laws in India – Big Brother’s Watching You - (and you can´t do a thing about it!)

"Gradually the scope of legal rights broadened; and now the right to life has come to mean the right to enjoy life--the right to be let alone", - The Right to Privacy, by Samuel Warren and Louis D. Brandeis. It’s astonishing how legal experts in the United States recognized the need to conserve "individual privacy" as early as 1890. However, the lack of an explicit privacy legislation did not hinder their efforts to develop an elaborate edifice of privacy protection principles that form the bedrock upon which contemporary privacy protection regulation rests. As the authors of the above article stated, "The intense intellectual and emotional life, and the heightening of sensations which came with the advance of civilization, made it clear to man that only a part of the pain, pleasure, and profit of life lay in physical things. Thoughts, emotions, and sensations demanded legal recognition, and the beautiful capacity for growth which characterizes the common law enabled the judges to afford the requisite protection, without the interposition of the legislature."

People often think of privacy as some kind of right. Unfortunately, the concept of a 'right' is a convoluted way to start analyzing the idea of privacy, because a right is usually equated with a kind of absolute standard. It would be more useful to think about privacy as a facet of an individual’s personality that one would want to harbor exclusively for themselves. "Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others."². Drilling down to a deeper level, privacy turns out not to be a single interest, but rather has several dimensions:

• Privacy of the person - Sometimes referred to as 'bodily privacy' This is concerned with the integrity of the individual's body. Issues include compulsory immunisation, blood transfusion without consent, compulsory provision of samples of body fluids and body tissue, and compulsory sterilisation;
• Privacy of personal behaviour - This relates to all aspects of behaviour, but especially to sensitive matters, such as sexual preferences and habits, political activities and religious practices, both in private and in public places. It includes what is sometimes referred to as 'media privacy';
• Privacy of personal communications - Individuals claim an interest in being able to communicate among themselves, using various media, without routine monitoring of their communications by other persons or organisations. This includes what is sometimes referred to as 'interception privacy'; and
• Privacy of personal data - Individuals claim that data about themselves should not be automatically available to other individuals and organisations, and that, even where data is possessed by another party, the individual must be able to exercise a substantial degree of control over that data and its use. This is sometimes referred to as 'data privacy' and 'information privacy'.

Globally, the right to privacy is one of the most carefully guarded rights, especially in an age, where vast amounts of personal information is provided, used, traded and even stolen. With the close coupling that has occurred between computing and communications, particularly since the 1980s, the concept of Privacy can only be ignored at one’s own peril.

This article attempts to examine various privacy legislation models in the United States and their pro-active approach towards addressing various facets of individual privacy; consider the tentative efforts made by the Indian judiciary to protect individual privacy in India by invoking generic concepts like "right to life" and highlight the absence of a privacy model in India that adequately conserves individual privacy or addresses the emergent issues that have arisen given the rapid advancement and convergence of divergent modes of communication in India vis-à-vis a similar privacy enforcement model in the United States.

An originating point of reference in the process of evolving an information privacy law would involve examining the privacy statutes found under other jurisdictions, primarily, the American privacy legaislation, an "ideal law" that has kept pace with the rapidly evolving facets of individual privacy.

The Federal Privacy Statute lays down a detailed and structured mechanism for both collating of and disclosure of personal information gathered by customer service companies, or any organizations, which may be involved in the process of gathering personal information in the United States. Some of the relevant provisions are relating to, Conditions of disclosure, Accounting of Certain Disclosures, Access to records, Organization requirements, Organization rules, Civil remedies, Rights of legal guardians and Criminal penalties. However, these regulations are subject to both general and specific exemptions, which are laid down in the Statute.

The Federal Privacy Act of 1974 lays down exhaustive conditions of disclosure whereby no agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains, unless disclosure of the record would be; (1) to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties; (2) required under section 552 of this title; (3) for a routine use as defined [ … … ]; (4) to the Bureau of the Census for purposes of planning or carrying out a census or survey or related activity pursuant to the provisions of […]; (5) to a recipient who has provided the agency with advance adequate written assurance that the record will be used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable; (6) to the National Archives and Records Administration as a record which has sufficient historical or other value to warrant its continued preservation by the US government, or for evaluation by the Archivist or the designee of the Archivist to determine whether the record has such value; (7) to another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if the activity is authorized by law, and if the head of the agency or instrumentality has made a written request to the agency which maintains the record specifying the particular portion desired and the law enforcement activity for which the record is sought; (8) to a person pursuant to a showing of compelling circumstances affecting the health or safety of an individual if upon such disclosure notification is transmitted to the last known address of such individual; (9) to either House of Congress, or, to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee of Congress or subcommittee of any such joint committee; (10) to the Comptroller General, or any of his authorized representatives, in the course of the performance of the duties of the General Accounting Office; (11) pursuant to the order of a court of competent jurisdiction; or (12) to a consumer reporting agency in accordance with [ …].

