Comments on the Privacy Bill, 2011

The last post contained an analysis of the third working draft of the Privacy Bill, 2011 dated 19th April, 2011 which aims to create a statutory right of privacy in India (download here). This post contains certain comments on the key features of the Privacy Bill. Also to gather what forms of privacy are being created by the Bill, two popular privacy taxonomies (solove and prosser) are utilized to contrast the privacy rights created by the Bill. A lot of the suggestions here make reference to the analysis posted before as well as to various provisions of the bill without extracting them. Hence it is suggested that readers may keep both of them handy to gather context.

In case of any questions or comments please contact me at I would like to acknowledge the work put in by Akansha Nehra, an intern at my office in helping me with this note. A pdf is embedded at the end of the page since a lot of formatting is lost in wordpress.

I. Definitions

1. Broad Comments

For a law of its ambit, the Bill seems to be short on definitions. This will certainly cause problems when the law is put into operation. For eg. several key terms such as “good name”, “honour” which have been included under Sec. 3 as forming the right to privacy have been left undefined.

2. “interception”

Considering the evolution in the modes of communication and fast evolution of the IT sector, the law has to be such as to be able to cater to all future technologies. Rather than covering the modes of interception, the definition of, “interception” is still stuck to physical formats of performing the interception.

3. Individual

The definition of “individual” as provided in the Bill is said to refer only to a citizen of India. Here, it seems to be that the Privacy right under the Bill will be available only to citizens. Further confirmation is provided by the Preamble to the Bill which also states the same. Though, this does not seem in line with recent press reports.[1]

Due to the wording, the privacy right under Sec. 3 does not cover the classes of persons who enjoy the right to privacy as identified under Article 21. At present the right to privacy under Article 21 is available to all persons irrespective of them being citizens or not.

The definition will also have implications in interplay with a the UIDAI project which (as per the last draft of the UIDAI bill) extends to “residents” and not “citizens”.[2] The coverage of the Privacy Bill may circumvented with respect to the UIDAI, as it may be reasoned that the UIDAI is on the basis of residence and there is no way it can be ascertained who is a citizen in the UIDAI database.

4. “Personal Information”

The Bill defines the subject of the “personal information” as an identifiable individual. However, the exact yardstick of defining an identifiable person has not been provided. This seems to have been inspired in part from the EU Directives on Data Protection.

A concern with respect to the definition is with respect to individual bits of data which are gathered without being

Advertisement for the automatic (dial) telepho...

Image via Wikipedia

linked to a singular indentifiable person. Streams of data may not be captured only with respect to an identifiable individual. Such data in isolation may not reveal much. However, when such data is aggregated it may lead to privacy harms. Further, the reason for the insertion of a rider on to the identification of the subject data is not completely clear.

Another, important feature of this definition is that it specifically excludes a range of information. These are with respect to employers gather information of their employees. This may create practical anomalies in todays fluid work environment where organisations engage various individuals beyond a pure employee-employer relationship. It is questionable whether the collection of data of such people by organisations will be protected by the Bill. There may also be implications for workplace privacy.

5. “Surveillance”

The definition provided in the Bill attempts to explain the concept of surveillance consisting of three ingredients, (a) covertly and without a persons knowledge; (b) following; or (c) watching over a person.

Further, it specifically provides for listening or filming devices. This is again technologically very specific. Interestingly, the question that remains is whether this will include sting operations. I believe that the prohibition on surveillance would extend to sting operations as there is no exception for it as it is provided for data collection and disclosure.

II. Right to privacy

The scope of this right is provided in Section 3. The construct of Section 3 is very interesting, as in the beginning itself it provides for a saving provision.

The features of the definition are:

1. Citizen as an Individual

The right that is provided for in this Bill is only of a Citizen of India, and does not cover any other person.

2. Limited Right

This right of a citizen as enshrined in this draft section is in fact a limited right. This is inferred from the fact that carve outs are created in more than one aspect. Unlike, other substantial rights having a ‘Notwithstanding’ clause, it is a ‘Subject to’ clause and the same is limited by :

a) Order of a Court

b) Any law for time being in force. Interestingly, these are not the only carve outs. Under section 90, the provision of this Act has been excluded from Applicability of this Act:

a) Cases covered under Right to Information Act or any other law relating to disclosure

b) Criminal law relating to corruption, misappropriation, cheating, etc.

c) Acts illegal under Narcotics Drug and Psychotropic Substances Act, 1985

d) Economic offences or offences under Essential Commodities Act, 1955, Food Adulteration Act, Acts dealing with environment

e) Offences under Army Act, and other Terrorists related Acts

f)  Offences relating to Defence Forces

g) Others explicitly excluded.

