A Group of experts constituted by the Planning Commission under the chairmanship of Justice A.P. Shah has analysed the various international privacy principles, national privacy principles and the existing privacy legislations in India and tendered a report (available here) to the Government of India. Due to its length which runs into 92 pages the present summary is posted which highlights significant aspects of the report.
It is important to underscore that the report has no force of law and is merely an exercise undertaken by the government towards the process of drafting a statute on Privacy in India. However it is felt that the report presents significant development in the area which will have implications towards the final bill which is presented in parliament.
I. Reasons for undertaking the Study
The introduction of national programmes like Unique Identification number, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), Privileged communications and brain mapping and wide range of transactions on the internet have increased the collection of information of citizens by the government, other institutions and service providers. Here even private service providers which collect data have been termed as “data controllers” bringing them under the proposed regulatory umbrella.
The Group has therefore made the following recommendations:
II. National Privacy Principles
The various international privacy principles like the EU Regulation of 2012, US Consumer Bill of Rights, OECD Privacy Principles, APEC Privacy Principles provide for commonly accepted privacy principles. While there are minor variations between these formulations, the report suggests that there is a set of globally accepted privacy principles. On this basis, the Group has proposed a set of National Privacy Principles enumerated as the distillation of global best practices which can be effectively implemented in Indian conditions. According to the report, these principles must establish:
(1) Safeguards and procedures over the collection, processing, storage, retention, access, disclosure, destruction, and anonymization of sensitive personal information, personal identifiable information, sharing, transfer, and identifiable information.
(2) Rights of the data subject in relation to their Sensitive Personal Information, Personal Identifiable Information, and Identifiable Information.
The National Privacy Principles should include the following principles:
Principle 1: Notice
A data controller shall give simple-to-understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include:
- What personal information is being collected;
- Purposes for which personal information is being collected;
- Uses of collected personal information;
- Whether or not personal information may be disclosed to third persons;
- Security safeguards established by the data controller in relation to the personal information;
- Processes available to data subjects to access and correct their own personal information;
- Contact details of the privacy officers and SRO ombudsmen for filing complaints.
- Data breaches must be notified to affected individuals and the commissioner when applicable.
- Individuals must be notified of any legal access to their personal information after the purposes of the access have been met.
- Any other information deemed necessary by the appropriate authority in the interest of the privacy of data subjects.
Principle 2: Choice and Consent
A data controller shall give individuals choices (opt-in/opt-out) with regard to providing their personal information, and take individual consent only after providing notice of its information practices. Only after consent has been taken will the data controller collect, process, use, or disclose such information to third parties, except in the case of authorized agencies. The data subject shall, at any time while availing the services or otherwise, also have an option to withdraw his/her consent given earlier to the data controller. In such cases the data controller shall have the option not to provide goods or services for which the said information was sought if such information is necessary for providing the goods or services. In exceptional cases, where it is not possible to provide the service with choice and consent, then choice and consent should not be required. When provision of information is mandated by law, it should be in compliance with all other National Privacy Principles. Information collected on a mandatory basis should be anonymized within a reasonable timeframe if published in public databases. As long as the additional transactions are performed within the purpose limitation, fresh consent will not be required.
Principle 3: Collection Limitation
A data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection, regarding which notice has been provided and consent of the individual taken. Such collection shall be through lawful and fair means.
Principle 4: Purpose Limitation
Personal data collected and processed by data controllers should be adequate and relevant to the purposes for which they are processed. A data controller shall collect, process, disclose, make available, or otherwise use personal information only for the purposes as stated in the notice after taking consent of individuals. If there is a change of purpose, this must be notified to the individual. After personal information has been used in accordance with the identified purpose it should be destroyed as per the identified procedures. Data retention mandates by the government should be in compliance with the National Privacy Principles.
Principle 5: Access and Correction
Individuals shall have access to personal information about them held by a data controller; shall be able to seek correction, amendments, or deletion such information where it is inaccurate; be able to confirm that a data controller holds or is processing information about them; be able to obtain from the data controller a copy of the personal data . Access and correction to personal information may not be given by the data controller if it is not, despite best efforts, possible to do so without affecting the privacy rights of another person, unless that person has explicitly consented to disclosure.
Principle 6: Disclosure of Information
A data controller shall not disclose personal information to third parties, except after providing notice and seeking informed consent from the individual for such disclosure. Third parties are bound to adhere to relevant and applicable privacy principles. Disclosure for law enforcement purposes must be in accordance with the laws in force. Data controllers shall not publish or in any other way make public personal information, including personal sensitive information.
Principle 7: Security
A data controller shall secure personal information that they have either collected or have in their custody, by reasonable security safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, deanonymization, unauthorized disclosure [either accidental or incidental] or other reasonably foreseeable risks.
Principle 8: Openness
A data controller shall take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data they collect, in order to ensure compliance with the privacy principles, information regarding which shall be made in an intelligible form, using clear and plain language, available to all individuals.
