The New Telecom Bill-2: Structure of the Bill

(Continued from previous article)

The New Telecom Bill (NTB) is divided into the following 10 different Chapters.

Chapter Sections Title
1 1 Short Title, Extent and Commencement
2 2 Definitions
3 3-11 Licensing, Registration, Authorization and Assignment
4 12-18 Right of Way for Telecommunication Infrastructure
5 19-22 Restructuring, Defaults in Payment and Insolvency
6 23-26 Standards, Public Safety and National Security
7 27-31 Telecommunication Development Fund
8 32 Innovation and Technology Development
9 33-34 Protection of Users
10 35-46 Miscellaneous
11 47-51 Offences
12 52-53 Repeal and Savings
Schedule 1 Spectrum Assignment for Government functions or purposes in view of public interest or necessity
Schedule 2 Broadcasting services requiring license as of the appointed date
Schedule 3 Offences and Penalties
Schedule 4 Penalties in breach of terms and conditions
Schedule 5 Telecommunication Infrastructure

Compared to the Communication Convergence Bill there is a distinct shift in the design of the Act from being “An act to set up a Communication Communication Commission” to a more practical face of the Act to address the issues that affect the users and protect the national interests.

It may be recognized that the TRAI Act and the Cable Television regulation Act have come into being since the old draft and hence some of the administrative issues were perhaps not required to be addressed now.

Let us take up the analysis of the Bill chapter by Chapter in the follow up articles.

Naavi

(continued)

1 The New Telecom Bill-1.. Recalling the old Communication Convergence Bill 2001
2 The New Telecom Bill-2: Structure of the Bill
3 The New Telecom Bill-3-User Focus
4 The New Telecom Bill-4-Offences
5 The New Telecom Bill-5…Civil Penalties
6 The New Telecom Bill-6 …Industry Regulation
7 New Telecom Bill-7: Spectrum as an Asset
8 The New Telecom Act-8: Right of Way
Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

The New Telecom Bill-1.. Recalling the old Communication Convergence Bill 2001

The Government of India has started its process of setting up the updating of IT laws by releasing the draft of the Indian Telecommunications Act 2022 (ITCA2022).

Before we set about studying the details of the proposed Bill, we need to understand that the previous attempt to repeal Indian Telegraph Act 1885 , the Indian Wireless Telegraphy Act, 1933 and the Telegraph Wires (Unlawful Possession) Act, 1950 were made in 2001 when a draft Communication Convergence Act was proposed.

This act did not get passed and later was forgotten. Now the new Telecom Act appears to revive the attempt to replace these acts. Hence several provisions of this new Act are similar to provisions suggested in the Communication Convergence Act and it would be educative to refer to the earlier act to understand if there has been any substantial changes.

I am not sure if the copy of the earlier Bill is easily accessible by others and hence I am reproducing here the links to the old Bill and some of the articles that had been published at that time on naavi.com (now the domain is occupied by another company) and now available in naavi.org.

The copy of the Bill is here

Links to a few other Articles written at that time is given below.

A re-look at these may help us formulate views on the new Telecom Bill.

Communication Convergence bill-What’s Wrong?

Having seen some of the positive aspects of the bill, let’s turn our attention on some of the negative aspects  of the Bill that needs some attention…

 Suggestions made by Naavi.com 

Communication Convergence bill-What’s Right?

In the recent seminar held at Chennai to discuss the Communication Convergence Bill draft, many media passed highly critical comments on the draft. They held that the draft Bill is “Draconian” and should not be passed in its present form.

It is to be accepted that the purpose of law is to ensure that there is an equitable distribution of scarce resources in the society. If legislation does not “Regulate”, there will not be “Freedom for All” but only “Freedom for the Privileged”. It is one of the fundamental duties of any Government that society needs to be regulated if it has to remain “Civilized”.

Read what Naavi.com has to say on What’s Right in the Draft Bill? 

