PRIVACY IN THE DIGITAL ERA: LEGAL RESPONSES TO TECHNOLOGICAL DISRUPTIONS BY - NAMRATA N WAGHMARE & PRAJAKTA PIMPALSHINDE

Abstract:
The advent of the internet has revolutionized access to information, empowering individuals to explore new ideas, practices, and perspectives with unprecedented ease. However, these technological advancements have also introduced significant privacy challenges. The pervasive mining of private information for unethical and illegal purposes has raised serious concerns regarding security breaches, identity theft, and unauthorized governmental surveillance. Moreover, the ethical implications of data practices employed by social media platforms have come under scrutiny, highlighting the tension between innovation and privacy protection. As human beings inherently value their privacy and seek to maintain control over personal information, the increasing vulnerability of private data posed by modern information technology has underscored the need for robust legal frameworks. This article explores the evolving legal landscape of privacy in India, examining the intersection of privacy rights with the rapid development of science and technology. It underscores the importance of balancing innovation with the protection of personal privacy, and the ongoing efforts to establish a robust legal framework that adequately addresses the challenges posed by the digital age.
 
Key words: Information, technology, security breach, identity theft, privacy rights.
 

Introduction:

Technology has had a profound impact on many aspects of our lives, particularly privacy. The growth of the internet and the widespread use of digital devices have made it simpler for individuals and organizations to share and access information[1]. However, this increased connectivity has also led to new privacy and security concerns. This article examines how technology has affected privacy rights, why it is important to protect privacy, what existing legal frameworks address the issue, and what other legal remedies could be introduced. One of the most significant effects of technology on privacy is the extensive collection, storage, and sharing of personal information online. As people increasingly use social media, online shopping, and other digital platforms, they willingly share personal information like their name, address, phone number, and credit card details. Companies use this data for targeted advertising, data mining, and various other purposes. However, this same information can be exploited by hackers and malicious actors, leading to identity theft, fraud, or other crimes. The advancements in data analytics and machine learning have further increased these concerns. Organizations and individuals must take steps to secure their personal and sensitive information and be aware of the laws and regulations that govern privacy and cybersecurity.
 
At the core of this study is the key question: how well do the current legal frameworks in India tackle the complex challenges presented by the fast-evolving field of digital privacy and data protection? This research seeks to comprehensively examine the existing legal frameworks, scrutinize their efficacy, and propose recommendations for potential enhancements[2]. Moreover, it aims to stimulate thoughtful discussions on shaping a more resilient framework for digital privacy and data protection in the country, considering the implications of The Digital Personal Data Protection Act, 2023. Policymakers can benefit from informed recommendations to enhance legislative frameworks, businesses can adapt strategies to ensure compliance with evolving regulations, and individuals can better understand and advocate for their digital rights. In navigating this research, the goal is not only to analyze the existing state of affairs but also to contribute proactively to the ongoing dialogue surrounding the challenges posed by the digital age.
 

Evolution of Privacy Concerns in the Digital Age

Emerging technologies, such as Artificial Intelligence (AI), have a profound impact on digital privacy. AI’s advanced data processing and analysis capabilities can enhance service delivery and generate valuable insights. However, these same capabilities can also be used to scrutinize personal data for profiling and decision-making without sufficient human oversight, potentially violating individual privacy without consent. Thus, AI represents both a significant opportunity and a potential threat to digital privacy, necessitating the development of strong privacy policies to regulate its use.
 
Similarly, data analytics—while powerful in providing insights into user behaviours and improving service personalization—can pose risks to privacy if not managed properly. Extensive data collection and analysis may infringe on individual privacy rights unless accompanied by practices such as data minimization and anonymization. Balancing the benefits of data analytics with privacy considerations is crucial[3].
 
As technology continues to evolve, individuals must remain informed about these changes and their privacy implications. This includes understanding the privacy policies of digital services, utilizing privacy tools and settings, and keeping systems updated to address any technical vulnerabilities.
 
The integration of Internet of Things (IoT) devices into everyday life introduces significant privacy concerns. These devices collect, process, and transmit large amounts of potentially sensitive data, which can lead to privacy breaches if not properly secured. Users should be vigilant about the security settings and data management practices of their IoT devices.
 
