The digital revolution has brought immense benefits to the society at large, however it has also raised critical concerns regarding the protection of one's personal information. This article explores the concept of privacy as a fundamental right, the dilemma between national security and individual privacy, and the challenges posed by social media data collection.
The Right to Privacy: A Fundamental Right
The right to privacy is a fundamental right recognized internationally. It encompasses an individual's right to control his/her personal information, the right to be free from unwarranted government intrusion, and the right to make their choices about their lives. In India, the right to privacy is not explicitly provided for in the Constitution, however, the Supreme Court of India in the judgement of Justice K.S. Puttaswamy (Retd.) and Anr. vs Union of India and Ors. (2017) 10 SCC 1), held that the right to privacy is a fundamental right inherent in the right to life and personal liberty enshrined in Article 21 of the Constitution.
The Aadhaar Card Scheme: A Case Study
The Aadhaar Card Scheme, launched by the Indian government in
2010, is a prime example of the tension between national security
concerns and individual privacy rights. Aadhaar assigns a unique
identification number to every Indian resident based on their
biometric and demographic data. The government has time and again
argued that Aadhaar is essential for delivering social welfare
benefits, preventing fraud, and improving national security.
However, critics of the Aadhaar Scheme raise concerns about the
mass collection of biometric data, the potential for government
surveillance, and the lack of robust data protection safeguards.
The possibility of data breaches and the misuse of Aadhaar data by
private entities is another major concern.
Social Media and the Right to Privacy in India
The internet has become an integral part of life, connecting individuals, and offering platforms for communication, commerce, and information access. However, with every online interaction, people leave digital footprints that can be collected and analysed. This raises concerns about privacy.
Social media, while fostering self-expression, creates a potential minefield for privacy breaches. Platforms gather vast amounts of user data through “electronic tracks” for targeted advertising and personalization, raising concerns about profiling.
Recent changes to privacy policies by social media giants like X (formerly Twitter) allowing biometric data collection, and WhatsApp's data sharing with Facebook, further exacerbate privacy worries. The challenging Supreme Court case of Karmanya Singh Sareen & Anr. v. Union of India & Ors. (S.L.P. (C) No. 804 of 2017), reflects the legal battle on the matter of WhatsApp's data policy to protect user data and privacy rights.
Moreover, the General Data Protection Regulation (GDPR) and its compliance requirements for data retention state that any individual's “personal data must not be retained by any entity for longer than necessary for the purposes for which the personal data is processed”. The principle has been violated in many cases such as the recent Apple IOS update wherein deleted photos of users were resurfaced indicating retention of data in contravention to a user's actions.
Data breaches can be devastating, causing financial loss, reputation damage and possible legal suits over violation of one's privacy and personality rights. Several high-profile cases in the recent times illustrate the severity of the problem such as (i) the Domino's leak wherein around 13 TB of data from 18 million customers was released, (ii) the COVID-19 information breach where 81 crore Indians' test data was exposed in the public, (iii) the Air India data breach in which unauthorized access was granted to user credentials, leading to full access the payment methods and GST invoices of the company's users, and last but not the least, (iv) the Big Basket leak where a hacker leaked 20 million user records in public domain.
It is not an unknown fact that there is no standard enactment for data protection in India and the courts have largely depended on the Information Technology Act (2000) and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules (2011) to comply with data privacy issues, and cases. However, a comprehensive legal framework and implementation is yet to be structured through the Digital Personal Data Protection Act (DPDPA) (passed on 11th August 2023) and the proposed Digital India Act (to replace the existing Information Technology Act, 2000) which raise hope regarding the protection of one's personal data.
The DPDPA focuses on private and corporate organizations, imposes obligations on entities that process data, known as Data Fiduciaries, and outlines the rights and responsibilities of individuals whose data is being processed, known as Data Principals. Although the implementation of DPDPA is still a far way in the future, however, once enforced, DPDPA, shall serve as a holistic legislation for data protection in India providing a structured grievance redressal mechanism for both, digitally collected data and data collected physically, which is then later digitised.
Ensuring transparency, trust and online safety is the core of this contemporary legislature, it will aim to regularise large tech intermediaries such as Meta, Netflix and Amazon and will review the “safe harbour principle” safeguarding the rights of the citizens and promoting accountability.
The Path Forward
In conclusion, the digital age presents a complex data protection challenge and India, like many developing nations, grapples with this conundrum. The Aadhaar scheme and the practices of social media companies have highlighted the need for a robust implementation plan for the data protection legislation, DPDPA, to be read with the proposed Digital India Act.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.