Convergence Bill- The Right of Way

One of the major concerns of the Infrastructure builders in the Telecom industry has been the delays in the implementation of  projects caused by legal hurdles in laying inter city and intra city cables. Hence the industry was keenly observing what was in store for them in the Communication Convergence Bill ……Read the Detailed Story

Convergence Bill- The Battle for the Spectrum

One of the important provisions of the Communication Convergence Bill refers to the policies regarding Frequency Spectrum Management covered under Chapter VI. …Read the Detailed Story

Communication Convergence Bill.. Offences and Penalties

A cursory glance of the provisions indicates that the law has been framed rather aggressively to protect the licensees and their facilities from being tampered with and misused by criminals. To that extent it is a welcome measure. However a thought may be spared to think whether the laws place too much of power in the hands of officials and police which can be misused for harassing honest Citizens who may appear to have strayed into  usage of facilities which may turn out to be unlawful…..Read the Detailed Story

Communication Convergence Bill..The Regulatory Framework

The Communication Convergence Bill (CCB) will operate a regulatory mechanism that will revolve around….Read the Detailed Story

Communication Convergence Bill..The objectives

One of the basic objectives of this Act is to provide for a regulatory mechanism, which facilitates convergence…..Read the Detailed Story

Communication Convergence Bill Draft is Now Here

The much awaited Communication Convergence bill draft is now available for public comments upto February 28. A Copy of the Bill is available Here.

Comments on the bill from naavi.com will be available through this column during the next few days.

The New Media Forum which was recently formed at Chennai would be conducting a seminar in Chennai shortly on Convergence bill and collecting the views from industry experts on the Bill. A consolidated memorandum would then be submitted to the Ministry regarding the comments of the forum.

Visitors who want to add their views are welcome to send their views to Naavi

Naavi

1 The New Telecom Bill-1.. Recalling the old Communication Convergence Bill 2001
2 The New Telecom Bill-2: Structure of the Bill
3 The New Telecom Bill-3-User Focus
4 The New Telecom Bill-4-Offences
5 The New Telecom Bill-5…Civil Penalties
6 The New Telecom Bill-6 …Industry Regulation
7 New Telecom Bill-7: Spectrum as an Asset
8 The New Telecom Act-8: Right of Way
Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Here is a new Avatar of Innovation. ..From Nothing Comes Some thing as FDPPI and Cyber Law College work together

( Pre-Registration for IDPS 2022 can be done here)

Innovation can come in many forms. When we arrange paid conferences or training programs, it is a common practice to provide “Early Bird Discount” to encourage interested persons to record their interest in the form of registering early. This will help the organizers to plan the resources properly.

But when organizations conduct valuable programs but offer it without a delegate fee, there is a problem in attracting early registrations. We need some innovative thought in incentivising early registrations.

FDPPI conducted its flagship program namely IDPS 2021 last year with 18 hours of intense information sharing. It was not merely a “Seminar” but was a serious “Knowledge Session”. FDPPI therefore claimed that more than Rs 18000/- worth training was being offered free.

About 1000 delegates might have attended the sessions at different points of time, some during the three  days of the program and some later. In total therefore FDPPI poured out Rs 18000×1000 (Rs 1.8 crores) worth of educational content to the community.

This year, FDPPI has planned to conduct IDPS 2022 over three days as virtual program between November 11, 12 and  13. Again more than 18 hours of live  content and around 18 hours of pre-recorded content are expected to be given to the community. This would mean around  36 hours of training .which should be worth more than Rs 36,000/- to each of the participants.

If about 2000 people take advantage of this tsunami of knowledge, the total value of training content offered to 2000 delegates is around Rs 7.20 crores.

It may look stupid that FDPPI is giving away this amount of data as a donation to the community. But that is FDPPI and it’s approach to public cause.

Having decided to make the program free for attendees, FDPPI faced a challenge on attracting early registrations so that the resource allocations can be done commensurate with the requirements.  But the challenge was how to incentivise early registration for a free program. The natural human tendency is to wait as long as possible to register for such programs, keep the organizers guessing and rush in the last minute. This could lead to disruptions since there could be limitations on the number of delegates even in a free program like IDPS 2022.