3. Inclusive Definition

The definition provided is by method of an inclusive definition, as it includes 11 acts that are manifestations of right to privacy under the Bill. Importantly they are not distinguished appropriately, as they stick to various forms of acts that are prohibited, unless permitted.

Thus, in substance privacy has not been defined. Though, protection of these manifestations of right to privacy has been discussed in detail in the forthcoming chapters of the Bill.

The definition explicitly includes the following manifestation of Right to Privacy:

a)                 Confidentiality of Communication

b)                 Confidentiality of  his private/ family life

c)                  Protection of his Honor and Good name

d)                 Protection from Search, Detention, or Exposure of lawful communication between and among individuals

e)                 Privacy from his Surveillance

f)                   Confidentiality of  his banking and financial transactions

g)                 Confidentiality of  his medical and legal information

h)                Protection from his identity theft (criminal, financial, identity cloning, medical)

i)                   Protection from use of his photographs, fingerprints, DNA samples, and other samples taken at police stations or other places

j)                   Privacy of his Health Information

k)                 Protection of data relating to individual.

Interestingly, there is no exception created for communications that involve government offices, or other ministerial pr governmental correspondences. What is apparent that due to the absence of an appropriate definition, the provisions are very loosely worded. For. e.g. what is the connotation intended to describe “family life”, “good name” etc.. Moreover, the last clause provided uses the term ‘data’, which is too broad and hence, may apply without limitation.

4. Analysis as per Taxonomy

Two popular taxanomies are presented below to understand what forms of privacy rights have will be created by the Bill. It is hoped from this exercise we may gather are we missing some forms of privacy or have we gone much beyond the traditional scope of “privacy rights”.

Sl. No. Prosser’s ClassificationUnder Privacy Bill, 2011
Intrusion upon the plaintiff’s seclusion or solitude, or into his private affairsConfidentiality of Communication
Confidentiality of  his private/ family life
Protection of his Honor and Good name
Protection from Search, Detention, or Exposure of lawful communication between and among individuals
Privacy from his Surveillance
Confidentiality of  his banking and financial transactions
Confidentiality of  his medical and legal information
Protection from his identity theft (criminal, financial, identity cloning, medical)
Privacy of his Health Information
Public Disclosure of embarassing private facts about the plaintiffProtection of data relating to individual
Protection from use of his photographs, fingerprints, DNA samples, and other samples taken at police stations or other places
Confidentiality of Communication
Confidentiality of  his private/ family life
Protection of his Honor and Good name
Confidentiality of  his medical and legal information
Publicity which places the plaintiff in a false light in the public eyeIntrusion upon the plaintiff’s seclusion or solitude, or into his private affairs
Appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness

Sl. No. Solove’s ClassificationUnder Privacy Bill, 2011
Information CollectionSurviellancePrivacy of his Health Information
Privacy from his Surveillance
InterrogationProtection from Search, Detention, or Exposure of lawful communication between and among individuals
Information ProcessingAggregationProtection from use of his photographs, fingerprints, DNA samples, and other samples taken at police stations or other places
Secondary use
Information DisseminationBreach of ConfidentialityConfidentiality of  his medical and legal information
Confidentiality of  his private/ family life
Confidentiality of  his banking and financial transactions
Confidentiality of  his medical and legal information
Confidentiality of Communication
Increased AccessibilityProtection from his identity theft (criminal, financial, identity cloning, medical)
InvasionIntrusionProtection of his Honor and Good name
Protection of data relating to individual
Decisional Interference

III. Assorted Suggestions

1. Appropriate Government

The provisions of the Bill do not make a notation for the responsibility on an appropriate government. For reference, variety of Acts make specific mention of the Central and State government separately. This is done keeping in mind the federal scheme in which state and central subjects are mentioned separately. Hence, even though telegraphs may be a central subject, law enforcement is a state subject. The absence of such a scheme may lead to questions as to the constitutional validity of the Bill.

2. Information Technology Act, 2000

Interestingly, though the Bill refers to one IT Act, i.e. Indian Telegraph Act, 1885 in Section 5 of the Bill. It does not refer to the other IT Act, i.e. the Information Technology Act, 2000. Prior to the Privacy Bill, one of the sole laws on the subject of data interception and retention was the Information Technology Act. In 2009 specific rules have been made under the  Information Technology Act for the interception of electronic communications. It would be useful for the Privacy Bill to make reference to them.

