With the advent of the Puttaswamy[1] judgement, one aspect of constitutional law jurisprudence that has been set in motion in the Indian context is that data protection rests on the right to privacy and the security of personal information, and that adverse consequences from its use or misuse are bound to arise. Under the scheme of the Indian Constitution, the right to privacy is covered under Article 21 and Article 19, reasonably restricted by the reasonable restriction clauses; the reasonable nexus is governed by Article 14. Blackstone[2] defines the right of privacy in this regard as “the right to be let alone”, or the right of a person to be free from unwarranted public scrutiny, if he chooses. On the one hand, the synthesis of personal information of individuals is important for stringent control by the state for the purposes of state security, crime prevention or in the interest of public policy. ‘Personal data’, according to the General Data Protection Regulation, is any information relating to an identified or identifiable natural person[3]. The Regulation also lays down the standards whereby data shall be processed under the heads of special categories[4]. Needless to say, personal data should be protected: there must be no intrusion where an individual reasonably expects it to be respected, and such intrusion gives rise to liability unless it is justified[5]. In today’s digital age, inconsistent right to privacy and data protection standards need to be addressed, and they need to be in line with the public interest.
The crux of this right lies in the balancing of public and private interests: the more compelling the public interest, the more ardent the need for the State and its authorities to have the personal information.[6] More often, inconsistent provisions affect the way the State and its authorities comply with the law, creating a demand for more reasonable and accountable right to privacy and data protection standards. This has led to the debate over whether the model of data protection should be ‘right based’ or ‘consent based’.
This project covers the various aspects of the right to privacy and data protection policies in the United States and the European Union, and the various issues and challenges faced by individuals in relation to them. The U.S. position on the right to privacy and data protection is mostly present implicitly in the U.S. Constitution’s Bill of Rights and Amendment 14 (Civil Rights), and also includes Amendment I (Privacy of Beliefs), Amendment III (Privacy of the Home), Amendment IV (Privacy of the Person and Possessions), Amendment V (Privilege against Self-Incrimination) and Amendment IX (General Protection for Privacy), along with federal legislation (though not comprehensive) in the Fair Credit Act, 1970, Privacy Act, 1974, the Cable Communications Policy Act, 1984, Electronic Communications Privacy Act, 1986 and Video Privacy Protection Act, 1986. The European Union, in turn, relies on Article 8 of the European Convention of Human Rights (ECHR), Article 16 of the Treaty on the Functioning of the European Union (TFEU) and Articles 7 and 8 of the European Charter of Fundamental Rights, which cover the right to privacy and protection of personal data. The Data Protection Directive, 1995 is also a significant legal instrument in this regard, and the General Data Protection Regulation (GDPR) of 2016 also lays down a framework for the same.
The subject matter has been traced on the basis of historical perspective and categorised under the following heads that include the beginning, phase of evolution and development of the same.
The right to privacy was not directly incorporated in the Constitution, and it was never even a part of the Constituent Assembly debates; the judiciary, however, interpreted the concept. During the year 1954[7], in the case of M.P. Sharma v. Satish Chandra[8], the apex Court decided in favour of search and seizure when it came in conflict with privacy.[9] In 1962, while deciding Kharak Singh v. State of U.P.[10], a case on the surveillance of history sheeters, the Court observed that the right to privacy is not a guaranteed right under the Constitution of India but is an essential ingredient of Article 21 under the expression ‘personal liberty’, which was relied upon in the RM Malkani case[11]. The right was actively negated by the state but recognised by the courts, and the ‘compelling interest’ test from American jurisprudence was applied in the 1975 matter of Gobind v. State of M.P.[12], which held that in cases of compelling public interest (here, crime prevention and public safety) the right has to be curtailed; this was also relied upon in PUCL v. Union of India[13]. The Supreme Court also gave strength to Article 20(3), the right against self-incrimination, and, closely aligned with privacy, the right to remain silent was recognized.[14]
In the year 2013, questions relating to the right to privacy were situated around Aadhaar, a government scheme whereby a citizen could get a unique ID after the submission of their fingerprints and iris scans. The scheme was challenged in K.S. Puttaswamy (Retd.) v. Union of India[15], where the Supreme Court recognized the right to privacy as a fundamental right for the first time, thereby overruling MP Sharma and Kharak Singh, paving the way for data protection from private sector entities and limiting the use of sensitive personal information to the government for general welfare. The Indian position in the data protection regime had previously been recognised in the Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) and now in the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016. Other aspects touching upon privacy and data protection are covered under various sector specific laws. The right to privacy is also a part of various international instruments associated with India, like the Universal Declaration of Human Rights (UDHR), 1948 (Article 12) and the International Covenant on Civil and Political Rights (ICCPR), 1966 (Article 17).
