Latest news with #Puttaswamy
Hindustan Times
18 hours ago
- Business
- Hindustan Times
Right to privacy not absolute: HC backsnight ban on gaming
The Madras high court on Tuesday upheld the constitutional validity of Tamil Nadu's online gaming regulations, which include Aadhaar-based verification, a midnight-to-5am gaming ban, and prohibition of minors from participating, dismissing petitions by gaming companies and ruling that the right to privacy is not absolute when weighed against public health concerns. A division bench of justices SM Subramaniam and K Rajasekar said the Tamil Nadu Online Gaming Authority (Real Money Games) Regulations, 2025, were reasonable restrictions aimed at curbing gaming addiction. The ruling reinforces state authority to regulate online gaming and could set a precedent for other states grappling with potential addiction and negative social consequences associated with real money games. The court held that the state was well within its legislative competence to enact the law in the interest of public health, public order, and regulation of trade and commerce. 'More often than not, the first right that is pleaded for in cases such as this is the right to privacy as upheld by the Supreme Court in Puttaswamy case (2017). But it must be essentially understood that the Puttaswamy case did not affirm the right to privacy as an absolute right,' the bench said. It added: 'The character of the right was transformed into a fundamental right thereby immediately bringing within its fold the reasonable restrictions that are available to all other fundamental rights. So the right to privacy carries with it, its own limitations and cannot be claimed in absolute. When put on a scale, a compelling public interest outweighs the right to privacy.' Gaming platforms including Play Games 24x7, Head Digital Works, and Junglee Games India had opposed the mandatory Aadhar verification raising concerns about privacy and questioning if the State's verification methods were compliant with adequate standards of privacy and security. They also contended online skill games were already governed under central law and that Tamil Nadu's regulations amounted to indirect prohibition of legitimate activity. Senior counsels Mukul Rohatgi and Sajjan Poovayya, representing the petitioners, contended that the state law conflicted with the Information Technology Act and intruded into the Centre's domain. The Union government through the Additional Solicitor General ARL Sundaresan, had argued that the central Information Technology Act, 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 already governed online gaming. It said that the central framework provides for a self sufficient regulation for the online real money games including the standards of due diligence, grievance redressal mechanisms, and age-appropriate access, etc, all of which were intended to provide a harmonised national framework for online real money games of skill. The court rejected these submissions, invoking the doctrine of pith and substance to conclude that the legislation's core objective was 'public health,' placing it within the state's domain. 'In true essence, the Online Real Money Games is a trade activity, which if left unregulated has immediate implications on the health of the public. So, the fundamental purpose of this piece of legislation is to protect public health and regulate trade within the State, which squarely falls within the legislative competence of the State,' the judgment stated. Citing expert committee findings, the court noted at least 47 suicides between 2019 and 2024 linked to online real money gaming addiction. The court observed that night hours saw higher addiction levels, with research showing increased dopamine levels and diminished self-control during that time, justifying the midnight-to-dawn ban. On Aadhaar-based verification, the bench noted such verification was a robust two-step authentication process aimed at confirming age and identity to prevent misuse. 'The scope for manipulation is comparatively lesser,' the court held. The bench said that while real money games like rummy and poker may involve skill, their digital format poses distinct risks, including anonymity, lack of physical cues, and higher potential for addiction. 'The players may not even know against whom the game is played. So it is imperative that the government take adequate steps to streamline and regulate these unexplored waters to ensure fair play and secure the physical and financial safety of the players,' the court noted. On concerns that the law was paternalistic, the court held that protecting public health and well-being is a constitutional responsibility. 'Laws and policies must be shaped with that goal at the core,' it said. The court concluded that the 2025 Regulations were a necessary response to a growing public health crisis and aligned with Article 39 of the Directive Principles of State Policy, which mandates the State to frame laws that protect people's welfare.
