With
a tremendous increase in the usage of social networking website, an equally proportionate
concern has also arisen regarding the issue of privacy. Though there are a
number of judicial precedents dealing with issue of privacy in relation to telephone
interception, surveillance etc, hardly are there any precedents which can
sufficiently enlighten one to realise the scope of right to privacy in social
networking space. Is there a crucial difference between the privacy in physical
and online space? I argue that though there provisions, such as Section 72A of
the Information Technology Act, 2000 (“IT Act”), make one criminally liable for
negligently sharing personal data information, they are not sufficient for the purpose
of online social networking.
In
this issue of online space, the primary hurdle arises when seeks to identify
the data which requires protection. Not every data can be given protection, for
example, data which is already available in public domain. Also since the
nature of online space is different, the measure of protection should be
different. For instance, it is not as easy to locate a particular data in
physical space as one can locate it online using ‘google.com’; hence, data is more vulnerable in online space than in physical space. This problem ultimately directs one to identify the nature of
“privacy right” which one enjoys.
If
one looks at the dictionary meaning of privacy, there is a possibility of
getting an unclear and uncertain definition: ‘a state in which one is not
observed or disturbed by other people’.[1]And, if one sees definition of right to privacy provided by the Supreme Court, then there is a possibility of getting a very broad definition.
Clause 3 of the Draft National Privacy Bill, 2011 confers on every individual a right to privacy. Though a specific definition is not given, the clause contains a list of information which will be covered under the privacy right of an individual. Though there are a number of shortcomings in the (an exhaustive discussion on data protection and Privacy Bill will be done in one of the next posts). I herein discuss the existing legislations and legal principles which deal with the issue of data protection in online networking space.
Clause 3 of the Draft National Privacy Bill, 2011 confers on every individual a right to privacy. Though a specific definition is not given, the clause contains a list of information which will be covered under the privacy right of an individual. Though there are a number of shortcomings in the (an exhaustive discussion on data protection and Privacy Bill will be done in one of the next posts). I herein discuss the existing legislations and legal principles which deal with the issue of data protection in online networking space.
Online
Social Networking Space: How important is to protect the Right to Privacy?
With
the advent of online networking websites, there is now a parallel society – a
society where people, like physical world, socialise and interact with each
other – but more importantly, there is now a society which, unlike its physical
counterpart, does not have a secure legal regime of its own. Since the
existence of the members of this parallel society is recognised by the data
which they share, a need for its protection becomes significant.
Of
course, no one would feel comfortable if one’s data, which can even be sensitive in nature, is shared without
any restriction. For instance, consider the data shared by one on Facebook, considerably
the most popular social networking website. According to the Data Policy of Facebook,[2]it
receives different information from the users such as registration information,
information which users choose to share [photos, notes etc.], information which
others share about the user etc. While certain information (name, cover photos,
gender, network, username and ID) are always publicly available, other
information are not (wall posts, location, friend list etc.). As per the policy
of Facebook, the information of a user is used in connection with the services and features provided by it. Such
information can be used if Facebook has given a notice of its policy for using
such information. This means, if one is really concerned of the privacy on Facebook,
then it is better to read its data policy (For accessing full data policy of facebook, follow the link - https://www.facebook.com/full_data_use_policy)
Like
Facebook, other websites such as twitter, linkedin etc. have their own policies. In any case, these online
networking websites are in possession of an enormous amount of individual data.
This raises a question: “Is there
anything which legally regulates these websites, at least in India”?
Following the revelation of US National Security Agency’s (“NSA”) surveillance
program, there is now a series question about the reliability of major online
social networking websites. Since most of them have their headquarters in USA,
it becomes easier for NSA, and difficult for other countries, to regulate such
kind of activities. May be, we are paying the cost of the USA’s monopoly on web
world.
Scope
of Right of Privacy in India: How far does it extend to Social Networking
Sites?
