While the controversial Aadhar Bill has been passed in Parliament, debates on whether it is a money bill at all, and on inadequate privacy protections in the Bill continue. The most recent laws in India around privacy and data protection are the provisions of the Information Technology Act 2000 (IT Act) and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (2011 Rules). It is likely that if privacy protections in the Aadhar Bill are redrafted, the provisions of the IT Act would be used as a reference.
This worries us. In our previous articles on this blog, we have made a case for the need to enact a comprehensive national privacy law and sketched the design elements of such a law. In this article, we evaluate the IT Act provisions against these design elements. This analysis has valuable implications in three directions: (a) It helps us think about amendments for the Aadhaar Bill, 2016, which would strengthen privacy; (b) This helps us understand the flaws in the IT Act and in the 2011 rules, which need to be fixed, and (c) This helps us think about the future legislative journey of the Privacy Bill of 2014.
We will now walk through the design elements of a privacy law, and use that conceptual framework to analyse the IT Act and the 2011 rules.
Component 0: Objective of the privacy law
While the IT Act does not exclusively deal with the right to privacy, the 2011 Rules lay out a framework to govern the collection, management, use, and sharing of personal data or sensitive personal data or information (SPDI). Currently, these are the most detailed provisions relating to personal data in India, although, as we will discuss, there are many shortfalls.
Component 1: What is the value of personal data?
A well-designed privacy law should indicate the value it places on privacy and personal data. The 2011 Rules under the IT Act do not recognise that a right to privacy applies to every individual. They also do not articulate the value of the right itself. What this implies is that when there is a security-privacy conflict, as is inevitable, the government can easily disregard the privacy of individuals by citing public interest or security considerations.
One of the main reasons behind the recent Apple vs FBI standoff in the US is that the FBI's law enforcement arguments are being countered by referring to the importance of the right to privacy in American law and jurisprudence, and how accessing mobile phones is equivalent to accessing an individual's 'innermost thoughts and private affairs'. In India, however, it is likely that in such a similar situation, law enforcement priorities would prevail.
Component 2: What should be the scope and ambit of the law?
As explained in our previous post, good design principles require a privacy law to properly define personal data and SPDI, and treat them both separately.
Section 43A of the IT Act, introduced in 2009, deals with security practices and procedures relating to possessing, dealing or handling of any SPDI by body corporates. It thus only seems to apply to SPDI, and not personal information more generally. A conjoint reading of the IT Act and the 2011 Rules, however, creates a slight ambiguity. While Section 43A only mentions sensitive personal data, the Rules drafted thereunder define both 'personal information' (Rule 2(1)(i)) and SPDI (Rule 3) separately. However, the Rules seem to use these terms interchangeably - thus, Rule 4 mandates body corporates to provide a privacy policy for both types of information, whereas Rules 5(1) and (4) on the collection of information and Rule 6 on disclosure only focus on sensitive personal data. Moreover, clarifications issued by the Government in May and August 2011 through a Press Note stipulate that the intent of the Rules is to 'protect sensitive personal information'. Thus, the law does not clearly indicate whether, and if so, how, it treats personal and sensitive personal information separately.
Moreover, the definition of SPDI is fairly limited - while extending to passwords, financial and biometric information, medical records etc., it excludes email/home addresses, electronic communication records, political opinion, ethnicity/caste, religious beliefs, and user details (the last was included in a previous draft). Even the terms it includes, such as 'biometric information' are left undefined. In fact, Rule 2(1)(b) defines 'biometrics' in terms of technologies analysing human body characteristics, but is silent on what constitutes biometric information.
Component 3: Whom should the law cover?
A well-designed privacy law should extend to all residents of India and should be enforceable against the public and private sector. Section 43A (and the 2011 Rules) apply to 'body corporates', requiring them to maintain reasonable security practices and procedures while possessing, dealing or handling any SPDI in a computer resource.
Section 43A defines 'body corporate' in a manner that excludes any government agencies or non-profits. Such a blanket exemption is unwelcome, especially in the backdrop of the Aadhar Bill of 2016, whose privacy protections are inadequate to ensure the accountability of the government (which is in charge of the largest personal data collection effort in human history). For instance, Section 29(4) of the Bill creates a vaguely worded exception to the prohibition against making an Aadhar number or core biometric information public except for purposes as may be specified by regulations. Governments and charities should also be covered under the ambit of the IT Act.
Component 4: What principles should govern collection and retention of personal data?
The proposed privacy law should incorporate principles relating to consent and specify time limits and methods for retention and preservation of data.
