Wednesday, March 09, 2016

Elements for the proposed privacy law

by Vrinda Bhandari and Renuka Sane

In our previous blog article, we made the case for enacting a privacy law in India, as privacy is valuable for citizens in and of itself, and securing privacy strengthens democracy. Questions of privacy are back in the limelight with the proposed finance bill giving statutory backing to Aadhaar, and the fresh concerns about lacunae in its privacy provisions.

In the question of privacy, citizens need protection from the State and from firms. The latter has become a more important issue with the rise of big data. Some go so far as to see data as a new asset class, the equivalent of oil or gold. The case for a privacy law was also made by the 2012 Justice Shah Committee Report of the Group of Experts on Privacy, which relied upon a globally accepted set of privacy principles to form the foundation of a proposed Privacy Act in India. The principles are:

  • Notice: of information practices and during collection of information
  • Choice and Consent: provided to users through opt in/opt out provisions and taking consent only after proper notice has been given
  • Collection limitation: to limit the amount of information collected
  • Purpose limitation: which is similar to use limitation
  • Access and corrections: by users, of personal information held by data controllers
  • Disclosure of information: to third parties, after providing notice and obtaining required informed consent from the users
  • Security: safeguards to prevent unauthorised access, use, modification, de-anonymisation, disclosure etc.
  • Openness: of internal privacy policies and practices of data controllers in a transparent and accessible manner
  • Accountability: to ensure compliance with these principles

The principles in the Committee Report seem to have been accepted by the Government in a draft 2014 leaked version of the Privacy Bill (although, notably, this draft has not been made available online for perusal). In this (second) article, we present the critical components of a privacy law for India. Our next (third) article will apply these design principles to evaluate the Information Technology Act, 2000 (IT Act) in India.

Design elements of a national privacy law

Component 0: Objective of the privacy law

A discussion of the elements of a privacy law must begin with the objective that the law seeks to achieve. A privacy law must lay down the framework of how the public and private sector collect, manage, use and share personal information. Personal information is that which is about an individual, and through which the individual can be identified. Further, the law must provide for ways of dealing with inevitable conflicts between privacy and security.

Component 1: What is the value of personal data?

The law is shaped by the value we place on personal data. For instance, Article 8 of the European Charter of Fundamental Rights recognises an individual's right to the protection of personal data concerning him or her; the underlying premise of the Charter is that privacy is a comprehensive fundamental right. Since the Supreme Court of India is currently deciding whether privacy is a fundamental right, it becomes all the more important to express the value of privacy and personal data in our proposed law and connect it to Article 21 of our Constitution. The law should therefore address, either explicitly or implicitly, the value of personal data and the importance of privacy. However, it is important to recognise that while the right to privacy should include authority over personal data, it should not be limited to it. The right to privacy must be understood by using frameworks of dignity and liberty to extend it to the right to be left alone.

Component 2: What should be the scope and ambit of the law?

The law needs to address the question of what constitutes personal or sensitive data to which the law would apply. This definition should be wide enough to ensure the broad applicability of the law, and should be able to account for technological changes that enable indirect identification of an individual.

Section 1 and Section 2 of the Data Protection Act in England differentiate between personal data and sensitive data respectively. The latter includes an individual's political opinions, racial/ethnic origins, religious beliefs, physical/mental health conditions, commission or alleged commission of any offence, and membership of a trade union. The Act imposes additional conditions on the processing of sensitive personal data. The US, on the contrary, takes a slightly more restrictive approach, with very few Federal or State privacy laws defining personal information to include information that on its own does not actually identify a person.

In an environment such as India, with a high possibility of discrimination based on caste, religion, health outcomes (for example, having HIV), as well as sexual preferences (for example, homosexuality has as yet not been decriminalised), we propose that the law treat personal and sensitive data separately, as in the UK. Another reason is that in the US, different sectors have their own privacy frameworks, making it possible to have differential levels of protection depending on the area in question, whereas in India these would all fall under one comprehensive law. Sensitive personal data should be defined in an exhaustive and narrow manner and extend to passwords, financial and biometric information, medical records, political opinion, ethnicity/caste, sexual orientation, and religious beliefs. It should have stronger protections in terms of collection, use and consent. Although 'sensitive personal data or information' has been defined under the Information Technology Act (IT Act), the definition is fairly limited and has been criticised. Thus, as it currently stands, this definition should not be adopted in our proposed law.