Mint
20-05-2025
- Business
- Mint
Flight safety 2.0: Online booking platforms must guard the privacy of our personal data
The Digital Personal Data Protection (DPDP) Act of 2023 has been viewed as a crucial step in safeguarding Indian data and privacy in digital spaces. With the growing reliance on the internet for various services globally, online businesses have seen a significant surge, particularly in fields like airline ticket reservations. Services such as MakeMyTrip and Goibibo that allow one to make bookings online, as well as the websites of airlines like Indigo, Air India, etc, have transformed how people plan and book a trip. These websites deal with and store private information that includes names, contact details, travel plans, payment method details and even data from official identity-proof documents such as passports and PAN or Aadhaar cards. Also Read: Use verifiable credentials to grant us agency over our digital data All these pieces of information fall under the definition of 'personal data' under Section 2(t) of the DPDP Act because they can be used to identify the person to whom it belongs. Even though online reservations are convenient, they raise privacy concerns. There are risks of mass data breaches and the unauthorized use of an individual's data stolen from these databases. Data minimization: Under Section 4 of the DPDP Act, online platforms for flight bookings, classified as 'data fiduciaries,' must seek the express and informed consent of users before they process their personal data. The Supreme Court, in its K.S. Puttaswamy vs Union of India judgment, held that privacy is a basic constitutional right flowing from Article 21 of the Constitution. This necessitates not only explicit consent, but also data minimization, the principle of which entails collecting, processing and storing only the least personal data required for a specific purpose. Online travel agencies often collect a huge amount of information, even though some of it may not strictly be required for reservations. For instance, the details of a user's occupation are often requested for profession-based discount offers. But under the DPDP law, the right to privacy demands that only necessary data shall be procured and processed. Also Read: Private companies can use Aadhaar infrastructure for identity checks again Security and accuracy: Section 8 of the DPDP Act places an obligation on data fiduciaries like online travel agencies to ensure the security and accuracy of personal data collected. The security measures that are required to be implemented include encryption as well as secure payment gateways for customers to pay, in addition to periodic audits. In Google India Pvt Ltd vs Visakha Industries Ltd (2019), the Supreme Court clarified the liability of intermediaries to safeguard the data of their users. Data erasure: Section 12 of the Act grants people a number of rights, including the right to correct, complete, update or erase their data. This will mean that customers can ask an airline or travel agency to delete their data after the end of their journey (or whenever required). This is in line with directives provided by various court judgments, like the landmark judgment of K.S. Puttaswamy and the 2023 case of Mrs. X vs Union of India, where the court emphasized the need for people to be in control of their personal data. Penalties: The DPDP Act prescribes stringent punishments. It imposes a large fine for a failure to secure personal data, especially in case of a data breach. This measure is expected to make airlines and reservation systems tighten their internal data security systems and thereby decrease the possibility of data breaches. In 2018, the UK Information Commissioner's Office imposed a fine of £20 million on British Airways after the details of over 400,000 clients were leaked through a breach. This could happen with any airline. In fact, in the Air India data breach of 2021, the personal data of approximately 4.5 million individuals was reportedly compromised, an event that led the air carrier to establish stricter internal security measures. Also Read: Mint Quick Edit | Digital access: A welcome new basic right Cross-border data transfers: Another major challenge could be the cross-border transfer of data in case of international travel via foreign airlines through bookings done on domestic platforms. The movement of personal information across national boundaries poses a problem, as different jurisdictions follow different laws. For instance, the EU's General Data Protection Regulation has stringent norms for cross-border data transfers and requires additional safeguards, whereas India's DPDP law is a bit more lenient and permits cross-border transfers unless explicitly prohibited. The law gives the Indian government the authority to blacklist countries for data transfers. As a result, companies in the civil aviation sector will have to navigate varying regulatory requirements and adjust their policies accordingly whenever a country is blacklisted. Also Read: We finally have clarity on the role of consent managers under India's privacy law Flight safety 2.0: The DPDP Act is aimed at providing an environment of openness and trust in digital services, as it endeavours to protect personal data through well-defined rules related to data protection. Online booking platforms will have to revise and refine their procedures for collecting, storing and processing data in order to comply with the law. Such adjustments will likely lead to higher expenditure, as online platforms will be required to implement robust cyber security protocols, conduct regular employee training and periodically review the digital systems procured from third-party vendors to ensure compliance. Overall, these measures will not only enhance the security and reliability of travel booking platforms, but also foster greater confidence and trust among their users. The author is a former member of the Rajya Sabha, former CAG bureaucrat and founding partner of A&N Legal Solutions LLP.
