Inviting Participants for a roundtable discussion on ” Privacy & Data Protection”

INBA has taken the lead to prepare a response as Invited by the Justice Srikrishna Committee on the recent White Paper on Data Protection.

INBA along with DMA is set to organise a round table meet on the theme of Data Protection and Privacy on 22nd December 2017 (Friday) at DMA conference hall, India Habitat Centre Lodhi Road, New Delhi

Right to Privacy: 5 bills yet no law, how Parliament has dealt with personal data protection

At least five bills by private members were tabled in Parliament over the years seeking protection of privacy of an individual. But, no specific privacy law is in place. The last bill was introduced by Baijayant Panda of the BJD earlier this year . IT Act, 2000 is the only law expressly dealing with Right to Privacy.

Despite several private member bills, Parliament has not yet enacted any specific law defining privacy and providing protection against breach of privacy of individuals in India. The Privacy Bill, 2011 was drafted by the UPA-II government but was hanging fire since then.

History of PRIVACY BILLS IN PARLIAMENT

The latest Bill was introduced in Parliament by BJD’s Baijayant Panda proposing to bring privacy under the ambit of legislation. This was not the first Bill on privacy introduced in Parliament. Panda himself had introduced a Bill in 2009 before the UPA-II drafted its Privacy Bill.

Panda’s latest attempt through the Data (Privacy and Protection) Bill, 2017 is pending before the Lok Sabha. His previous private member bill was titled the Prevention of Unsolicited Telephonic Calls and Protection of Privacy Bill. It aimed at protecting individuals from receiving unsolicited telephone calls by tele-callers on behalf of business promoters.

The 2009-private member bill tried to define privacy stating that “every person shall have the right to privacy and freedom to lead and enjoy his life without any unwarranted infringement.”

Apart from Panda, Rajya Sabha MP Rajeev Chandrasekhar had tabled a privacy bill in 2010. Two more bills seeking to secure citizen’s private data were introduced in 2016 by Trinamool Congress Rajya Sabha MP Vivek Gupta and BJP Lok Sabha MP Om Prakash Yadav. But, none of the privacy bills had secured the nod of Parliament.

Panda’s Bill is different from the rest in the sense that it seeks to make the consent of an individual for collection and processing of personal data mandatory. The Bill states that the individual will have the sole right and the final right to modify or remove personal data from any database, public or private. Panda’s Bill seeks to deal the “exceptions” to the right to privacy to be considered on case-by-case basis.

EXISTING LAW ON PRIVACY

In the absence of a specific law on privacy, this right is legally viewed under the Information Technology Act, 2000. The Act has some express provision guarding individuals against breach of privacy by corporate entities.

The Act was amended in 2008 by the previous UPA government to insert Section 43A which made the companies compromising sensitive personal data liable to pay compensation.

Exercising its powers under Section 43A of the IT Act, 2000, the government framed eight rules to protect privacy of an individual. These all relate to seeking permission by a company before accessing privacy data of individuals and fixing liabilities for violation of the same.

Beyond this, the right to privacy is dealt with under Article 21 of the Constitution. The Supreme Court in its historic verdict on August 24,2017 declared the right to privacy as part of the right to life and personal liberty guaranteed under Article 21.

PRIVACY BEFORE SUPREME COURT JUDGMENT

Two years after referring the right to privacy question to the Constitution Bench, the Supreme Court on August 24,2017 declared privacy as a fundamental right. In August 2015, while hearing the Aadhaar case, the Supreme Court had decided to settle the question that had been popping up before it since 1954.

In 1954, an eight-judge bench in MP Sharma vs Satish Chandra case and in 1962 a six-judge bench of the Supreme Court in Kharak Singh vs State of Uttar Pradesh case had equated the right to privacy with right to personal liberty but rejected its status as fundamental or constitutional right.

The Supreme Court followed the same principle while overruling the Delhi High Court judgment that decriminalized homosexuality. The Delhi High Court had ruled reading down of a provision in the IPC Section 377 that makes the act a crime upholding the right to privacy. But, the apex court upheld the Section 377 of the IPC stating that framing laws did not come under the jurisdiction of courts.

But, now the Supreme Court has settled the principle declaring privacy as the fundamental right. Parliament will now have to make a law on Right to Privacy.

CHALLENGES BEFORE PARLIAMENT

After the Supreme Court declared privacy a fundamental right, it is left to Parliament to define what constitutes privacy under the ambit of right to life and personal liberty.

Parliament will also have to define reasonable restrictions in the case of right to privacy as it involves, already pointed out by intelligence agencies, the issues of national security.