Component 3: Whom should the law cover?

The scope of the national privacy law should make absolutely clear its territorial applicability and personal jurisdiction. Under EU law, the fundamental right of privacy covers all persons targeted by the State (through law enforcement/surveillance), irrespective of their nationality or domicile. However, under American law, foreign intelligence surveillance, whether the FISA (Foreign Intelligence Surveillance Act) or Patriot Act or Freedom Act, differentiates between US and non-US citizens, unlike American law governing ordinary criminal investigations.

In India, the draft 2014 Privacy Bill seems to have extended the right to privacy to all residents of India, unlike the 2011 draft, which limited its scope to Indian citizens. This expansive scope is consistent with the idea of privacy being a fundamental right emanating from Article 21 of the Constitution (which applies to all persons), and should be a part of the proposed privacy law. Even otherwise, given the inter-connected nature of most transactions and existing supply chains, it makes business sense if foreigners residing in India are entitled to the same privacy protections as Indian citizens.

Component 4: What principles should govern collection and retention of personal data?

A national privacy law should include a separate chapter on the responsibilities of the data controller (including government) while collecting, retaining, processing, and sharing data. This helps regulate and limit the scope of their seemingly unrestricted powers.

Schedule 2 of the UK Data Protection Act incorporates the Collection Limitation and Consent principle, which limits the collection of personal information and requires the consent of the data subject. The EU further incorporates data minimisation principles (through Article 6(1)(b) and (d) of 95/46/EC and Article 4.1(b) and (c) of 45/2001/EC) limiting collection of information to only what is relevant and necessary to accomplish a specified legitimate purpose. With respect to the retention of data, different countries and companies adopt different time limits, although the EU's 2015 Data Protection Reform has now added the right to be forgotten, which permits the deletion of data relating to an individual under specific circumstances.

In India, the proposed privacy law should also similarly incorporate such opt-in/opt-out principles relating to consent. It should also explicitly provide users with the right to withdraw consent, after which their data should be deleted from the system. Guidance can be taken from the EU to introduce the idea of proportionality and narrow tailoring of exceptions while balancing rights, and data minimisation principles. The privacy law should provide a minimum time limit for retention, while specifying the manner and format of preserving data. Specific provisions should deal with requests from law enforcement agencies, especially in the context of the recent Apple vs FBI debate and its implications for India.

While notice and consent are the bedrock of all privacy laws, they do not take into account consent in the context of changed privacy policies (as in Snapchat), or market failures arising out of cognitive biases inherent in understanding complex privacy notices and giving consent. Thus, the privacy law should focus on context and use frameworks that make privacy policies easier to read and accessible, and should deal with cases of changed privacy policies.

Component 5: How should data be used and processed?

With the rise in big data, data is collected both actively (e.g. when we provide it to use an app) and passively (e.g. our GPS tracking our location on Google Maps even without the internet), and can be stored easily and cheaply. This has resulted in a shift in the focus from Collection to Use Limitation, supported by a White House Report that advocates a framework built on the context and use of data, and on the code that operates on the data. The EU and Canada are attempting to tackle this problem by emphasising data protection by design and data protection by default, which rely on in-built data protection safeguards as companies' default privacy settings, instead of trying to achieve the same through compliance with regulatory frameworks.

Along with incentivising such design-oriented solutions, the proposed Indian privacy law should incorporate the principle of Purpose/Use Limitation and indicate the shift in the focus from Collection to Use limitation for the reasons outlined above. Although different rules may apply to private entities and the government intelligence apparatus, we do not endorse the draft 2014 Privacy Bill's seemingly complete exemption of the latter when they act in the interest of sovereignty, integrity, security or the strategic, scientific or economic interest of India. Such a blanket exemption undermines the right to privacy and precludes a judicial determination of balancing privacy with security concerns based on the facts of the case, which is especially dangerous given the government's extensive surveillance abilities.