The previous section introduced information privacy as a combination of the privacy of personal communications and of personal data. Information Privacy is the interest an individual has in controlling, or at least significantly influencing, the handling of data about themselves. The continuing increase in public concern about information privacy should therefore be seen as a reaction to the ways in which information technology is used by organisations, rather than to information technology itself. Privacy laws mostly focus on 'data protection', i.e. they protect data about people, rather than people themselves. This is unfortunate because, although data protection is a more pragmatic concept than the abstract notion of privacy (and it's therefore easier to produce results), it's not what humans actually need.

Information privacy is valued very highly by individuals. But it is under threat from particular kinds of management practices, and from advances in technology. This section explains the concept of 'data surveillance'. To do so, it is first necessary to define some underlying terms. Surveillance is the systematic investigation or monitoring of the actions or communications of one or more persons. The primary purpose of personal surveillance is generally to collect information about the individuals concerned, their activities, or their associates. There may be a secondary mode of mass surveillance with an intention to deter a whole population from undertaking some kinds of activity. Two separate classes of surveillance are usefully identified:

Identification is a process whereby a real-world entity is recognised, and its 'identity' established. Identityis operationalised in the abstract world of information systems as a set of information about an entity that differentiates it from other, similar entities. The set of information may be as small as a single code, specifically designed as an identifier, or may be a compound of such data as given and family name, date-of-birth and postcode of residence. Important examples of these techniques are, names - or what the person is called by other people; codes - or what the person is called by an organisation; knowledge - or what the person knows; tokens - or what the person has; biometrics - the term 'biometrics' is used to refer to those person-identification techniques that are based on some physical and difficult-to-alienate characteristic, such as appearance - e.g. the familiar descriptions of height, weight, colour of skin, hair and eyes, social behaviour - e.g. habituated body-signals; general voice characteristics; style of speech; bio-dynamics e.g. the manner in which one's signature is written; statistically-analysed voice characteristics; keystroke dynamics, natural physiography - e.g. skull measurements; teeth and skeletal injuries; thumbprint, fingerprint sets imposed physical characteristics - e.g. dog-tags, collars, bracelets and anklets; brands and bar-codes.

Authentication is the process whereby a degree of confidence is established about the truth of an assertion. A common application of the idea is to the authentication of identity. This is the process whereby an organisation establishes that a party it is dealing with is, a previously known real-world entity; or a previously unknown real-world entity. In addition, there are many circumstances in which organisations undertake authentication of value, e.g. by checking a banknote for forgery-resistant features like metal wires or holograms, and seeking pre-authorisation of credit-card payments.

Thus, the US Federal Privacy Statute seems to be a fairly comprehensive statute with regard to securing, protecting and use of personal information relating to individuals. However, the US Privacy Act was enacted in 1974 and since then, technology has evolved at a spectacular pace resulting in newer, emergent and still-evolving facets of individual privacy. However, it would be far to say that the United States has enacted various legislations (discussed later in the paper) that are seemingly adequate in the effort to conserve and protect individual privacy.

The United States government has dealt in full measure with these emerging privacy issues in the United States by enacting a slew of statutes and legislations and making a concerted effort towards the conservation of individual privacy. Some of the key legislations enacted by the US government are, the Bank Secrecy Act, Cable TV Privacy Act of 1984, Electronic Communications Privacy Act, Fair Credit Reporting Act , Family Educational Right to Privacy Act, Freedom of Information Act, Privacy Act of 1974, Right to Financial Privacy Act of 1978 and the Video Privacy Protection Act of 1988 as also the Children’s Online Privacy Protection Act (COPPA). The main goal of COPPA and the rules there under is to protect the privacy of children using the Internet. Key Provisions of the Final Rule Privacy Notice on the Web Site, Verifiable Parental Consent, Choice Regarding Disclosures to Third Parties, Online Activities for which Parental Consent is Not Required, Coverage of Information Submitted Online, Role of Schools in Obtaining Consent for Students, Safe Harbor Program, and Enforcement

About.com v. Doe (S.D. N.Y., filed April 11, 2000). The operator of an online chat service filed suit against an anonymous person who had been entering the company's chat rooms and posting obscene messages allegedly intending to harass others. The operator invoked a surviving portion of the Communications Decency Act prohibiting the use of a telecom device to transmit obscene , lewd, or indecent comments with the intent to annoy or harass another. By filing the suit, the plaintiff gained the ability to issue subpoenas to ISPs to learn the identity of the defendant.