We presently anticipate a cap of 1000 simultaneous attendees though the registrations can be much higher. Hence there could be a need to prioritize or expand the capacity. This requires data and registrations could provide the data required to expand the capacity if required and hence early registrations are important for FDPPI.

FDPPI has now found a novel way to incentivise the early registrations.

Naavi and Cyber Law College are conducting a virtual event on October 17, 2022 at 4.00 pm (Upto 7.00 pm) to impart knowledge on the following:

a) Why ITA 2000 continues to be relevant now and even after the new Data Protection Act comes in
b) Provisions of CERT IN guidelines and need for compliance
c) Use of Compliance Management Rating (CMR) as an online evaluation of CERT In guidelines similar to DTS
d) Essence of Section 43A and how it is likely to transform when the new data protection Act comes in
e) Essence of ITA 2000 compliance and Risk management framework

This program is scheduled for October 17th because it is a day which Indian IT industry needs to always remember as the day when the Indian Digital Society was born. On October 17, 2000, the ITA 2000 was notified and gave recognition to electronic documents, digital signature, digital contract, digital evidence etc and therefore the “Digital Society” itself was recognized on that day.

Today when we are thinking of the Digital India and a Digital India Act which is a combination of the amended ITA 2000, the proposed Personal Data Protection Act and the Amended Telecom Bill, we have to remember  that all these new generation legislations are subordinate to the mother of all IT legislation which was ITA 2000. Even if ITA 2000 is completely replaced by a new law and killed, it is like the death of the originator of a family with age and the descendants are still recognized as  children or grand children of the old man. Similarly the new Telecom Act, the New ITA 2000 and the New PDPB 2019 are all descendants of ITA 2000.

Celebrating the birth  of the ITA 2000 is therefore still a respect that we need to give to  Information Technology Act 2000. (ITA 2000).

Hence Naavi/Cyber  Law College went about planning to conduct the program on October 17th under the title “Digital India Act in the making”, which it proposed to conduct charging a fee of Rs 500/-.

Sensing the opportunity to use this occasion to incentivise the pre-registrants of IDPS 2022, FDPPI has offered to sponsor the fee of all the pre-registrants as an incentive for their early registration.

Not to fall behind in this philanthropic act of FDPPI, Cyber  Law College has also decided to donate this money back to FDPPI as sponsorship of IDPS 2022.

Hence Registration to a free program of IDPS 2022 is providing a free pass to a Paid training program, an incredible but welcome development.

From “Nothing”,  comes “Something” thanks to the innovative thinking of FDPPI and Cyber Law College.

I therefore request interested persons to register in large numbers to IDPS 2022 and get a free entry to the webinar on October 17 . It would benefit the participants as well as FDPPI.

Naavi

 

 

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

HC order Changed after dictation and uploading

A Very dangerous instance of “Unauthorized Access and Modification” of a Court order has been reported from Madras and it appears that the Supreme Court has been seized of the issue.

The case listing was as follows

As per the report the order was dictated in the open Court and later uploaded in the Court website. However subsequently when certified copy was provided, the order appeared different.

The difference was substantial since it is said that the first order required one party to deposit Rs 115 crores in a Bank and this was omitted in the subsequent order. Hence there is a prima facie financial benefit of Rs115 crores in the short term that occurred because of the change.

At this time, it is not clear if the Judges changed their order and did not inform the advocates or whether there was hacking of the earlier order.

Prima-facie there appears to be a Section 66 offence of unauthorized modification of the order on the server of the Madras High Court. One of the advocates has downloaded the order probably not Section 65B certified. But for a recognition of a criminal offence it is not necessary to stand on the formality of evidence being certified and the Police can investigate the server files and determine who made the modification.

If this was “Authorized”, then the judges who authorized the uploading of a revised order were perhaps in the wrong and needs to explain their action.

Naavi

Also Refer:

Verdictum.in

Copy of SC order

 

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Cut paste approach or Zero based approach?..Shape of Things to Come-23

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.


Reports emanating in the press indicate that the Government of India may come up with a  new draft of data protection law sooner than earlier expected. According to the above report quoted in PTI on September 22, the bill may be presented in the “Next Few Days”.

