PRIVACY PART I: IT’S ORIGINS, AND DEVELOPMENT OF THE CONCEPT IN INDIA TILL 2011

HISTORY OF PRIVACY IN THE WESTERN WORLD

Privacy as we understand it today, is merely no more than 500 years old. Traditionally, hunter gatherer communities lived in such close proximity that privacy wasn’t a concern. Sex, breastfeeding, bathing, grooming, etc. were all familial and tribal activities without walls for privacy. Housing was merely a shelter of rocks and caves, with many cramped up, close by, to weather the cold, and/or keep safe from wild animals around fires at night, while the morning brought sunlight for all to see the so called ‘private’ acts. Agrarian communities later developed, and huts or some semblance of walls slowly emerged to provide privacy from ‘others’ – a concept that came about simultaneously with those walls to provide a distinction between family and tribe, relatives and neighbours. Homes still did not have internal walls that create rooms.

Like their tribal ancestors, the Greeks displayed some preference for privacy. Using their sophisticated understanding of geometry they created housing with the mathematically minimum exposure to public view while maximizing available light. However, the Greek penchant for solitude was not without its influential critics such as Socrates.1 Then came Romans with their landed gentry one one hand, who built large home with open spaces, and on the other were the rest that lived in apartments with thin walls. Since Romans embraced public sex, the development of privacy as a concept took a back seat in this era.

With the advent of Christianity from 4 AD onwards privacy was seen as isolation. Monks would seclude themselves to keep from the ‘sinful’ outdoors of society that originated from the Original Sin. Yet since society remained agrarian, living under roofs of homes without walls was the norm. Hence, till about 1200 AD the understanding of privacy was limited to seclusion. There was no Latin word equivalent to privacy. Privatio meant ‘taking away’ or ‘deprivation’!

From 1300 AD to 1600 AD the foundations of privacy as we know it today were built. Christianity saw a new turn with the Great Council that declared confession for the masses.2 “The new view was an invitation to introspection, to exploration of the conscience. The apparatus of moral governance was shifted inward, to a private space that no longer had anything to do with the community.”3 The Gutenberg’s printing press spread the word of the Church of solitude and private contemplation around to the masses. Essentially community rituals to gain salvation were now not enough, and that personal private introspection was essential. Works of poets, artists, and theologians of the time reflect abandoning of the world for the inner search for God within one’s heart. With the Black Death, hygiene levels across Europe changed and private beds in hospitals and homes were introduced. Sleeping together in a hall within the home also changed. The invention of brick chimney ushered in the need for support beams, and thus the coming into existence of internal separation walls, aiding in the formation of rooms, and a catering to the basic human desire to be warm. Individual rooms, within one’s private home had now become commonplace.

Privacy had thus now become a common concept that has evolved over time in Common Law as well. An invasion of privacy now gave a right to the individual to claim tort based damages. One of first cases on the said topic was Peter Semayne v Richard Gresham.4 The case related to the entry into a property by the Sheriff of London in order to execute a valid writ. Sir Edward Coke, while recognizing a man’s right to privacy famously said that “the house of everyone is to him as his castle and fortress, as well for his defence against injury and violence, as for his repose”.5 This case is one of the progenitors6 to the Knock-and-Announce Rule7 in the US, and is envisaged under the Fourth Amendment.8 In the US in Boyd v. United States9, the US Supreme Court held that “a search and seizure [was] equivalent [to] a compulsory production of a man’s private papers” and that the search was “an ‘unreasonable search and seizure’ within the meaning of the Fourth Amendment.” (Emphasis added)

Article 8 of the European Convention on Human Rights provides a right to respect for one’s “private and family life, his home and his correspondence”, subject to certain restrictions that are “in accordance with law” and “necessary in a democratic society”.10 The Charter of Fundamental Rights of the European Union (the “CFREU”), also recognises the Right to Privacy11 and Personal Data Protection12.

Article 12 of the Universal Declaration of Human Rights13, and Article 17 of the International Covenant on Civil & Political Rights14 both deal with and recognize the Right to Privacy as an essential right for individual existence.

Thus we see that the concept of privacy of the individual has permeated into each and every aspect of western regulation of human behaviour.