United States v. Simons, 206 F.3d 392 (4^th Cir., Feb. 28, 2000). A government employee was charged with violating federal laws when the employing agency identified incriminating documents on his computer. The court held that the employee did not have a reasonable expectation of privacy as to the fruits of his Internet use, where the agency had notified employees of limitations on their Internet use and a policy of periodic audits to ensure compliance.

Electronic Privacy Information Center v. Nat'l Security Agency (D. D.C., filed Dec. 3, 1999). A Privacy watchdog group (EPIC) sued NSA. EPIC alleged that NSA is monitoring domestic Internet traffic as part of "Echelon" surveillance network, in violation of U.S. privacy laws, which was upheld by the Court.

U.S. West v. Federal Communications Commission, 182 F.3d 1224 (10^th Cir., Aug. 18, 1999). Court struck down FCC rules requiring phone companies to obtain affirmative "opt-in" permission from customers to share customer information (e.g. calling patterns) with third parties. Applying First Amendment analysis, the court held that the rule did not adequately define the government interest protected by the regulations, and that due to availability of "opt-out" procedure the regulations were not narrowly tailored to protect privacy.

Finally in, Bohach v. The City of Reno, 932 F. Supp. 1232 (D.Nev. 7/22/96): Police officers did not have a reasonable expectation of privacy in the content of their internal email, and privacy and wiretap statutes did not immunize them from employer action against them based on monitoring of email ; and United States v. Maxwell, 45 M.J. 406, 1996 C.A.A.F. 116 (1996): A military officer who challenged the constitutionality of an FBI search of his computer files was held to have had a reasonable expectation of privacy in his personal America OnLine email transactions.

When the government keeps such a vast store of personal information, it can be accessed by sophisticated computer systems. Thus, the issue of privacy--which we might define as independence within a structured group -- arises.

i. Are we creating a more efficient system in which basic services are available to all, or a surveillance state in which our every deed is monitored?

ii. How much does the government need to know in order to serve its citizens properly?

iii. Is there a limit to how much information should be collected?

Governments must strike a balance between allowing citizens to live autonomously and running an organized society. High levels of autonomy allow people to break the rules: to commit crimes, to enter countries illegally, to not pay taxes. Society suffers for the sake of individual privacy. Conversely, if society as a whole is considered more important than the individuals who make it up - when governments keep track of everything to ensure that nobody breaks the rules -- then freedom of an individual, one of the most fundamental human rights, is effectively eliminated.

In the Indian context, the rapidly growing services sector has resulted in both Indian and trans-national corporate entities building up vast, exhaustive and detailed customer databases with a view to providing personalized services such as insurance, personal banking, credit cards etc. These databases contain confidential personal information and may be used by corporates for their own purposes or for that of its affiliates. Also, these databases form a valuable corporate asset, which finds many takers in the market for individual information.

In this regard, any use, disclosure and retention of such information needs to be strictly regulated, through an established privacy enforcement regime. Any prospective Indian privacy law would need to incorporate several facets of the above model, which, comprehensively deals with the collection, and use of personal information. With the emergence of an increasingly uniform set of norms governing commercial legal issues across the globe, it becomes imperative for Indian law makers and the legislature to take note of the void that prevails in the critical area of individual privacy protection.

Privacy under the Constitution of India

In the Indian context, although there is no statutory enactment expressly guaranteeing a general right of privacy to individuals in India, elements of this right, as traditionally contained in the common law and in criminal law, are recognised by Indian courts. These include the principles of nuisance, trespass, harassment, defamation, malicious falsehood and breach of confidence. In addition, several pieces of discrete legislation also recognise this right: for example, the Children Act 1960, which prohibits the publication of names and other particulars of children involved in proceedings under the Act; the Hindu Marriage Act 1955, which imposes similar restrictions on the publication of reports concerning proceedings of matrimonial disputes; and the Copyright Act 1957, which prohibits the unauthorised publication of certain documents, photographs, etc. The Code of Criminal Procedure, 1973, also permits restrictions to be imposed on the publication of reports concerning certain legal proceedings, eg. rape trials.