We at FDPPI have already declared the focus of our IDPS 2022, a virtual summit to be eld on November 11,12  and 13 as “Shape of Things to Come” ready to discuss the new draft in as much depth as possible.

As a reference frame we have also been working on our own draft of what should be considered as an ideal law and we have been discussing this in the series of articles of which this is the 23rd.

Initially the Government was talking of a common law for both personal and non personal data and revision of ITA 2000 simultaneously with this new law. However, if the Government wants to release a draft for public comments immediately, then it is more likely that the draft will confine itself to personal data protection.

In such a scenario, there are two options before the Government. First is to pick the GDPR or the PDPB 2019 and cut and paste most of the provisions as is available and make some cosmetic changes to create the New Data Protection Act of India (NDPAI).  The second approach would be to design the law as a zero based approach, forget GDPR and create a law afresh.

While the Government may take the easy path of using the existing GDPR and import it to the NDPAI so that there is easy acceptability of the industry, it would be an opportunity missed if we donot think of creating the law from basic principles.

Though we are aware that the probability of the Government adopting the second path which is more challenging and requires more conviction on the principles, we would continue to place some of our thoughts in this direction  so that it goes on record that some thing was suggested even if it was not accepted.

Probably several years from now, some of these principles may become part of the regulations through amendments or through rules.

Since there is some urgency to place these thoughts in public domain before the Government commits itself to a draft of its own which becomes a rigid set of provisions difficult to change, we are providing here some key requirements of the law .

While there is plenty of scope for improvement of these suggestions, we need to start some where to know what can be changed and hence let us proceed further.

The basic aspects that the law has to cover is “Applicability”,” Rights of Data Principals” “Obligations of Data Fiduciaries”, “Prescribed penalties” and “Formation of a regulatory authority”.

Obligations of Data Fiduciaries would include compliance requirements and protection of Rights of data principals.

The details of whether the Data Fiduciary may be called the Data Controller or a Data Guardian etc is a matter of further details which we have tried to cover earlier and will be part of the detailed requirement.

In this article we are trying to take on record the “Rights” that a person needs to be guaranteed through this Act and how the declaration of Rights itself fixes the applicability.

The draft presented here is a “Rights Based Drafting of the Privacy and Data Protection Act” and does not follow the GDPR through cut and paste though all the requirements of GDPR may finally find  a place in the Act in a different manner.

This draft revolves around the concepts of

a) Protected Right

b) Protected Data

c) Protected Person.

Protected Data refers to what other laws may call “Personal Data”. “Protected Person” refers to the “Data Principal or Data Subject” . Protected Right refers to the “Right to Privacy and the subordinated rights such as right to access, correction, etc).

The obligations to protect the right lies with  the Government as well as every organization which has a duty under the constitution to protect the right.

How the obligations are to be discharged is the “Transparency and Accountability” or “Compliance aspects” covered in GDPR.

These form the real essence of the entire law though the Government draft is likely to focus on the “Regulator” and what would be his authority etc. Industry is also concerned about the detailing of the obligations including the cross border transfer and privacy activists will focus on how to criticise the powers of the Government, exemptions etc.

Our approach to construct the law from “Protected Right” is more basic in approach and is the Zero based approach.

In this approach therefore we will first indicate the core objective of the law by declaring the concept of “Protected Right” as follows.

 Protected Right

(a) The right to privacy shall be a right that is protected through due process set by this Act as an intrinsic part of the right to life and personal liberty as envisaged under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution of India subject to reasonable exceptions under article 19(2) of the Constitution of India.

(b) Any data  whether in oral, written or electronic form that is likely to have an impact on the Protected Right shall be construed as “Protected Data” and shall be collected, processed, generated, stored, or disclosed  or otherwise used as per the provisions laid down in this Act.