Principle 9: Accountability
The data controller shall be accountable for complying with measures which give effect to the privacy principles. Such measures should include mechanisms to implement privacy policies; including tools, training, and education; external and internal audits, and requiring organizations or overseeing bodies extend all necessary support to the Privacy Commissioner and comply with the specific and general orders of the Privacy Commissioner.
III. Application of National Privacy Principles
The Group envisaged the National Privacy Principles as being applicable across sectors, legislation, policy, projects, and bodies in order to broadly harmonize privacy protection in India and address and readily adapt to emerging and changing technologies and practices.
They recommend the application of these principles to the following regimes which do not provide for adequate privacy safeguards:
a) Interception and Access
In India, interception and access is addressed by two legislations, the Indian Telegraph Act (TA) 1885 and the Information Technology Act (ITA) 2008. In addition to these legislations, the UASL and ISP licenses establish the ways in which service providers must assist the government in carrying out an interception through systemic access and proactive disclosure. However, the legislations and licenses differ in various respects creating scope for misuse.
The Group, therefore, suggests the present legislations be made consistent with National Privacy Principles. Though these principles wholly or partially uphold some principles like accountability (i.e. appointment of nodal officers responsible for the receipt and handling of interception orders), collection limitation (i.e. reasons for interception and possession of interception for prescribed period), purpose limitation (i.e. use of interception only for investigation) and security. The Group has further identified the areas where the principles may be affected and which are as follows:
- Consent and Choice: Individuals may not be given the choice of being monitored, and consent from the individual may not be required for an interception to take place.
- Access and Correction: Individuals may not be able to access interception records pertaining to them during an investigation.
- Notice: Authorized agencies may be required to provide notice of legal access after an investigation is closed.
b) Audio and Video Recording
Audio & Video recording refers to the use of electronic recording devices ranging from CCTV cameras to mobile cameras, recording devices used by journalists and investigators for sting operations, and the use of satellites and mapping devices by data controllers – like Google Earth and Street View projects, and the use of unmanned aerial vehicles. Unfortunately, the use of such devices is still unregulated in India.
The Privacy Bill of 2010 prohibited the use of cellular phones with built in cameras unless the camera produces a sound of at least 65 decibels and flash a light. However, this Bill and the Mobile Camera Phone Users (Code of Conduct) Bill, 2006 have not seen the light of the day. Similarly, the use of CCTV cameras in public places, notice to individuals when monitoring premises and use of such recordings is not provided in any law.
In the same manner, the use of electronic devices by journalists and whistleblowers in conducting sting operations is not addressed in India. The Press Council Act 1978 also does not regulate the use of such electronic devices during sting operations.
The Group again suggests the applicability of National Privacy Principles to the use of audio and video recording equipments. These principles may affect the use in following respect:
- Collection limitation: These devices broadly monitor public spaces and it may not be possible to limit the type and quantity of information collected.
- Access & correction: Individuals may not be able to access information recorded about them, because it would cause undue overhead for organizations. An exception to this may be if individuals can demonstrate that access to the information is necessary and relevant.
- Consent & choice: It should be understood that when an individual enters a space that has provided public notice of audio and video recording, they are consenting to being monitored.
a) Right to Information Act
The group proposes the operation of RTI Act with minimum restrictions imposed on it by the Privacy Act. Further, the recipient of information under the RTI Act should not be considered a data controller as per the National Privacy Principles.
b) Freedom of Expression under Article 19
The freedom of expression and the protection of privacy conflict with each other and therefore, public interest should be considered the test to determine what should prevail over the other. Examples would include information relating to public figures, information on internet, disclosure by journalists and whistleblowers.
c) The Personal Information Security Rules notified in April 2011
These rules serve as the most comprehensive form of data protection in India. The Group suggests the Rules to be brought in line with the National Privacy Principles in the following manner:
- Data Breach: If a data breach occurs, affected individuals must be notified immediately.
- Legal Access: If information is legally accessed, the access must be notified at the close of the investigation.
- Process to access and correct: At the time of collection body corporates must provide notice of the processes available to data subjects to access and correct their own personal information.
2. Choice and Consent
- Mandatory provision: When provision of information is mandated by is should be in compliance with all other National Privacy Principles. Information collected on a mandatory basis should be anonymized within one year if published in public databases.
3. Purpose Limitation
- Adequate and Relevant: Personal data collected and processed by an organization must be adequate and relevant to the purposes for which they are processed.
- Change in purpose: If there is a change in purpose, this must be notified to the data subject.
- Destruction: After personal information has been used in accordance with the identified purpose, it must be destroyed as per the identified procedures.
- Data Retention: Data retention mandates by the government should be in compliance with the National Privacy Principles.
4. Access and Correction
- Confirmation of personal information: Data subjects should be able to confirm that an organization holds or is processing information about them.
- Copy of personal information: Data subjects should be able to obtain a copy of the personal data undergoing processing.
