“Privacy is not something that I am merely entitled to, it is an absolute prerequisite.”
With the evolution of technology and in the changing world, the sovereign states often face the challenge of governing and regulating the data of its people. In this era of cyber world, personal data of any individual is a very precious thing that needs to be secured. Data is borderless and can be accessible across the world by anyone and hence the state needs to protect the data of their individuals. Data of an individual is the data of the state. Since data can be easily hacked or compromised, various states have formulated Data Protection Laws in order to secure the personal data or information of its people.
Data protection means a set of privacy laws, policies and procedures which the state enacts to prevent the intrusion into the privacy of the individuals. Personal data of any individual means any data or information collected by any private organization or government, by accessing which the person can be identified by anyone.
Data Protection and right to privacy in India
In India, the Constitution did not originally grant right to privacy but the Hon’ble Supreme Court through a catena of judgments have recognized the right to privacy. In Justice K S Puttaswamy v. Union of India, the Supreme Court has held that the right to privacy is an integral part of Right to life and personal liberty under Art. 21 of the constitution.
Data protection is an essential element of right to privacy. However, India does not have any specific legislation regarding data protection but some part of data protection in covered under the Information and Technology Act, 2000. However, in December 2019, the Personal Data Protection Bill was introduced in Lok Sabha but it is still pending and India still lacks a comprehensive legislation regarding data protection. One can only hope that the country will have a legislation regarding the protection of data of the individuals.
India’s track record on the question of personal data protection
The question of privacy in India has always been under scrutiny ever since the Puttaswami judgment. Especially, in the backdrop of no concrete data protection law in the country, several measures by the Central Government in view of national security has been questioned over the years. For example, in year 2016 when the Aadhar Act was introduced eyebrows were raised when the government made it mandatory for Indians to link their bank account and other identities with the Aadhar card. This clout of skepticism even spread further when scope of the whole project had been expanded with private entities having the power to request authentication by Aadhaar for any reason subject to regulations by the UIDAI. Additionally, the process of biometric data collection posed some important concerns regarding individual privacy across the nation.
Similar concerns were raised in Vinit Kumar vs. CBI, when the central agency allegedly intercepted personal calls of the petitioner and levied charges of bribery against him. While the charges were left sub judice by the Bombay High Court, the extent of infringement into privacy still remained a matter of concern.
“as India rapidly moves into an era of digitisation, with technology being utilised for better delivery of welfare services and for innovation in almost all sectors, the need for a data protection framework is being felt very strongly to protect citizens and empower the government.”
-Shefali Mehta, The Dialogue
These concerns turned into a realty when in year 2021, a report exposed that several companies such as Air India, Domino’s, Facebook, Mobikwik, and Upstox – significantly compromised the personal data of crores of Indians.
The Criminal Procedure (Identification) Act, 2022
The Criminal Procedure (Identification) Act, 2022 was enacted to replace the old colonial law of Identification of Prisoners Act, 1920. Introducing the bill, Union Home Minister, said that it is being brought as the Identification of Prisoners Act, 1920 has become old and obsolete from the point of view of time and science. The Law Commission in its 87th Report in year 1980 also recommended amendment of the said colonial law to accommodate the ever-changing needs of modern digitalized nation.
Key Features of the Act
This Act provides for the collection of ‘measurements’ from any convict or person arrested for any offence punishable by law. Further, the magistrate can also compel any person to give such measurements if it is expedient to do so for any investigation or proceedings. The term ‘measurements’ has a very wide scope in the Act as it includes not only physical samples like fingerprints and footprints but it also includes biological samples, biometrics and behavioral attributes including signatures, hand writing, etc. Thus, any person against whom a proceeding is initiated, even for a petty case will be compelled to give his measurements and the key to his privacy. The Act has also lowered the rank of officer who can take the measurements. Under this Act, any police officer above the rank of head constable or a prison officer above the rank of head warder can collect such measurements even without the consent of the person. Further, refusal to give such measurements will be an offence under Sec. 186 of the Indian Penal Code. Thus, this Act seems to be very harsh as it will intrude into the privacy of the people by compelling them to provide their personal data from which they can be identified across the world. Even if a person is innocent but he refuses to give his measurements, it will also make him a convict under Sec. 186 IPC and then he will have to give his data.
The Act entrusts National Crime Record Bureau (NCRB) with the responsibility to collect, store and preserve the data collected under the Act for a period of 75 years. NCRB is also entrusted with power of sharing and dissemination of such data with any law enforcement agency. The data will be deleted from the records after 75 years, unless the person is acquitted by the court or is released without trial.
While on papers the purpose of this legislation seems to be having right intentions, it is not devoid of potential lacunas, particularly in context of personal data. The rest of this blog will address these problems.
Also read: The economy of Pakistan: What went wrong?
Does the legislation violate right to privacy?
The Supreme Court says yes!
In Justice K S Puttuswamy v. Union of India, the Hon’ble Supreme Court declared the Right to Privacy as a fundamental right under Art. 21 of the constitution i.e. Right to life and Personal liberty. The Court stated that autonomy over personal decisions, bodily integrity and personal information is a part of right to privacy. Further, it also observed that consent is an integral part for the dissemination of inherently personal data.
In Common Cause v. Union of India, the Hon’ble Supreme Court upheld the right of an individual against forceful intrusion into one’s body and gave autonomy over bodily integrity for an individual.
Personal data at risk!
In contemporary world, where there is a strict need for data protection laws in the country, this Act will collect, store and preserve the data of the people. This data will be stored by NCRB for a period of 75 years, and it can be accessed by various law enforcement agencies. In this age of widespread digital domain, such a collection of vast data of the individual will make them vulnerable. In the absence of any mechanism or legislation for the protection of such data, the privacy of the individuals will be at a huge risk as such individuals can be identified by anyone who can access such data and further cyber-attacks on such data is also a possibility.
The collection, storage and retention of personal data by the government is an intrusion in the right to privacy of the individuals. However, since the right to privacy is subjected to reasonable restrictions, a few important questions arise here such as: What is the standard of this reasonability? Is there a referable benchmark of reasonability or everything is fair in the name of national interest? And above all .. who decides?
The present situation clearly reflects a potential conflict between ‘right to privacy’ and need for collection and disclosure of personal data. Well .. this age-old conflict seems to be a never ending one and is it safe to say that another chapter has just begun.
We are currently living in a highly digitalized world and our government has rightly embarked upon the goal of enhancing digital literacy of average Indians. Contributing to this mission several telecom providers are making surfing data very affordable on daily basis. But the question for you and me still remains the same! Can we ‘safely’ share our personal data online when the legislations potentially make room for such data to be compromised. These skepticisms are in no way to question the Government’s decisions but are rather natural food for thought given India’s past track-record with right to privacy.
  (2017) 10 SCC 1
 AIR 2018 SC 1665
About the Author..
Adeel Ahmad Khan is a final year student pursuing my B.A.LL.B (Hons.) from Jamia Millia Islamia. He is passionate about reading and writing on socio-legal issues.