3. Recording of Reasons

Section 7 contains provisions about what a tap order must contain. This includes details with respect to who made the order, the authority making the order, etc. It is suggested that it should also record the reasons why the tap order was passed.

Further, recording of reasons should be followed while making the order that is passed by the Authority1, when it confirms an order or that of the Review Committee when it reviews it. Most importantly a record of the reasons for passing such order must be maintained [in reference to Section 8].

4. Timelines for the validity of Tap Orders

The timelines drawn for the validity of the tap orders in the present Bill, are in line with pre-existing provisions that are being applied before this Bill was made. These provisions include Rule 3 of the Information Technology (Directions for Interception or Monitoring or Decryption of Information) Rules, 2009 [read from Section 69 of the Information Technology Act, 2000] and Rule 419A, Indian Telegraph Rules, 1951 [read from Section 5(2) of the Indian Telegraphs Act, 1889].

Thus, as a final provision under Section 11 of the Bill, an order for interception can last for at the maximum 6 months. Interestingly, the Bill does not guard against the abuse of successive tap orders with respect to the same data subject. Hence an interception can be continued infinitely by means of repeated orders being passed by the appropriate authority.

5. Retention and Destruction

As per the Bill, during the period of interception all records and details gathered have to be maintained and stored and when the interception ends all the data which has been gathered has to be destroyed. The timeline for such an action has been provided as 6 months from the date of order. Practically it may not be essential that once the investigation is done, the judicial recourse may be taken up immediately. Hence, the bill has a carve-out which says that if the material is functionally required it may be stored even after 6 months. In my view this may lead to abuse if the maximum permissible outer limit is not fixed by the Bill.

It is interesting to note that alongwith the materials gathered, even the tap orders directing the interception have to be destroyed when the interception is discontinued. It is to be noted that no system is provided of recording or maintaining of such tap orders. This seems to be worrisome and may lead to non-compliance with the safeguards which are inbuilt into the issuing of such tap orders (for e.g. recording of reasons for tapping).

It is thus suggested two forms of documents must be maintained by all bodies concerned when a tap order is issued. The first set contains the specifics of each case from which a person can be identified and the second set contains anonymized details listing the compliances. Whereas the first can be destroyed when the interception ends, the second one must be maintained for the purposes of auditing compliance with the protections under the Privacy Bill. In the end the form of Privacy which is being created under the Bill with respect to interception are a bunch of procedural safeguards. If there are no records and no audits on them authorities in charge of the tap orders are bound to take a lackadaisical approach towards procedural safeguards. In the end, why will a government authority ensure that reasons are recorded for each tap order, when it knows the tap order will be destroyed at the end of the interception and in now way it can be held accountable.

6. Assuring Authenticity

Section 16 is drafted to take care unauthorised and forged tap orders as was mentioned in Amar Singhs Case. It is suggested, that some attributes may be mentioned to make tap orders physically or technically distinguishable. This could mean in terms of physical tap orders having seals and emails and documents containing digital signatures.

7. Parting Comments

The Privacy Bill, 2011 is a complex piece of legislation. I do not have a quick or a short “take” on it. While I agree with the principle of having a privacy legislation beyond empty data protection provisions we have in place at present, we need a detailed study on the impact of the Bill. (With the non-disclosure of this draft Bill through official government sources, we also seem to be mixing up privacy with secrecy.)

At certain places it seems the Bill will not provide adequate protection from privacy harms emanating from the State. Also, some provisions may be problematic for private parties who seek to expose wrong doing through sting operations and investigative journalism. There may be some danger freedom of speech which cannot be fully comprehended. I am concerned through this law we may end up with a potholed privacy right, firm at some places and completely absent somewhere else.

Probably these are my fears, but I hope a public consultative process is followed before the Bill is introduced in Parliament




Related articles

  • Aakanksha

    Sir, thank you for having such a clear analysis put on the subject. This definitely amplifies and clarifies the inherent complexities and contradictions in the Bill. It truely is amazingly put, especially the enforcement angle.

  • DC

    Do you have any idea on who has drafted the bill?

    • seems it came from the ministry of law and justice. earlier there was a consultation which was carried on my the department of Department of Personnel & Training, but that does not seem to have been carried over. you can access that here –

  • Pingback: the telephone tapping provisions of the jan lokpal bill | India Law and Technology Blog()

  • VC

    Apar, I wanted to download the pdf but it seems it is not embedded here, nor is the pdf of your previous post embedded on that page. Please see if you can update both pages, thanks.

    • Hi VC, 

      Thanks for visiting the blog! Due to a redesign, the links disappeared. Let me re-configure the scribd plugin and then I will embed them. Give me a week.