Digital constitutionalism and personal data protection


The nuanced origin of privacy as a fundamental right in 2017 brings along a tectonic shift in constitutional jurisprudence in India, especially since privacy necessarily brings with it questions of informational privacy, or more specifically digital privacy. Knowing that social media and search engine websites have been at their superior best for tracking down individual behavior, the new branch of constitutionalism, specifically digital constitutionalism, would not only be working against the State actor but would necessarily also work against Non-State actors (Facebook, Google, etc.). Interestingly, the realm of digital constitutionalism has many takers with differing opinions. Brian Fitzgerald, a prominent writer in the field of informational constitutionalism (IC), traces the origin and source of IC to laws such as patent laws, copyright laws, contract laws, and privacy laws. As per Fitzgerald, these laws represent the adequate constraint requisite for protecting the privacy and integrity of an individual. However, there are other writers who trace the origin of digital constitutionalism (DC) to constitutional norms, as what some call a normative counteraction against digital advancement. Under the normative counteraction, we trace the origin of DC within the already established norms of the Constitution: if I have to say that there cannot be any discrimination in any public place, that is an authority I can draw from the norm of Article 15(2) of the Indian Constitution. Similarly, I will derive this norm against digital technology which might be discriminatory in public places. Likewise, the Article 21 dignity jurisprudence can be applied to informational privacy. So these normative counteractions can be expanded to work against both State and Non-State actors.

However, the expansion of normative counteraction requires a two-fold approach. Under the first, Non-State actors like Facebook and Google are regarded as a part of the ‘State’, and when I say ‘State’ I mean the State as defined under Article 12 of the Indian Constitution. Once these entities (Facebook, Google, etc.) are regarded as ‘State’, they shall be as liable for protecting the dignity of an individual as the Government of India is. However, Indian jurisprudence has not expanded to the extent where it can recognize Non-State actors as part of Article 12. It was not until 1975, in the judgment of Sukhdev Singh v. Bhagatram, that Justice K.K. Mathew expansively defined the idea of ‘State’ and hinted that it also includes entities discharging the functions of the State. This elaborate opinion of Justice Mathew found a few takers in the series of judgments that followed Sukhdev Singh, yet the opinion fell short of bringing an overhauling change in the settled jurisprudence of ‘State’ as defined under Article 12. Today’s settled rule of ‘State’ derives its authority from the Zee Telefilms v. UoI case (2005), famously known as the BCCI case, where the Supreme Court laid down a triple test for recognition of an entity as ‘State’: the test of Function, Finance and Administration. However, within the last decade, there was the case of BCCI v. Cricket Association of Bihar (2015), where Justice T.S. Thakur emphasized the function test for recognition of ‘State’. Assuming that the ‘function test’ is the core essence for any entity to be recognized as ‘State’, the question which naturally follows is whether social media and search engine giants like Facebook and Google are discharging functions of the ‘State’. Let us take Facebook, for example; the company today is a multi-billion-dollar organization with thousands of employees around the world, working round the clock to keep people connected.

However, that is only one feature of the social media giant. The company today is endeavoring to launch its own set of crypto-currencies, known as ‘Libra’. The social media giant also provides stress-relief features such as ‘Mark yourself safe’ in case a natural calamity strikes your region. Apart from that, Facebook has also become one of the prime sources of news and information for the world community at large. Additionally, the company has launched its own Supreme Court-like adjudicatory body, known as the Facebook Oversight Board (FOB) (yet to become functional). The company is already running a parallel ‘State’; the only difference that could be thought of between the State and Facebook is that while there is job permanency in Government, the Facebook employee does not have that. Further, there is a counter-argument to this theory: that FB does not have the democratic legitimacy to be equated with the ‘State’. The latter argument does not seem viable, knowing that FB has over a billion users, so it is not as though the company is not accepted and used.

The other argument which goes against this pseudo-dualism of private/public entity is the ‘incoherent criticism’ theory: the idea that a private organization can be allowed to work without considering fundamental rights just seems incoherent. Private spaces cannot be spots of discrimination or breach of dignity. Keeping this in mind, there are substantive arguments for digital constitutionalism originating from the normative reactions of the Constitution itself. When I say normative reactions, I mean that there is enough leverage under Article 21 to work against cases of breach of informational privacy arising not only from the State but from Non-State actors as well.

The above argument helps us in consolidating the position of digital constitutionalism as one that can be traced to the existing norms of the Constitution. However, the question is whether the safeguards provided by the existing norms are efficient enough to handle the situation of a data breach. The Supreme Court in K.S. Puttaswamy (2017) recognized three facets of privacy: bodily privacy, privacy of the mind, and informational privacy. The third facet is the troublesome one: as the judiciary recognized the advent of the digital era, it recognized informational privacy as an essential facet of this era and of dignity (Article 21). Yet this recognition of a new facet of privacy does little or no work unless there is a normative safeguard to protect it. Ironically, the distinct safeguard for digital dignity (or informational privacy) in India is governed by three major regulations: the Information Technology Act, 2000 (IT Act, 2000), the SPDI Rules, 2011, and the Intermediary Guidelines Rules, 2011. Yet most of these provisions have turned obsolete given the kind of technological advancement that has been made in the last decade. The SPDI Rules were specifically drafted to bring a sense of accountability to e-commerce websites and search engine websites, but these safeguards do not categorize the sensitivity of the information. The new Personal Data Protection Bill, 2019 categorizes personal data into the broad themes of sensitive personal data and critical personal data.

