(Illustration: C R Sasikumar)
With the Supreme Court recognising privacy as a constitutional right, legal and technology experts are of the view that the move could have multifaceted ramifications for citizens. While on one side, corporates, including technology companies, would need to put in place robust privacy policies and security infrastructure to prevent breaches that could potentially be seen as violation of a consumer’s fundamental right to privacy, it will also be imperative for the government to prescribe laws and standards, which ensure that the private service providers have the necessary safeguards to prevent any violations.
“Now that there is so much pressure on the government, I expect that very quickly the corporates will start adopting policies to protect consumer privacy. Consumers will now have an intrinsic expectation of privacy, and the government should now come up with parameters for private service providers as to what steps they need to take to protect privacy,” said Pavan Duggal, a lawyer specialising in cyber laws.
In his judgment, Justice D Y Chandrachud has noted that “formulation of a regime for data protection is a complex exercise, which needs to be undertaken by the State after a careful balancing of the requirements of privacy coupled with other values which the protection of data sub-serves together with the legitimate concerns of the State”. While for the government it means having guidelines and norms for non-state actors such as private companies to adhere to so that they don’t violate a citizen’s right to privacy, for the companies, it would mean reinforcing their cyber security infrastructure to prevent breach of data that could potentially hold them liable.
“In today’s world, there is no such thing as foolproof cyber security but what will come into question post this Supreme Court ruling is that if a company has come into possession of someone’s personal information with his consent for a particular purpose, did the company share it with someone in an unauthorised manner, or did the company take all the precautions that the consumer would have expected it to take to safeguard that information. So if the company has not taken the requisite safeguards, the consumer can certainly take it to court. But if it has taken all the necessary precautions and even then a breach occurs because of external factors, and that gives birth to an entirely new debate as to what is adequate security,” said R Chandrashekhar, president, Nasscom.
“One good thing about this is that the companies, whether it is a telecom company or some other customer service company, bank, etc, will know that they will be liable about breaches in security and privacy, and they will certainly pay strong attention to the data security arrangements. They will need to have chief information security officers, and report to the board if there is any breach, because all of it could potentially be a liability,” he added.
Apart from the cybersecurity aspect, Chandrashekhar also pointed out that the ruling could raise a legal debate over issues such as wilful consent and informed consent when it comes to customers sharing information with internet and social networking companies. In the paragraph 17 of his judgment, Justice Sanjay Kishan Kaul said: “‘Uber’ knows our whereabouts and the places we frequent. ‘Facebook’ at the least, knows who we are friends with. ‘Alibaba’ knows our shopping habits. ‘Airbnb’ knows where we are travelling to.
Social networks providers, search engines, e-mail service providers, messaging applications are all further examples of non-state actors that have extensive knowledge of our movements, financial transactions, conversations — both personal and professional, health, mental state, interest, travel locations, fares and shopping habits. As we move towards becoming a digital economy and increase our reliance on internet based services, we are creating deeper and deeper digital footprints — passively and actively.”
Even as he pointed out that there may be cases where collection and processing of big data may be “legitimate and proportionate”, the collected personal data “is capable of effecting representations, influencing decision making processes and shaping behaviour.” “It can be used as a tool to exercise control over us like the ‘big brother’ State exercised. This can have a stultifying effect on the expression of dissent and difference of opinion, which no democracy can afford,” Kaul said in his judgment, and ruled that there is there is “an unprecedented need for regulation regarding the extent to which such information can be stored, processed and used by non-state actors”.
Mishi Choudhary, president and legal director of non-profit Software Freedom Law Centre said that now privacy will have to be built-in for the themes that it concerns. “It should be privacy by design. If profiling is happening, citizens should be able to contest that. Valid consent must be explicit, data controllers will have to prove consent. We have to get out of this regime of opt out, where automatically we are opted in to everything, and unless we go through all the hoops and chunks to opt out, we’re opted in. There should be strict liabilities for data breaches, and large amount of damages that are available very swiftly and quickly,” she said.