Very recently, the WhatsApp privacy policy, under which confidential information is to be shared with Facebook Inc., has raised concerns over the same; it envisages differential treatment and allegedly violates the privacy of the users.[16] It also involved an opt-out feature if the user does not want to continue with the same. A batch of PILs has been filed in the Supreme Court and the Delhi High Court. Another Constitutional bench is also considering the challenge to the 2016 privacy policy.[17] Another case, Balu Gopalakrishnan v. State of Kerala and Ors.[18], also known as the ‘Sprinklr case’, dealt with a list of persons susceptible to the COVID-19 disease in the state of Kerala and a USA based software company, Sprinklr Inc., where the concerns were breach of the right to privacy and sensitive information being monitored by a third party; as a consequence, 5 petitions were filed in relation to the contract of the State of Kerala with Sprinklr Inc.[19]
The US Constitution came into effect in the year 1789. The right to privacy was not explicitly recognized by it,[20] but it came into existence through the Supreme Court’s interpretation of Amendments I, III, IV and V. In the year 1890, the Brandeis article[21] on the ‘Right to Privacy’ acknowledged the said right, thereby influencing the American legal system, and sought to consider whether there is a principle that protects individual privacy.
The Supreme Court started recognising ‘liberty’ in relation to privacy protection in line with Amendment XIV, starting from Pierce v. Society of Sisters[22]. In the year 1948, when the UDHR came into existence, the US started to consider the right to privacy in line with the instrument. In the 1965 ruling of Griswold v. Connecticut[23], the Court viewed the ‘comstock law’ that prohibited contraception as violative of the right to marital privacy, with partial reliance on Amendment IX. In the 1967 case of Katz v. United States[24], the Court found that Amendment IV’s protection against unreasonable searches and seizures extends to anywhere a person has a reasonable expectation of privacy.[25]
Various legislations like the Federal Privacy Act, 1974 brought in fair information practice on the collection and use of personal information. Other sectors were covered too: health by HIPAA, 1996; the Gramm-Leach-Bliley Act, 1999 provided for the protection of personal data of customers by financial institutions; the E-Government Act, 2002 provided for the Privacy Impact Assessment (PIA) for any new technology that dealt with personal information; and the Red Flags Rule of 2010, which protected against identity theft, is also mentionable. Various state legislations, like the California Consumer Privacy Act, 2020, separately dealt with data protection.
The European Union is a political and economic union of 27 member states primarily located in Europe; it was established with the idea of a single market, enacting legislations etc. It came into existence in 1993 by the Maastricht Treaty.[26] The very first instrument to recognize the right to privacy and data protection was the European Convention on Human Rights (ECHR), under Article 8, in the year 1953.[27] The 1975 case Golder v. United Kingdom[28], decided by the European Court of Human Rights, paved the way in this regard, deciding upon the client confidentiality of a prisoner.[29]
In the Council of Europe Convention No. 108, 1981, a fleshed-out instrument on data protection law was laid out, which was later amended in the year 1999 to allow EU accession. Among the various other laws was the Data Protection Directive, 1995[30], which under Articles 1(1) and 1(2) laid out the right to privacy with respect to personal data and its free flow among the member countries.
