Privacy, Surveillance & Monitoring, with glance of Digital Personal Data Protection Act 2023.
[By: Sandeep Arya]
Data is new Oil and Analytics is combustion engine, of 21st Century, Current are times where every aspect of Human Life is generating data, every moment Society is evolving on the basis of data, data collection, data processing, data handling, data managing, and Analytics, interpretation and processing of data/personal data/digital personal data.
Human behavior can be predicted, maneuvered, effected and altered to the level of accuracy with help of proper data and right tool of analytics and resultant advice thereto. Consequent is the birth of new breed of professionals called ‘data scientist’ emerged in last decade, more prominently.
With the commencement of era and embarking of IT (Information Technology) in its late 90s and revolution of it in late 2000s, several aspect of Human Behavior and day- to -day life, be it E-commerce, Internet, Web based services and Electronic related Business processes taking shift from conventional Paper- based processes business practices.
The current Policies of Union Government with the vision to Digitally Develop the Nation as whole with last mile OFC connectivity as the instrument for transition into a developed nation and an empowered society has made Government to make law which is at par and in line with International bench marks, be it Privacy law of U.S.A or European union laws related to Privacy and GDPR.
At the same time Technology brings in many challenges especially when it has to work with Human intelligence and interplay of individual rights and technological tool used in completion of one transaction and process.
Surveillance & Monitoring
It is imperative to discuss on current changing scenario evolving the new laws related to Personal Data Protection, Individual Privacy and Surveillance exercised by the State over Individual/s
Few expression and definitions are relevant for appreciating the purpose and clear intent of the law/s in this context;
Surveillance as per Cornell law School definition could be defined as: The continuous or prolonged observation of a targeted individual, group, or organization by clandestine means to gather information relative to an open criminal investigation.
Or in general terms Surveillance means close observation of a person or group especially the one who are under suspicion or the act or observing or the condition of being observed .
Therefore Surveillance pre-supposes elements which involve Individual, an act, human movement, Image, perspective profiling, facts, and overall day-to day activities and engagement.
Which as per law of the day in India, fall under the definition of ‘Data’ and ‘Personal Data’.
The IT Act defines Data under section 2 sub Section (o)
“Data” means as representation of information, knowledge, facts concepts or instructions which are being prepared or have been prepared in a formalised manner and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;
Section 2 sub section (h) of The Digital Personal Data Protection Act 2023 defined data as;
“Data” means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.
Primarily, its subjects can be divided in two broad persons;
A. Individual/Human Beings also referred in law as ‘Data Subject’ in EU Laws or Data Principal under Indian Law.
B. Legal Entities.( are kept out of preview of DPDP Act 2023)
The Data Principal or Data Subject are Individuals who are at the centre of all Data and Privacy laws be it GDPR (EU Law) or DPDP ACT, 2023 (Indian Law).
Data/Information can be further categorised in following heads as shown in table below:
Information about an individual’s personal history
Knowledge & belief*
Information about what a person knows or believes
Information that uniquely or semi- uniquely indentifies a specific individual
Information that identifies an Individual’s financial account
Information about an individual’s educational or professional career
SOME BROAD CATEGORIES OF PERSONAL INFORMATION
Right to Privacy- Considered in European laws as right to respect for Private or Personal life – which emerged in International Human Rights Law in the Universal Declaration of Human Rights adopted in 1948 as one of the Fundamental Protected Human Rights.
ECHR (European Convention of Human Rights)-provide that Every individual Minor or Major has the right to respect for his or her private and family life, Home and Communications & Correspondences.
Interference with this right by a public authority or State is prohibited, except where the interference is in accordance with the law and procedure established by law.
Right to respect for private life and the right to personal data protection although are closely related, are distinct rights.
Balancing the individual rights of ‘Privacy’ and ‘Protection of Personal data’ which are inherent in article 21 of the Constitution which were re-confirmed by several Judgments of Apex Court including in judgment of Justice K.S Puttaswamay (Retd.) in August 2017 holding that
“The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution”.
Law that contains the provision related to surveillance and Monitoring are primarily found in Section 5 of the Indian Telegraph Act 1885, and Information Technology Act 2000.
Section 5 of the Indian Telegraph Act, provide for the Power for Government to take possession of licensed telegraphs and to order interception of messages. Sub section 1 and sub section 2 of section of Section 5 details on the situation, circumstances and procedure where and when such power can be exercised by the Government/s or by Authorised officer.
Section 69 of the IT Act provides for relevant law on the point which is;
Sec. 69. Power to issue directions for interception or monitoring or decryption of any information through any computer resource.”
However said laws prescribes and focus on conventional model and mode of surveillance viz. interception of telecommunication and other mode of communications.
Then, Section 72 provides for Penalty for Breach of Confidentiality and Privacy.
Section 43-A provides for Compensation for failure to protect data.
Detailed mechanism for handing the Sensitive Personal Data (SPD) and ancillary rules and law are enacted currently under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rule 2011.
Whereas relevant provision and rule and processes for Surveillance, Monitoring and interception find their place in The Information Technology (Procedure and Safeguards for interception, Monitoring and Decryption of Information) Rules 2009. (Section 43-A Stands Omitted by the DPDP Act 2023)
With regard to Monitoring, Collecting of Traffic Data is governed by The Information Technology (Procedure and Safeguards for interception, Monitoring and Collecting Traffic data or Information) Rules 2009.
