1

The Privacy Bill, 2011

This briefing note contains a summary of the third working draft of the Privacy Bill, 2011 dated 19th April, 2011 which aims to create a statutory right to privacy in India. This note also contains an analysis and comments on the significant features of the enactment. It is important to note that the Privacy Bill, 2011 which as per media reports is to be introduced by the government in the next session of parliament has not been formally made public or a consultation process has been followed in its drafting. In case of any questions or comments please contact me at mail@apargupta.com. I would like to acknowledge the work put in by an Akansha Nehra, an intern at my office in making this note. 1. The Privacy Bill, 2010 : a broad level view a) It creates a statutory Right to Privacy by means of a broad definition and then creates specific of protections for it. Recognising the Right to Privacy not to be absolute, the Bill identifies various privacy breaches that are permitted. In the Bill, certain prohibited acts are also identified for which civil remedies as well as criminal sanctions are created. b) The government interception and telephone tapping mechanism is changed moderately from the existing system. The modification is with respect to several procedural safeguards which are put into place to avoid unauthorised and unnecessary tap orders. c) A regulatory mechanism is created through the Data Protection Authority of India. It will exercise supervision over private parties which will engage in the collection and storage of personal data. d) Further, in the system suggested, the Bill identifies specific officers/position holders in various entities (that may be involved in various breach of the right) who shall be held responsible, in case of any wrong act or any default. e) Disputes under the Bill will be referred to the Cyber Appellate Tribunal which has been set up under the Information Technology Act. These disputes are primarily in the nature of claims by individuals against private data controllers. 2. INDEX: CONSTITUENTS OF THE BILL The Bill contains fifteen chapters and ninety four sections and has been divided in the following manner Chapter I II Section Number 1, 2 3 Name Preliminary Right to Privacy

III IV V VI VII VIII IX X XI XII XIII XIV XV

4-13 14-23 24 25-26 27-28 29-31 32-42 43-48 49-62 63-66 67 68-84 85-94

Privacy of Communication and Prohibition from its Interception Procedure for Interception of Communication Prohibition of Surveillance and its Regulation Use of Photographs, Fingerprints, Body samples of persons, DNA samples, and other samples taken at Police Station Health Information Privacy Privacy relating to Data Obligation and Procedure for collecting or processing or using or disclosing data Residuary The Data Protection Authority of India Grants, Funds, Accounts and Audit and Annual Report Settlement of Disputes Offences and Penalties Miscellaneous

3. SCOPE OF RIGHT TO PRIVACY 1. Section 3(1) provides for the Right to Privacy and stipulates that every individual has a right to privacy and the same is subject to any law for the time being in force or an order of the Court. It is important to bear that this acts as an carve out since any the privacy right under the Privacy Bill which is created is subject to existing laws. The privacy rights are in addition to existing laws and not in derogation to them. Hence any existing law which is in conflict with any of the mandates of the Privacy right under Section 3 enjoys preference and legal validity. 2. Interestingly though, several laws have been made exempt from the privacy right under Section 90. Though ordinarily these laws would have been exempt as per Sec. 3(1), the draftsman seems to be leaving nothing to chance by excluding statutes such as the Right to Information Act; The Prevention of Corruption Act; from the ambit of the privacy right. It is also important to comment on a saving provision under Section 89, which makes space for any nature of right to be also included in the scope of the statutory right of privacy, which may be subsisting already. 3. Section 3(2) provides for an inclusive definition by providing for 12 kinds of manifestations of privacy, which are listed below:

a) b) c) d) e) f) g) h) i) j) k)

Confidentiality of communication Confidentiality of private/ family life Protection of honor and good name Protection from search, detention, or exposure of lawful communication between and among individuals Privacy from surveillance Confidentiality of banking and financial transactions Confidentiality of medical and legal information Protection from identity theft (criminal, financial, identity cloning, medical) Protection from use of photographs, fingerprints, DNA samples, and other samples taken at police stations or other places Privacy of health information Protection of data relating to an individual.

