Let's Build a Responsible Cyber Society



Privacy Concerns in Indian IT law

The 18th annual Computers, Freedom and Privacy (CFP) Conference was held in the United States between May 20th and 23rd and focused on Technology Policy Issues. Policies ranging from spyware and national security, to ISP filtering and patent reform, e-voting to electronic medical records, and more was addressed by expert panels of technologists, policymakers, business leaders, and advocates.

It is reported that during the conference a discussion arose on the Indian Information Technology Act 2000 (ITA 2000) and the polices for protection of Privacy in India. The immediate provocation for the discussion was the demand made by the Indian Government on Black Berry managers (Research in Motion-RIM, a Canadian Company) for providing  access to the decryption of the data under transmission. According to the earlier indications, Indian Government has demanded that the servers of Black Berry should be in India and it should have an access for decryption of data.

Status of Privacy Law in India

 In India, there is no specific law for privacy protection. We derive privacy protection right from Article 21 of the Constitution which provides the right to any citizen for "Civil Liberty". It states that "No person shall be deprived of life or personal liberty except according to procedure established by law". The Supreme Court has interpreted this article as to provide a right to privacy to the citizens.

But some legal experts feel that this provision only provides a right against the Government and is not a general provision that can be considered as providing "Privacy Protection". Hence they are demanding for  a "Data Protection" legislation either as a part of ITA 2000 or otherwise.

Under ITA 2000, Section 69 provides a right to intercept electronic information and order decryption in national interest. This right is given to the "Controller of Certifying Authorities" (In the proposed amendments, CERT is designated as the authority for this purpose) who has to record his reasons in writing. Failure to comply can result in imprisonment up to 7 years. Liability for Financial compensation is also provided under Section 44 for non compliance.

This section came in for specific criticism in the CFP 2008. Even Section 80 of the Act which provides powers to the Police for search and arrest without warrant also seems to have come in for critical remarks at the CFP.

However, it is necessary to recognize that India does have some provisions of Cyber Crime law which is also available for privacy protection. For example, under Section 66 of ITA 2000, "Diminution in value of information residing inside a computer resource" is punishable with imprisonment upto 3 years. Here, "Diminishing the value" is to be implied when "Sensitive Private Data" is compromised. Similarly provisions of Section 43 of the Act can be claimed by a victim to seek compensation for unauthorized access of his private data.

These provisions can be used both against private persons as well as the Government agencies subject to the limitations imposed by the operation of Section 69. Note that there is accountability for the Controller since he has to record his reasons in writing before using his powers under this section. Also the provisions of Section 80 also has certain limitations built in since it does not provide any powers to the Police in a "Private" place.

These provisions which can be interpreted as safeguarding the privacy protection rights are however not widely recognized for their "Privacy Protection Potential" and hence has escaped the attention of the CFP.

Action Required

What is required now is to ensure that these legal provisions are applied properly and not misapplied as in the case of a techie in Bangalore who was arrested by Pune Police for a defamatory remark alleged to have been posted on a social networking site. (In this case the Police also arrested a wrong person due to a wrong interpretation of IP address by the ISP). There has been other instances of Police mis-interpreting law to book cases under section 67 of ITA 2000 calling certain documents "Obscene" when it was not in fact so. There has been one such case in Bangalore where a techie is being harassed for over 6 years by what appears to be a false accusation.

At the same time genuine complaints of "Privacy Invasion" or "Data Misuse" or often turned away as not falling under ITA 2000.

These are and should be the concerns of the Privacy Protection Brigade in India. It is not the law to be blamed but the slack implementation. Hence, if there are people in India who want to work in the sphere of improving the privacy rights of individuals, they should set up programmes to ensure that the "Complaint Registration mechanism" and "Pre Trial investigation process" of the Police is brought under suitable disclosure and monitoring norms.

One such suggestion is an overhauling of the "Complaint Registration Mechanism" at the Police Stations aimed at "Transparency" and "Accountability". 

To start with,  there should be an online complaint lodging mechanism which should create a public database of complaints lodged at Police Stations (Whether registered or not), the reasons for non registration if any, and a status report (Without affecting the confidential nature of investigations).

One fear of such disclosures is the possibility of nuisance complaints and tarnishing of image of honest persons. These were the same reasons under which the efforts of the Chief Vigilance Commissioner of India to place names of allegedly corrupt persons on a website was opposed a few years back.

The fear is of course genuine. However if along with every complaint, the defense statement is also displayed on the web, the negative effect can be reduced. Further, any irresponsible complaint can be made a subject matter of a defamation liability or an automatic fine. Further,  a remark about the past "Failed Complaints History" of the complainant may also be provided on the web itself so that readers can themselves evaluate if the complaint is genuine or not before a final verdict comes up.

I suggest therefore that contrary to the indications provided at CFP 2008, what we need in India for Privacy Protection is not to  attack the law but to bring about a change in the process of law implementation.

Can we hope for some reformations voluntarily from the Police at least in some progressive state in India?


June 8, 2008