PRIVACY IN INDIA BEFORE 2011

For India, or rather the Indian subcontinent, historically, the cultural dynamics and societal structure have always determined the concept of Privacy.15 Indian ethos weighs Privacy on the touchstone of society, village, community, and family. The general understanding is that things that are to be kept Private are either shameful or wrong. Personal choice is driven by the compliance to rules of society, village, community, and family (Eg. arranged-marriage, caste rules of occupation and education, socializing and social association, religious behaviour and festivities, sexual orientation, etc.). Hence, Privacy as we understand in the western world is something of a non-existent concept unless it is to do with very private matters of sex, breastfeeding, bathing, grooming, etc. Western notion of Privacy has evolved around the individual, whereas Privacy in the Indian subcontinent has evolved around the family, relatives, or community. Thus when we speak of something private in India, it automatically means to be kept within the family, relatives, or community. Linguistically PRIVACY translates to ekaant in Hindi, or gopniyata. Literally, the former means ‘solitude’ in English and the latter means ‘secrecy’. So there does not strictly exist a term that translates literally to PRIVACY as understood in the western world and defined by the Oxford English Dictionary, that is, “the state of being free from the attention of the public” or “the state of being alone and not watched or interrupted by other people”.

Privacy as the west understands, was introduced in India only after the colonization of the subcontinent. Western concepts of privacy along with rules to secure the same were gradually introduced within the Indian legal system, and gradually trickled into the legal subconsciousness of the urban masses, and now even the enlightened rural masses. Various enactments for India by the British included Privacy in one form or another.

The Indian Evidence Act, 1872 (the “IEA”) recognizes privileged communication, a form of private communication, between a married couple16, and attorney-client17.

The Indian Contract Act, 1872 governs contract law in India and forms the basis of contract law jurisprudence in India. Confidentiality Agreements under the Act are valid and so are confidentiality clauses in contracts.

After India attained independence from British colonial rule, the Constitution of India under Article 21 guaranteed the Fundamental Right of an individual to Life & Liberty by stating that that “[n]o person shall be deprived of his life or personal liberty except according to procedure established by law”. The provision has been interpreted to have the widest meaning possible in a number of cases by the Supreme Court of India and various High Courts across India. This Article is also said to include the “free[dom] from encroachments on his [sic] private life” by the minority opinion of Justice Subba Rao in Kharak Singh v State of Uttar Pradesh & Ors.18. This was the first time when the apex court of India even considered the Right to Privacy as a Fundamental Right in line with the Fourth Amendment of the US Constitution.19 The matter considered by the Hon’ble Supreme Court was, whether the surveillance by domiciliary visits at night against an accused would be an abuse of the right guaranteed under Article 21 of the Constitution of India, thus raising the question as to whether Article 21 was inclusive of a Right to Privacy. The Hon’ble Supreme Court held that such surveillance was, in fact, in contravention of Article 21. The majority judges further went on to hold Article 21 does not expressly provide for a privacy provision, and thus the Right to Privacy could not be construed as a fundamental right. However, Justice Subba Rao stated that “[i]t is true our constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty” (emphasis added). He further observed that:

“[e]very democratic country sanctifies domestic life; it is expected to give him rest, physical happiness, peace of mind and security. In the last resort, a person’s house, where he lives with his family, is his “castle”: it is his rampart against encroachment on his personal liberty. The pregnant words of that famous Judge, Frankfurter J., in Wolf v. Colorado [[1949] 238 US 25] pointing out the importance of the security of one's privacy against arbitrary intrusion by the police, could have no less application to an Indian home as to an American one. If physical restraints on a person's movements affect his personal liberty, physical encroachments on his private life would affect it in a larger degree. Indeed, nothing is more deleterious to a man's physical happiness and health than a calculated interference with his privacy. We would, therefore, define the right of personal liberty in Article 21 as a right of an individual to be free from restrictions or encroachments on his person, whether those restrictions or encroachments are directly imposed or indirectly brought about by calculated measures. It so understood, all the acts of surveillance under Regulation 236 infringe the fundamental right of the petitioner under Article 21 of the Constitution.”

