Background

On 24 August 2017, in a nine-judge bench decision, the Indian Supreme Court located a fundamental right to privacy within the Indian Constitutional jurisprudence. Previously, the right to privacy has had a dubious existence in India’s judicial history, and it has been suggested that privacy is inherently a Western concept. However, essays by Ashna Ashesh, Vidushi Marda, and Bhairav Acharya — cited in the Puttaswamy judgment — dispelled this notion, by attempting to locate the constructs of privacy in Classical Hindu [link], and Islamic Laws [link]; and Acharya’s article in the Economic and Political Weekly, which highlighted the need for privacy jurisprudence to reflect theoretical clarity, and be sensitive to unique Indian contexts [link].

Through the six opinions in the Puttaswamy judgment, the Supreme Court discussed various aspects of the right to privacy, reading into it the constitutional values of dignity and liberty. In Amber Sinha’s three-part essay, he dissected these components of the right, discussing the sources, structure and scope of the right in detail. [link] Further, a visual guide prepared by Amber Sinha, and Pooja Saxena provides a rich story of privacy in independent India, as well as a visualisation of the various types of privacy the court located within the broader constitutional right. [link]

Privacy, Public Places and Surveillance 

“Privacy attaches to the person and not to the place where it is associated.” - Justice Chandrachud, Puttaswamy

The right to privacy initially focused on protecting “private” spaces. These included spaces such as the home, from state interference. This drew from the belief that “a person’s home is their castle”. However, this idea of privacy is not limited simply to a person’s home. Privacy rests in ‘person’ and not in ‘places’. Therefore, even outside one’s home, other spaces could also acquire the character of private spaces, and even public spaces can afford a degree of privacy.

In a paper for the Centre for Development Informatics, Aayush Rathi and Ambika Tandon discussed the wholesale implementation of CCTVs in New Delhi. They deconstructed the narrative that equates greater surveillance with greater safety, more so in the case of women’s safety. Borrowing from feminist approaches to surveillance and privacy, they focussed on lived experiencess of surveillance with a focus on women living in informal settlements in New Delhi to argue that the ‘gaze of CCTV’ is intersectionally mediated and cast upon those already marginalized. [link]

Similarly, in a three part blog series for AI Policy Exchange, Arindrajit Basu and Siddharth Sonkar explain Automated Facial Recognition Systems (AFRS) while defining key privacy related legal and policy questions underpinning the adoption of AFRS. They go on to answer these questions by interrogating the existing data privacy laws in light of the mosaic theory of privacy, noting the dangers of ‘data-veillance’ and the need to recognize necessary safeguards. [link]

Biometrics 

“The integrity of the body and the sanctity of the mind can exist on the foundation that each individual possesses an inalienable ability and right to preserve a private space in which the human personality can develop.” - Justice Chandrachud, Puttaswamy

Biometrics was central to the Puttaswamy judgment, as it was the collection of biometric data by the government to build the Aadhaar system that triggered this case, and the urgent need to commit the State to guarding residents’ fundamental right to privacy.

Privacy of information

“Informational privacy is a facet of the right to privacy.” - Justice Chandrachud, Puttaswamy

In the age of Big Data, the collection and analysis of personal data has tremendous economic value. However, these economic interests should not be pursued at the expense of personal privacy. Similarly, modern technology provides excessive opportunities for governments to monitor and survey the lives of citizens. Informed consent and meaningful choice while sharing information is central to the idea of informational privacy. 

Based on publicly available submissions, press statements, and other media reports, Arindrajit Basu and Amber Sinha track the political evolution of the data protection ecosystem in India, in EPW Engage. They discuss how this has, and will continue to impact legislative and policy developments. [link]

Pandemic and privacy

Given the outbreak of the Covid-19 pandemic, and the eager techno-solutionism displayed by the government in adopting invasive and potentially unconstitutional technologies during these times, the principles elucidated in Puttaswamy are now more important than ever in upholding our rights. As Lord Atkin had stated in his famous dissent in the case of Liversidge v Anderson: “amid the clash of arms, the laws are not silent,” it is important to ensure that any potential solutions to the problems created by the pandemic are circumscribed by the constitution. 

In an essay for the Economic & Political Weekly (EPW), Amber Sinha, Pallavi Bedi and Aman Nair interrogate the techno-solutionist response underpinning the shifts towards the digital in the governance agenda of the Indian State in the last two decades. They focus on the government's vaccination efforts during the pandemic to ground their arguments highlighting the issues of accessibility and privacy. [link]

Writing for the Deccan Herald, Aman Nair and Pallavi Bedi note how pandemic technology infringes upon data privacy, resulting in surveillance and exclusion. They suggest that the trade-off between privacy and pandemic technologies is unjustified given India’s digital divide that makes digital-driven approaches inefficient. [link]

