Comments on the Privacy Bill, 2011

The last post contained an analysis of the third working draft of the Privacy Bill, 2011 dated 19th April, 2011 which aims to create a statutory right of privacy in India (download here). This post contains certain comments on the key features of the Privacy Bill. Also to gather what forms of privacy are being created by the Bill, two popular privacy taxonomies (solove and prosser) are utilized to contrast the privacy rights created by the Bill. A lot of the suggestions here make reference to the analysis posted before as well as to various provisions of the bill without extracting them. Hence it is suggested that readers may keep both of them handy to gather context.

In case of any questions or comments please contact me at mail@apargupta.com. I would like to acknowledge the work put in by Akansha Nehra, an intern at my office in helping me with this note. A pdf is embedded at the end of the page since a lot of formatting is lost in wordpress.

I. Definitions

1. Broad Comments

For a law of its ambit, the Bill seems to be short on definitions. This will certainly cause problems when the law is put into operation. For eg. several key terms such as “good name”, “honour” which have been included under Sec. 3 as forming the right to privacy have been left undefined.

2. “interception”

Considering the evolution in the modes of communication and fast evolution of the IT sector, the law has to be such as to be able to cater to all future technologies. Rather than covering the modes of interception, the definition of, “interception” is still stuck to physical formats of performing the interception.

3. Individual

The definition of “individual” as provided in the Bill is said to refer only to a citizen of India. Here, it seems to be that the Privacy right under the Bill will be available only to citizens. Further confirmation is provided by the Preamble to the Bill which also states the same. Though, this does not seem in line with recent press reports.[1]

Due to the wording, the privacy right under Sec. 3 does not cover the classes of persons who enjoy the right to privacy as identified under Article 21. At present the right to privacy under Article 21 is available to all persons irrespective of them being citizens or not.

The definition will also have implications in interplay with a the UIDAI project which (as per the last draft of the UIDAI bill) extends to “residents” and not “citizens”.[2] The coverage of the Privacy Bill may circumvented with respect to the UIDAI, as it may be reasoned that the UIDAI is on the basis of residence and there is no way it can be ascertained who is a citizen in the UIDAI database.

4. “Personal Information”

The Bill defines the subject of the “personal information” as an identifiable individual. However, the exact yardstick of defining an identifiable person has not been provided. This seems to have been inspired in part from the EU Directives on Data Protection.

A concern with respect to the definition is with respect to individual bits of data which are gathered without being

Advertisement for the automatic (dial) telepho...

linked to a singular indentifiable person. Streams of data may not be captured only with respect to an identifiable individual. Such data in isolation may not reveal much. However, when such data is aggregated it may lead to privacy harms. Further, the reason for the insertion of a rider on to the identification of the subject data is not completely clear.

Another, important feature of this definition is that it specifically excludes a range of information. These are with respect to employers gather information of their employees. This may create practical anomalies in todays fluid work environment where organisations engage various individuals beyond a pure employee-employer relationship. It is questionable whether the collection of data of such people by organisations will be protected by the Bill. There may also be implications for workplace privacy.

5. “Surveillance”

The definition provided in the Bill attempts to explain the concept of surveillance consisting of three ingredients, (a) covertly and without a persons knowledge; (b) following; or © watching over a person.

Further, it specifically provides for listening or filming devices. This is again technologically very specific. Interestingly, the question that remains is whether this will include sting operations. I believe that the prohibition on surveillance would extend to sting operations as there is no exception for it as it is provided for data collection and disclosure.

II. Right to privacy

The scope of this right is provided in Section 3. The construct of Section 3 is very interesting, as in the beginning itself it provides for a saving provision.

The features of the definition are:

1. Citizen as an Individual

The right that is provided for in this Bill is only of a Citizen of India, and does not cover any other person.

2. Limited Right

This right of a citizen as enshrined in this draft section is in fact a limited right. This is inferred from the fact that carve outs are created in more than one aspect. Unlike, other substantial rights having a ‘Notwithstanding’ clause, it is a ‘Subject to’ clause and the same is limited by :

a) Order of a Court

b) Any law for time being in force. Interestingly, these are not the only carve outs. Under section 90, the provision of this Act has been excluded from Applicability of this Act:

a) Cases covered under Right to Information Act or any other law relating to disclosure

b) Criminal law relating to corruption, misappropriation, cheating, etc.

c) Acts illegal under Narcotics Drug and Psychotropic Substances Act, 1985

d) Economic offences or offences under Essential Commodities Act, 1955, Food Adulteration Act, Acts dealing with environment

e) Offences under Army Act, and other Terrorists related Acts

f) Offences relating to Defence Forces

g) Others explicitly excluded.