(c) The “Right to Privacy” under this Act shall be applicable to the following category of “Protected Persons”

i. Living natural persons who is a recognized citizen of India irrespective of his place of residence

ii. Living natural  persons who is a recognized citizen of a sovereign country recognized by India and under authorized residence in the territory of India

(d)Protection under this Act shall not be available to

        1. Natural persons who are under unauthorized residence in India
        2. The information related to a juridical person including proprietary or single person owned business entities.
        3. Protection of Right to Privacy under this Act is not applicable to a deceased individual

If we closely observe the above, these provisions defines the “Right to Privacy” which is not presently present in a statutory Act and is always derived from  Supreme Court judgements.  The definition covers both the Information Privacy and Physical Privacy  and extends the definition of Information privacy to oral and written document dimension also.

Additionally the guaranteed right is restricted to living natural persons who are citizens of India irrespective of the place of residence and non citizens if they are residing in India.

This definition excludes illegal residents in India from protection. Naturally it excludes the business entities and deceased persons.

The exact manner in which the protection is provided will reflect in the compliance part of the law.

Having defined the basic objective of the law as to protect the Privacy right, the next section will be as follows.

Dimensions of the Right to Privacy

 The Right to Privacy as envisaged under this Act  shall be recognized as the choice of an individual to be “let alone”  and extends to the following dimensions 

(a) Physical Privacy related to the right of the person to prevent or otherwise regulate a third person  gaining access to the physical proximity of the individual

(b) Information Privacy related to the right of the person to prevent or otherwise regulate a third person gaining access to the information in electronic form that provides access to the mind space or neuro space of an individual

The clause (a) here refers to the kind of privacy which Supreme Court decisions like the Kharak Singh Case addressed declaring the “Home as castle”

Clause (b) refers to the kind of privacy which the Puttawamy case addressed as the “Right to be let alone” which is a “State of Mind”. Additionally clause (b) recognizes the distinction between “Right of Choice” relevant in the general privacy understanding which belongs to a conscious mental activity and  “Neuro Space” where the conscious choice is not available to an individual.

Thus this law will make India the second country in the world to address the Neuro Rights and we can claim it is progressive and contemporary.

Next, the rights which are covered in the GDPR and other laws are covered through a section on “Subordinate Rights”. These regulations may be stated as under.

Subordinated Rights

The Protection of the Right to Privacy as per Section 3.2 includes subordinated Rights prescribed under this Act includes

Every person whether an individual or a juridical person shall process data which is identifiable as related to a protected person subject to mandatory adherence to the personal data processing principles such as

i) Purpose Limitation: 

No protected data shall ordinarily be collected or used in any manner  except for a clearly identifiable purpose or purpose which can be considered as incidental to the main purpose except when the requirement is to explore and discover new uses for which a special “Discovery Consent” is obtained from the protected person.

ii) Collection Limitation

No person shall collect elements of protected data more than what is required for the specified purpose.

iii) Retention Limitation

No person shall retain protected data more than what is required for the specified purpose.

iv)  Accuracy of Data

Every person using protected data shall endeavour to keep it accurate and ensure that incorrect data is duly corrected subject to production of reasonable evidence about the inaccuracy of the data and the accurate data.

v) Informed Consent

Every person collecting and using protected data shall ensure that the protected person to whom the protected data belongs shall be duly informed about the purpose of collection and use, the manner of usage, the time of retention etc and obtain a verifiable consent.

vi) Right to Information about processing

 The protected person shall also have the right to request for information about the processing of protected data related to him any time after the collection and during the time the data is in use subject to such right being  exercised responsibly.

vii) Right to Withdrawal of Consent

The protected person shall also have the right to request to withdraw the consent already provided subject to reasonable notice.

viii) Automated Decision Making

Any automated means of collection or use through a computing device shall be attributed to the person who caused the device to collect or use the data in a specified manner and shall be responsible for the consequences of any subsequent disclosure  to a human being and automated decision that may cause a harm to the protected person.

ix) Right to Restrict disclosure of Profiling

Any person who has generated a profile of a Protected person shall not disclose it to any other person except with a specific consent of the protected person.

x) Right to Portability

A protected person shall have the right to request porting of protected data excluding the profile created thereof to the protected person only.