With these restrictions, defining privacy is going to be big challenge for the parliamentarians. “You cannot define right to privacy in absolute terms. Codification of right to privacy right will be a big problem. It will be a challenge for Parliament to accurately define what constitutes privacy,” .

“The Supreme Court has just set the principle that privacy is a fundamental right. There is a long way to go and legislators have a tough job on their hands. This can be compared with the Supreme Court verdict wherein it defined legal aid as fundamental right. The court had held that right to life means having a dignified life and stated that legal aid is essential to achieve this in certain cases,”.

“Privacy is a matter of illustration and interpretation. It is not a close ended right rather an open ended right. It will take time before the nature of the right to privacy settles down. It will have to pass the test of reasonable restrictions when it is codified,” .

Under the existing provisions of the Constitution, the fundamental rights are subject to following reasonable restrictions:

Security of State
Friendly relations with foreign states
Public order
Decency or morality
In relation to Contempt of Court
Defamation
Incitement to an offence
Sovereignty and integrity of India

While as India debates privacy as a right, a look at how the world views it.

During the course of hearing, senior lawyer Kapil Sibal, representing the states of Karnataka, West Bengal and Puducherry in the privacy debate, argued that while privacy is not mentioned in the Constitution of United States of America and Australia, it is treated at par with a fundamental right.

Petitioners have argued in the Supreme Court that while the word ‘privacy’ is not mentioned in the Constitution, fundamental ideas of liberty and freedom cannot exist without privacy.

UNITED STATES OF AMERICA

Privacy is not exactly mentioned in the Constitution of the US, but the Fourth Amendment to the Constitution is largely seen as the one protecting the right to privacy.

The Fourth Amendment to the Constitution of United States states that “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized”.

Post WikiLeaks, concerns over privacy and data protection have seen a rise in US. According to a November 2014 study by Pew Research Centre on ‘Public Perceptions of Privacy and Security in Post-Snowden Era’, 91 per cent of the adults it surveyed agreed that consumers have lost control over how personal information is collected and used by companies.

EUROPE

The EU Data Protection Directive, adopted by the member countries of the European Union (EU) in 1995, looks after protection of personal data and regulates free movement of such data.

The European Commission is now bringing a new set of rules on data protection which will be enforced by the member countries of the European Union by May 2018.

The objective of the new rules, according to the European Commission, is to give citizens control over their personal data, and to simplify the regulatory environment for business.

Besides, Article 8 of the European Convention of Human Rights (ECHR) guarantees right to respect for private and family life. All members of the European Union are signatories to the ECHR.

The Article states, “There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”.

AUSTRALIA

The Privacy Act, 1988 regulates handling of personal information about individuals. The Act includes 13 Australian Privacy Principles (APPs), which regulate the use and access of personal data.

A nine-judge Supreme Court bench unanimously held that privacy is a fundamental right and protected under the Constitution of India.

In a landmark and historic judgment, a nine-judge bench of the Supreme Court on August 24,2017 unanimously declared right to privacy a fundamental right under Article 21 of the Constitution, setting off far-reaching implications in terms of law and citizenship .

A nine-judge Constitution bench headed by Chief Justice JS Khehar ruled that “right to privacy is an intrinsic part of Right to Life and Personal Liberty under Article 21 and entire Part III of the Constitution”.

The nine judges also unanimously overruled the two earlier judgments of the apex court that right to privacy is not protected under the Constitution: the MP Sharma verdict of 1950 and that of Kharak Singh of 1960.

The contentious issue of privacy had emerged when the apex court was dealing with a batch of petitions challenging the Centre’s move to make Aadhaar card mandatory for availing the benefits of various social welfare schemes.

There has, however, been no Supreme Court ruling specifically on Aadhaar . The verdict, however, could derail the world’s largest biometric identification programme that the government has been pushing for a while.

WHAT THE LANDMARK VERDICT MEANS:

The verdict would have a bearing on the challenge to the validity of the Aadhaar scheme on the grounds of its being violative of the right to privacy.
The verdict is also likely to have a bearing on the challenge to WhatsApp’s new privacy policy. The top court is hearing a challenge to the Delhi High Court’s September 23, 2016 order by which it allowed WhatsApp to roll out its new privacy policy but stopped it from sharing the data of its users collected up to September 25, 2016, with Facebook or any other related company.
The petitioners, who argued for privacy, had contended that the right to privacy was “inalienable” and “inherent” to the most important fundamental right which is the right to liberty.
They had said that right to liberty, which also included right to privacy, was a pre-existing “natural right” which the Constitution acknowledged and guaranteed to the citizens in case of infringement by the state.
The batch of petitions had challenged the mandatory use of Aadhaar cards as an infringement of privacy. There have also been concerns over data breach.
The Centre had termed privacy as a “vague and amorphous” right which cannot be granted primacy to deprive poor people of their rights to life, food and shelter.
The Attorney General of India had contended that right to privacy cannot fall in the bracket of fundamental rights as there were binding decisions of larger benches that it was only a common law right evolved through judicial decisions.
In a survey conducted earlier this year with over 10,000 people, a majority of citizens had showed concerns about the privacy of their data and said that a law was needed to regulate it.
Those surveyed said they are concerned about the privacy of their data, especially in this digital age and 89 per cent of them voted in favour of a privacy law, according to a survey conducted by citizen engagement platform Local Circles.
People showed major concern about the leaking of Aadhaar details, duplicate PAN cards being issued, mobile numbers and email addresses being sold by vendors, credit cards being hacked due to personal information being easily available in the market and the like.

White Paper on Data Protection framework for India – Public Comments invited

Government of India has constituted a Committee of Experts under the Chairmanship of former Supreme Court Justice Shri B N Srikrishna to study various issues relating to data protection in India and make specific suggestions on principles to be considered for data protection in India and suggest a draft Data Protection Bill. The objective is to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.”

Instrumentally, a firm legal framework for data protection is the foundation on which data-driven innovation and entrepreneurship can flourish in India. Fostering such innovation and entrepreneurship is essential if India is to lead its citizens and the world into a digital future committed to empowerment, experiment and equal access.

A White Paper has been drafted to solicit public comments on what shape a data protection law must take. The White Paper outlines the issues that a majority of the members of the Committee feel require incorporation in a law, relevant experiences from other countries and concerns regarding their incorporation, certain provisional views based on an evaluation of the issues vis-à-vis the objectives of the exercise, and specific questions for the public. On the basis of the responses received, the Committee will conduct public consultations with citizens and stakeholders shortly to hear all voices that wish and need to be heard on this subject.

Srikrishna Panel Releases White Paper For Stakeholder Views On Data Protection [Read White Paper]…

The Justice B N Srikrishna Committee, formed to draft a data protection and privacy Bill, in a white paper on 27^th November,2017 & suggested setting up a data protection authority, data audit, registration of data collectors, enacting provisions for protecting children’s personal data, defining penalties and compensation in the case of a data breach.

The committee, studied the privacy and data protection laws of many countries, including the US, Singapore, Australia and the EU, has released an over 200-page document inviting comments from the public on various issues such as the definition of personal data and proposed penalties for misuse of data. The deadline for sending feedback is December 31, implying the government is unlikely to table a data protection Bill in the winter session of Parliament.

The Committee, which has met thrice since its formation, is of the opinion that both the government and the private entities be brought under the ambit of the proposed law. At present only private or corporate entities are governed by the Reasonable Security Practices and Sensitive Personal Data or Information Rules under the Information Technology Act.

The Committee appears to be taking a middle path between the EU privacy law, where protection of personal data is equated with protecting the fundamental right to privacy, and the US law, which focuses on protecting the individual from excessive state regulation.

The Committee has divided the white paper into three substantive parts, including scope and exemptions; grounds for processing, obligation on entities and individual rights; and regulation and enforcement. The Committee is of the view that certain exemptions should be granted by law for collecting information for investigating a crime, apprehension or prosecution of offenders, and maintaining national security and public order. But the paper stated, “An effective review mechanism must be devised.”

The panel suggested strict penalties be imposed on data controllers in cases of violation. “A civil penalty of a specific amount may be imposed on the data controller for each day such violation continues, which may or may not be subject to an upper limit. An upper limit may be a fixed amount or may be linked to a variable parameter, such as a percentage of the annual turnover of the defaulting data controller,” the paper read

In a Nutshell the White Paper lays down the following seven principles on which the data protection framework in India must be based:

Technology agnosticism– The law must be technology agnostic. It must be flexible to take into account changing technologies and standards of compliance.
Holistic application– The law must apply to both private sector entities and government. Differential obligations may be carved out in the law for certain legitimate state aims. …
Informed consent– Consent is an expression of human autonomy. For such expression to be genuine, it must be informed and meaningful. The law must ensure that consent meets the aforementioned criteria….
Data minimization– Data that is processed ought to be minimal and necessary for the purposes for which such data is sought and other compatible purposes beneficial for the data subject. …
Controller accountability– The data controller shall be held accountable for any processing of data, whether by itself or entities with whom it may have shared the data for processing. …
Structured enforcement– Enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity. This must coexist with appropriately decentralized enforcement mechanisms. …
Deterrent penalties– Penalties on wrongful processing must be adequate to ensure deterrence….