- Limitation to Access: The information may not be given or access permitted if it is not possible to do so without disclosing information about another person unless that persona has consented to the disclosure.
5. Disclosure of Information
- Notice of disclosure: Body corporate must provide notice of disclosure to third parties.
- Bound to Principles: All third parties must be bound to the National Privacy Principles.
- Conflicting Provision- Authorized Agencies: Information will be share with Government Agencies mandated under law without obtaining prior consent for the purposes of verification of identity, for prevention, detection, investigation including cyber incidents, prosecution, and punishments of offences. Rule 6
- External verification: All processes related to the handling of sensitive personal information [in addition to security systems] should undergo external verification on a regular basis.
- Support to Privacy Commissioner: Body corporate should be held responsible for giving support to the Privacy Commissioner and complying with general/specific orders of the privacy commissioner.
V. The Privacy Act
According to the recommendation of the Group, the Privacy Act should put into place a regulatory framework for both public and private sector organisations. The ambit of the privacy legislation will extend to data being processed within India, and data that originated in India, even when it is transferred internationally. The recommendations in brief are as follows:
A. Privacy Commissioners: The Privacy Act should establish the central office of the Privacy Commissioner, regional level privacy commissioners, self-regulating organizations (SRO’s) at the industry level, and data controllers and privacy officers (if required) at the organizational level. The regulator shall be called the Privacy Commissioner, one at the national level (called the National Commissioner) and four at regional levels (Regional Commissioners). The Commissioners shall be primarily responsible for enforcement of the Privacy Act. Some of the powers of the Commissioners should include:
- Power to order privacy impact assessments on organisations, investigate complaints, and fine non-compliant data controllers.
- The Commissioners should have the power of investigation, including the power to summon documents, call and examine witnesses, and take a case to court if necessary. The Commissioner should investigate data controllers on receiving complaints from data subjects, or suomotu.
- The Commissioner should have the power to approve the privacy standards which SRO’s may have autonomously formulated in conformity with the National Privacy Principles.
- With respect to interception/access, audio & video recordings, the use of personal identifiers, and the use of bodily or genetic material, the Commissioner may exercise broad oversight.
Data controllers and individuals should have the right to appeal the decisions of the commissioners.
B. Self-Regulating Organizations (SROs) and Co-regulation: The SROs and co-regulation shall supplement the role played by the Privacy Commissioners to ensure implementation and enforcement of policies for a wide range of sectors and industries. SROs shall have the responsibility to develop norms/standards in conformity with the National Privacy Principles. These norms shall provide for a co-regulatory framework once approved by the Privacy Commissioner. These norms/standards may include the appointment of an organizational level privacy officer for complaints to be raised to and resolved. The SROs shall also appoint a sector/industry wide ombudsman. The appointment of privacy officers and ombudsman are meant to reduce case pendency at courts and at the regulators’ office as well as to provide quick remedy/relief to consumers and citizens.
C. System of Complaints: The individual, international data provider, whistle blower, auditor, commissioner, and public prosecutor/law enforcement should have the ability to submit complaints to public/private data controllers, SRO’s, privacy commissioners, or the courts. The system of complaints could be as follows:
- Alternative Dispute Resolution mechanisms: Alternative dispute resolution (ADRs) mechanisms could be the first level of redress available to individuals and should be implemented by data controllers and SROs in specified verticals. If an individual has a complaint, they should approach the ombudsman at the data controller, and if not resolved, the individual should approach the SRO ombudsman. These mechanisms could reduce cost and increase efficiency in the delivery of justice, by reducing pendency at courts and at the office of the commissioner.
- The Central & Regional level commissioner: If a complaint is brought to the Central or Regional level commissioner, the commissioner should decide if the data controller was in violation, and if so, the extent of the fine. Data controllers and individuals should be able to appeal decisions issued by a commissioner. Compensation to the individual should be granted by the courts instead of the Privacy Commissioner. The Commissioner should be able to take a case to the courts.
- Court: The individual and the privacy commissioner should be able to take a complaint to the district level court, high court, or the Supreme Court of India and seek compensation for the harm caused by the violation.
- Remedies: Any person, who suffers damages caused by non-compliance with the principles or any obligation under the Act, should be entitled to remedy from the data controller to the full extent of the damages suffered. Actors that can be held liable by individuals include data controllers, organization directors, agency directors, and heads of Governmental departments.
D. Offences, Penalties, and Remedies: The infringement of any provision under the Act will constitute as an offence by which individuals may seek compensation for, and organizations/bodies held accountable to. As found in the UK Data Protection Act, and the Australian Privacy Act the following could be broad offences under the Act:
- Non-compliance with the privacy principles
- Unlawful collection, processing, sharing/disclosure, access, and use of personal data
- Obstruction of commissioner
- Failure to comply with notification issued by commissioner
- Processing data after receiving a notification
- Failure to appear before commissioner
- Failure to produce documents requested by commissioner
- Sending report to commissioner with false or misleading information