The Treaty on the Functioning of the European Union (TFEU) also incorporated provisions relating to data protection in Article 16. The Charter of Fundamental Rights likewise incorporated Article 7 and Article 8, relating to respect for private and family life along with the protection of personal data. The major breakthrough came when the General Data Protection Regulation of 2016, a comprehensive set of principles for data protection, came into force. The European Court of Justice has also left no stone unturned in deciding for data protection and privacy in a series of cases starting from the unlawful treatment of medical data in Vinci v. ECB[31].
The legislative framework along with the case laws is covered in this head in the jurisdictions of India, EU and US and it is analysed hereby:
The Indian Constitution does not specifically recognize the right to privacy, but it is implicit under Article 21.[32] Whether the right is guaranteed was considered in the cases of MP Sharma and Kharak Singh, and it was in the latter case that the minority opinion of Subba Rao, J. found that the privacy right is included under the term ‘personal liberty’ by relying upon the A.K. Gopalan[33] case. The apex Court also preferred an evolutionary aspect of the right by not negating it in Gobind. A similar prospect was considered in the case of R. Rajagopal and Anr. v. State of Tamil Nadu[34], that Article 21 has a right to be let alone and a safeguard of privacy. The right, though, cannot be curtailed except according to procedure established by law.[35] In PUCL, the right was restricted under the purview of reasonable restrictions under Article 19(2).
The Puttaswamy judgement finally accepted the right to privacy as a fundamental right, though since RC Cooper v. UOI[36] is said to have gained the status of due process of law to decide the cases relating to concerns of privacy under Article 21. It is pertinent to note that the law of privacy has to be under the reasonable nexus[37] of Article 14, that is, it has to be non-arbitrary and should ensure fairness.[38]
Apart from the constitutional guarantees of the right to privacy, there are various legislations like the Indian Contract Act, 1872, the Information Technology Act, 2000 and the rules made thereunder, the Indian Penal Code, 1860, The Copyright Act, 1957 and the recently put together Personal Data Protection Bill, 2019. There are also some sector specific legislations like the Mental Health Act, 1987, Indian Medical Council Regulations, 2002, Indian Telegraph Act, 1885, State Bank of India Act, 1955, Banking Companies Act, 1980, Credit Information Companies Act, 2005 and Regulations, 2006 and Public Financial Institutions Act, 1983.
The US Constitution has no express provisions on privacy rights; the legislative concerns of the framers,[39] however, were protected in the ‘bill of rights’ as Privacy of Beliefs (Amendment I), Privacy of the home against military use (Amendment III), Privacy against unlawful searches (Amendment IV) and Privilege against self-incrimination (Amendment V).[40] There is also Amendment IX, which deals with rights retained by the people that are not expressly provided in the bill of rights. Amendment XIV also includes various facets of the right to privacy, like marriage, child nurturing etc., as interpreted by the Supreme Court. During the 1920s, in the case of Meyer v. Nebraska[41], it was held that the private decisions of parents regarding the education of their children should not be interfered with by the State. In the year 1969, relying upon Griswold, the Supreme Court in the case of Stanley v. Georgia[42] decided that the right to privacy extends to a person’s own home, where he can possess or watch pornography; Marshall, J. also purported that the State does not have the power to control men’s minds. In another case, Roe v. Wade[43], the Supreme Court struck down a law prohibiting abortion as an aspect of the right to privacy. The Courts went on to interpret the laws relating to sodomy, in the 2003 case of Lawrence v. Texas[44], as violative of the liberty clause enshrined in Amendment XIV of the Constitution.
The right to privacy is also recognised as a set of various torts, identified by Prosser[45] in his Article as an improvement on the Brandeis Article, recognizing the right to privacy as covering invasion by: a) intrusion on mental and physical seclusion, b) public disclosure of private facts, c) publicity in false light and d) misappropriation of a person’s name.[46]
The notable legislations on the data protection regime are: Fair Credit Act, 1970, Privacy Act, 1974, the Cable Communications Policy Act, 1984, Electronic Communications Privacy Act, 1986 and Video Privacy Protection Act, 1986 and for the private sector: The Federal Trade Commission Act, 1914, Gramm-Leach-Bliley Act, 1999, The Health Insurance Portability and Accountability Act (HIPAA), 1996 and Children Online Privacy Protection Act, 1998 along with States which have their separate laws.