Finally, advancements like facial recognition technology pose serious challenges to digital privacy norms. While offering potential benefits for security and access control, they raise concerns about the loss of anonymity in public spaces and the potential for misuse in surveillance. This highlights the urgent need for legal and ethical guidelines to regulate the use of such powerful technologies in a privacy-conscious era.
 
Encryption plays a pivotal role in strengthening digital privacy. It involves encoding information such that only authorized parties can access it. By leveraging encryption technologies, users can ensure that even if their data is intercepted, it remains unreadable and thus, safe. Encryption is extensively used in protecting sensitive data transmission and storage, including in email services, messaging apps, and cloud storage, thereby enhancing individual digital privacy.
 
 

Technological Innovations and Their Impact on Privacy

(i)   Internet

A major theme in the discussion of Internet privacy revolves around the use of cookies[4]. Cookies are small pieces of data that web sites store on the user’s computer, in order to enable personalization of the site. However, some cookies can be used to track the user across multiple web sites (tracking cookies), enabling for example advertisements for a product the user has recently viewed on a totally different site. Again, it is not always clear what the generated information is used for. Laws requiring user consent for the use of cookies are not always successful in terms of increasing the level of control, as the consent requests interfere with task flows, and the user may simply click away any requests for consent. Similarly, features of social network sites embedded in other sites (e.g. “like”-button) may allow the social network site to identify the sites visited by the user.
 

(ii)   Cloud Computing

The rise of cloud computing has intensified privacy concerns. Previously, user data and programs were stored locally, limiting access to data and usage statistics by program vendors. With cloud computing, both data and programs are hosted online, creating uncertainty about how user-generated and system-generated data are utilized. Additionally, the global nature of cloud storage complicates the identification of applicable laws and the authorities that can access the data. This issue is especially pronounced with data collected by online services and apps, such as search engines and games, where it is often unclear which data is collected and how it is communicated.
 
Users frequently face limited choices, sometimes having no option but to use the application without full transparency on data handling.
 

(iii)  Social Media

Social media platforms present unique privacy challenges. The issue extends beyond merely restricting access to information; it involves addressing the moral implications of encouraging users to share extensive personal data. Social networks often prompt users to provide more data to enhance their profiles and increase site value, creating a temptation to exchange personal information for service benefits. Users may be unaware of the full extent of data they are sharing, as seen with features like the "like" button. Simply limiting access to this information doesn't address the root problem; instead, efforts should focus on guiding user behaviour regarding data sharing.
 
One approach to reducing the temptation to share is implementing strict default privacy settings. While this can limit access for other users, it doesn’t necessarily restrict the service provider’s access. Such measures may also impact the functionality and benefits of social networking sites. An alternative is adopting an opt-in approach, where users must actively choose to share data or subscribe to services, potentially leading to more acceptable outcomes. However, the effectiveness of this approach depends significantly on how the options are presented to users[5].
 

(iv)  Big Data

Users generate loads of data when online. This is not only data explicitly entered by the user, but also numerous statistics on user behaviour: sites visited, links clicked, search terms entered, etc. Data mining can be employed to extract patterns from such data, which can then be used to make decisions about the user. These may only affect the online experience (advertisements shown), but, depending on which parties have access to the information, they may also impact the user in completely different contexts. In particular, big data may be used in profiling the user (Hildebrandt 2008), creating patterns of typical combinations of user properties, which can then be used to predict interests and behaviour. An innocent application is “you may also like …”, but, depending on the available data, more sensitive derivations may be made, such as most probable religion or sexual preference. These derivations could then in turn lead to unequal treatment or discrimination. When a user can be assigned to a particular group, even only probabilistically, this may influence the actions taken by others. For example, profiling could lead to refusal of insurance or a credit card, in which case profit is the main reason for discrimination. When such decisions are based on profiling, it may be difficult to challenge them or even find out the explanations behind them. Profiling could also be used by organizations or possible future governments that have discrimination of particular groups on their political agenda, in order to find their targets and deny them access to services, or worse[6].
 

(v)       Mobile Phones

As networked devices like smartphones become more common, they increasingly collect and transmit data through various sensors, such as GPS, movement sensors, and cameras. GPS sensors can track precise locations, while even without GPS, approximate locations can be determined via wireless networks. This location data, linking the online and physical worlds, can pose privacy risks like stalking or burglary. Cameras on these devices can also capture private images, raising concerns about user awareness and control. While some devices indicate camera activation with a light, this can be manipulated by malicious software. Overall, the privacy implications of reconfigurable technology[7] hinge on users' awareness of how their data is managed and used.
 

