[GUEST BLOG] Privacy and data rights of Netizens
The aim of this article is to analyse the privacy and data rights of the netizens in the cyberspace. A comparative analysis of the TRIPS Agreement and the Indian laws has also been made to give a holistic picture. Further, certain strategies for the companies have also been recommended.
The rights are essential for the survival of a welfare state like India. That is why we possess certain rights coupled with a corresponding duty on others to respect them. These rights may be personal rights like privacy or proprietary rights like data property. These rights, with necessary modifications, are also available to companies who though do not fall within the definition of “citizens” but yet are covered by the definition of “persons”1. The concepts of “privacy rights” and “data rights” have acquired great significance in the contemporary world where the boundaries of all nations have vanished due to the inevitable and essential presence of Internet. The advantages associated with the use of Internet are so overwhelming that none can afford to avoid its use. Thus, the solution lies in techno-legal solutions of the privacy and data violations rather than a pure legal action or avoidance of technology. The fight against privacy and data violation requires a “harmonized” and “coherent initiative” rather that individual and country based actions. At the same time it must be appreciated that it is not the “enactment” of a law but the desire, will and efforts to accept and enforce it in its true letter and spirit, which can confer the most strongest, secure and safest protection for any purpose. The enforcement of privacy rights requires a “qualitative effort” and not a “quantitative effort.
II. NETIZENS RIGHTS
The netizens rights can be grouped as:
(A) Fundamental and constitutional rights, and
(B) Statutory rights.
(A) Fundamental and Constitutional rights of netizens
The constitution of India confers certain Fundamental and Constitutional rights on the netizens. These rights can be personal rights or proprietary rights. The right to privacy (Article 21) is a personal right whereas the right to enjoy data property is a proprietary right (Articles 19(1) (g), Article 21 and Article 300A).
(i) Right to privacy
Article 21 of the constitution confers the right to privacy on the netizens. This is not expressly mentioned in it but the same has been enunciated by way of judicial interpretation by the Supreme Court. It is personal in nature and only the concerned netizens has a right to control it subject to the restrictions imposed by the law. India is a signatory to the international covenant on civil and political rights, 1966. Article 17 thereof provides for the ‘right of privacy’. Article 17 of the international covenant does not go contrary to any part of our municipal law. Article 21 has, therefore, to be interpreted in conformity with the international law. In Kharak Singh v state of UP (1963) justice Subba Rao, while expressing the minority view, laid down the foundations for the development of law of privacy in India and observed that the concept of ‘liberty’ in article 21 was comprehensive enough to include privacy. In Gobind v State of MP (1975) the Supreme Court observed that ‘right to privacy’ must encompass and protect the personal intimacies of the home, the family, marriage, motherhood, procreation and child bearing. In R.Rajagopal v State of TN (1994) the Supreme Court held that the right to privacy is a ‘right to be let alone’. None can publish anything concerning the above matters without his consent, whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages. In P.U.C.L. v union of India (1997) the Supreme court held that the right to hold a telephone conversation in the privacy of one’s home or office without interference can certainly be claimed as right to privacy. Telephone tapping would, thus, infringe article 21 of the constitution of India. In Mr. X v Hospital Z (1998) the Supreme Court held that the right to privacy may, apart from contract, also arise out of a particular specific relationship, which may be commercial, matrimonial or even political. Public disclosure of even true private facts may amount to an invasion of the right to privacy.
(ii) Right to trade and profession
Article 19(1) (g) guarantees that all citizens have the right to practice any profession or to carry on any occupation or trade or business. This freedom is, however, not absolute and is subject to clause (6) of article 19. Thus, reasonable restrictions can be imposed to curtail this right. Thus, data property is protected by this article and so long the data are possessed and owned within the restrictive parameters of this Article, it will have the Constitutional protection.
(iii) Right to livelihood
Article 21 confers right to livelihood upon all persons. If the means of livelihood are taken away, then right to life is definitively violated. The apex court in Kapila Hingorani v State of Bihar (2003) held that the term “life”, includes livelihood and facets thereof. Thus, means of livelihood like data property cannot be taken away except by a procedure established by law. The right to hold data in privacy and enjoy its fruits and benefits is definitely a part of Article 21 as it helps in the earning of livelihood. The holding of crucial data brings certain strategic and financial advantages over the competitors that help in earning a livelihood better that the others.
(iv) Right to property
Article 300A of the constitution confers a right on all persons to hold and enjoy their properties. Thus a person cannot be deprived of his property save by authority of law. Any violation of this right can be challenged in a court of law. The expression “property” is of wide amplitude and it includes tangible as well as intangible properties, including data property. Thus, data property cannot be taken away except by authority of law and an unlawful deprivation of data property will be remedied at law.