Over
a period of time, it has been recognised in India that right to privacy forms a
part of the Right to Life.[3]According
to the Supreme Court, Privacy and dignity of human life has always been considered
a fundamental human right of every human being.[4]As
far as the question of surveillance is concerned, in Bhavesh Jayanti Lakhani v. State of Maharashtra, it was held that
surveillance per se may not violate
individual or private rights including the right to privacy.[5]
In exceptional circumstance, particularly surveillance in consonance with the
statutory provisions may not violate such a right.[6]
In
India, the most important legislation which regulates the data privacy is
Information Technology Act, 2000 (“IT Act”). Under Section 43A of the IT Act,
if a body corporate, dealing/processing/possessing any sensitive personal data or
information, negligently causes any wrongful
loss or gain to any person, it can be held liable for compensation. Information
Technology (Reasonable security practices and procedures and sensitive personal
data or information) Rules, 2011 [“IT Rules”] enumerates seven forms of ‘sensitive
personal data or information’.[7]However,
IT Rules also provide that any information, which is available in public domain
or furnished under Right to Information Act, 2005 (“RTI Act”), will not be
considered as sensitive personal information.[8]A
clarification to the IT Rules states that the ‘rules are regarding sensitive
personal data or information and are applicable to the body corporate or any
person located within India’.[9]
Section
72A of the IT Act penalises a provider of service criminally if it, with the intent
of causing wrongful loss or gain, discloses the personal information which it
has received while providing the service. However, for becoming criminally
liable, such disclosure should be without
the consent of the person concerned. Relating this to the Facebook Data
Policy, it becomes clear that facebook, by notifying the users of its policy,
takes their consent. How many users actually read such policy is not very
clear. There is a possibility that a large number of users may not be reading
the Facebook Data Policy at all, or they may not be aware of any such policy.
Can, in this situation, they give their consent? The relevant part of Facebook
Data Policy reads as:
“………….While you are allowing us to
use the information we receive about you, you always own all of your
information. Your trust is important to us, which is why we don't share information we receive about you with others unless
we have:
·
received
your permission;
·
given you notice, such as by
telling you about it in this policy;
or
·
removed
your name or any other personally identifying information from it.
·
Of
course, for information others share about you, they control how it is shared…….”
In
order to ensure that one is aware of the kind of information which Facebook can share, it would be advisable to read
its data policy. There are a number of external applications, for e.g., flipkart
log in, which requires one’s explicit permission
before the personal data can be shared. At the same time, there are situations
when there an implicit consent can
also be taken, for example, by consenting to be a member of Facebook. It is the
latter form of consent which is problematic because, in this situation, a user’s
knowledge (and, what about consent?) of his data sharing depends on whether he
has read the data policy.
Even
if it is assumed that one has read the data policy of online networking
websites, there is hardly any bargaining power on their part. Because of this,
users are simply left with a choice to either use these websites or not use it.
In the contemporary period, when keeping one isolated from web world is nothing
less than a suicide, not using social networking websites is not a proper
solution. Hence, if one does not like Facebook’s policy, one may simply keep
oneself away from it.
Other
legislations in India which deal with data privacy are: Indian Penal Code, 1860,
Copyright Act, 1957, Credit Information Companies Regulation Act, 2005 etc. Yet
another legal mechanism through which data can be protected is the contractual
obligation (Facebook does this!). Though Copyright Act provides protection to a
database, the main purpose was not to protect the data of an individual. The
main purpose, for providing copyright protection to database as a literary
work, is to incentivise the creation of such works. So far as contracts are
concerned, obligations will be determined in accordance with the established
principles and legal provisions of contracts. Further, the claims under a
contractual obligation are usually of civil nature; hence, there is a less
possibility criminal prosecution unless, of course, there is an involvement of
the crime. Coming to the Indian Penal Code, Lord Macaulay, while drafting the
code, would not have thought of the problems underlying the internet world. It
is true that, with a liberal interpretation, IPC can be applied to offences committed
on online social space. But, it would still be insufficient since the purpose
of IPC was not to deal with the online space.
It
is clear that these legislations cannot sufficiently provide protection to the
data of an individual. A step, in the form of Privacy Bill, has now been taken.
In one of the next posts, I will analyse the effectiveness of the data
protection regime under the Privacy Bill.
[1] Oxford English Dictionary
[2] https://www.facebook.com/about/privacy
[3] People's Union for Civil
Liberties (PUCL) v. Union of India, (1997) 1 SCC 301, ¶ 17
[4] Ramlila Maidan Incident, In re,
(2012) 5 SCC 1 at page 118
[5] Bhavesh Jayanti Lakhani v. State
of Maharashtra, (2009) 9 SCC 551, ¶102
[6] Ramlila Maidan Incident, In re,
(2012) 5 SCC 1, 119
[8] RTI Act is applicable mainly to
public authorities
[9] http://pib.nic.in/newsite/erelease.aspx?relid=74990
No comments :
Post a Comment