The practical implications of such techno-solutionism can be troubling. In this blog-post, for instance, Pallavi Bedi writes about the privacy concerns haunting the Co-Win platform noting the lack of privacy policies governing the app, lack of clarity vis-a-vis data sharing between different apps such as Co-Win and Aarogya Setu and how it would violate user consent if it is used to develop digital health IDS. [link] In another blog post, Divyank Katira compares the benefits of Digital Vaccine Certificates with regular paper-based ones while focussing on the privacy implications of their use with recommendations on how to make the technology more privacy-respecting. [link]

Moving beyond the concerns raised by the adoption of digital measures by the government, Vipul Kharbanda examines other measures, such as releasing the names of COVID positive patients, putting up notices/posters or barricades around the houses of patients. He analyzes these measures against the existing privacy jurisprudence, including that laid down by the Puttaswamy judgment [link], [link].

The Consumer Protection (E-commerce) Rules, 2020 were first introduced in an attempt to ensure that consumers were granted adequate protections and to prevent the adoption of unfair trade practices by E-commerce entities. The amendments have proposed several rules which will protect the consumer with a restriction on misleading advertisements and appointment of grievance officers based in India. However, while on this path, the proposed rules have created hurdles in the operations of e-commerce, reducing the ease of business and increasing the costs of operations especially for smaller players; which could eventually pass on to the consumers.

In our submission to the Ministry of Consumer Affairs, we focussed our analysis on eight points: Definitions and Registration, Compliance, Data Protection and Surveillance, Flash Sales, Unfair Trade Practices, Jurisdictional Issues with Competition Law, Compliance with International Trade Law and Liabilities of Marketplace E-commerce Entities. 

A snapshot of our recommendations and analysis is listed out below. To read our full submission, please click here.

Definitions and Registrations

The registration of entities with the DPIIT must be made as smooth as possible especially considering the wide definition of E-commerce entities in the rules, which may include smaller businesses as well. In particular, we suggested doing away with physical office visits. 

Compliance

As a general observation, compliance obligations should be differentiated based on the size of the entity and the volume of transactions rather than adopting a ‘one size fits all’ approach which may harm smaller businesses, especially those that are just starting up. Before these rules come into force, further consultations with small and medium-sized business enterprises would be vital in ensuring that the regulation is in line with their needs and does not hamper their growth. Excessive compliance requirements may end up playing into the hands of the largest players as they would have larger financial coffers and institutional mechanisms to comply with these obligations.

There is some confusion in the law as to whether the Chief Compliance officer mentioned in the amended rules is the same as the “nodal person of contact or an alternate senior designated functionary who is resident of India” under Rule 5(1).

The safe harbour should therefore refer to due diligence by the CCO and not the e-commerce entity itself. The requirement for the compliance officer to be an Indian citizen who is a resident and a senior officer or managerial employee may place an undue burden on small E-commerce players not located in India. 

Data Protection and Surveillance

In the absence of a Personal Data protection bill these rules do not adequately protect consumers’ personal data and reduce the powers given to the Central Government to access data or conduct surveillance

Flash Sales 

Conventional flash sales should be defined. Clear distinction must be made between conventional flash sales and fraudulent flash sales. The definition should not be limited to interception of business “using technological means”, which limits the scope of the fraudulent flash sales. Further parameters must be provided for when a flash sale will be considered a fraudulent flash sale. 

Unfair Trade Practices 

The rules place restrictions on marketplace E-commerce entities from selling their own goods or services or from listing related enterprises as sellers on their platforms. No such restriction applies to brick and mortar stores, and this blanket ban must be rethought. 

 Jurisdictional Issues with Competition Law 

This rule brings the issue of ‘abuse of dominant power’ under the fora of the Consumer Protection Authority or the Consumer Disputes Redressal Commissions.  Overlapping jurisdiction of this nature could introduce regulatory delays into the dispute resolution process and  can be a source of tension for the parties and regulatory authorities. The intention behind importing a competition law concept such as “abuse of dominant position” in the consumer protection regulations may be understandable, such a step might be effective in jurisdictions which have a common regulatory authority for both competition law as well as consumer protection issues, such as Australia, Finland, Ireland, Netherlands. However, in a country such as India which has completely separate regulatory mechanisms for competition and consumer law issues, such a provision may lead to logistical difficulties.

Compliance with International Trade Law 

A robust framework on ranking with transparent disclosure of parameters for the same would also go a long way towards addressing concerns with discrimination and national treatment under WTO law. Further, the obligation to provide domestic alternatives should be clarified and amended to ensure that it does not cause uncertainty and open India up to a national treatment challenge  at the WTO.

Liabilities of Marketplace E-commerce Entities

Fallback liability is an essential component of consumers’ protection in the E-commerce space. However, as currently envisioned there is a lack of clarity surrounding the extent to which fallback liability is applicable on E-commerce entities as well as exemptions to this liability. We have recommended alternate approaches adopted in other jurisdictions, which include

1. Liability through negligence

2. Liability as an exemption to safe harbour