Where the profile is reasonably suspected to be causing harm to the protected person the protected person may request for a copy of the profile subject to protection of any intellectual property rights or Trade secrets of the person who created the profile.

xi) Right to erasure

Where the protected data collected by a person has completed its usage as per the specified purpose, it shall be archived as may be required for evidentiary purpose under law and be erased from active usage systems.

xii) Right to Forget

Where the protected data has been archived by the person who has processed it, the protected person may further request that the protected data may be removed from the archive through anonymization or deletion subject to appropriate regulatory review.

xiii) Right to Reasonable Security

The protected data shall be secured against unauthorized access, modification and denial of access by all persons who have authorized access.

xiv) Right to Grievance Redressal

Protected person shall have the right to an appropriate grievance redressal mechanism as prescribed under the Act.

After thus defining the rights, it is suggested that the obligations of the Government bodies is defined in one section as follows:

Obligations of the Government

 (a) All the Government bodies including the Government of India the Governments in States and Union Territories and every organization which is part of such Government or Union Territory shall have the duty to protect the Right to privacy of Indian Citizens in harmony with the Right to protect the life and liberty  as envisaged in the Constitution of India

(b) All such Government bodies shall institute reasonable and proportionate measures to meet the obligations of protecting such Rights.

(c)All such Government bodies shall designate a senior official to be responsible for compliance of the protection of the Right to Privacy and Right to life, property and liberty

(d) In the event of non compliance of the above, the designated person or in his absence the  person responsible for the activities  in the subject Government body shall be liable for disciplinary action

(e) If the non compliance is associated with malicious intention, the person responsible may be liable for punishment under appropriate criminal 

Obligations of Non-Government Bodies

 All organizations other than the Government bodies shall adhere to the provisions of this Act as stated further and shall be liable to penalties and punishments as specified here under for any contraventions thereof.

The further chapters can provide the details of compliance where also there is scope for innovation which we shall discuss in subsequent articles.

Advantages and disadvantages of the above approach is open for debate.

Naavi


P.S: These discussions are presently for a debate and is a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi.  Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with. 

  1. Introduction
2. Preamble 3.Regulators
4. Chapterization 5. Privacy Definition 6. Clarifications-Binary
7. Clarifications-Privacy 8. Definitions-Data 9. Definitions-Roles
10. Exemptions-Privacy 11. Advertising 12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data  14. Automated means .. 15.Prevention of Data Laundering-Policybazaar data breach
16. Should neurorights be recognized? 17. Types of Consents 18.Cross Border Restrictions on Transfer
19.Neuro_rights-voice to skull  20.Whose Rights to be Protected 21. Rights before Applicability
22. Simplification of the Government Obligations
Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Can the Data Protection Obligation of the Government be simplified?..Shape of Things to come-22

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.


If we look  back at the history of Privacy and Data Protection law in India, one of the stumbling blocks is that there are unreconciled controversies about the exemptions that the Government agencies are provided either for Governance or for Law Enforcement.

Even in PDPB 2019, the most contentious section was  Section 35 which was an enabling provision which empowered the Central Government to exempt any agency of the Government from the application of the Act. Though the power was within the “Reasonable Exceptions” under Article 19(2) of the constitution, the section was interpreted as providing disproportionate powers to the Government.

Additionally, another empowering section viz Section 92 was seriously opposed as if it provided extraordinary powers of oppression on the private sector by the Government.

In comparison, Section 36 (a) which addressed exemptions for law enforcement nor Section 36(e) which addressed exemption for journalistic purpose did not evoke opposition.

Though these discussions are now redundant, it is likely that similar objections would surface once again when the new draft is issued by the Government and they will also be subject to individual judicial scrutiny if it becomes a law.

In the new Data Protection law which is being proposed for discussion by us, we therefore suggest a simplification of the provisions related to the coverage of the law on Government bodies.

Since Right to Privacy is a fundamental Right under the constitution, there is a duty to the Government to protect the right subject to reasonable exceptions. This follows the judgement of the Puttaswamy case and is yet to be incorporated in any statutory law. This new law is an opportunity to convert the Supreme Court observations to a statutory provision.