(vi)       The Internet of Things

Devices connected to the Internet extend beyond user-owned gadgets like smartphones to include a wide range of Internet of Things (IoT) devices. These include RFID chips in passports and public transport systems, which can leak data such as nationality, and "dumb" RFIDs in products that could trace individuals. In homes, smart meters and connected appliances generate data on electricity use, water consumption, and environmental preferences, potentially enabling profiling and monitoring. As more household devices become interconnected, privacy concerns grow, particularly regarding data collection, user autonomy, and transparency. Users must be aware of features like microphones in connected devices and how their data is handled.
 

(vii)       E-Government

Government and public administration have undergone radical transformations as a result of the availability of advanced IT systems as well. Examples of these changes are biometric passports, online e-government services, voting systems, a variety of online citizen participation tools and platforms or online access to recordings of sessions of parliament and government committee meetings. In elections, information technology impacts voter privacy throughout the voting process[8]. Secret ballot requirements aim to prevent vote buying and coercion, demanding that voters keep their choices private. While polling stations can enforce this privacy, mail-in and online voting are more vulnerable to breaches of confidentiality since privacy cannot be guaranteed technologically, and voters might be observed during the process. Information technology influences how voters maintain this privacy and how authorities can verify it.
 
E-democracy initiatives could reshape privacy in politics. Additionally, online platforms and social media can compromise privacy by enabling targeted misinformation and behavioural profiling, making it harder to protect preferences and increasing the risk of opinion manipulation.
 

(viii)      Surveillance

Information technology enhances surveillance capabilities by improving traditional systems like CCTV with features such as facial recognition and integrating data from Internet-of-Things devices. This technology also powers "surveillance capitalism," where social media and online platforms collect extensive personal data, sometimes without clear consent, for purposes ranging from targeted advertising to potentially malicious activities like election interference.
 
In early April 2021, during the Kumbh Mela festival in Haridwar, India, AI-enabled cameras and drones monitored pilgrims for mask-wearing and physical distancing as COVID-19 cases surged. While these technologies aimed to enhance safety, they also raised concerns about privacy and individual freedoms. In recent years, Indian police have increasingly used fingerprint and facial recognition technology (FRT) for surveillance in various public spaces, including during protests against controversial laws. These technologies, often prone to high error rates and biases, have led to privacy violations and wrongful arrests.
 
Digital surveillance in India extends beyond policing to broader datafication, where personal data is extensively collected and analysed by both the state and private entities. The proposed Social Registry Information System, intended to integrate with India’s Aadhaar biometric system, aims to track individuals' lives comprehensively, raising significant privacy concerns. This shift towards pervasive surveillance compromises privacy, a fundamental right linked to freedom of expression and protection against discrimination.
 
In the context of India's expanding digital surveillance without a comprehensive data-protection law, the Supreme Court has recognized privacy as a fundamental right. However, the current surveillance regime reflects an emerging challenge. As the European Union considers regulations on surveillance technologies and data privacy, the need for robust protections in a rapidly evolving digital landscape becomes increasingly critical.
 
Legal Framework and Responses in India

Constitutional Framework

The Right to Privacy was not directly envisaged by the Constitution makers and as such does not find a mention in Part III of the Constitution relating to Fundamental Rights. In the MP Sharma vs Satish Chandra case[9], the Supreme Court decided in favour of the practice of search and seizure when contrasted with privacy.
 
In 1975, the Indian Supreme Court's decision in Gobind vs State of MP[10] marked a significant moment for privacy rights, introducing the compelling state interest test from American law. This test requires that an individual's right to privacy may be overridden by a compelling state interest, which must be convincingly justified. Over time, the scope of privacy in India has broadened to include sensitive personal data, such as medical records and biometric information.
 
In 1997 in the matter of PUCL vs Union of India[11], commonly known as telephone tapping cases, the Supreme Court unequivocally held that individuals had a privacy interest in the content of their telephone communications.
 
