Justice BN Srikrishna discusses Data Privacy at DM Harish School of Law

Former Supreme Court Judge, Justice Srikrishna delivered a guest lecture on the right to privacy as part of the Master Guest Lecture Series 2023-24 at DM Harish School of Law.
Justice BN Srikrishna at DM Harish School of Law
Justice BN Srikrishna at DM Harish School of Law

Retired Supreme Court judge, Justice BN Srikrishna recently delivered a guest lecture on The Right to Privacy Under Law as a part of the Master Guest Lecture Series 2023-24 at DM Harish School of Law, which functions under the aegis of HSNC University, Mumbai.

Justice Srikrishna's lecture, which was the second lecture in the lecture series, focused on privacy concerns and data protection. He spoke of the importance of safeguarding personal information in an era where data is easily accessible and also cited real-life examples to underline the risks and consequences of data breaches.

Anil Harish, Partner, DM Harish & Co, Trustee and President of the HSNC Board, Trustee of the DM Harish Foundation and eminent visiting faculty at DMHSL' Senior Advocate Haresh Jagtiani, who is also a Trustee of the DM Harish Foundation; and Shobha Jagtiani, Partner, DM Harish & Co and Trustee of the DM Harish Foundation also attended the lecture.

Justice Srikrishna addressing the students
Justice Srikrishna addressing the students

In 2006, when British mathematician and data science entrepreneur Clive Humby coined the phrase ‘data is the new oil’, he meant to say that data, like oil, is not useful in its raw state. It needs to be refined, processed and turned into something useful. Its value lies in its potential. Humby would have never imagined the current all-pervasive impact of his quote.

Years later, in 2019, business tycoon Mukesh Ambani used the same quote while making a strong pitch for the protection of the data of Indian users amidst a raging debate in the country over whether the data of Indians is safe with foreign companies.

Unlike oil, data is something that can be used and reused. For youngsters, data sharing is a reality today - but so is data control. People are waking up and want control over how their data is used - real, ongoing control over a transparent exchange of value, rather than superficial one-time “consent” used as a fig leaf for extractive data policies. Hence data protection is a hot topic today.

Justice Srikrishna began his lecture by sharing about the concept of privacy in ancient India.

In India, we had this concept of privacy much before the EU’s General Data Protection Regulation (GDPR) idea ever took shape - way back in the 1st century, he said.

He then shared about Pandit Vishnu Sharma, a wise scholar who wrote the Panchatantra and his advice to the princes on the nine things to be always kept private - age, financial position, domestic quarrels, mantra given by one's guru, medical history, sexual affairs, charity, accolades and criticism which one gets in life. He cited several cases on how there have been conflicting judgements on both sides.

One interesting case he cited was a ruling of the Madras High Court, where a man sued his doctor for revealing that he had AIDS to his potential bride’s family, as a result of which his upcoming marriage was cancelled. The High Court rejected his claim that his right to confidentiality had been violated and ruled against his claim for damages.

Further, Justice Srikrishna discussed about the connection between ethics and data, showcasing examples related to privacy and data protection. He  traced the development of data protection laws and reiterated the need for enacting a strong law for the protection of the rights of individuals vis-à-vis their personal sensitive data and its usage.

The need for protection of personal data first arose post the Supreme Court verdict in the case of Justice KS Puttaswamy Vs Union of India wherein it was held that the right to privacy is a fundamental right as per the Constitution of India.

Based on this judgement, in 2017, the Ministry of Electronics and Information Technology (MeitY) established a Committee under the leadership of Justice Srikrishna, termed as the Srikrishna Committee. This Committee was responsible for drafting the bill for the protection of digital personal data.

Finally, after various discussions and sessions within the Committee, in August 2023, the bill was passed in both the houses and on 11 August 2023 the Digital Personal Data Protection (DPDP) Bill, 2023 was granted assent by the President of India. 

During his speech, Justice Srikrishna touched on many themes such as the recognition of privacy as a right by Indian courts, conflicting decisions as to the availability of such right, the establishment of UIDAI and development of Aadhaar card as a unique identity card, challenge to unique identity number/ account as an invasion to the right to privacy, the judgement of the Supreme Court in Puttuswamy’s case upholding of right of privacy as a fundamental right, setting up of the Committee to formulate the principles of law with regard to right of privacy, the report of the Committee and the Draft Bill submitted by the Committee in 2018, the report in 2018 envisaged data privacy, data principles, protection of data as a fundamental right, obligations of both Data Principal and Data Fiduciary, Data Protection Authority, violation of Data Protection Act and privacy, impact of the PDP Act on the Right to Information Act (RTI Act) and other laws, the Draft Bill was sent to the Joint Parliamentary Committee (JPC) for consideration, how the JPC suggested 89 amendments and after three years the Bill itself was withdrawn and how, later, the Bill of 2022 formulated and placed in Parliament, the DPDP Act of 2023 and comments on the PDP Act, 2023.

He also focused on the question of the dividing line is between the two fundamental rights, namely the freedom of speech and the right to privacy.

The DPDP Bill also outlines practices for entities that collect personal data, how that data should be stored and processed to ensure there is no breach, as well as rights of the persons whose data is being used.

Justice Srikrishna explained the salient features of the Bill. He noted that it would apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised.  Personal data may be processed only for a lawful purpose upon consent of an individual. 

Justice Srikrishna then stressed on ‘informed consent.' For consent to be informed and specific, the person must at least be notified about the controller’s identity, what kind of data will be processed, how it will be used and the purpose of the processing operations as a safeguard against ‘function creep' (when information is used for a purpose that is not the original specified purpose).

The data subject must also be informed about his or her right to withdraw consent any time. The withdrawal must be as easy as giving consent, it was observed.

Consent must be unambiguous, which means it requires either a statement or a clear affirmative act. Consent cannot be implied and must always be given through an opt-in, a declaration or an active motion. Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure and delete the data once its purpose has been met.

Justice Srikrishna also illustrated his points with practical examples, emphasising data privacy concerns in the age of Artificial Intelligence (AI).

The lecture was followed by a Q&A round and many students asked their questions and engaged in healthy discussions on the positives and negatives of the privacy laws.

If you would like your Deals, Columns, Press Releases to be published on Bar & Bench, please fill in the form available here.

Bar and Bench - Indian Legal news