The European Union’s protection of privacy deals with a person’s private and family life, his home and correspondence, subject to the lawful restrictions necessary in a democratic society under Article 8 of the European Convention on Human Rights of 1953. Following the ratio of Golder, the European Court of Human Rights (ECHR) decided Silver v. United Kingdom[47], which dealt with censorship of a prisoner’s correspondence regarding conditions under the privacy protection of Article 8. Rotaru v. Romania[48] raised concerns for data protection under the regime and called for a need to regularize public information that is systematically collected. Also, in the case of S and Marper v. United Kingdom[49], it was held that the retention of DNA information in respect of persons arrested was violative of Article 8. The various judicial interpretations led to the landmark judgement of Aycaguer v. France, where it was observed that the unreasonable informational storage of a DNA Database violates the right enshrined in Article 8.
The EU Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was concluded within the Council of Europe in 1981; under it, the privacy of individuals was taken into account, keeping in view the flow of personal data that undergoes processing. It has been updated since the year 1985 and a new instrument on artificial intelligence has also been added.[50] The Directive on Privacy and electronic communications [2002/58/EC] was modified in 2009 for issues of retention of traffic and location data.
Based on the Treaty of Lisbon, the EU data protection law of the Treaty on the Functioning of the European Union (TFEU) had also been adopted, which was later revised in the year 2009. Article 16 lays down that the Parliament and the Council lay down rules relating to the protection of individuals with regard to the processing of personal data and its use within the scope of Union Law. Articles 7 and 8 of the Charter of Fundamental Rights, which also came into force in 2009, form the legal basis of the EU instruments on data protection and privacy, viz. respect for private and family life and protection of personal data processed fairly, on the basis of consent or any other lawful basis.[51] The European Council approved the programme of AFSJ for 2010-14, known as the Stockholm Programme, on the guidelines of Article 68 of TFEU, to protect personal data in the EU.
The Data Protection Directive was also coined in 1995; it was later replaced by the General Data Protection Rules, 2016[52] [Regulation (EU) 2016/679], which dealt with the processing of sensitive personal data and its free movement. The aim was to protect the EU from data breaches and to ensure smooth business transactions: data was received strictly on consent, and there was a right to be forgotten, a right to transfer data to some other service provider and a right to know about data deletion and attacks of hacking on it. It applied to companies working in and out of the EU, with warnings, orders and fines imposed on undertakings that break the rules. The Data Protection Law Enforcement Directive of 2016 [(EU) 2016/680] dealt with the prevention of crime and the state’s safety by deciding the way personal data has to be processed to fight crime and terrorism. Regulation 2018/1725 was also passed to process personal data and ensure its free movement.
Article 13 of Directive (EU) 2016/681 dealt with passenger name record (PNR) to analyse data for investigation and prevention of crime. Chapter VI and Chapter VII on data protection safeguards and data protection 2016/794 and 2017/1939 on Europol and European Public Prosecutor’s Office. Article 45 of GDPR decides whether a country outside the EU works with a safe data protection regime or not. The EU-US Umbrella protection deals with prevention of criminal offences to ensure safety and cooperation to fight crime and terrorism. Some sector specific resolutions also exist in the EU and the major supervisory authorities are European Data Protection Supervisor (EDPS) and European Protection Data Board (EPDB).
The cases of the European Court of Justice are also relevant in this regard for the interpretation of the same. The Bavarian Lager (appeal)[53] dealt with the relationship between privacy and the right of access to proceed with sensitive data. The case of V. v. Parliament[54], dealing with the provisions of ECHR Art. 8, ECHR Art. 10 and Regulation 45/2001 Art. 10, relating to the upkeep of data on health and sex life, was also discussed at length. In deciding on Art. 8(b) of Regulation 45/2001 in Gert-Jan Dennekamp v. European Parliament[55], who can access the rights to have information on the matter was underlined.
The various findings of the study that form its crux are interwoven and presented under this head that pertains to the issues and perspectives that have led to the spark of discourse on the need for strengthening the right to privacy and regime of data protection.