The Indian Constitution does not explicitly guarantee the right to privacy. However, Indian courts have interpreted Article 21—the right to life and liberty—to encompass a limited right to privacy. This interpretation was challenged in the 2015 case Justice K.S. Puttaswamy vs. Union of India[12]. On August 24, 2017, the Supreme Court ruled that privacy is a fundamental right, integral to the right to life and personal liberty under the Constitution. The Court clarified that this right is not absolute and is subject to reasonable restrictions, similar to other fundamental rights.
 
 

Existing Laws on Privacy

Presently, there is no specific legislation dealing with privacy and data protection. The protection of privacy and data can be derived from various laws pertaining to information technology, intellectual property, crimes and contractual relations.
 

(i)       Information Technology Act, 2000

In the absence of a specific law on privacy, this right is legally viewed under the Information Technology Act, 2000. The Act has some express provisions guarding individuals against breach of privacy by corporate entities. The Act was amended in 2008 to insert Section 43A, which made companies compromising sensitive personal data liable to pay compensation.
 
Exercising its powers under Section 43A of the IT Act, 2000, the Government framed eight rules to protect privacy of an individual. These all relate to seeking permission by a company before accessing privacy data of individuals and fixing liabilities for violation of the same[13].
 

(ii)       Credit Information Companies Regulation Act, 2005 (“CICRA”)

As per the CICRA, the credit information pertaining to individuals in India has to be collected as per privacy norms enunciated in the CICRA regulation. Entities collecting the data and maintaining the same have been made liable for any possible leak or alteration of this data. Based on the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act, the CICRA has created a strict framework for information pertaining to credit and finances of the individuals and companies in India. The Regulations under CICRA which provide for strict data privacy principles have recently been notified by the Reserve Bank of India.
 

(iii)      Intellectual Property Laws:

The Indian Copyright Act prescribes mandatory punishment for piracy of copyrighted matter commensurate with the gravity of the offence. Section 63B of the Indian Copyright Act provides that any person who knowingly makes use on a computer of an infringing copy of a computer program shall be punishable.
 
It is pertinent to mention here that the Indian courts recognise copyright in databases. It has been held that a compilation of a list of clients/customers developed by a person by devoting time, money, labour and skill amounts to a “literary work” wherein the author has a copyright under the Copyright Act. As such, if any infringement occurs with respect to databases, the outsourcing parent entity may also have recourse under the Copyright Act.
 

(iv)       Digital Personal Data Protection Act (DPDP Act), 2023

The law came into effect August 11, 2023 and covers personal data collected in digital format, or collected by other means and later digitized. The law is intended to protect personal information for citizens in the world’s most populous country, and increase accountability for organizations that handle a lot of such data, including those with online operations and that run mobile apps.
 

Key conclusions of the Supreme Court from the judgment in Justice K.S. Puttaswamy (Retd) vs Union of India:

1.      Life and personal liberty are inalienable rights central to human dignity and the Indian Constitution.
2.      The recognition of the right to privacy is not a constitutional amendment but a judicial interpretation.
3.      Privacy includes personal intimacies, family life, marriage, procreation, sexual orientation, and the right to be left alone.
4.      Personal lifestyle choices are integral to privacy.
5.      Privacy is inherent to individuals, even in public spaces.
6.      Constitutional interpretation must adapt to technological advancements and societal changes.
7.      Privacy is not absolute and must be balanced against permissible legal restrictions.
8.      Privacy has both negative (protection from state intrusion) and positive (state protection of privacy) aspects.
9.      Privacy is a fundamental right protecting individual autonomy from state and non-state interference.
10.  The home environment must safeguard family, marriage, procreation, and sexual orientation as key elements of dignity.
11.  Privacy is crucial in a diverse nation and must be upheld as a fundamental right.
12.  Privacy rights are fundamental and not subject to majority opinion.
13.  Privacy is an inherent fundamental right under Part III of the Constitution, subject to reasonable restrictions.
 

Judicial Pronouncements by Supreme Court on Privacy[14]

In the following seven cases, the Supreme Court upheld the Right to Privacy:
 
1964: KHARAK SINGH VS STATE OF UP & OTHERS (1963 AIR SC 1295)
SURVEILLANCE INTRUDES INTO PRIVACY: This case is among the most cited cases in India when it comes to privacy. Here, a majority of a six-judge bench held that unlawful intrusion into the home violates personal liberty.
 
