Right to privacy in India
- Intelligence agency’s concerns regarding privacy bills
- Present privacy related laws in India
- Problems with the IT Act
- Right to privacy bill, 2011
- Recommendations by Justice AP Shah
- Relevance of Shah Principles in the present scenario
- Way ahead
Right to privacy in India
With the government’s push for digital payments, and with reforms such as Jan Dhan Yojana, Aadhaar and Digital India underway, the challenges related to cyber security come to the fore.
With all these reforms and changes, citizens could find themselves vulnerable to data misuse and without any rights to protect that information and data.
In this light, privacy has become the quintessential issue of our times, but it continues to be violated every day. Yet the Right to Privacy has not been explicitly stated in the Indian Constitution.
The time is ripe for the government to begin the process of architecting a comprehensive privacy and data security framework.
Intelligence agency’s concerns regarding privacy bills
Intelligence agencies have been at the forefront of the privacy debate because of their demands for data on individuals they want to keep under watch. These agencies have shared the following concerns regarding privacy bills:
- A comprehensive law will put restrictions on their activities and hence will impact national security.
- They fear being dragged to court every time they procure data.
- They are concerned that in every court case, judges will take a stand against them.
Let’s have a critical look at the present structure of the laws related to privacy in India.
Present privacy related laws in India
At present, provisions under the Information Technology Act, 2000 deal with privacy-related issues in India. These provisions are:
Section 43A of the IT Act:-
- Deals with implementation of reasonable security practices for sensitive personal data or information
- Provides for the compensation to the person affected by wrongful loss or wrongful gain.
Section 72A provides:-
- For imprisonment for a period up to 3 years and/or a fine up to Rs. 5,00,000 for a person who causes wrongful loss or wrongful gain by disclosing personal information of another person.
Data that qualifies for the protection:-
- Protected data is referred to in the I.T. Rules as ‘sensitive personal data or information’.
- Rule 3 of the I.T. Rules has an inclusive/open-ended definition of Protected Data.
Protected Data includes the following data points pertaining to any individual:
- Banking and financial information;
- Sexual orientation;
- Medical records and history; and
- Biometric information
Problems with the IT Act
The IT Act, which provides for data protection, suffers from the following limitations:
- The categories included in the sensitive personal information are inadequate.
- Emails and chat logs, as well as records of internet activity, including online search history, are particularly vulnerable to abuse and misuse; these should be included in the categories.
- Section 43A only covers corporate bodies engaged in commercial or professional activities, excluding government agencies such as UIDAI, which gathers a huge amount of individual data.
- Section 72A puts the onus on the petitioner to prove not just the privacy violation, but also the gain or loss due to the privacy violation.
Right to privacy bill, 2011
- The 2011 Bill recognized the Right to Privacy as a part of Article 21 of the Indian Constitution and extends to the whole of India.
- It creates a statutory Right to Privacy by means of a broad definition and then creates specific protections for it.
- A regulatory mechanism will be created through the Data Protection Authority of India.
- The Bill identifies specific officers/position holders in various entities (that may be involved in various breaches of the right) who shall be held responsible in case of any wrongful act or default.
- Disputes under the Bill will be referred to the Cyber Appellate Tribunal which has been set up under the Information Technology Act.
However, the Privacy Bill has gone through several changes since 2011 and has not yet been finalized by the government.
Recommendations by Justice AP Shah
In 2012, a group of experts headed by the former Chief Justice of the Delhi High Court, Justice AP Shah, submitted its report highlighting the multidimensional nature of privacy.
The Committee provided the following recommendations:
The Committee recommended nine ‘national privacy principles’ to be followed by all organizations dealing with people’s data:
- Choice and consent,
- Collection limitation,
- Purpose limitation,
- Access and correction,
- Disclosure of information,
- Openness and
- These principles were incorporated in the 2014 version of the privacy bill.
- The Committee’s recommendations include setting up the office of a national privacy commissioner rather than the proposed Data Protection Authority of India.
- Commissioners will exercise broad oversight functions in matters related to interception/access, audio and video recordings, use of personal identifiers, and the use of bodily or genetic material.
Relevance of Shah Principles in the present scenario
- As in the present case, privacy policies are difficult to understand due to their difficult language. Hence it makes the first two principles (Notice and Choice)
- Also, in surveys, consumers claim to value their privacy but in practice, they sacrifice it for incremental convenience.
- In the time of ‘Big Data’, massive collection of data is happening on a daily basis, and the new uses go beyond the purpose for which the data was collected.
- The principle of collection limitation directly conflicts with Big Data.
- Smart data is growing. It will be integrated into the scalable Smart Cities project as the IoT proliferates.
- The principle of access, which calls for people to be able to review their personal data, will become unworkable as data is continuously collected.
- Data insecurity intensifies as more devices join the system.
- The Shah principles have become outdated with the arrival of Big Data and Smart Data.
- The solution is to modify the principles wherever there is a need.
- The principles of notice and choice focus on data collection, and people blindly agree to collection and multiple uses. The main focus should instead be on data use.
- A use-focused model will categorize data uses on the basis of harm.
- Data can be tagged at the moment of its creation with a list of permissible uses.
- For instance, one’s phone’s roving location can be shared in real time with other phones to plot travel times, but not with the employer.