After considering the various facets of the Indian position under the various provisions of the Constitution, it can be said that, from before Puttaswamy to after Puttaswamy, the development of privacy and data protection has come a long way, in the sense that it has given rise to a lot of other legislations in the background as well. The right is implicit in Articles 21, 14 and 19 of the Constitution and no express provision actually contains it, but the very important aspect is that it is very necessary for the self-determination and dignity of the individual. Whenever the existence of privacy rights has to be decided in line with the recent trends of the Constitution, it has to be looked into whether reasonableness and proportionality are valid there or not; we will have to go a long way in deciding the same, as the construction of this expression is quite narrow at the present moment. With the advent of the recent WhatsApp privacy policy and Sprinklr cases, it has to be seen whether the standards of efficacy in data protection are respected or not: when individuals consent to the privacy policy of a platform, it is the very responsibility of that entity to respect it and preserve it in the most practicable manner.
The US Constitution has come a long way in recognising the right to privacy in various Amendments of the bill of rights and the ‘liberty’ clauses, but the main point remains that the extent to which a person can exercise privacy as a right would have to be reduced, as absolute rights are not possible in that regard. The problem looms over the structuring of rights as well: the federal and state laws have different provisions which overlap each other, and this brings an ardent need for comprehensive and consolidated legislation on privacy rights and data protection, so as to ensure a balance between the private and public sector and the ways in which certain transactions and interactions of life take place. This multifarious approach of the US can weed out the inconsistencies of the existing privacy regime. The other issue that the US faces is that, under its various legislations, general standards or conventions are used as the basis on which the rights function, and not the standards by which they should function in order to achieve the legislative intention behind them.
The European Union has the best standards of privacy and data protection till date, be it on the basis of its international backing as a fundamental human right, its incorporation in the fundamental rights charter, the treaty for the functioning of the same, or the very comprehensive GDPR. The courts, international and national, of the member states have interpreted it in the best possible manner, and various aspects of the law are now included within the jurisprudence. Keeping in consideration the various intrinsic and stringent aspects it covers, however, it calls for more careful application and adoption by the member countries, which they should practise judiciously. Close deadlines on the member countries to implement the instruments should be avoided, and a chance should also be given to the various players in GDPR to make privacy and data rights more reasonable, rational and accountable. Information being managed in so many spheres in the digital age creates various concerns about privacy leaks, and that should be cared about.
[1] (2015) 8 SCC 735.
[2] Henry Campbell Black, M.A., Black’s Law Dictionary 1434 (St. Paul, Minn., West Publishing Co., 4th edn., 1968).
[3] General Data Protection Regulation, 2016, Art. 4.
[4] General Data Protection Regulation, 2016, Art. 9.
[5] Campbell v. MGN, [2004] UKHL 22.
[6] Peter Semayne v. Richard Gresham, 77 ER 194.
[7] A short history on right to privacy, available at: https://www.governancenow.com/gov-next/egov/a-short-history-right-privacy (Visited on March 22, 2021).
[8] AIR 1954 SC 300.
[9] M.P. Jain, Indian Constitutional Law 1168 (LexisNexis Publications, Gurgaon, 7th edn., 2014).
[10] AIR 1963 SC 1295.
[11] R.M. Malkani v. State of Maharashtra, AIR 1973 SC 157.
[12] AIR 1975 SC 1378.
[13] (1997) 1 SCC 301.
[14] Selvi v. State of Karnataka, 2010(7) SCC 263.
[15] (2015) 8 SCC 735.
[16] WhatsApp’s Privacy Fight in Indian Courts, available at: https://www.bloombergquint.com/law-and-policy/whatsapps-privacy-fight-in-indian-courts (Visited on March 24, 2021).
[17] Karmanya Singh Sareen v. Union of India, 2016 SCC Online Del 5334.
[18] W.P. (C). Temp No. 84 of 2020.
[19] Global Freedom of Expression, available at: https://globalfreedomofexpression.columbia.edu/cases/balu-gopalakrishnan-v-state-of-kerala-and-ors/ (Visited on March 25, 2021).