1997: PUCL VS UNION OF INDIA (AIR 1997 SC 568)
TELEPHONE TAPPING INVADES PRIVACY: A division bench held that a telephone conversation is an exercise in freedom of expression, and that telephone tapping is an invasion of privacy.
 
1998: MR X VS HOSPITAL Z (1998 (8) SCC 296)
PRIVACY ISN’T ABSOLUTE: The case concerned revealing the HIV status of a patient by a doctor. A division bench held the right to privacy isn’t absolute. A doctor may disclose a patient’s HIV status to the partner.
 
2008: HINSA VIRODHAK SANGH VS MIRZAPUR MOTI KURESH JAMAT (AIR 2008 SC 1892)
CHOICE OF FOOD PERSONAL: A division bench upheld the closure of slaughterhouses in Ahmedabad during the Jain Paryushan festival. It also observed that what one eats is part of one’s right to privacy.
 
2009: JAMIRUDDIN AHMED VS STATE OF WEST BENGAL (CRIMINAL APPEAL NO. 1535 OF 2008)
RAID WITHOUT REASON NOT OKAY: A division bench ruled that search/seizure without recording valid reasons violates the right to privacy.
 
2011: RAM JETHMALANI & OTHERS VS UNION OF INDIA (2011) 8 SCC 1
CAN’T REVEAL BANK DETAILS WITHOUT VALID GROUNDS: Popularly known as the “Black Money Case”, here the Supreme Court held that revealing an individual’s bank account details without establishing grounds to accuse them of wrongdoing violates their right to privacy.
 
2012: SUPREME COURT TAKES SUO MOTU NOTICE OF THE RAMLILA MAIDAN INCIDENT
RIGHT TO SLEEP IS PART OF RIGHT TO PRIVACY: The Supreme Court took suo motu cognizance of the crackdown on sleeping anti-corruption protesters camping at Ramlila Maidan led by Baba Ramdev. Identifying Right to Sleep as an aspect of the Right to Dignity and Privacy, the court refused to permit “illegitimate intrusion into a person’s privacy as right to privacy is implicit in the right to life and liberty”.
 

Role of Ministry of Electronics and Information Technology[15]

“The Cyber Law & Data Governance Division, operating under the Ministry of Electronics and Information Technology (MeitY), assumes a pivotal role in shaping India's digital landscape. Since the inception of the Information Technology Act in 2000, this division has been at the forefront, fostering electronic transactions, providing legal validation for e-commerce, facilitating e-governance, preventing computer-based crimes, and implementing robust security measures.
 
A notable recent addition to the division’s initiatives is the Digital Personal Data Protection Act of 2023, a landmark legislation that adeptly balances individual privacy rights with the imperative to process digital personal data for lawful purposes. The IT (Intermediary Guidelines and Digital Media Ethics Code) Rules of 2021 further showcase the division's commitment to regulating social media intermediaries, online gaming, and safeguarding digital citizens. The establishment of a Grievance Appellate Committee reflects the division's dedication to resolving social media grievances where grievance officers couldn't provide relief to the social media users in India.
 
Moreover, the division actively pioneers frameworks for data governance and protection, crucial for establishing an open, safe, trusted, accountable, and adaptable cyberspace. Acknowledging data protection as a fundamental right for Indian citizens, the division formulates policies to safeguard these rights. Furthermore, the division delves into the legal implications of cutting-edge technologies such as IoT, Blockchain, and Artificial Intelligence, while also addressing aspects of Competition Law, Company Law, Copyright Act, and Intellectual Property Rights (IPR) protection within the domain of information technology. In essence, the division operates as a guardian of digital rights, ensuring a secure cyberspace that is indispensable for the nation's digital economy growth.”
 

Role of Justice Sri Krishna committee in Data Protection Laws[16]

