You are here: Home / Internet Governance / Blog / Privacy / When Data Means Privacy, What Traces Are You Leaving Behind?

When Data Means Privacy, What Traces Are You Leaving Behind?

Posted by Noopur Raval at Jul 18, 2011 06:00 AM |
How do you know yourself to be different from others? What defines the daily life that you live and the knowledge you produce in the span of this life? Is all that information yours or are you a mere stakeholder on behalf of the State whose subject you are? What does privacy really mean? In a society that is increasingly relying on information to identify people, collecting and archiving ‘personal’ details of your lives, your name, age, passport details, ration card number, call records etc, how private is your tweet, status update, text message or simply, your restaurant bill?

The CIC (central information commission) that arbitrates decisions on RTI appeals in case of conflict of interest provides interesting notions of what the State thinks is privacy. Ironically, the cornerstones of RTI that is privacy and its invasion are yet to be defined in the context of the judiciary. Then, how does the CIC decide what is private enough and what can be revealed to anyone? Of course, it relies on the discretion of its judges who attempt to draw from a range of sources that include the principles of natural justice drawn from western jurisprudence to quotes by Gandhi and Aristotle to the UK Data Protection Act, 1998 and US Torts that define invasion of privacy. To begin with, let us examine who constitutes the private sphere. As ruled in case of Mr. Ajeet Kumar Khanna vs Punjab & Sind Bank on 29 July, 2008 and Mr. G. Atchaiah vs State Bank of India on 22 August, 2008, the appellant can seek information only for himself/herself. Anyone outside the self, commonly believed as the personal connection, sons, daughters, parents or even spouse is not allowed information of a relative. One needs a distinct power of attorney for right to information. The contradiction is that one does not need to state the purpose for asking information, thereby making unnecessary any connection with the person you want information about.

CIC has been increasingly relying on the UK Data Protection Act, 1998 to make a correlation between data and privacy. Hence, to map privacy and its invasion, the RTI act depends on the UK Data Protection Act that classifies the following as sensitive personal data: 

We have no equivalent of UK's Data Protection Act, 1998, Sec 2 of which, titled Sensitive Personal Data, reads as follows: In this Act "sensitive personal data" means personal data consisting of information as to:

 

  1. The racial or ethnic origin of the data subject
  2. His political opinions
  3. His religious beliefs or other beliefs of a similar nature 
  4. Whether he is a member of a Trade Union
  5. His physical or mental health or condition
  6. His sexual life
  7. The commission or alleged commission by him of any offence
  8. Any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
While this blanket reference to sensitive personal data does not account for nuances in the Indian context, it also does not capture the essence of public-private interaction. It is mostly at the intersection of the public domain and the individual that the demarcation occurs. While personal family photographs lying in my attic may constitute a beautiful memory that can be proudly displayed on my walls, it is when one acknowledges the dual nature of any information source, the potential of these photographs to contribute to larger politicized information narratives, that their access and usage comes to define the real crux of the privacy debate.

The US Restatement of the Law, Second, Torts, defines the Intrusion to Privacy more generally in the following manner: “One, who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.” Of course, we don’t know whether a father paying for bills and wanting access to his daughter’s cell phone records can be seen as highly offensive to a reasonable person in the Indian context. In the context of the recent Padmanabhswamy Templetreasure trove found in Kerala, since under the Ancient Monuments and Archaeological Sites and Remains Act 1958, such sites qualify as sites of ‘national importance’ and imply a certain larger public interest, would one be able to access such 'nationally personal data' pertaining to a temple (public space) owned by a family trust registered with the government (publicly private), containing a national treasure lying locked on geographical territory (public) that is rightly shared by all citizens? 
 
Here’s how the CIC defined the personal and the extent of personal in the context of state as illustrated in Mr. Kanhiya Lal vs MCD, GNCT, Delhi on 13 June, 2011.To qualify for this exemption the information must satisfy the following criteria:

It must be personal information
Words in a law should normally be given the meanings given in common language. In common language we would ascribe the adjective 'personal' to an attribute which applies to an individual and not to an institution or a corporate. From this it flows that 'personal' cannot be related to Institutions, organizations or corporate. (Hence, we could state that section 8 (1) (j) cannot be applied when the information concerns institutions, organizations or corporate). The phrase 'disclosure of which has no relationship to any public activity or interest' means that the information must have some relationship to a public activity. Various public authorities in performing their functions routinely ask for 'personal' information from Citizens, and this is clearly a public activity. When a person applies for a job, or gives information about himself to a public authority as an employee, or asks for a permission, licence or authorisation, all these are public activities. The information sought in this case by the appellant has certainly been obtained in the pursuit of a public activity. We can also look at this from another aspect. The State has no right to invade the privacy of an individual. There are some extraordinary situations where the State may be allowed to invade on the privacy of a Citizen. In those circumstances special provisos of the law apply, always with certain safeguards. Therefore it can be argued that where the State routinely obtains information from Citizens, this information is in relationship to a public activity and will not be an intrusion on privacy.

In that case, does data at several layers demand for us to relook privacy from the subject positions we acquire at different levels and hence, the larger private collectives that we partake of?