4. PRIVACY OF COMMUNICATION AND INTERCEPTION 1. After creating the right to privacy under Sec. 3(2), the Bill provides prescriptions for the confidentiality of communication and safeguards for their interception under Chapters III and IV of the Bill. It is important to bear that the privacy right in India is essentially a set of procedural safeguards. The more safeguards the stronger the privacy right. The expanse of the legal provisions recognises that the most prevalent privacy breach is with respect to the interception of communications. 2. The terms, confidentiality has been defined as, a process of sharing facts, ideas, opinions, thoughts, and information through speech, writing, gestures, sound, images, signals or pictures, graphs, symbols, diagrams between two or more individuals through telephonic conversations, radio messages, electronic mode (including internet or satellite) or postal letter or any other mode. Interception further has been defined as, undertaking the stopping of transmission of any communication, or interception or detention thereof (including tapping of the telephone conversation or copying of data). The interception safeguards are explained in a tabular form below:

Feature Privacy is not Absolute

Provision Section 4 stipulates the right of any citizen of India, to have his communication protected from interception. But, the same is not an absolute right and is limited by the provisions of the Bill under discussion.

Rule of Privacy

There are two conditions precedent to intercept a communication legally. Firstly, the conditions under Section 5(2) of the Indian Telegraph Act, 1885 must be satisfied.

Condition [Procedure] Secondly, an order must be issued by an officer not below the rank of Home Secretary [Ministry of Home Affairs, Government of India] and the Home Secretaries of the State Governments which records the satisfaction of these conditions. The provision applies to any surveillance. It also applies to activities incidental to interception. An exception is created with respect to the authorities that can make such an order, and it is permitted that this power can be delegated to another officer of a stipulated rank. Exception Further, in emergent situation (the kinds have been specified) interception can be made without an order under Section 5, after obtaining subsidiary approvals from the Central and the State governments (stipulated officers). Under Section 6(2), such subsidiary approval giving authority has to within 3 working days place the order before an appropriate authority and seek confirmation. Such authority should send a confirmation within 7 working days. If no confirmation is received, then the interceptions will have to be discontinued and any further interception will require permission of the Union Home Ministry or the State Home Secretary, as the case maybe. The system proposed by the Bill identifies two bodies. One is the Requisitioning Service Agency (Government) and the other is the Service Provider (the Telecommunications Company or the ISP). Each has been required to appoint nodal officers and the transaction of exchange of any information collected shall occur only between them. Strict guidelines are provided for such exchange, as the same has been asked to follow a method of exchanging appropriate acknowledgement letters, etc.

Application

Secondary Procedure

Deemed Discontinuance

System Employed

Liability of Service Provider

Further, the Service Providers have been placed with responsibility, as they have to every fifteen days submit a list of authorizations, to the Security agencies for confirmation of authenticity of the directions received by them. Further, stipulations are provided with respect to secrecy, maintenance of data, destruction of records etc. This will check unauthorized tap orders purportedly emanating from government as noticed in the recent decision of Amar Singh v. Union of India WP(C) 39/2006 (available at http://www.indiankanoon.org/doc/1082001/) . The authority must maintain the records of such orders, the intercepted communication, etc. The Order must contain appropriate details with respect to the communication being intercepted, the authority permitting the same, etc. The Bill provides that the option of intercepting a communication should be limited to that much as is necessary, 1 and that the said permission will cease to have effect on the expiry of 2 months, unless renewed.2 It also provides that if any other alternative mechanism exists to collect the said information, it should be used instead. The order or confirmation should be tabled before the concerned Review Committee, within one week, which should look into the relevancy of each order on its own motion.

Liability of Requisitioning Security Agency

Validity of Order

Review Committee

1 2

Section 9 Section 10(1)

The interception mechanism sought to be created by the Privacy Bill, 2011 is further explained below:

Centre Level Security Agency seeks Approval 2. 1. Emergent Situation

AUTHORITY1 3. Home Secretary, Ministry of Home Affairs, 4. Government of India

AUTHORITY2 Head or Second Senior Most Officer, Authorised Security or Law Enforcement Agency

Within 3 working days intimate about the interception Confirm such interception back within 7 working days
If NO Confirmation, Interception of NO EFFECT

Seek approval of Authority1 Order/Confirmation sent within one week Review Committee

Pass an order within 2 months With respect to relevancy of the order Pass directions for destruction of the record or continuation of the order