3. Inclusive Definition

The definition provided is by method of an inclusive definition, as it includes 11 acts that are manifestations of right to privacy under the Bill. Importantly they are not distinguished appropriately, as they stick to various forms of acts that are prohibited, unless permitted.

Thus, in substance privacy has not been defined. Though, protection of these manifestations of right to privacy has been discussed in detail in the forthcoming chapters of the Bill.

The definition explicitly includes the following manifestation of Right to Privacy:

a) Confidentiality of Communication

b) Confidentiality of his private/ family life

c) Protection of his Honor and Good name

d) Protection from Search, Detention, or Exposure of lawful communication between and among individuals

e) Privacy from his Surveillance

f) Confidentiality of his banking and financial transactions

g) Confidentiality of his medical and legal information

h) Protection from his identity theft (criminal, financial, identity cloning, medical)

i) Protection from use of his photographs, fingerprints, DNA samples, and other samples taken at police stations or other places

j) Privacy of his Health Information

k) Protection of data relating to individual.

Interestingly, there is no exception created for communications that involve government offices, or other ministerial pr governmental correspondences. What is apparent that due to the absence of an appropriate definition, the provisions are very loosely worded. For. e.g. what is the connotation intended to describe “family life”, “good name” etc.. Moreover, the last clause provided uses the term ‘data’, which is too broad and hence, may apply without limitation.

4. Analysis as per Taxonomy

Two popular taxanomies are presented below to understand what forms of privacy rights have will be created by the Bill. It is hoped from this exercise we may gather are we missing some forms of privacy or have we gone much beyond the traditional scope of “privacy rights”.

Sl. No. Prosser’s ClassificationUnder Privacy Bill, 2011Intrusion upon the plaintiff’s seclusion or solitude, or into his private affairsConfidentiality of CommunicationConfidentiality of his private/ family lifeProtection of his Honor and Good nameProtection from Search, Detention, or Exposure of lawful communication between and among individualsPrivacy from his SurveillanceConfidentiality of his banking and financial transactionsConfidentiality of his medical and legal informationProtection from his identity theft (criminal, financial, identity cloning, medical)Privacy of his Health InformationPublic Disclosure of embarassing private facts about the plaintiffProtection of data relating to individualProtection from use of his photographs, fingerprints, DNA samples, and other samples taken at police stations or other placesConfidentiality of CommunicationConfidentiality of his private/ family lifeProtection of his Honor and Good nameConfidentiality of his medical and legal informationPublicity which places the plaintiff in a false light in the public eyeIntrusion upon the plaintiff’s seclusion or solitude, or into his private affairsAppropriation, for the defendant’s advantage, of the plaintiff’s name or likeness-

Sl. No. Solove’s ClassificationUnder Privacy Bill, 2011 Information CollectionSurviellancePrivacy of his Health InformationPrivacy from his SurveillanceInterrogationProtection from Search, Detention, or Exposure of lawful communication between and among individualsInformation ProcessingAggregationProtection from use of his photographs, fingerprints, DNA samples, and other samples taken at police stations or other placesIndentificationInsecuritySecondary useExclusionInformation DisseminationBreach of ConfidentialityConfidentiality of his medical and legal informationConfidentiality of his private/ family lifeConfidentiality of his banking and financial transactionsConfidentiality of his medical and legal informationConfidentiality of CommunicationDisclosure-Exposure-Increased AccessibilityProtection from his identity theft (criminal, financial, identity cloning, medical)BlackmailAppropriationDistortionInvasionIntrusionProtection of his Honor and Good nameProtection of data relating to individualDecisional Interference-

III. Assorted Suggestions

1. Appropriate Government

The provisions of the Bill do not make a notation for the responsibility on an appropriate government. For reference, variety of Acts make specific mention of the Central and State government separately. This is done keeping in mind the federal scheme in which state and central subjects are mentioned separately. Hence, even though telegraphs may be a central subject, law enforcement is a state subject. The absence of such a scheme may lead to questions as to the constitutional validity of the Bill.