(B) Statutory rights of netizens
The Fundamental and Constitutional rights are supplemented by certain statutory rights. The statutory rights of netizens can be grouped as:
(a) Personal rights, and
(b) Proprietary rights.
(a) Personal rights
The statutory law of privacy is the recognition of the individual’s right to be let alone and to have his personal space inviolate. It is scattered in various statutes and is not recognised as such. For instance section 228A of IPC, 1860 prohibits the disclosure of the identity of a victim. Similarly, the ITA, 2000 also contains provision for the vindication of privacy rights. For instance, if a person authorised under the act, rules or regulations, secures access to any electronic record, information, document etc without the consent of the person concerned and discloses the same to any other person then he shall be punished with imprisonment up to 2 years, or with fine up to Rs.1 lakh, or with both2.
The following provisions of the Information Technology Act, 2000 reflect India’s concern for protection of privacy rights of its citizens, as available against private individuals, in the realm of information technology:
(1) Long Arm Jurisdiction- Sec.1 (2) read with Sec.75 of the Act provides for an extra-territorial application of the provisions of the Act. Thus, if a person (including a foreign national) contravenes the privacy of an individual by means of computer, computer system or computer network located in India, he would be liable under the provisions of the Act.
(2) Unauthorised Use- If a person makes an unauthorised use of the computer, computer system or computer network of another person by accessing, downloading, introducing computer contaminant, damaging, disrupting, denying access etc.3, he will automatically violate the privacy of the owner. Such a person shall be liable to pay compensatory damages not exceeding rupees one crore to the person so affected. Thus, the right to privacy includes the right of an individual to be free from restrictions or encroachments on his person or property, whether these are directly or indirectly brought about by calculated measures4.
(3) Computer Tampering-The privacy of a person will also be intruded if his computer source documents are tampered with. The person tampering with such computer source documents shall be punishable with imprisonment up to 3 years or with fine, which may extend up to Rs.2 lakhs, or with both5.
(4) Computer Hacking- If a person causes wrongful loss or damage to any person, by destroying, deleting or altering any information residing in his (owner’s) computer resource or diminishes its value or utility or affects it injuriously by any means, he commits hacking and thus, violates the privacy of the owner. The person hacking shall be punishable with imprisonment up to 3 years or with fine, which may extend up to Rs.2 lakhs, or with both. However, an innocent infringer will not be liable if he proves that he committed the act without any intention or knowledge6.
(5) Network Service Provider’s Liability- A network service provider shall be liable for violation of privacy of a third party if he makes available any third party information or data to a person for the commission of an offence or contravention. A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, childbearing and education among other matters. None can publish anything concerning the above matters without his consent, whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages7. However, a network service provider will not be liable if he proves that the offence or contravention was committed without his knowledge or he had exercised all due diligence to prevent such commission8.
(6) Liability of Companies- Where the privacy rights of a person are infringed by a company, every person who at the time of contravention was incharge of and was responsible to the company for the conduct of its business as well as the company shall be guilty of the contravention and liable to be processed against and punished accordingly. However, such person shall not be liable if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention9.
These provisions provide sufficient protection against privacy violations by private individuals by misusing the information technology10.
(b) Proprietary rights.
The proprietary rights, in the form of data property, are available under both the Trade Related Aspects of Intellectual Property Rights (TRIPS) Agreement and the Indian Copyright Act, 1957.
The TRIPS Agreement recognises the protection of “data property” in Article 10(2) of the TRIPS Agreement. Article 10(2) of the Agreement provides that “compilation of data” or “other material”, whether in machine-readable or other form, which “by reason of the selection or arrangement” of their contents constitute intellectual creations shall be protected “as such”. The Article further provides that such protection, which shall not extend to the data or material itself, shall be without prejudice to any copyright subsisting in the data or material itself. A closer perusal of the Article reveals the following facts:
(i) It is the ‘compilation” of data or other material, which is protected under TRIPS Agreement. The “compilation” of a subject matter of Copyright is protected under almost all the legal systems. This is also protected in the Berne Convention. Further, by using the words “other materials” the ambit of this Article has been extended to even “non-data items”.
(ii) The compilation may be either in a machine-readable form or in some other form. The previous category includes storing of data in “computers” and its “parallels”, whereas the latter category includes storing of the data in the traditional paper mode. This storing of “data property” mandates protection of the same in IT law as well. The Copyright Act, 1957 protects “databases” as “literary works” under section 2(o) in an “inclusive” manner and it can cover more categories. Secondly, the concept of “compilation” used in this section is itself inclusive and the compilation of “databases” is one of them. Thus, “compilation” U/S-2(o), includes at least two forms of compilation. The one is compilations for the purpose of conferment of Copyright and the other is compilation for the purpose of Data Protection. Section 13(1) (a) of the Copyright Act uses the expression “original literary works not only in an “inclusive” manner but also in a “multifunctional” manner. The copyright Act protects original compilations as “both” copyright and databases. It would be wrong to suggest that copyright and data protection are one and the same thing. These two are different Intellectual Property Rights, which are expressly protected not only under the TRIPS Agreement but also equally under the Copyright Act. In fact, the definition of “literary work” is capable of accommodating “other materials” as well, which may be non-data in nature.
