Trilegal co-founding partner Rahul Matthan has drafted a proposal for the department of personnel training to create an Indian privacy and data protection law that would regulate the storage and disclosure of personal information.
The approach paper requests views of the public and experts and sets out the issues involved in Indian privacy legislation.
Matthan told Legally India: “At this stage it is just an approach paper. But we hope that it will have the momentum to get converted into a bill sooner than later.”
Is there a need for privacy protection?
India does not currently have a general data protection statute. Nevertheless, the judiciary has derived a "right of privacy" from the rights available under Articles 19(1)(a) (the fundamental right to freedom of speech and expression) and 21 (the right to life and personal liberty) of the Constitution of India. However, all cases that deal with the right to privacy have been decided in the context of Government actions that resulted in private citizens being denied their right to personal privacy. No privacy judgment has granted private citizens a right of action against the breach of privacy by another private citizen. To that extent, the data protection and personal privacy jurisprudence in the country is not yet fully developed.
India is not a particularly private nation. Personal information is often shared freely and without thinking twice. Public life is organized without much thought to safeguarding personal data. In fact, the public dissemination of personal information has, over time, become a way of demonstrating the transparent functioning of the government. While many agencies of the government collect personal data, this information is stored in silos, with each agency of the government maintaining information using different fields and formats. Government databases do not talk to each other and, given how differently they are organized, the information collected by different departments cannot be aggregated or unified.
Data privacy and the need to protect personal information is almost never a concern when data is stored in a decentralized manner. Data that is maintained in silos is largely useless outside that silo and consequently has a low likelihood of causing any damage. However, all this is likely to change with the implementation of the UID Project. One of the inevitable consequences of the UID Project will be that the UID Number will unify multiple databases. As more and more agencies of the government sign on to the UID Project, the UID Number will become the common thread that links all those databases together. Over time, private enterprise could also adopt the UID Number as an identifier for the purposes of the delivery of their services or even for enrollment as a customer. Once this happens, the separation of data that currently exists between multiple databases will vanish.
Such a vast interlinked public information database is unprecedented in India. It is imperative that appropriate steps be taken to protect personal data before the vast government storehouses of private data are linked up and the threat of data security breach becomes real.
Similarly, private sector entities such as banks, telecom companies, hospitals etc. are collecting vast amounts of private or personal information about individuals. There is tremendous scope both for commercial exploitation of this information without the consent/knowledge of the individual and for embarrassing an individual whose personal particulars can be made public by any of these private entities. The IT Act does provide some safeguards against disclosure of data/information stored electronically, but there is no legislation for protecting the privacy of individuals for all information that may be available with private entities.
In view of the above, the privacy of individuals is to be protected both with reference to the actions of Government as well as private sector entities.
Is there a need for such legislation?
Notwithstanding the concerns around the risks posed by this vast interconnected public information database, there are issues being raised about the need to even have legislation in the first place. The argument being made is that given the technical and highly dynamic nature of personal data, a heavy legislative approach is probably unwarranted. Instead, industry self-certification could achieve the same results without the downsides of putting in place a legislative and regulatory framework.
In order to implement this, various industry verticals would need to appoint independent certifying agencies to prescribe data standards and to oversee compliance with data protection principles. The system is voluntary but relies on peer pressure to ensure that conscientious corporations remain compliant with their obligations in order to continue to be accepted by their customers and business ecosystem.
While this suggestion does offer a lighter touch, it does not give the individuals whose data is at risk any form of legal remedy in case of a breach of their personal privacy by the self-certifying organizations. In the event any such organization commits a data breach, the individual whose data has been lost will have no legal recourse. Data protection can only be ensured under a formal legal system that prescribes the rights of the individuals and the remedies available against the organization that breaches these rights. It is imperative, if the aim is to create a regime where data is protected in this country, that clear legislation is drafted that spells out the nature of the rights available to individuals and the consequences that an organization will suffer if it breaches these rights.
It is possible to develop a hybrid approach where a statute is enacted to provide the contours within which all organizations, private and public, are to conduct themselves with regard to personal information that they collect. Industry associations could then define more detailed guidelines and practices that member organizations would need to follow with specific reference to the specific issues of that industry.
The full paper is available for download from the ministry’s website here.
several meetings and also held discussions with stakeholders groups (civil society organizations, local practitioners, business and banking representatives)." Wonder whether the real stakeholders (the people) were informed about it through National dailies. The paper in the link reads last date for opinions is 25th October!!!!! Bad, extremely bad.
The RTI Act establishes the right of citizens to "inspection of works, documents, records; held by any public authority." Section 8 of the Act lists the items which are exempt from disclosure. The Act provides that “information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individuals should not be disclosed.”
Indeed, the RTI Act does not confer any privacy rights with regard to information not held by the government. The most prominent Indian case in this regard is perhaps that of Phoolan Devi v. Shekhar Kapoor and Others, [57 (1995) Delhi Law Times 154] which involved filming the biography of Phoolan Devi. The defendant entered into an agreement with Phoolan Devi, for the sole right to make a story on her life, with certain additions and alterations. When the movie was made and exhibited, Phoolan Devi raised an objection regarding certain scenes, and sought an injunction against the exhibition of the film containing the objectionable portions on the ground that they violated her privacy.
The Delhi High Court drew a line when it came to consent/agreement and held that an agreement does not give a license to make a film in total disregard to Phoolan Devi’s right to privacy, or to show her being raped, gang raped, paraded nude or sexually abused as a child. The court held that the “defendants ha[d] no right to exhibit the film . . . violating the privacy of plaintiff's body and person” and issued an interim order restraining the exhibition of the film.
The case was settled before final orders could be passed. However, the interim order is a precedent to show that Indian courts do recognize a right to privacy under tort law.
It is very important for a country like India to have a data protection law to protect individual private data. Many countries have data protection laws to protect against data misuse by third parties. In order to stop misuse of the data by third parties, we need a Data Protection Law in India.