Under the Indian Constitution, Article 21 of the Indian Constitution is a fairly innocuous provision in itself i.e. "No person shall be deprived of his life or personal liberty except according to procedure established by law" However, the above provision has been deemed to include within it’s ambit, inter-alia, the Right to Privacy – " The Right to be left alone"³ - as the Supreme Court termed it. The concept of right to privacy finds it’s genesis in the case of Gobind v. State of Madhya Pradesh⁴ wherein the Supreme Court of India in it’s ruling, (speaking through Matthew J.) cited the Preamble of the Constitution of India which is designed to "assure the dignity of the individual". Further, in a detailed exposition on Right to Privacy, the Supreme Court in R. Rajgopal v. State of TN⁵ laid down that, the right to privacy is implicit in the right to life and liberty guaranteed to a citizen under A.21 of the Constitution, a citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, childbearing and education among other matters. None can publish (meaning "make known to the public") anything concerning the above matters without his consent, whether truthful or otherwise and whether laudatory or critical, unless they are part of public records. However, the Supreme Court made the above observations in the context of search and surveillance orders, be that as it may, admittedly the Court made its first foray in evolving the concept of Right to Privacy, which in any event would necessarily have to go through a process of case-by-case development.

The Right to Privacy is further encompassed in the field of Torts. The tort of Defamation involves the right of every person to have his reputation preserved inviolate. It protects an individual’s estimation in the view of the society and its defenses are ‘truth’ and ‘privilege’, which protect the competing right of freedom of speech. Essentially, under the law of torts, defamation involves a balance of competing interests. The only concession for an action, which involves infringement of right to privacy, would be for reasons of, prevention of crime, disorder, or protection of health and morals or protection of rights and freedom of others.

There exist certain other means by which parties may agree to regulate the collating and use of personal information gathered, viz. by means of a "privacy clause" or through a "confidentiality clause" Accordingly, parties to a contract may agree to the use or disclosure of an individual’s personal information, with the due permission and consent of the individual, in an agreed manner and/or for agreed purposes. Under Indian laws, the governing legislation for contractual terms and agreements is the Indian Contract Act. Therefore, in a contract which includes a "confidentiality clause" i.e. where an organization/company agrees to maintain the confidentiality of information relating to an individual, any unauthorized disclosure of information, against the express terms of the agreement would amount to a breach of contract inviting an action for damages as a consequence of any default in observance of the terms of the contract⁶.

In the case of an insurance contract, globally, contracts of Insurance are contracts of "Utmost good faith" (Uberrimae Fidei) and the contract is voidable where all material facts are not disclosed. However, the duty of utmost good faith is reciprocal and the insurance company has a corresponding duty to disclose clearly the terms of its offer and duly abide by them. Therefore an insurance proposal, which contains a confidentiality clause regarding personal information provided by the customer, cannot be disclosed without his prior consent. Any breach of such term would invite an action for breach of contractual terms by the insurer-customer. In India, a state-owned insurance corporation would typically include in it’s proposal; an Indemnity clause whereby the customer agrees "that such authority (corporation) having such knowledge or information (regarding the customer), shall at any time be at liberty to divulge any such knowledge or information to the corporation". By agreeing to the above clause, the insurance corporation indemnifies itself against any disclosure related action by the customer, however, such clause/term for disclosure should be construed narrowly and any mala fide disclosure could invite an action against the company, which discloses the information, based on equity and good faith, despite the presence of a standard indemnity clause in the original agreement.

In regard to a customer- insurance company relationship, an insurance company may, solicit personal information about an individual wherein details could be sought, relating to an individual’s family, cultural background, ethnic origin, caste, childhood, education, medical history, information regarding one’s immediate family, their age, profession etc. or, in case of data processing companies, there may be queries with regard to an individuals’ professional pursuits, income, investment decisions, preferences, spending patterns and so on. Despite an express authorization from their customers, with regard to sharing of personal information by corporate entities, there may still be instances where disclosure of certain sensitive and embarrassing information could invite legal action from an individual, claiming that the actions of a company which made an unauthorized disclosure resulted in causing such mental agony, anguish, and social stigma, which he would not have otherwise had to bear or face.