Rules 4 and 5 of the 2011 IT Rules incorporate the Choice and Consent principles, allowing users to opt-in/opt-out and even withdraw consent. However, there is currently no statutory definition or guidance dealing with data minimisation and proportionality (when there are conflicting rights). Further, since Rule 5 only governs the collection of SPDI, there is seemingly no requirement of consent for the collection of personal information, which is information capable of identifying any individual.
Retention of data is governed under Section 67C of the IT Act, which requires intermediaries (such as Facebook or Twitter) to preserve and retain certain information for certain duration and in a certain manner, as prescribed by the Central Government. Unfortunately, the government has failed to notify any Rules in this regard, and thus time limits for retention of data are currently completely voluntary in India. Further, Rule 5(4) of the 2011 IT Rules only directs body corporates to not retain sensitive personal data for 'longer than is required', and does not extend to the retention of 'personal information'. Thus, all data controllers are permitted to retain personal information regarding the data subjects for long after the specified purpose for which they were collected end. This undermines the importance of the right to privacy.
Component 5: How should data be used and processed?
A well-designed privacy law should indicate a shift to context and use frameworks and incorporate the idea of privacy by design.
The 2011 IT Rules contain this principle of Purpose/Use Limitation through Rule 5(5), which only permits using the information for the purpose for which it was collected. However, Rule 5(5) does not require a company to notify the data subjects if it changes its purpose, nor does it require destruction of data/personal information after the specified purpose is over. On the whole, the Act and the Rules seem to emphasise the importance of collection limitation more than use limitation.
Component 6: How should data be shared and transferred?
Another important design principle involves the regulation of sharing (disclosure) and transfer of personal and sensitive personal data to third parties and across borders. Like much else, Rule 6 of the 2011 Rules only governs the disclosure of SPDI and requires prior permission from the 'provider of information'. However, this is an undefined term, which can include either the original data subject, the intermediary, or a third party who is selling the SPDI further, thus introducing ambiguity in the law.
Rule 7 of the 2011 Rules allows transfer of SPDI within or outside India only if that body corporate or person adheres to the same level of data protection, if the transfer is necessary for the performance of a lawful contract or country or the user has consented to such transfer. This is consistent with international privacy principles and is welcome.
Component 7: What are the rights of users?
In our previous post, we specifically discussed incorporating three rights - of data portability, data breach notification, and access and correction of data. While the IT Act does not confer data subjects with the first two rights, Rule 5(6) of the 2011 Rules permits the (undefined) 'providers of information' to review and correct any personal information or SPDI. This lack of definition becomes problematic when one considers that if the phrase is interpreted to include an intermediary or third party, the data subject will be unable to exercise this valuable right of access and correction.
Component 8: What should be the supervision and redress mechanisms?
Security, Openness and Accountability principles require a privacy law to have proper supervision and redress mechanisms. India currently lacks any such strong regulator, privacy or data Commissioner or Ombudsman. Aggrieved users only have the option of approaching the consumer courts or proceeding under Section 43A of the IT Act (for negligent security practices causing wrongful loss or gain to a third party) before an Adjudicating Officer, who can only hear disputes less than Rs. 5 crore. Rule 5(9) of the 2011 IT Rules also envisage the appointment of a Grievance Officer by body corporates. However, in reality such an officer is an 'invisible man', considering that the Rules are silent about his minimum qualifications, duration, tenure, powers, and manner of reaching a decision, and no right of appeal is prescribed. Even the civil remedies prescribed under the IT Act are not easily enforceable. For instance, Section 48 provides for the establishment of multiple Cyber Appellate Tribunals, for appeals against the order of an Adjudicating Officer. Currently, only one Cyber Appellate Tribunal has been set up in Delhi and even that has been defunct since 2011, when the previous Chairperson retired. In fact, the last decided case seems to be of 30th June 2011, bringing to light the stark inefficiencies of the functioning of the IT Act.
Conclusion
This post has evaluated the functioning of the IT Act on the design principles elaborated by us previously. The IT Act and the 2011 Rules are probably the most comprehensive legislation currently in India regulating personal data and SPDI. However, as demonstrated, they are seriously inadequate. We believe that the government should learn from the experience of the IT Act to improve the IT Act, the Aadhar Bill and the upcoming national Privacy Act.
Vrinda Bhandari is a practicing advocate in Delhi. Renuka Sane is a researcher at the Indian Statistical Institute, Delhi. We thank Pratik Datta for useful comments.
No comments:
Post a Comment
Please note: Comments are moderated. Only civilised conversation is permitted on this blog. Criticism is perfectly okay; uncivilised language is not. We delete any comment which is spam, has personal attacks against anyone, or uses foul language. We delete any comment which does not contribute to the intellectual discussion about the blog article in question.
LaTeX mathematics works. This means that if you want to say $10 you have to say \$10.