In 2017, the democratically- elected Modi government stood before the Apex Court and claimed full and complete right over the lives of its citizens. It argued that privacy was an “elitist” concern, that its surveillance powers had no constitutional limits and that Right to Privacy was not a fundamental right guaranteed by the Constitution of India. The court rejected this claim unanimously.
Thrice thereafter, the government attempted to circumvent the Supreme Court’s strict policy with respect to the Right to Privacy. Firstly, through the obligatory, unrestrained and unsubstantiated use of Aadhaar card, secondly, by issue of a tender to build surveillance systems, and recently by mandating the use of ‘Arogya Setu’ mobile application.
This article critically examines the violation of privacy rights by the storage of data and its use for physical and medical purposes of the individual. Specifically, it will examine the DNA Technology (Use and Application) Regulation Bill  and its shortcomings. The analysis will be supplemented by a discussion on provisions and case laws that already exist. The article argues that security of private data and DNA collection for criminal investigations and certain civil reasons are both genuine justifications which need to be reconciled with the Right to Privacy through appropriate policy interventions.
Right To Privacy: Present Legal Framework
On a universal level, Right to Privacy is considered a fundamental human right. It has been recognized by the UN Declaration of Human Rights (UDHR), the International Covenant on Civil and Political Right (ICCPR), and various other international treaties and conventions. The right exists together with other elements of human dignity. Many nations have even recognized Right to Privacy as a constitutional right, including the USA, Ireland and India.
India is still without a comprehensive data protection regime. While the Ministry of Information and Technology introduced the Data Protection Bill before the Lok Sabha in 2019, it has not been passed. Thus, India lacks a comprehensive legal framework on Data Protection that can govern public and private authorities and regulate the rules of privacy and use of sensitive data. The provisions and laws of current laws like the Information Technology Act, 2000 (IT Act)  have limited applicability. The provisions of the IT law are tailored to deal with breaches of privacy by corporate bodies. It does not recognize state intervention and lacks safeguards to protect individuals’ private data.
However, there are certain constitutional provisions which provide for Right to Privacy. The Supreme Court of India has in several instances mulled over the status of the Right to Privacy and whether it is part of the Constitution. Right to Privacy is encompassed under Article 21  of the Indian Constitution, which is the fundamental right to life and personal liberty. The scope of this fundamental right is multi dimensional and expansive.
In M.P. Sharma v. Satish Chandra , an eight judge bench of the Supreme Court unanimously held that the right to privacy is not considered as a fundamental right. This was the first time the Court engaged in the discussion surrounding the right to privacy. This was reiterated by the six judge bench in the case of Kharak Singh v. State of Uttar Pradesh . In his dissenting opinion, Judge Subba Rao held that nothing can be more detrimental to a man than invasion of his privacy.
After about eleven years, in the case of Gobind v. State of Madhya Pradesh , the Supreme Court held that Right to Privacy is implicit under Article 21 of the Indian Constitution. The importance of the right was recognized and it was also held that the right can only be denied when an important countervailing interest is shown to be superior.
In R Rajagopal v. State of Tamil Nadu , right to privacy was recognized as a right implicit under Article 21 of the constitution. The same was upheld in the case of People’s Union for Civil Liberties versus Union of India . However, in Mr X v. Hospital Z , the court observed that the right is not absolute in nature and can be subject to restrictions.
The issue of privacy was reignited when Aadhaar registration was made mandatory when availing social benefits. The issue of whether the right to privacy was a fundamental right or not was referred to a larger bench of nine judges to comprehensively settle the matter.
The status of the right was cemented, when in the case of K.S Puttaswamy v. Union of India  a nine judge bench of the Apex Court held that Right to Privacy was a fundamental right. It was declared that “privacy of the individual is an essential aspect of dignity”. It was also held that the right will not lose its significance amongst the Golden Trinity (Article 14, 19 and 21) of the Indian Constitution.
The Supreme Court held that the right will not be absolute and can only be encroached by procedure established by law that is in a fair, just and reasonable manner. To emphasize on what is implied by legitimate encroachment on privacy, a threefold test was laid down in the same case. First, there must be a governing law in existence to justify the encroachment. Second, the intrusion must be to fulfill a legitimate interest of the state. Third, the extent of interference should be proportionate to the need for such interference. In the concurring opinion by Justice Kaul, he further went on to include a fourth element which is Procedural safeguards in order to prevent state abuse.