Component 6: How should data be shared and transferred?

Along with regulating the collection, use, and retention of users' data, a national privacy law should also regulate how such data is shared with third parties, including those that are across national borders.

Indian privacy law should follow a similar rule of only permitting transfer of personal or sensitive personal data if the other body corporate or person adheres to the same level of data protection, and if the transfer is necessary or the user has consented to it. This will assure data subjects of the privacy of their personal data, regardless of whether the data controller holds it in India or transfers it to its servers across the world. The 2014 Privacy Bill seems to have a similar provision, which should be a part of the proposed national privacy law.

Component 7: What are the rights of users?

The proposed privacy law should also separately cover the rights of the data subjects, who are other important stakeholders in the privacy debate. Rights of data subjects should largely adhere to the Privacy Principles, and apart from those discussed above, should include data quality and integrity (along with concomitant rights of access and correction); data protection (to prevent unauthorised collection or use); and notification principles (of requests for accessing data, or regarding data breach). We specifically focus on three rights that are absent in the Indian context but should be part of our national privacy law.

  1. Data portability allows users to transmit their personal data across various service providers, as part of improving their access and control over their own data. This has the dual advantage of giving users flexibility and control while encouraging competition amongst service providers to introduce privacy-friendly policies.

  2. Data breach notification, which gives data subjects the right to know when their data has been hacked, through notification by the data controller to the consumer or the national supervisory authority. This allows data subjects to take immediate action to limit the damage and also seeks to prevent data controllers from covering up their mistakes.

  3. Access to (and correction of) personal data: this empowers data subjects by keeping them informed about where and how their personal data is being used. These rights also enable the confirmation of the veracity of the contents of the data and subsequent correction. Access and correction are especially important when we consider that apart from being processed by the particular data controller, the user's data is also being shared with third parties, and will thus enter multiple data systems. Incorrect data has serious implications, e.g. errors in financial records affect creditworthiness and the ability to secure a loan, and the law needs to provide methods of access and correction.

Component 8: What should be the supervision and redress mechanisms?

The enforcement (and impact) of a privacy law will depend on having proper safeguards to prevent unauthorised access/misuse/deletion etc. of data, and a grievance mechanism. In the UK, supervision occurs through the Information Commissioner's Office, which ensures that no personal data is processed without an entry in the register. In America, the Federal Trade Commission regulates industries within its jurisdiction, along with other sector-specific regulators such as the US Department of Health & Human Services, which examines complaints filed under HIPAA. In the EU, under the 2015 reforms a single supervisory authority will replace national level Data Protection Commissioners (who monitor the application of EC Directives in their jurisdiction) to facilitate ease of business across countries.

A strong supervision and enforcement system is necessary to make the guarantees of the national privacy law a reality and to ensure compliance. The 2014 Bill seems to focus on self-regulation and appointment of industry ombudsmen. We believe that such a law needs to be supplemented with a distinct redress mechanism system. The focus should be on strengthening civil remedies in the form of compensation to the data subjects for loss and fines imposed on the data controller for contravention of the law. At the same time, the role of such ombudsmen or Information Commissioners should not be monopolised by retired civil servants or judges. There should be cross-sector representation from civil society, academics, industry representatives and experts. The law should also be more narrowly tailored in its exceptions and should remove the complete exemption of government intelligence agencies, since that might only encourage mass surveillance in the ostensible name of security.

In our previous blog article, we made a case for enacting a privacy law in India. This article has examined the components of a privacy law. While there may be relative consensus on the adoption of the National Privacy Principles, translating them into specific provisions of the law entails considerable disagreement. This is further compounded by our poor drafting process (see here and here). The 2014 Privacy Bill takes a stab at drafting a comprehensive national privacy law, but the government, unfortunately, decided not to release the draft of the Bill to the public. In this context, we hope this article provides a starting point for such a debate.

Vrinda Bhandari is a practicing advocate in Delhi. Renuka Sane is a researcher at the Indian Statistical Institute, Delhi. The authors thank Nandkumar Saravade and Chaitanya Ramachandran for useful comments.