In the decision of Gobind v State of M.P.20 the right of the police to make domiciliary surveillance was challenged to be inconsistent with the right to privacy embodied under Article 21 of the Constitution of India. The Hon’ble Supreme Court held: “The right to privacy in any event will necessarily have to go through a process of case-by-case development. Therefore, even assuming that the right to personal liberty, the right to move freely throughout the territory of India and the freedom of speech create an independent right of privacy as an emanation from them which one can characterize as a fundamental right, we do not think that the right is absolute.” (Emphasis added).

In R. Rajagopal and Anr. v State of Tamil Nadu,21 the Supreme Court held that “The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a “right to be left alone”. A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters. None can publish anything concerning the above matters without his consent — whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages. Position may, however, be different, if a person voluntarily thrusts himself into controversy or voluntarily invites or raises a controversy.” (emphasis added).

The Right to Privacy finally fructified into a Fundamental Right with the decision of People’s Union for Civil Liberties (PUCL) v Union of India22, that could be curtailed only in accordance with procedure established by law, a procedure that is fair, just, and reasonable. Plainly put, it means that any invasion of privacy must now be justified on the basis of ‘a law’ that has to withstand the touchstone of such a procedure (warranting invasion) to be fair, just, and such an invasion into the privacy of the individual needs also to be reasonable.23

Today, confidentiality is woven into varied relationships and aspects of professional relationships. Doctor-Patient confidentiality is governed by the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002 under Regulation 7.14.24 Insurers are required to maintain total confidentiality of policyholder information, unless it is legally necessary to disclose the same to statutory authorities under Regulation 19(5) of the IRDAI (Protection of Policyholders’ Interests) Regulations, 2017, and many other such regulations governing insurance surveyors, TPAs, brokers, agents, and other intermediaries.

Violation of privacy under the Information Technology Act, 2000 (the “IT Act”) attracts criminal liability.25 Personal data and information breach attracts civil liability to pay damages by way of compensation under the IT Act.26 This also covers sensitive personal data or information of individuals including medical data including mental health, and sexual orientation.27 Such data can be collected and handled only by written consent of the individual, and there are detailed procedures of handling such data by companies or individuals collecting such data.28 However these provisions are enforceable only against private actors and not against the government. As we shall see later the Personal Data Protection Bill, 2019 (the “Personal Data Bill, 2019”) would cover state actors’ liability.

In 2005, the Credit Information Companies (Regulation) Act29 (the “CICRA”) was enacted. The primary purpose of the CICRA was to regulate Credit Information Companies (“CIC”)30 and ensure efficient distribution of credit. It authorizes companies to conduct the business of ‘credit information’31. Essentially, CICRA regulates the business of credit information of all individuals by CIC’s including credit rating of individuals/borrowers, inter alia other functions. The protection of such data is also vested with CICs and the same are subject to certain Privacy Principles envisaged under S.20 of the CICRA. These Privacy Principles govern the “collection, processing, collating, recording, preservation, secrecy, sharing and usage of credit information”. They are circumscribed by and complemented by Regulation 10 of the Credit Information Companies Regulations, 2006 (“CICR”) that encompass accuracy, security, secrecy, adequacy of data collected, limitation on the use of data, that is, the purpose for which the Credit Information Reports can be made available and the procedure to be followed by specified uses for getting such reports.32

Despite the ad hoc and niche application of privacy protocols as enumerated hereinabove, the need for a dedicated Privacy Law was still felt.

Originally posted at: https://manuluvshahalia.blogspot.com/2021/08/PrivacyPart-I.html

1He is said to have stated: “For where men conceal their ways from one another in darkness rather than light, there no man will ever rightly gain either his due honour or office or the justice that is befitting”.

2The Fourth Council of the Lateran was convoked by Pope Innocent III on 19 April 1215, and the Council gathered at Rome's Lateran Palace beginning 11 November 1215. Canon 21 was passed that ruled Omnis utriusque sexus, commanding every Christian who had reached the years of discretion to confess all his, or her, sins at least once a year to his, or her, own priest. This was the first time that confessions took the shape of the Catholic Confessional as it is known today.

3David R. Loy, A Buddhist History of the West: Studies in Lack (State University of New York Press, 2002) at 37-38.