The efficient tool which is emerging around the world for regulating the conduct of social media and search engine websites is a stringent personal data protection Act. India too is following in the same fervor and has drafted a Personal Data Protection Bill, 2019. Interestingly, this is India’s second bill on personal data protection; the first draft, prepared by retired Justice B.N. Srikrishna, is known as the Personal Data Protection Bill, 2018, and was pretty much on the lines of the European General Data Protection Regulation (GDPR). However, the new draft, titled the Personal Data Protection Bill, 2019, makes some serious departures from the old bill and has certain provisions that are friendly to the Government.

Now this second PDP bill needs to be seen in the light of digital constitutionalism, because the PDP becomes an essential tool for restraining the power of State and Non-State actors. This model of constitutionalism is typically based on the model given by Brian Fitzgerald, which searches for constitutionalism through the medium of statutory laws. It differs from its western counterpart: under the European model, the protection of personal data is regarded as a part of fundamental rights, whereas in India data protection has been given the status of a statutory right. So even though informational privacy requires a strong guard of data protection, the Indian judiciary has not so far recognized data protection as an essential part of data privacy. A statutory right per se does not have the same amount of assurance as a fundamental right, yet it would be too early to discard the Personal Data Protection Bill, 2019 for its statutory existence (yet to come).

THE PDP BILL, 2019: A NEW DAWN FOR DIGITAL DIGNITY

It is not a hidden fact that the 2016 U.S. election came as a big revelation for the world at large; it told us that the sanctuary of the house is not that safe a place after all. The idea of a digital castle was shattered by Facebook and other media websites, which, as per news reports around the world, collaborated with the political analysis firm Cambridge Analytica and manipulated voter choices in the United States. It does not end here: the reminders of it are still very fresh, with cases being alleged in the Brexit movement in Europe and the Presidential election in Brazil. This is an unending tale with diverse authors across the globe. One of the former employees of the firm also mentioned that the firm had met a few political parties in India as well. This raises a serious threat to individual dignity and freedom of choice (which surely can be traced back to Article 21 of the Indian Constitution) in India. Therefore, any legislative attempt to curb the outreach of social media needs to have a consensus ad idem of three parties: the Government, the social media and search engine websites, and the consumers (citizens) of social media. All three parties have an interest in the making of a personal data protection act; therefore all their interests need to find a place in the act.

The current PDP Bill, 2019 does provide more rights for the data principal (the consumer of social media and search engine websites). The bill recognizes the right to be forgotten (read section 20), the right to erasure (read section 18(1)(d)), the right to correction, and the power of the data principal to take back consent. There are different categories of consent required for different categories of personal data (read section 11 of the Bill). All these rights seem like a good move for regulating the exercise of power by large corporations, and they certainly draw a structural balance of power between the data principal and the data fiduciary (State and Non-State actors taking information).

But it has to be kept in mind that any form of digital constitutionalism, whether coming from normative counteractions or statutory laws, has to work against both State and Non-State actors. The conventional definition of constitutionalism, as a restraint against the State, cannot be a fully operational definition keeping the digital world in mind. Therefore, the implications of the PDP Bill, 2019 have to be against State and Non-State actors equally. Interestingly, various provisions of the PDP Bill, 2019 tend to hint towards over-regulation, which is a classic tale of socialism; the bill started from a role of parens patriae and has turned into eminent domain. The first default reaction of Governments across the globe to the Facebook fiasco was that of a guardian whose citizens are like children needing protection against the outreach of social media, but suddenly this role has turned into eminent domain, where the concentrated power has shifted from the Non-State actor to the State actor. If sections 12, 14, and 35 are read carefully, there are enough leverage points for Government agencies to process personal data without being bound by the regulations of consent. This tends to imbalance the power ratio among the three parties in interest and tilt it in favor of the Government. A more neutral role would be required of the Data Protection Authority to mediate the power ratio among the three parties.

REASONABLE EXPECTATION OF PRIVACY

The other theoretical notion which we need to explore in the absence of any substantive enactment to safeguard personal data is the test of ‘Reasonable Expectation of Privacy’. The reasonable expectation of privacy test evolved in the U.S. Supreme Court through the rulings in Olmstead v. United States, Katz v. United States, and Timothy Carpenter v. United States. The test simply runs on the premise: ‘Would a reasonable person expect privacy within a particular space?’ This subjectively objective test has been utilized by the U.S. Supreme Court for a long time. The Indian Supreme Court too, in K.S. Puttaswamy (2017), dealt with this theoretical question. Justice Chandrachud gave recognition to this test, using the phrase ‘legitimate expectation of privacy’, which in a way can be regarded as a passive acceptance of the test as evolved by the U.S. Supreme Court. However, Justice Nariman did not agree with this test in the judgment and rather showed dismay at it: since Indian jurisprudence does not accept the waiver of rights, applying any test of a reasonable expectation of privacy would have serious repercussions on the non-waiver jurisprudence of India.

However, this brings forth a great jurisprudential question for us to ponder: is it possible that, until a substantive enactment is made, the test of a reasonable expectation of privacy could be applied to fill in the intricate gaps within privacy jurisprudence in India?

Ashit Kumar Srivastava is Assistant Professor of Law at National Law University-Jabalpur.