In the year 2017, the government of India, through its Ministry of Electronics and Information Technology, appointed a committee of ten members under the chairmanship of Justice B.R. Krishna (a retired Supreme Court judge). This committee was supposed to submit a detailed report on the introduction of the data privacy law in India. The committee finally submitted its report on the data protection framework on July 27, 2018.
·         The committee recommended a clear distinction between sensitive personal data and critical personal data and separate provisions for the collection and processing of different kinds of data. It was suggested that the term ‘personal data’ is any kind of data that allows identification of an individual, whether directly or indirectly. However, sensitive personal data is in relation to more intimate matters such as caste, religion and sexual orientation of a person. It was also made clear that the critical personal data should be processed in the centres that are located within the country only.
·         The report suggested that there is a fiduciary relationship between the service provider and individuals whose data is collected. So, the service provider is always under an obligation to deal with the personal data of the individuals in a fair and transparent manner and also to give the individual notice of data collection at various points. Also, the service provider would be bound by the ‘purpose limitation principle’, which states that personal data should be collected only for limited, explicit and specified purposes.
·         The law was suggested not to have any retrospective effect and would be enforced for the future, but only in a structured manner.
·         The committee strongly suggested that the processing of personal data should have clear, specific and lawful purposes alone. The data should be processed only when it’s consented to by the individual. This consent may, at any time, be withdrawn by the individual.
·         A special mention was made in regard to the data on children. It said there needed to be stricter provisions for protection of their data.
·         It was also pointed out that there may be four situations in which non-consensual processing of data may be allowed. These are:
 
1.      When the processing is relevant for the state in order to do its welfare functions.
2.      When it’s required to comply with the law or legal orders within India.
3.      When the processing is necessitated by the need to act upon it promptly.
4.      In the scenario of employment contracts as well.
 
·         The committee also put forth the idea that all organisations and firms that collect personal data should mandatorily appoint data protection officers. These officers would go on to become the main point of contact for the users who face any grievance in their data collection by the concerned company.
·         The committee also made a key recommendation of imposing higher penalties ranging from 2-4% of the company’s worldwide turnover or fines between Rs. 5 crore and Rs. 15 crore, whichever is higher.
·         Another highlight of the committee’s report was that the data protection law enacted would have jurisdiction over the processing of personal data when that data has been used, stored, disclosed, or collected anywhere in India; it doesn’t matter where the data is actually processed.
·         The report also suggested the setting up of a data protection authority that would be an independent regulatory body responsible for the enforcement and implementation of the data privacy law. This body would be responsible for conducting research and spreading awareness on the issues as well. Any decision rendered by this authority could be appealed against and heard by an appellate body.
·         It was also stated by the committee that there are certain rights of an individual, such as the right to access their data, to correct it, withdraw their consent, right to object to the data processing, right to be forgotten, etc.
·         As per the report of the committee, there would be amendments needed in laws such as the Information Technology Act, 2000; the Census Act, 1948; the Aadhaar Act, 2016; and the Right to Information Act, 2005.
 
After receiving the recommendations of the committee and a draft privacy law bill, the bill remained in limbo. Its first draft was made public in July 2018 and then revised again in December 2019. The Bill was then referred to a joint parliamentary committee for its report, which submitted its report two years later, that is, in December 2021. Later, the government decided to withdraw the bill as there were too many proposed changes to be incorporated. Later in November 2022, the Ministry of Electronics and Information Technology released a draft bill for public consultations. Finally, in August 2023, the government introduced the Digital Personal Data Protection Bill, 2022. After much consultation and amendment, the Digital Personal Data Protection Bill of 2023 was finally passed and it received the President’s assent after six years.

 

Digital Personal Data Protection Act, 2023

The Act provides for the processing of digital personal data in a manner that recognizes both the rights of the individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.
1. The Act protects digital personal data (that is, the data by which a person may be identified) by providing for the following:
a.       The obligations of Data Fiduciaries (that is, persons, companies and government entities who process data) for data processing (that is, collection, storage or any other operation on personal data);
b.      The rights and duties of Data Principals (that is, the person to whom the data relates); and
c.       Financial penalties for breach of rights, duties and obligations.
 
The Act also seeks to achieve the following:
a.    Introduce data protection law with minimum disruption while ensuring necessary change in the way Data Fiduciaries process data;
b.    Enhance the Ease of Living and the Ease of Doing Business; and
c.    Enable India’s digital economy and its innovation ecosystem.

2.    The Act is based on the following seven principles:
a.    The principle of consented, lawful and transparent use of personal data;
b.    The principle of purpose limitation (use of personal data only for the purpose specified at the time of obtaining consent of the Data Principal);
c.    The principle of data minimisation (collection of only as much personal data as is necessary to serve the specified purpose);
d.    The principle of data accuracy (ensuring data is correct and updated);
e.    The principle of storage limitation (storing data only till it is needed for the specified purpose);
f.     The principle of reasonable security safeguards; and
g.    The principle of accountability (through adjudication of data breaches and breaches of the provisions of the Bill and imposition of penalties for the breaches).
 