5. OTHER MANIFESTATIONS OF RIGHT TO PRIVACY Along with the provisions for the breach of communications privacy, the Privacy Bill, 2011 also prescribes various safegaurds for the other forms of privacy which are mentioned under Sec. 3(2). These forms of privacy as well as the permissible breaches are presented in the table below:

Kind of Right

Stipulations and Limitations The right identified herein is in the light of use of materials like photographs, Nature of Material fingerprints, DNA samples, of any citizen of India. The use of such material by another person User is the ambit of the said provision and includes Government officer as well. This is applied in context of revealing material (ones personal or private Nature of information) in public which will adversely Prohibited Use affect his right to privacy, such as to amount to a civil wrong. This rule is relaxed by stating that such materials maybe collected with the consent Permitted Use of the individual or if it is needed under any other law (such as the Code of Criminal Procedure, 1973). This is implied to be used for the purposes Procedure to be stipulated (by means of law or consent) and taken care of after such use should be destroyed or returned. Nature of This rule applies to collection of health Information information in respect of an individual The use that is being analysed under this User provision is by another person, including a Government officer as well. This is applied in context of revealing such Nature of health information in public which will Prohibited Use adversely affect his right to privacy, such as to amount to a civil wrong. Nature of Permitted The use that is permitted is by collecting Use with his consent or under any other law. This is implied to be used for the purposes Procedure to be stipulated by his consent and after such use taken care of should be destroyed or returned. The information collected by said means, the nature of use, duration of retaining of Without Consent such information, and manner of disposal shall be as per the law. Such information, collected by whatever Conditional Use means, should not be revealed to the public

Use of materials collected at a Police Station

Health Information Privacy

Privacy relating to Data

This provision covers such person which has a place of business in India or if does not have a business in India, but has a Data Category of User Using Equipment in India Persons not having business in India, shall nominate a representative for collecting/using/processing/disclosing data. Nature of Permitted May be collected with his consent or under Use the said Bill or any other law If the processing of data meant for transmission outside India is by using Nature of Use equipment located in India, solely for the Excluded purpose of such transmission, it is permitted. Any disclosure by a person of information (as stipulated under this kind) of a person Violation of right without his consent or not in accordance to privacy with any law, shall be violation of the Right to Privacy. 11 exceptions to this right have been provided for under which a person may Exceptions collect/process/use/disclose, under Section 30. Nature of Collectable Personal Data Restriction on Collection of Personal data Restriction on Processing of Data Data is a part of the public record, or has been made public by said individual Individual has consented on collection of such data from an alternative source (other than public records) If it is collected directly, appropriate details must be disclosed to the individual. It has been provided that the data must be collected for the purpose for which permission has been sought and in a fair, appropriate and lawful manner. In case of data processing for an Unsolicited Commercial Communication, the data subject has the right to make an application to the Data Controller to discontinue such processing. No individual can be coerced to disclose certain details as a pre-condition to the provision of goods or services, in addition to information that is needed to functionally provide it.

Right of a Data Subject in situation of Data Processing

Features

Residuary

Provisions

A separate category of sensitive personal data has been identified and the use of such data requires distinct permissions, etc. Further there are specific provisions for Data Retention, Data Security and its Breach, Data Access and its correction as well Chapter X acts as the Residuary manifestations of an individuals right to privacy, and provides for acts of maintenance of records, use and disclosure of information, etc.

6. BODIES UNDER THE PRIVACY BILL, 2011 1. Data Protection Authority of India The Data Protection Authority of India has been set up as a regulatory body to administer the Privacy right created under the Privacy Bill, 2011. The Bill provides for 13 functions that the Authority performs. These include, ensuring compliance with the provisions with respect to data under the Bill by the bodies to which it applies, monitor developments in science and technology and policy to keep them upbeat with the rights, maintain appropriate network with respect to data controllers and the Registry, to attempt to increase and spread literacy in this aspect and involve public and also includes its power to investigate any data breaches, etc. The Authority has power to pass three types of orders, those seeking, disclosure, inquiry or inspection. 2. National Data Controller Registry This is in the form of an online database in order to facilitate the efficient and effective entry of particulars by data controllers. A data controller has the permission to process any personal data of any data subject, only after the data controller has made an entry in the registry. The database shall contain details of the purpose with which a data controller seeks to process any data. This shall be available to public free of cost. Appropriate data protection protocols and correction procedure are proposed to be prepared. 3. Appellate Tribunal Civil disputes such as claims for compensation under the Privacy Bill, 2011 are proposed to to be reffered to the Cyber Regulations Appellate Tribunal which is established under Section 48 of the Information Technology Act, 2000. The jurisdiction of the Tribunal conferred under Section 67 of the Privacy Bill, 2011 confers two types of jurisdictions. Firstly, original jurisdiction with respect to any dispute arising between an individual and a data controller. Secondly appellate jurisdiction with respect to any appeal from any order or direction or decision of the Authority [Data Protection Authority of India]. It is of interest that this

