Trilegal paves way for Indian data protection, privacy law to prevent misuse of data

Trilegal co-founding partner Rahul Matthan has drafted a proposal for the department of personnel training to create an Indian privacy and data protection law that would regulate the storage and disclosure of personal information.

The approach paper requests views of the public and experts and sets out the issues involved in Indian privacy legislation.

Matthan told Legally India: “At this stage it is just an approach paper. But we hope that it will have the momentum to get converted into a bill sooner than later.”

Is there a need for privacy protection?

India does not currently have a general data protection statute. Nevertheless, the judiciary has derived a "right of privacy" from the rights available under Articles 19(1)(a) (the fundamental right to freedom of speech and expression) and 21 (the right to life and personal liberty) of the Constitution of India. However, all cases that deal with the right to privacy have been decided in the context of Government actions that resulted in private citizens being denied their right to personal privacy. No privacy judgment has granted private citizens a right of action against the breach of privacy by another private citizen. To that extent, the data protection and personal privacy jurisprudence in the country is not yet fully developed.

India is not a particularly private nation. Personal information is often shared freely and without thinking twice. Public life is organized without much thought to safeguarding personal data. In fact, the public dissemination of personal information has, over time, become a way of demonstrating the transparent functioning of the government. While many agencies of the government collect personal data, this information is stored in silos with each agency of the government maintaining information using different fields and formats. Government databases do not talk to each other and given how differently they are organized, the information collected by different departments cannot be aggregated or unified.

Data privacy and the need to protect personal information is almost never a concern when data is stored in a decentralized manner. Data that is maintained in silos is largely useless outside that silo and consequently has a low likelihood of causing any damage. However, all this is likely to change with the implementation of the UID Project. One of the inevitable consequences of the UID Project will be that the UID Number will unify multiple databases. As more and more agencies of the government sign on to the UID Project, the UID Number will become the common thread that links all those databases together. Over time, private enterprise could also adopt the UID Number as an identifier for the purposes of the delivery of their services or even for enrollment as a customer. Once this happens, the separation of data that currently exists between multiple databases will vanish.

Such a vast interlinked public information database is unprecedented in India. It is imperative that appropriate steps be taken to protect personal data before the vast government storehouses of private data are linked up and the threat of data security breach becomes real.

Similarly, private sector entities such as banks, telecom companies, hospitals, etc. are collecting vast amounts of private or personal information about individuals. There is tremendous scope both for commercial exploitation of this information without the consent/knowledge of the individual and for embarrassing an individual whose personal particulars can be made public by any of these private entities. The IT Act does provide some safeguards against disclosure of data/information stored electronically, but there is no legislation for protecting the privacy of individuals for all information that may be available with private entities.

In view of the above, the privacy of individuals is to be protected with reference to the actions of both Government and private sector entities.

Is there a need for such legislation?

Notwithstanding the concerns around the risks posed by this vast interconnected public information database, there are issues being raised about the need to even have legislation in the first place. The argument being made is that given the technical and highly dynamic nature of personal data, a heavy legislative approach is probably unwarranted. Instead, industry self-certification could achieve the same results without the downsides of putting in place a legislative and regulatory framework.

In order to implement this, various industry verticals would need to appoint independent certifying agencies to prescribe data standards and to oversee compliance with data protection principles. The system is voluntary but relies on peer pressure to ensure that conscientious corporations remain compliant with their obligations in order to continue to be accepted by their customers and business ecosystem.

While this suggestion does offer a lighter touch, it does not give the individuals, whose data is at risk, any form of legal remedy in case of a breach of their personal privacy by the self-certifying organizations. In the event any such organization commits a data breach, the individual whose data has been lost will have no legal recourse. Data protection can only be ensured under a formal legal system that prescribes the rights of the individuals and the remedies available against the organization that breaches these rights. It is imperative, if the aim is to create a regime where data is protected in this country, that clear legislation is drafted that spells out the nature of the rights available to individuals and the consequences that an organization will suffer if it breaches these rights.

It is possible to develop a hybrid approach where a statute is enacted to provide the contours within which all organizations, private and public, are to conduct themselves with regard to personal information that they collect. Industry associations could then define more detailed guidelines and practices that member organizations would need to follow with specific reference to the specific issues of that industry.

The full paper is available for download from the ministry’s website here.

Photo by alicia rae