3.      The Act has a few other innovative features:
The Bill is concise and SARAL, that is, Simple, Accessible, Rational & Actionable Law, as it—
a.       Uses plain language;
b.      Contains illustrations that make the meaning clear;
c.       Contains no provisos (“Provided that…”); and
d.      Has minimal cross-referencing.
 
4.    By using the word “she” instead of “he”, for the first time it acknowledges women in Parliamentary law-making.
 
5.    The Bill provides the following rights to individuals:
a.       The right to access information about personal data processed;
b.      The right to correction and erasure of data;
c.       The right to grievance redressal; and
d.      The right to nominate a person to exercise rights in case of death or incapacity.
 
For enforcing his/her rights, an affected Data Principal may approach the Data Fiduciary in the first instance. In case he/she is not satisfied, he/she can complain against the Data Fiduciary to the Data Protection Board in a hassle-free manner.
6.    The Act imposes the following obligations on the Data Fiduciary:
a.       To have security safeguards to prevent personal data breach;
b.      To intimate personal data breaches to the affected Data Principal and the Data Protection Board;
c.       To erase personal data when it is no longer needed for the specified purpose;
d.      To erase personal data upon withdrawal of consent;
e.       To have in place grievance redressal system and an officer to respond to queries from Data Principals; and
f.        To fulfill certain additional obligations in respect of Data Fiduciaries notified as Significant Data Fiduciaries, such as appointing a data auditor and conducting periodic Data Protection Impact Assessment to ensure higher degree of data protection.
 
7.    The Act safeguards the personal data of children also.
a.       The Bill allows a Data Fiduciary to process the personal data of children only with parental consent.
b.      The Bill does not permit processing which is detrimental to the well-being of children or involves their tracking, behavioural monitoring or targeted advertising.
 
8.    The exemptions provided in the Bill are as follows:
a.       For notified agencies, in the interest of security, sovereignty, public order, etc.;
b.      For research, archiving or statistical purposes;
c.       For startups or other notified categories of Data Fiduciaries;
d.      To enforce legal rights and claims;
e.       To perform judicial or regulatory functions;
f.        To prevent, detect, investigate or prosecute offences;
g.      To process in India personal data of non-residents under foreign contract;
h.      For approved merger, demerger etc.; and
i.        To locate defaulters and their financial assets etc.

 

Conclusion

The DPDP Act, the result of over five years of debate and negotiation, represents the beginning of formal personal data protection regulation. How effectively personal data privacy is safeguarded will depend on the regulatory developments and institutional frameworks established in the coming years. While the new law lays the essential groundwork, it alone is insufficient to ensure real data privacy.
 
It is uncertain whether earlier drafts of the bill would have provided significantly better privacy protection. However, the evolution of the law’s content reflects a shift in the government's approach to privacy. The current version of the law, by imposing lower compliance costs on Indian businesses compared to earlier drafts, is a positive development.
 
In general, the law is both modest and practical, which is a good thing. Nevertheless, its practicality sometimes comes at the expense of privacy interests. The significant discretionary authority granted to the central government means that the effectiveness of privacy protection will largely depend on the government's dedication to upholding it.
 