10

Appellate Tribunal through this Bill will be given original jurisdiction where earlier it only sat as a court of appeal.

7. OFFENCES AND PENALTIES

Section

Provisio ns

Penalty Offence Offender

undertakes interception of any Communicatio n intercepts or has any personal information requests for such information on false pretence
Imprisome nt upto Fine upto Both

Other Details

68

69

Unauthorised Interception of Chap. III Communication and IV Disclosure of Intercepted Communication Chap. VIII Obtaining personal information on False Pretence

5 yrs

1 lakh

Both

3 yrs

50,000/-

Both

Exceptions

70

5 lakhs

From any person or Officer of the Government Conditions pertaining to maintenance of secrecy and confidentiality of information and unauthorised interception of communication Without Prejudice to liability under license or any other law For each surveillance Records which contain Individually identifiable Information or personal information

71

Chap. III and IV

Violation of conditions of License to Service Providers

Suspend/Revoke license
Service Provider

72

Chap. V

Undertaking surveillance in contravention of Section 24 Disclosure of other Personal Information

undertakes the surveillance Any officer or Employee of the Service Provider or the

5 years

1 lakh

Both

73 Chap.

5 lakhs

11

VIII

Government (who has possession of or access to Records of the Service Provider or Government

Information is such that disclosure is prohibited under this Bill or any other law or which affects the right of an individual

The offender knows disclosure is prohibited and wilfully discloses to one not entitled to know the same

74

Chap. VI

taking and using of photographs, fingerprints, DNA samples in public Not permitted declaration of Health Information

takes such material and uses them

of any Citizen of India

5 years

1 lakh

Both

75

Chap. VII

discloses it

6 months

1 lakh

Both

Information with respect any citizen of India (in contravention of provisions of this Bill)

Penalties Section With respect to Offence Offender 1st Time offence Second or Subsequent Offence [Extend to] Continuing Offence [For every day]

77

Chapter XI

Contravention of Directions of the Data Authority

Violator

1 lakh

2 lakhs

2 lakhs (for every day)

12

78

Chapter VIII

Data Theft

Person who (intentionally and without authorisation from Data Subject or Data Controller) acquires or gains access to any personal data Any person processing any personal data in contravention of Chapter II Any person processes personal data without first making an entry in the Registry

7 lakhs

10 lakhs

79(1) Unauthorised Processing of personal data

1 lakh

5 lakhs [For each subsequent offence]

Chapter IX 79(2)

5 lakhs

80

Chapter X

Contravention of Chapter X

1 lakh

5 lakhs [For each subsequent offence]

8. REMEDIES UNDER THE BILL The Bill recognises the right to privacy, in its various ambits. Hence, it also provides what all can be pursued in case of its violation. The following remedies are available to an aggrieved person. a) Compensation Any person who suffers damage can claim for compensation any damage caused to him by any data controller, under section 76. The damage must be due to any contravention on part of the data controller. Here it is sought to be clarified that the amounts described in the table are with respect of penalties. These penalties operate as fines. They are intended to deter illegal conduct. However, compensation which is provided under Sec. 76 acts as a remedy aims to restitute the loss of the person complaining of damage. b) Civil Remedies

13

Section 84 provides that the individual, whose right to privacy has been adversely affected, may bring a civil action against such persons have caused such violation. This is addition to any criminal proceedings existing against such person (violator). c) Criminal Remedies Chapter XIV provides for various offences that may be committed under the nature of right provided for under this bill. But, the rider is provided for under Section 82, where any Court may take cognizance of offence under this Bill, solely on the compliant made by the Authority.