Open Internet and Freedom of Information – A Reality Check

Last Updated at: Dec 16, 2020
Open Internet and Freedom of Information.

What the constitutional principles state about privacy and how the evolved tech tools need to adapt to the same? A brief discussion on major supreme court judgments (KS Puttuswamy vs UoI), What IT Act rules provide for data protection? Do cookies and disclaimers preempt/ exempt big data and IT companies? What does the Srikrishna Committee Report provide for data protection? India’s new data protection bill and what to expect? Let’s see what is the Open Internet and Freedom of Information.

Can there be a balance between the growth of IT Companies and access to information and the right to privacy?

Legal Provisions for Privacy in the Digital Age

  • Information Technology Act, 2000

The (Indian) Information Technology Act, 2000 deals with the payment of compensation (in civil cases) and punishments (in criminal cases) in case of wrongful disclosure and misuse of personal data and violation of contractual terms in respect of personal data.

Section 43A of the IT Act states that “when a body corporate, possessing, dealing or handling any sensitive personal data or inormation in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.” There is no upper limit specified for the compensation that can be claimed by the affected party in such circumstances.

Sections 66C and 66E provide punishment for identity theft and violation of privacy respectively.

Section 72 of the Act provides that any person who, in pursuance of any of the powers conferred under the IT Act Rules or Regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document, or other material without the consent of the person concerned, discloses such material to any other person, shall be punishable with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees or with both.

Section 72A provides for the punishment for disclosure of information in breach of lawful contract and any person may penalise with imprisonment for a term not exceeding three years, or with a fine not exceeding up to five lakh rupees, or with both in case disclosure of the information is present in breach of lawful contract.

However, under Sec 69, which is an exception to the general principle of the maintenance of privacy and secrecy of personal information, the Government may order or direct any agency to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource, including information of private nature, in the interest of the sovereignty or integrity of India, defence of India, the security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.

get legal advise

  • Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

Rule 3 of the 2011 Rules provides a list of items that is to treat as “sensitive personal data”, and includes inter alia information relating to passwords, credit/ debit cards information, biometric information (such as DNA, fingerprints, voice patterns, etc. that uses for authentication purposes), physical, physiological and mental health condition, etc. It further clarifies that any information that is freely available or accessible in the public domain does not consider to be sensitive personal data.

The rules provide reasonable security practices and procedures. The body corporate or any person who on behalf of the body corporate collects. Further, receives, possesses, stores, deals or handles information to follow while dealing with “Personal sensitive data or information”. In case of any breach, the body corporate or any other person acting on behalf of the body corporate, the body corporate may liable to pay damages to the person.

Constitutional Rights

Although the Constitution of India does not explicitly grant the right to privacy, courts have, on multiple occasions, granted the right to privacy under existing provisions such as Art 19(1)(a) – freedom of speech and expression and Art 21 – the right to life and personal liberty. However, these rights are subject to reasonable restrictions that fall under Art 19(2) imposed in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence.

In the 1975 Supreme Court judgement of Govind v. State of MP, the right to privacy was recognised as a fundamental right. The right is to include and protect the personal intimacies of the home, marriage, family, motherhood, etc. But it also observes that it is subject to “compelling state subject”.

In Justice K.S. Puttuswamy (Retd.) & Anr. v. Union of India & Ors., the question before the Supreme Court was whether any right to privacy is guaranteed under the Constitution of India and if it is, what is the source of this right, as there is no express provision for preserving one’s privacy. Initially, the Attorney General of India has an argument that privacy is not a fundamental right to Indian citizens. The case was then to a larger bench held that privacy is a constitutionally secure right. Arising out of Article 21 of the Indian Constitution. The protection under Article 21 is not absolute and is subject to certain restrictions. That is imposed to promote a legitimate state interest, should not be arbitrary. Further, should be proportionate to the object of the law.

The New Indian Personal Data Protection Bill

The Indian Government released the draft Personal Data Protection Bill in 2018. A high-level group led by a former SC judge B.N. Srikrishna known as the Srikrishna Committee tasked with updating India’s data privacy laws to current standards produced the draft.