References

1.      The Impacts of Technology on Privacy and Cybersecurity, Medium, available at https://fastfacts101.medium.com/the-impact-of-technology-on-privacy-and-cybersecurity-4d2037331311, last seen on 24/08/2024
2.      Digital Privacy and Data Protection Laws in India, The Amikus Quriae, available at https://theamikusqriae.com/digital-privacy-and-data-protection-laws-in-india/, last seen on 21/08/2024
3.      What is Digital Privacy and its Importance, IEEE Digital Privacy, available at https://digitalprivacy.ieee.org/publications/topics/what-is-digital-privacy-and-its-importance, last seen on 24/8/2024
4.      Palmer, D.E., 2005, “Pop-ups, cookies, and spam: toward a deeper analysis of the ethical significance of internet marketing practices”, Journal of business ethics, 58(1–3): 271–280 (2005).
5.      Steven Bellman, Eric J. Johnson, Gerald L. Lohse, Communications of the ACM, Volume 44, Number 2, The ACM Digital Library, Pages 25-27 (2001)
6.      Privacy and Information Technology, Stanford Encyclopedia of Philosophy, available at https://plato.stanford.edu/entries/it-privacy/#DevInfTec, last seen on 23/08/2024
7.      Dechesne, F., M. Warnier, & J. van den Hoven, Ethics and Information Technology, available at https://link.springer.com/article/10.1007/s10676-013-9326-1, last seen on 26/08/2024
8.      Stéphanie Delaune, Steve Kremer, Mark Ryan, Coercion-Resistance and Receipt-Freeness in Electronic Voting, 5,6 (2008)
9.      Prabhash K Dutta, Right to Privacy: 5 bills yet no law, how Parliament has dealt with personal data protection, India Today, http://indiatoday.intoday.in/story/right-to-privacy-fundamental-right-parliament/1/1032794.html, last seen on 29/08/2024
10.  Cyber Law and Data Governance, Ministry of Electronics and Information Technology, available at https://www.meity.gov.in/cyber-security, last seen on 27/08/2024
11.  Adv. Komal Arora, Data protection and data privacy laws in India, iPleaders, available at https://blog.ipleaders.in/data-protection-laws-in-india-2/#Role_of_Justice_Sri_Krishna_committee_in_data_protection_laws, last seen on 26/08/2024
12.  Farsana, Right to Privacy: Indian Context, Readers’ Blog, https://timesofindia.indiatimes.com/readersblog/the-daily-roam/right-to-privacy-an-indian-context-55047/
13.  The Impact of Technology on Privacy and Cybersecurity, Fast Facts 101, available at https://fastfacts101.medium.com/, last seen on 25/08/2024


[1] The Impacts of Technology on Privacy and Cybersecurity, Medium, available at https://fastfacts101.medium.com/the-impact-of-technology-on-privacy-and-cybersecurity-4d2037331311, last seen on 24/08/2024
[2] Digital Privacy and Data Protection Laws in India, The Amikus Quriae, available at https://theamikusqriae.com/digital-privacy-and-data-protection-laws-in-india/, last seen on 21/08/2024
[3] What is Digital Privacy and its Importance, IEEE Digital Privacy, available at
[4] Palmer, D.E., 2005, “Pop-ups, cookies, and spam: toward a deeper analysis of the ethical significance of internet marketing practices”, Journal of business ethics, 58(1–3): 271–280(2005).
[5] Steven Bellman, Eric J. Johnson, Gerald L. Lohse, Communications of the ACM, Volume 44, Number 2, The ACM Digital Library, Pages 25-27(2001)
[6] Privacy and Information Technology, Stanford Encyclopedia of Philosophy, available at https://plato.stanford.edu/entries/it-privacy/#DevInfTec, last seen on 23/08/2024
[7] Dechesne, F., M. Warnier, & J. van den Hoven, Ethics and Information Technology, available at https://link.springer.com/article/10.1007/s10676-013-9326-1, last seen on 26/08/2024
[8] Stéphanie Delaune, Steve Kremer, Mark Ryan, Coercion-Resistance and Receipt-Freeness in Electronic Voting, 5,6 (2008)
[9] MP Sharma vs Satish Chandra,1954 SCR 1077
[10] Gobind vs State of MP, 1975 AIR 1378, 1975 SCR (3) 946
[11] PUCL vs Union of India, AIR 1997 SC 568 / (1997) 1 SSC
[12] Justice K.S. Puttaswamy vs. Union of India (2017) 10 SCC 1
[13] Prabhash K Dutta, Right to Privacy: 5 bills yet no law, how Parliament has dealt with personal data protection, India Today, http://indiatoday.intoday.in/story/right-to-privacy-fundamental-right-parliament/1/1032794.html last seen on 29/08/2024
[14] Privacy and The Supreme Court, The Times of India, August 25, 2017
[15] Cyber Law and Data Governance, Ministry of Electronics and Information Technology, available at https://www.meity.gov.in/cyber-security, last seen on 27/08/2024
[16] Adv. Komal Arora, Data protection and data privacy laws in India, iPleaders, available at https://blog.ipleaders.in/data-protection-laws-in-india-2/#Role_of_Justice_Sri_Krishna_committee_in_data_protection_laws, last seen on 26/08/2024