Recommendations for Modifications to Personal Data Protection Bill 2006

By
Naavi

(Version 1)

[On October 17, 2008, as a part of the celebration of Digital Society Day 2008, a seminar on “Privacy Rights and Data Protection” was organized in Bangalore by the Digital Society Foundation of India, the Karnataka Institute for Law and Parliamentary Reform and KLE Society’s Law College, Rajaji Nagar, Bangalore. The seminar was attended by law professors, students, advocates, IT professionals and Police officers. The seminar discussed the various issues surrounding Privacy rights and Data protection legislation and practice in India. In particular, the draft of the Personal Data Protection Bill 2006, which is before the Indian Parliament, was discussed in detail to identify the suggestions that can be made to amend the proposed legislation where required. The following note captures the views of Naavi in this regard, as presented during the seminar. The annexure contains the material distributed to the participants. Naavi]

Section 2(c) may be modified as follows:

“personal data” means data which relate to any individual, living or dead, from which the person holding the data can identify the individual with or without any information already in his possession, and includes the Name, Address, Telephone Number, e-mail address, PAN card number, Driving License Number, Employee ID number, IP address, etc.

The following subsections are to be added to Section 2.

(f) “Sensitive Personal data” means any personally identifiable data pertaining to the health, financial position, legal aspects, religious or political beliefs, or such other class of data that may be notified from time to time, including e-mail address, IP Address, telephone/mobile number, MAC address/IMEI number, PAN Card Number, CVV Number of a Credit card or such other identifiers notified for such purpose, and does not include data which is “De-identified” in such a manner that it is not possible to identify the individual to whom the data belongs.

(g) “Data Subject” means the individual to whom the sensitive personal data belongs or his legal representative.

(h) “Data Processor” means any individual or organization whether private or Government which processes sensitive personal data.

Section 3 shall be modified to include: “…and such other agencies or purposes which may be notified by the National Data Controller in public interest.”

Section 5 shall be modified to include:

Every person whose personal data or details have been processed or disclosed for direct marketing or for any commercial gain or for the purpose of harassment, or with any other criminal intention, without consent shall be entitled to compensation for damages in such manner as may be prescribed.

Section 5 should also include a clause on “Mandatory Disclosure” under which the data processor is mandated to disclose information in the interest of the Nation to an appropriate authority.

Section 9 shall be modified to introduce graded punishments, from fine only to fine and imprisonment up to 7 years, depending on the gravity of the offence, its repetitive nature and the malicious intentions of the offender.

Section 11 shall be modified either to remove the words “Shall be tried summarily”, or the imprisonment term under Section 9 shall be reduced to 2 years instead of 3 years, to avoid conflict with Section 260 of the CrPC.

Section 10 shall be suitably modified to state that “Company” includes persons or organizations defined as “Intermediaries” under the Information Technology Act 2000. It may also be stated, by way of explanation, that this section overrides the provisions of Section 79 of the Information Technology Act 2000.

Section 6 shall be modified as follows:

“The appropriate Government shall, by notification in the Official Gazette, appoint a National Data Controller and as many Data Controllers as may be necessary for overseeing complaints relating to the processing and disclosing of personal data and claims for compensation …”

The following sections may be added at the appropriate place:

(X-1) Any person collecting sensitive personal data shall disclose the purpose of collection to the data subject, shall use the data only for such purpose, and shall take such steps as may be necessary to provide an option for the data subject to opt out of the information collection system, protect the data while in his possession, ensure that the data is accessed by persons only on a “need to know” basis, and remove the data or archive it at a safe location after the purpose for which it was collected has been fulfilled. All data processors shall disclose a “Privacy Policy”, a copy of which is made available to the data subject. Whenever the policy document is modified, the data subject shall be individually notified and provided with a fresh opt-out option. A copy of the Privacy Policy and all its subsequent versions shall be lodged with the National Data Controller, who shall maintain a repository of such documents with free online access to the public.

(X-2) The data processor shall ensure that the sensitive data held by him is accurate.

(X-3) The data subject shall have the right to obtain a certified copy of the information as held and used by the data processor, free of cost, at any time, and to raise an objection, if any, on the accuracy of the data. The data processor shall ensure that the data is suitably modified. In the event the data processor does not agree with the objection raised by the data subject, he shall report the incident to the data commissioner and classify the data as “Disputed”. In the event the data is disclosed for any purpose, such disclosure shall be qualified with the objection.

(X-4) In the event data is disclosed by the data subject to any authority, including those permitted under Section 3 of the Act, or under the consent of the data subject or his representative, such disclosures will be subject to the protections envisaged under this Act, and this shall be suitably brought to the notice of the person to whom the disclosure is made.

(X-5) Whenever data disclosure is requested by any authority, the requirement shall be classified as either “Intelligence” or “Administrative”. All disclosures requested under the “Administrative” category shall be reported by the data processor to the data subject. Disclosures requested by the authorities permitted under Section 3 to access information for “Intelligence” purposes shall not be disclosed to the data subject. The request for disclosure under “Intelligence” shall be made by either the DGP of the State or the Chief Commissioner of Income Tax-Vigilance, or such other officer as may be designated for the purpose under a notification published in the official gazette by the State or Union Government.

(X-6) The Data Controller of the State shall be the authority for registration of data processors, and no person shall carry on business as a data processor and collect sensitive personal information without being duly registered. The National Data Controller shall implement policies and procedures for registration, maintenance of registration and de-registration. In the event a registered data processor is de-registered, a notice shall be given to all data subjects about the fact of de-registration, and further collection of sensitive personal data shall be stopped. Data already in the hands of the data processor shall be disposed of as per the directions of the Data Controller in the de-registration order.

(X-7) The National Data Controller shall notify a “Data Encryption Policy” consistent with the objectives of this Act and shall act as the authority for escrow of data encryption keys where necessary.

(X-8) No data shall be exported from India unless the country into which it is being imported has suitable data protection legislation, or the exporter enters into a suitable Business Associate Agreement extending the obligations under this Act to the associate; copies of such agreements shall be lodged with the National Data Controller.

(X-9) For the purpose of addressing grievances and disputes arising out of contravention of any of the provisions of the Act, the Government shall appoint one or more “Data Protection Adjudicators”. The Data Controllers, including the National Data Controller, shall also be subject to the authority of the Adjudicator. The Data Protection Adjudicator shall have powers equivalent to a Civil Court as well as a Magistrate, and shall have overriding powers over any other Court below a High Court. Appeals against the decisions of the Adjudicator shall be referred to the High Court.

(X-10) Every data processor who collects information from the public on the web shall disclose the privacy policy on the website, along with the contact address of the person responsible for the collection and processing of the information and the contact details of the owner of the website, including the “WHOIS” information of the domain name.

[PS: The above indicates the essence of the changes proposed. The exact wording of the proposed changes may be revised as may be necessary.]

Na.Vijayashankar

(Naavi)

+919343554943