‘Not enforceable against private data collecting, tech firms’
After the Supreme Court’s judgment on right to privacy as a fundamental right, one question is repeatedly being asked as to what data collecting and tech companies have to do differently, after the order. First and foremost, companies need to be cognizant of the historical and landmark importance of the said judgment. The judgment has laid down foundational principles impacting privacy, both personal and data, and those principles must be followed in letter and spirit as part of good corporate governance best practices, by all data collecting and tech companies.
Following best practices on protection and preservation of users' privacy will immensely increase the stature of the said data collecting and tech companies in the eyes of their users, in particular, and ecosystem stakeholders, in general.
However, it needs to be understood that there is no specific mandate to do so. This is so because the fundamental right to privacy is only enforceable against state action under Part III of the Constitution of India. The net effect of the SC judgment is that any state action which is in violation of an individual or person’s right to privacy can be challenged in the writ jurisdiction. The challenge can be preferred either before the SC under Article 32 or before the high court under Article 226 of the Constitution of India. The net takeaway of this judgment is that in case the digital privacy of a person is impacted by state action, the same can always be challenged in a court of law. However, the said fundamental right is not enforceable against data collecting and tech companies, as they are not a state within the meaning of Article 12 of the Constitution.
Unfortunately, India does not have a dedicated law on privacy. As such, intermediaries such as data collecting and tech companies must comply with provisions of the Information Technology Act, 2000, and also rules and regulation made thereunder. These companies must have documented duediligence in place to ensure compliance with the law and also to ensure avoiding exposure to legal liability for third-party data or information made available on their platforms.
However, till such time the government does not come up with new guidelines for protecting privacy for service providers under the Information Technology Act, 2000, or through an effective law on privacy, there will be no additional requirements that will need to be complied with. But, it is good prudent corporate practice for companies to be always seen on the right side of the law and proactively doing things for protecting the privacy of their users.