477 ER 194: [1604] All ER Rep. 62.

5(Emphasis added). The concept of privacy further developed in England in the 1760s which saw a growth in the intensity of litigation against state officers, who using general warrants, conducted raids in search of materials relating to John Wilkes's publications. Eg.: Entick v Carrington, [1765] EWHC KB J98 (Holding that the state may act lawfully only in a manner prescribed by statute or common law. It was also part of the background to the Fourth Amendment to the United States Constitution and was described by the Supreme Court of the United States in Boyd v. United States, 116 U.S. 616, 626 (1886) as “a ‘great judgment’, ‘one of the landmarks of English liberty’, ‘one of the permanent monuments of the British Constitution’, and a guide to an understanding of what the Framers meant in writing the Fourth Amendment”). Recently, in the case of Campbell v Mirror Group Newspapers Ltd., [2004] UKHL 22, the court held that if “there is an intrusion in a situation where a person can reasonably expect his privacy to be respected, that intrusion will be capable of giving rise to liability unless the intrusion can be justified”.

6The other being Entick v Carrington, supra.

7Which requires law enforcement officers to announce their presence and provide residents with an opportunity to open the door prior to a search.

8“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

9116 U.S. 616 (1886).

10Article 8, ECHR: Right to respect for private and family life: –

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

11Article 7, CFREU: Respect for private and family life.: Everyone has the right to respect for his or her private and family life, home and communications.

12Article 8, CFREU: Protection of personal data

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority.

13Article 12, UDHR: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

14Article 17, ICCPR:

1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.

2. Everyone has the right to the protection of the law against such interference or attacks.

15Osama Manzar & Udita Chaturvedi, “Understanding the Lack of Privacy in the Indian Cultural Context: What Does Privacy mean for the Indian Masses?”, Opinion Piece, Digital Empowerment Foundation, September 2017 [https://defindia.org/wp-content/uploads/2017/09/Understanding-the-Lack-of-Privacy-in-Indian-Cultural-Context.pdf]

16S.122, IEA: Communications during marriage.— No person who is or has been married, shall be compelled to disclose any communication made to him during marriage by any person to whom he is or has been married; nor shall he be permitted to disclose any such communication, unless the person who made it, or his representative in interest, consents, except in suits between married persons, or proceedings in which one married person is prosecuted for any crime committed against the other.

17S. 126, IEA: Professional communications.—No barrister, attorney, pleader or vakil shall at any time be permitted, unless with his client’s express consent, to disclose any communication made to him in the course and for the purpose of his employment as such barrister, pleader, attorney or vakil, by or on behalf of his client, or to state the contents or condition of any document with which he has become acquainted in the course and for the purpose of his professional employment, or to disclose any advice given by him to his client in the course and for the purpose of such employment: Provided that nothing in this section shall protect from disclosure— (1) Any such communication made in furtherance of any illegal purpose; illegal purpose; (2) Any fact observed by any barrister, pleader, attorney or vakil, in the course of his employment as such, showing that any crime or fraud has been committed since the commencement of his employment. It is immaterial whether the attention of such barrister, pleader, attorney or vakil was or was not directed to such fact by or on behalf of his client. S.127, IEA: Section 126 to apply to interpreters, etc.— The provisions of section 126 shall apply to interpreters, and the clerks or servants of barristers, pleaders, attorneys, and vakils.

18[1962] 1 SCR 332 :: AIR 1963 SC 1295.

19The Right to Privacy as a Fundamental Right was first considered by the Supreme Court of India in the case of M. P. Sharma and Ors. v Satish Chandra, District Magistrate, Delhi and Ors., 1954 SCR 1077, wherein the warrant issued for search and seizure under Sections 94 and 96 (1) of the Code of Criminal Procedure was challenged as being ultra vires the Constitution and its guaranteed Fundamental Rights. The Court unanimously held (in Para 17): “A power of search and seizure is in any system of jurisprudence an overriding power of the State for the protection of social security and that power is necessarily regulated by law. When the constitution makers have thought fit not to subject such regulation to constitutional limitations by recognition of a fundamental right to privacy, analogous to the Fourth Amendment, we have no justification to import it, into a totally different fundamental right, by some process of strained construction. Nor is it legitimate to assume that the constitutional protection under Article 20(3) would be defeated by the statutory provisions for searches.”