2. Information Technology Act, 2000

Interestingly, though the Bill refers to one IT Act, i.e. Indian Telegraph Act, 1885 in Section 5 of the Bill. It does not refer to the other IT Act, i.e. the Information Technology Act, 2000. Prior to the Privacy Bill, one of the sole laws on the subject of data interception and retention was the Information Technology Act. In 2009 specific rules have been made under the Information Technology Act for the interception of electronic communications. It would be useful for the Privacy Bill to make reference to them.

3. Recording of Reasons

Section 7 contains provisions about what a tap order must contain. This includes details with respect to who made the order, the authority making the order, etc. It is suggested that it should also record the reasons why the tap order was passed.

Further, recording of reasons should be followed while making the order that is passed by the Authority1, when it confirms an order or that of the Review Committee when it reviews it. Most importantly a record of the reasons for passing such order must be maintained [in reference to Section 8].

4. Timelines for the validity of Tap Orders

The timelines drawn for the validity of the tap orders in the present Bill, are in line with pre-existing provisions that are being applied before this Bill was made. These provisions include Rule 3 of the Information Technology (Directions for Interception or Monitoring or Decryption of Information) Rules, 2009 [read from Section 69 of the Information Technology Act, 2000] and Rule 419A, Indian Telegraph Rules, 1951 [read from Section 5(2) of the Indian Telegraphs Act, 1889].

Thus, as a final provision under Section 11 of the Bill, an order for interception can last for at the maximum 6 months. Interestingly, the Bill does not guard against the abuse of successive tap orders with respect to the same data subject. Hence an interception can be continued infinitely by means of repeated orders being passed by the appropriate authority.

5. Retention and Destruction

As per the Bill, during the period of interception all records and details gathered have to be maintained and stored and when the interception ends all the data which has been gathered has to be destroyed. The timeline for such an action has been provided as 6 months from the date of order. Practically it may not be essential that once the investigation is done, the judicial recourse may be taken up immediately. Hence, the bill has a carve-out which says that if the material is functionally required it may be stored even after 6 months. In my view this may lead to abuse if the maximum permissible outer limit is not fixed by the Bill.

It is interesting to note that alongwith the materials gathered, even the tap orders directing the interception have to be destroyed when the interception is discontinued. It is to be noted that no system is provided of recording or maintaining of such tap orders. This seems to be worrisome and may lead to non-compliance with the safeguards which are inbuilt into the issuing of such tap orders (for e.g. recording of reasons for tapping).

It is thus suggested two forms of documents must be maintained by all bodies concerned when a tap order is issued. The first set contains the specifics of each case from which a person can be identified and the second set contains anonymized details listing the compliances. Whereas the first can be destroyed when the interception ends, the second one must be maintained for the purposes of auditing compliance with the protections under the Privacy Bill. In the end the form of Privacy which is being created under the Bill with respect to interception are a bunch of procedural safeguards. If there are no records and no audits on them authorities in charge of the tap orders are bound to take a lackadaisical approach towards procedural safeguards. In the end, why will a government authority ensure that reasons are recorded for each tap order, when it knows the tap order will be destroyed at the end of the interception and in now way it can be held accountable.

6. Assuring Authenticity

Section 16 is drafted to take care unauthorised and forged tap orders as was mentioned in Amar Singhs Case. It is suggested, that some attributes may be mentioned to make tap orders physically or technically distinguishable. This could mean in terms of physical tap orders having seals and emails and documents containing digital signatures.

7. Parting Comments

The Privacy Bill, 2011 is a complex piece of legislation. I do not have a quick or a short “take” on it. While I agree with the principle of having a privacy legislation beyond empty data protection provisions we have in place at present, we need a detailed study on the impact of the Bill. (With the non-disclosure of this draft Bill through official government sources, we also seem to be mixing up privacy with secrecy.)

At certain places it seems the Bill will not provide adequate protection from privacy harms emanating from the State. Also, some provisions may be problematic for private parties who seek to expose wrong doing through sting operations and investigative journalism. There may be some danger freedom of speech which cannot be fully comprehended. I am concerned through this law we may end up with a potholed privacy right, firm at some places and completely absent somewhere else.

Probably these are my fears, but I hope a public consultative process is followed before the Bill is introduced in Parliament


[1] http://www.business-standard.com/india/news/expats-tourists-may-also-get-right-to-privacy/440004/.

[2] http://post.jagran.com/uid-not-a-proof-of-citizenship-nilkeni-1308371957

PDF

[ipaper id=59525347]

Related articles

Comments are closed.