There are instances of specific inter-personal relationships wherein one party might be obligated to maintain a certain measure of confidentiality. A doctor-patient, husband–wife, customer-insurance company or an attorney-client relationship; are instances where there exists a strong ethical obligation on the part of one party to protect the privacy of information relating to an individual which may expose him to social humiliation and/or ridicule. In the case of an attorney-client relationship, professional ethics prescribe that certain communications and conversations between the attorney and his client must remain outside the ambit of public knowledge and should be maintained as such. The above principle also receives legal recognition in S.126 of the Indian Evidence Act, 1872.

In the case of X v. Hospital Z⁷ [doctor-patient relationship], the Supreme Court held, "Right of Privacy may, apart from contract, also arise out of a particular specific relationship which may be commercial, matrimonial or even political. The Court further went on to hold that "… disclosure of even true private facts has the tendency to disturb a person’s tranquility. It may generate many complexes in him and may even lead to psychological problems. In the face of these potentialities, and as already held by this Court in it’s various decisions, the right to privacy is an essential component of the right to life as envisaged by A.21."

From the above discussion, there emerge two critical elements with regard to the assessment of the fairness of disclosure of personal information:

i. The nature and sensitivity of information with regard to an individual and the reasonable consequence of such disclosure

ii. The purpose or rationale for disclosing personal information by the organization/company making such disclosure.

There exists in India an impending need to frame a model statute which safeguards the Right to Privacy of an individual, especially given the emergence of customer-service corporate entities which gather extensive personal information relating to it’s customers. It’s evident that despite the presence of adequate non-mandatory, ethical arguments and precedents established by the Supreme court of India; in the absence of an explicit privacy statute, the right to privacy remains a de facto right, enforced through a circuitous mode of reasoning and derived from an expansive interpretation of either Constitutional law or Tort law.

The urgency for such a statute is augmented by the absence of any existing regulation which monitors the handling of customer information databases, or safeguards the Right to Privacy of individuals who have disclosed personal information under specific customer contracts viz. contracts of insurance, credit card companies or the like. The need for a globally compatible Indian privacy law cannot be understated, given that trans-national businesses in the services sector, who find it strategically advantageous to position their establishments in India and across Asia. For instance, India is set to emerge as a global hub for the setting up and operation of call centers, which serve clients across the world. Extensive databases have already been collated by such corporates, and the consequences of their unregulated operations could lead to a no-win situation for customers in India who are not protected by any privacy statute, which sufficiently guards their interests. Even within the present liberal global regulatory paradigm, most governments would be uncomfortable with a legal regime, which furthers commercial interests at the cost of domestic concerns.

Issues that would need to be addressed by any prospective privacy legislation in India are:

i. Limited Purpose

The particular purpose for gathering information by an organization must be specified at or before the time the information is collected.

ii. Safeguards

In the case of insurance companies or other customer service-related or data processing companies, the gathering and collation of personal information on individuals would need to be conserved and secured by a regulated data security system.

iii. Accountability

Corporates would need to establish a system whereby all information disclosure systems are duly audited/accounted and monitored, keeping in view the rationale/occasion for every disclosure made

iv. Prior Consent

Corporates could include express clauses in their agreements, which include an express authorization from the individual allowing the companies to use/disclose personal information for it’s own internal purposes or that of it’s affiliates or group companies.

v. Limits to Use, Disclosure and Retention

Any information sharing with other members of the insurance industry or with other corporate entities should be made only after seeking an express authorization from the customer.

vi. Information-Sharing

The confidentiality and sensitivity of such information makes it necessary for corporates to avoid any data sharing arrangement or customer information disclosure agreements without the prior consent of the individuals.

In conclusion, the issue that remains to be addressed, is not the shape of the prospective privacy legislation in India, or it’s intricacies, but the need to put in place a privacy law enforcement regime that addresses the nouveau-emergent privacy issues, in the context of convergence of various modes of communication, within a reasonable period of time. As Ronald Dworkin said in his article "Objectivity and Truth: You'd Better Believe It", " We want to live decent, worthwhile lives, lives we can look back on with pride not shame. We want our communities to be fair and good and our laws to be wise and just. These are enormously difficult goals, in part because the issues at stake are complex and puzzling." Complex as it may be, the concept of privacy protection is an area that needs our lawmakers attention, and rightly so.