20[1975] 2 SCC 148.

21[1994] 6 SCC 632.

22[1997] 1 SCC 301, holding that: “We have, therefore, no hesitation in holding that right to privacy is a part of the right to “life” and “personal liberty” enshrined under Article 21 of the Constitution. Once the facts in a given case constitute a right to privacy, Article 21 is attracted. The said right cannot be curtailed “except according to procedure established by law”

23As held in R.C. Cooper v UOI, [1970] 1 SCC 248.

24Regulation 7.14: The registered medical practitioner shall not disclose the secrets of a patient that have been learnt in the exercise of his / her profession except– i) in a court of law under orders of the Presiding Judge; ii) in circumstances where there is a serious and identified risk to a specific person and / or community; and iii) notifiable diseases. In case of communicable / notifiable diseases, concerned public health authorities should be informed immediately.

25S.66E, IT Act, 2000: Punishment for violation of privacy.– Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both. Explanation.–For the purposes of this section– (a) “transmit” means to electronically send a visual image with the intent that it be viewed by a person or persons;(b) “capture”, with respect to an image, means to videotape, photograph, film or record by any means; (c) “private area” means the naked or undergarment clad genitals, public area, buttocks or female breast: (d) “publishes” means reproduction in the printed or electronic form and making it available for public; (e) “under circumstances violating privacy” means circumstances in which a person can have a reasonable expectation that–

1. he or she could disrobe in privacy, without being concerned that an image of his private area was being captured; or

2. any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place.

26S.43A, IT Act, 2000: Compensation for failure to protect data.– Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

27Under the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “IT Personal Data Rules, 2011”) issued under S.87, IT Act, 2000, and defines Sensitive Personal Data or Information as under.— Rule 3: Sensitive personal data or information of a person means such personal information which consists of information relating to;—

1. password;

2. financial information such as Bank account or credit card or debit card or other payment instrument details;

3. physical, physiological and mental health condition;

4. sexual orientation;

5. medical records and history;

6. Biometric information;

7. any detail relating to the above clauses as provided to body corporate for providing service; and

8. any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:

provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

28See Rule 5 (Collection of Information), Rule 6 (Disclosure of Information), Rule 7 (Transfer of Information), Rule 8 (Security Practices and Procedures for securing Information).

29Available at: https://www.indiacode.nic.in/handle/123456789/2057?view_type=search&sam_handle=123456789/1362

30Defined as: u/S.2(e), CICRA: “ … a company formed and registered under the Companies Act, 1956 (1 of 1956) and which has been granted a certificate of registration under sub-section (2) of section 5.” Further, as per S.14, CICRA: “(1) A credit information company may engage in any one or more of the following forms of business, namely:—

1. to collect, process and collate information on trade, credit and financial standing of the borrowers of the credit institution which is a member of the credit information company;

2. to provide credit information to its specified users or to the specified users of any other credit information company or to any other credit information company being its member;

3. to provide credit scoring to its specified users or specified users of any other credit information company or to other credit information companies being its members;

4. to undertake research project;

5. to undertake any other form of business which the Reserve Bank may, specify by regulations as a form of business in which it is lawful for a credit information company to engage.”

31Defined as: u/S.2(d), CICRA: “… any information relating to—

1. the amounts and the nature of loans or advances, amounts outstanding under credit cards and other credit facilities granted or to be granted, by a credit institution to any borrower;

2. the nature of security taken or proposed to be taken by a credit institution from any borrower for credit facilities granted or proposed to be granted to him;

3. the guarantee furnished or any other non-fund based facility granted or proposed to be granted by a credit institution for any of its borrowers;

4. the creditworthiness of any borrower of a credit institution;

5. any other matter which the Reserve Bank may, consider necessary for inclusion in the credit information to be collected and maintained by credit information companies, and, specify, by notification, in this behalf.”

32For Regulation 10, CICR see: https://upload.indiacode.nic.in/showfile?actid=AC_CEN_2_11_00003_200530_1517807317795&type=regulation&filename=the_credit_information_companies_(regulation)_2005_-_regulations.pdf