(iii) The data protection originates because of the “selection or arrangement” of the contents by using the “intellectual creations”. If there is no intellectual endeavor involved in it, then the same may not be protected as “data property but as Copyright, since the protection of copyright is not dependent upon the “quality” of the contents but their “expression” as such. Thus, all “databases” are capable of copyright protection but not all copyrightable material qualifies for the data protection. The requirement of “quality” is more demanding in data property than the copyright. A material may fail to qualify for data protection, but it can still be copyrighted. This point is clarified by the use of the words “as such’ in Article 10
(2) of the TRIPS Agreement.
Thus, the TRIPS Agreement and the Copyright Act, 1957 sufficiently safeguard databases. The data, information and details will get the protection of ‘Data Property” if the same involves intellectual creations within the meaning of Article 10(2) of the TRIPS Agreement. If not, still they will be protected as copyright. Even non-data items are also protected, both under the TRIPS Agreement and the Act11.
The following “Data protection principles” must be adhered to by the individuals and company handling the same:
(a) the data should be processed fairly and lawfully,
(b) the data should be obtained for specific and lawful purpose,
© the data should be adequate, relevant and not excessive,
(d) the data should not be kept for longer than necessary,
(e) the data should be processed in accordance with the rights of data subjects, and.
(f) measures should be taken against unauthorized or unlawful processing.
III. STRATEGIES FOR COMPANIES
The companies operating in cyberspace are at the risk of violating various laws including laws protecting privacy rights and data property. The companies must formulate sound strategies to deal with them.
The following strategies must be adopted by the companies for meeting various techno-legal requirements:
(1) The companies must be cautious of the “liability clause” of various statutes. They must appoint an “officer in default” who must be responsible for managing cyber law matters of companies.
(2) The web-site contracts made by the companies must be unambiguous and fair.
(3) The companies must restrict their liabilities under those contracts.
(4) The companies must adopt the well accepted standards of the contemporary practices.
(5) The privacy rights of the netizens should be properly safeguarded.
(6) Precautionary measures for the protection of valuable data, information, and trade secrets should be adopted.
(7) The companies must take care of IPRs violations of various segments.
(8) The companies must adopt sound advertisement policy.
(9) The companies must be very cautious while dealing with juveniles as they are protected by laws but not the companies.
(10) The companies must insure their business for uncertain risks.
The above discussion shows that the proposed change in the Information Technology Act, 2000 for securing privacy and conferring data protection is not only unwarranted but is equally based on misinterpretation of the provisions of the Information Technology Act, 2000, Indian Copyright Act, 1957 and the TRIPS Agreement. The concerns and apprehensions of the MNCs are far-fetched and unwarranted. The TRIPS Agreement and the Copyright Act, 1957 provides sufficient safeguards for preventing violations of databases of MNCs. The data, information and details provided by the MNCs will get the protection of ‘Data Property” if the same involves intellectual creations within the meaning of Article 10(2) of the TRIPS Agreement. If they fail to satisfy the requirement of Article 10(2), still they will be protected as copyright. The brightest and the positive aspect of this situation is that even non-data items are also protected, both under the TRIPS Agreement and the Copyright Act, 1957. Similarly, both the Constitution of India and the Information Technology Act sufficiently protect the privacy concerns of the MNCs. Thus, the MNCs should concentrate on their “business initiatives” rather than wasting their resources and time on unnecessary concerns.
© Praveen Dalal. All rights reserved with the author.
* Arbitrator, Consultant and Advocate,
Supreme Court of India.
Contact at: email@example.com/ firstname.lastname@example.org
Telephone No: 9899169611.
1 In this article the expression “netizens” is covering both ‘persons” and “citizens” as per the need of the context.
2 Section 72 of IT Act.
3 Sec.43 of IT Act, 2000
4 Kharak Singh v State of UP, AIR 1963 SC 1295
5 Sec.65 of IT Act, 2000
7 Rajagopal v State of TN, (1994) 6 SCC 632
8 Sec.79 of IT Act, 2000
10 Praveen Dalal, “Privacy rights against private persons”, http://perry4law.blogspot.com/2005/04/privacy-rights-against-private-per…
11 Praveen Dalal, “The mandates of WTO”, http://perry4law.blogspot.com/2005/05/mandates-of-wto.html.