[20] History of Privacy Timeline, available at: https://safecomputing.umich.edu/privacy/history-of-privacy-timeline (Visited on March 26, 2021).
[21] Louis Brandeis, “The Right to Privacy” 4 Harvard Law Review 193 (1890).
[22] 268 U.S. 510 (1925).
[23] 381 U.S. 479 (1965).
[24] 389 U.S. 347 (1967).
[25] Nuzhat Parveen Khan, Comparative Constitutional Law 322 (Satyam Law International, Delhi, 2nd edn., 2018).
[26] Gloria González Fuster, “The fundamental right of data protection in the European Union: in search of an uncharted right” 26 International Review of Law, Computers & Technology 73 (2012).
[27] Human Rights Working Group, 2016, available at: https://lawschoolsgloballeague.com/wp-content/uploads/2017/01/Human-Rights-Group-Paper-2016 (Visited on March 24, 2021).
[28] (1975) 1 EHRR 524.
[29] S.K. Kapoor, International Law and Human Rights 1232 (Central Law Agency, Allahabad, 4th edn., 2016).
[31] Case F-130/07.
[32] Data Protection and Privacy Issues in India, available at: https://elplaw.in/wp-content/uploads/2018/08/Data-Protection-26-Privacy-Issues-in-India (Visited on March 25, 2021).
[33] AK Gopalan v. State of Madras, 1950 SCR 88.
[34] (1994) 6 SCC 632.
[35] PUCL v. Union of India, (1997) 1 SCC 301.
[36] (1970) 1 SCC 248.
[37] Maneka Gandhi v. Union of India, (1978) 1 SCC 722.
[38] Shivam, “Arbitrariness analysis under Article 14 with special reference to Review of Primary Legislation” 11 ILI Law Review 184 (2016).
[39] The Right of Privacy, available at: http://law2.umkc.edu/faculty/projects/ftrials/conlaw/rightofprivacy.html (Visited on March 27, 2021).
[40] D.D. Basu, Comparative Constitutional Law 432 (LexisNexis Publications, Gurgaon, 3rd edn., 2014).
[41] 262 U.S. 390 (1923).
[42] 394 U.S. 557 (1969).
[43] 410 U.S. 113 (1973).
[44] 539 U.S. 558 (2003).
[45] Daniel, "Prosser's Privacy Law: A Mixed Legacy" 98 California Law Review 6 (2010).
[46] The Evolution of Privacy, available at: https://www.cga.ct.gov/PS98/rpt%5Colr%5Chtm/98-R-1455.htm (Visited on March 26, 2021).
[47] (1981) 3 EHRR 475.
[48] [2000] ECHR 192.
[49] [2008] ECHR 1581.
[50] New Guidelines on Artificial Intelligence and Data Protection, available at: https://www.coe.int/en/web/data-protection/-/new-guidelines-on-artificial-intelligence-and-personal-data-protection (Visited on March 25, 2021).
[51] Charter of Fundamental Rights, available at: https://www.citizensinformation.ie/en/government_in_ireland/european_government/eu_law/charter_of_fundamental_rights.html#:~:text=The%20Charter%20of%20Fundamental%20Rights,with%20the%20Treaty%20of%20Lisbon. (Visited on March 26, 2021).
[52] Personal Data Protection, available at: https://www.europarl.europa.eu/factsheets/en/sheet/157/personal-data-protection (Visited on March 25, 2021).
[53] C28-08 P.
[54] CST, F-46/09.
[55] T-82/09.
[56] Sheshadri Chatterjee, “Issues of personal data protection and privacy policy: A comparative analysis for different countries” 4 International Journal of Law 2 (2018).
[57] Jeffrey Rosen, “The Unwanted Gaze: The Destruction of Privacy in America Random House” 124 International Journal of Legal Studies 42 (2000).
[58] Daniel Solove, “Conceptualizing Privacy” 90 California Law Review 4 (2002).
[59] Neil M Richards, “The Dangers of Surveillance” 126 Harvard Law Review 7 (2013).
[60] Helen Nissenbaum, “Privacy as Contextual Integrity” 79 Washington Law Review 119 (2004).