The court distinguished between anonymity and privacy. The status of the right in case of a health crisis was also discussed. It was observed that with the aim of facilitating appropriate policy interventions, a valid state interest can be asserted if the state preserves the anonymity of the citizen/individual. The significance and necessity of a data protection law and its absence leading to a void in the application of privacy laws was also realized by the court.
DNA Technology (Use and Application) Regulation Bill, 2018
DNA is a set of instructions contained in a cell inside the human body. Each person has a unique DNA, which means it can be used to accurately locate/identify the person. The technology has applications in several fields, such as Criminal Investigations (It can be used to identify the potential offender with staggering accuracy), identification of unknown dead bodies, etc. To provide some legal backing to the technology in India, the DNA Technology (Use and Application) Regulation Bill was introduced in the Parliament in the year 2018.
The Bill empowers investigatory authorities to collect DNA samples of suspects and victims. Written consent of the individual is very essential while doing so. However, in cases where the individual is arrested for a crime that prescribes punishment of more than 7 years, written consent is not essential.
While the Bill allows for DNA data collection for criminal matters, it also allows the same for certain civil matters. These matters may include legal disputes related to Parentage, Ancestry, IVF (In-Vitro Fertilization) or Medical Negligence. The data thereby collected will be stored in central and regional databases and can also be used in future after the initial purpose has lapsed.
Shortcomings of the Bill
The Indian Parliament is to bring into force a law regulating the use of DNA. Because of the uniqueness of the DNA of every person, this technology can be used to accurately identify a person. For a very long time, this technology has been in use globally to identify suspects and victims in criminal cases. In civil cases, it is used to determine parentage etc. In medicine, DNA is used to identify the susceptibility of a person to a certain disease. It is very important to take the consent of the person who’s DNA sample is being taken and for the same reason many issues have been raised recently in regards to the law being compatible with the fundamental Right to Privacy.
The samples, once collected, are analysed by the DNA laboratory and stored in a DNA data bank. They can be used to know more about a person’s physical and medical history, going beyond the reason for collection, which was only for identification of a person. This loophole in the Bill infringes the Right to Privacy guaranteed to all Indian citizens under the Indian Constitution. In the UK and USA, the DNA collected is specifically only used for identification purposes and not otherwise. Since the DNA Bill does not provide for consent in civil cases, it goes against the Right to Privacy as the data collected can reveal a person’s physical and mental traits against their consent.
Additionally, the law is ambiguous on whether the law intends to regulate DNA tests conducted in medical and diagnostic settings and how such data is to be stored. For instance, if the test is done for a medical reason, it can be used to identify a person as well. The bill needs to undergo exhaustive scrutiny by a cross-section of specialists and wider deliberation before being enacted, since it is dangerous in its present conception.
The DNA Technology (Use and Application) Regulation Bill has certain loopholes and shortcomings which violate the Right to Privacy. The Bill is ambiguous on various issues such as the use of DNA only for limited purposes and whether the law intends to regulate DNA tests conducted in medical and diagnostic settings and how such data shall be stored. This is done in the context of the present position of Right to Privacy in the Indian Constitution under Article 21, which is accepted.
The bill needs to undergo exhaustive scrutiny by a cross-section of specialists and wider deliberation before being enacted. Security of private data and DNA collection for criminal and certain civil reasons are both genuine justifications for use of DNA, but they need to be reconciled through appropriate policy interventions since it can clash with the Right to Privacy.
- DNA Technology (Use and Application) Regulation Bill, 2018.
- Information Technology Act, 2000.
- The Constitution of India, art 21.
- 1954 AIR 300.
- 1963 AIR 1295.
- AIR 1975 SC 1378.
- 1995 AIR 264.
- AIR 1997 SC 568.
- 1998 Supp (1) SCR 723.
- (2017) 10 SCC 1.
BY SAHAJ PREET KAUR | SYMBIOSIS LAW SCHOOL, PUNE