Right to Privacy: Here's how it will impact sectors like job search portals, banking, matrimonial sites and more

One of the key questions being raised after the right to privacy verdict is on the extent of its impact on the privacy practices of private companies. A previous article assessed the extent to which a fundamental right to privacy can be enforced directly in Court against a private person. This article looks at certain sectors — social media, job search portals, matrimonial sites, banking and insurance sectors, to assess the impact of this verdict on their privacy practices.

Fundamental rights (FRs) vis-à-vis the state and private persons

Before looking at the individual sectors, it must be understood that generally, fundamental rights are enforceable only against the State. In the case of private companies, fundamental rights are enforceable, but to a limited extent.

First, alternate remedies will have to be looked at. These may be found in other laws, in contracts between the parties and so on. An important effect of the right to privacy verdict is the SC’s direction to the government to ‘place a robust regime for data protection’. Such a data protection law , will provide people with direct solution against private parties for privacy violations.

Only when other remedies are absent or inadequate, will the Courts consider a writ petition (filed for enforcement of fundamental rights) against a private person. To summarise the position:

Private bodies performing public functions: FRs can be enforced against certain private persons only, such as a private company performing a public function.

Matter of public interest: If in the WhatsApp Facebook  case, the SC issues general privacy guidelines, similar to the Vishakha guidelines , then these will apply to all private companies. This approach will show that when there is a matter of public interest involving violation of fundamental rights, any private company can be sued.

Outcome of WhatsApp Facebook case: Any action of the SC against WhatsApp, in this case, will indicate what action may be taken against a private person for violating FRs.

Now, let’s consider certain specific private companies:

Communication services Existing privacy laws under the Information Technology Act and the IT Reasonable Security Practices Rules do not apply to all the SMSes, contact lists, and other data in the possession of communication services like WhatsApp. They only cover ‘sensitive personal data’, a limited category of data like biometric data, financial data, sexual orientation, and so on.

In the absence of an alternative remedy, the WhatsApp Facebook case before the SC will determine if communication services like WhatsApp are a ‘private company performing a public function’. This verdict will impact all similar services like Hike, Telegram, Skype and so on, and any directions passed will be applicable to them as well. This gives hope for immediate relief from any violative privacy practices, without having to wait for the data protection law to be framed.

Job Portals Recent reports allege that Monster.com sold user data to third parties . An enquiry has been ordered into this by a court, stating that such information cannot be shared without ‘informed consent’. Though people expect data on such portals to be shared only with prospective employers, there is nothing to prevent the sharing with anyone.

The data in the possession of such job portals, such as professional qualifications and experience, are not protected under the IT Rules, leaving it to be decided by the Terms and Conditions of the website. Section 72A of the IT Act is unlikely to provide protection against such practices if the T&Cs of the company permit it, as is often the case. A data protection law, again, can force a change in such practices.

Matrimonial websites Matrimonial websites can lead to a host of privacy violations, including sale of data, identity theft using that data, and so on. There was a report was of matrimonial websites specialising in divorcees, acquiring information illegally of new divorcees from matrimonial courts.

Such illegal acquisition of data and leakage of data can be addressed by a data protection law, since no data can be taken without the person’s consent. At this point, it isn’t clear what the provisions of the data protection act will be. Hong Kong’s privacy laws, for example, have strict laws against direct marketing, with penalties of HK$500,000. Such provisions can prevent such violations.

Insurance sector The insurance sector is highly regulated. Persons employed in this field are required to disclose a huge amount of data, which is essential to maintain the trust and integrity needed in this highly sensitive field. However, provisions for protecting against privacy violations are missing .

A data protection law can remedy such lacunae in insurance laws. In addition, the fundamental right to privacy may be enforceable directly against certain insurance companies such as LIC, which is established by statute, making it a statutory corporation, and thus a state authority.

Banking sector The situation in the banking sector is similar to the insurance sector. Some banks like the State Bank of India are, like LIC, also established by statute. Some banking laws, however, provide people with the option of approaching either the banking ombudsman or the RBI for privacy violations.

For example, under the Credit Information Companies Regulations, 2006, an individual has the right to approach the RBI for a privacy violation by a Credit information company. Case law has also established that banks have a duty of secrecy towards their customers established under contract. In addition, the IT Act will also apply for disclosure of financial data.

If all such remedies are inadequate, then the data protection law, and finally the direct enforcement of the fundamental right to privacy can be turned to.

M-wallets In the case of privacy violations by m-wallets, there are certain remedies — the IT Act for disclosure of sensitive data including financial data, and for disclosures in breach of contract, the RBI allows recourse to the banking ombudsman for redressal of grievances under the Circular on Pre-paid Payment Instruments , and the Draft Meity Rules for PPIs require a Grievance Officer to resolve customer grievances. When these remedies are inadequate, the data protection law can be turned to.

Internet Service Providers and Telecom Service Providers This piece by Shourya Bari argues extensively that internet service providers are private bodies performing a public function, taking into consideration (among other things) their ability to regulate people’s fundamental right to speech, in terms of censorship. A similar argument can be made for TSPs. Based on this, it can be argued that a privacy violation by an ISP or a TSP can be addressed through suing for enforcement of a fundamental right to privacy.

Take it or leave it approach may no longer work While the data protection act, when enacted, will finally define the extent of protection available, private entities can be expected to no longer be able to take the take-it-or-leave-it approach to their services. The Supreme Court in its right to privacy verdict, in particular, Justice SK Kaul’s verdict, has laid huge emphasis on the importance of informational privacy in the digital change.

Soon, a change should be seen in the privacy practices of private companies, with privacy practices tailored to the expected law and the fundamental right to privacy.