With advancement of technology and availability of several new tools Surveillance and Monitoring, could also be done through Personal Data, and Digital Personal Data, process, analytics and image etc., which impliedly concedes to Data Privacy and violation or un-authorised use of such data wold be terms as Data breach and breach of applicable law/s.
For Instance large surface and common areas in Cities like New Delhi and Mumbai, Bengaluru Hyderabad, Chennai etc. public places, Streets, Roads, and Airports, Railway boarding platforms, / Metro Rail, Places of recreations and amusements are fairly covered under CCTV surveillance, even in small urban cities Banks, ATM booths , Shopping Mall and Shops, are under CCTV Surveillance/ Covered, where either Private party or Government Agencies have access CCTV systems, to all Camera and monitoring Surveillance systems, Government Agencies have authority to have access of data recorded through such CCTV systems under the law, from even private parties and they are obligated to provide access to Government Authorities.
Similarly several communications devices provide for live location tools which can help the tracking of any individual in fact in many cases such devices contains several Sensitive data of person including, Medical, Finance, and Personal data.
Therefore, Data Privacy ,Protection and surveillance are interlinked in case of any breach could lead to putting the Data Principal’s/ Subject’s in great difficulty, unless it is sanctioned by law or categorically consented by the Data Principal as per law, consent here has defined and definite mean under the law, which has been prescribed under the DPDP Act 2023, there is proper procedure of obtaining the consent and even for the withdrawal of consent, in Data Protection laws, terms like ‘implied consent’ or ‘consent by non-objection’ has not relevancy.
Hence in all such cases where data is collected under some surveillance tool, the Data Protection Impact Assessment (DPIA) or Privacy Impact Assessment (PIA) be carried out by the Data Fiduciary /Controller and Processor. Unless otherwise provided by the law.
In present DPDP Act 2023, Government/s both and local and Union level are exempted from this law, certain exemptions are provide under section 16 and 17 of the PDPA Act 2023. Therefore certain Authorities who are obligated to maintain Public order and Intelligence agencies shall remain outside the preview of DPDP Act 2023, and will continue to function for specified objectives under their special laws related to such monitoring and surveillance.
The DPDP Act 2023 shall apply to all equally except to the Data Fiduciaries/ Persons which have been exempted. To put it reverse order it applies to all barring specifically exempted bodies, which shall be clarified one Rule framed and Notified under the DPDP Act 2023.
Therefore everyone who touches the benchmark of data collection/processing will have to comply Individual or Body Corporate.
Section 43-A of Information Technology 2000 Act (as amended) provides for compensation for failure to protect personal data and mentions sensitive personal Data;
43-A. Compensation for failure to protect data.–Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
It has become more imperative for an Individual to Store and keep their Digital Data very carefully and exercise due caution and care while using office and outside Computer System or similar Devices provided by third parties. At the same time it is very important of Companies and Organizations to educate their workforce and employees about type and extent of ‘personal data’ should employee store in their Office Device and Computers etc. or to have clear policy and implement it under the Law which could be either Privacy by Design or Privacy by Default. The access of Computer rights available with Companies with Computer Systems of the Employees and personal digital data handling. There could be cases in times to come where data is breached from the end of third Party and Companies are made answerable for the same by their employees, in absence of proper Mechanism of Data handling, processing and controlling.
Personal Data of Individual is governed by current laws which are IT Act 2000 (as amended) and other subordinate Rules and Sub-Regulations of IT Act and Digital Personal Data Protection Act 2023. Surveillance and Monitoring are done and sanctioned under the law as applicable and available to the Government/Agencies under the Indian Telegraph Act 1885(as amended) and IT Act 2000(as amended) and other local acts and Regulations. In order to draw a case of Un-authorised surveillance/Monitoring and consequent data breach both law will come into play, against the person who violates it. The organization who collects the data and fall under the DPDP Act 2023 will have to be compliant with it.
The Organization which do not come under the DPDP ACT said law will have to be compliant with requirement of IT Act and to keep themselves safe from such falls of ‘data breach’, should develop and adopt the Mechanism as advised under the GDPR and DPDP Act 2023. The process and procedure with regard to the implementation and functioning of Indian Data Protection Board in details shall be clarified once the Board is formed and Rule are Notified by the Government of India on DPDP Act 2023, as per media reports rule and Board formation is likely to be notified in few month’s time.
Final Remark: Its very old maxim in law which says, 'ignorantia juris non-excusat, meaning thereby ‘Ignorance of law is no excuse in, Therefore weather you fall under the preview of DPDP Act / GDPR or not but you cannot be ignorant and un-aware about DPDP Act 2023 and its implications.
1. Information Technology Act. 2002.
2. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rule 2011.
3. The Information Technology (Procedure and Safeguards for interception, Monitoring and Decryption of Information) Rules 2009.
4. The Indian Telegraph Act 1885.
5. Digital Personal Data Protection Act 2023.
6. European Union GDPR Law.
7. Cornell Law Dictionary.
8. Judgement in Justice K S Puttaswamy (retd.), & Anr. Writ petition (civil) no 494 of 2012.