However the more micro level specification of the obligation of the Government the law attempts to cover, the more controversies may emerge. Hence it is suggested that instead of a section like Section 35 or 36(a) or 92, the provisions related to the coverage of or exemption from the provisions of the Data Protection law for Government agencies may be summarized as a part of defining the scope and applicability of the Act.

A suggestion in this regard which can be improved by others is to introduce the following set of sections to cover the obligations of the Government in steps.

Step 1: In the first  section which specifies the Title of the Act and its date of applicability, the following can also be added

This Act shall be applicable to whole of India and shall also apply outside India to the extent necessary to protect the Rights of the Citizens of India and the interest of the Country as envisaged in the constitution of India.

With this, we are providing for the extra territorial application and deriving powers of legislation from the “Right to Privacy” as a fundamental right in the constitution and recording  at the same time that there could be other Rights of Citizens and Duties of the Government as per the Constitution. It will also keep the statutory obligations to the citizens of India and in national interests and any other extension of the provisions to non-citizens will be subject to the specific rights granted under this statute. The details will be covered under the provisions on “Rights”

Step 2: The fundamental objective of the Act is recorded by defining the purpose of the Act with the following section.

Protected Right

The right to privacy of an Indian Citizen  shall pe protected through due process set by this Act as an intrinsic part of the right to life and personal liberty as envisaged under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution of India subject to reasonable exceptions under article 19(2) of the Constitution of India.

With this section we are bringing the protection of Right to privacy into the statute in the words of the Puttaswamy judgement and providing the cover of “Due Process” for any exemptions claimed for right to privacy under the reasonable exception clause.

Step 3: We specify the obligations of the Government through the following words

Obligations of the Government

(a) All the Government bodies including the Government of India the Governments in States and Union Territories and every organization which is part of such Government or Union Territory shall have the duty to protect the Right to privacy of Indian Citizens in harmony with the Right to protect the life and liberty  as envisaged in the Constitution of India

(b) All such Government bodies shall institute reasonable and proportionate measures to meet the obligations of protecting such Rights.

(c) All such Government bodies shall designate a senior official to be responsible for compliance of the protection of the Right to Privacy and Right to life, property and liberty

(d) In the event of non compliance of the above, the designated person or in his absence the person responsible for the activities  in the subject Government body shall be liable for disciplinary action

(e) If the non compliance is associated with malicious intention, the person responsible may be liable for punishment under appropriate criminal law.

The sub section (a) defines the obligation of the Government as a “Duty” under the constitution and hence does not need any further elaboration in the law as to whether Consent is required in certain circumstances and not in others etc. This should cover even the law enforcement requirements of the Police, ED, CBI etc.

Any action of the Government which is in dispute will be a subject matter of a writ petition and hence in any case of dispute the Court can also decide about whether the action of the Government was within the powers of the constitution.

Even if a section like Section 35 of PDPB 2019 is written down, it will be challenged even before the adoption of the law itself. The suggested section protects the law being questioned in the Court until there is some specific action initiated by the Government.

Perhaps it can still be questioned for “Vagueness” but this vagueness is directly linked to the Constitution and nothing different from the vagueness prevailing now where there is no statutory provision on Right to Privacy and we need to depend only on the interpretation of the Supreme Court judgement.

Under sub section (b) all compliance measures are suggested without going into details such as whether DPIA is required, whether Privacy by Policy document is required etc. The Ministries will have flexibility to define their own “Reasonable Measures”. In PDPB 2019 this discretion was available under section 50 (Code of Practice) and the same is provided here in another manner.

Under sub section (c) a provision to bring accountability to an officer is indicated so that the head of the department may be freed from the liabilities unless no such designated person is appointed as Compliance officer.

Sub sections (d) and (e) prescribe the sanctions that can be imposed on the officials for negligence and where there could be malicious intentions.

This provision means that the Data Protection Authority need not impose any penalty upto Rs 5 crores etc. If there is a compensation payable to a data principal it can be provided by the adjudicator and the Government may be asked to pay. But one Government officer (Data Protection Authority) imposing an administrative penalty on another Government officer (Secretary of a Government department) need not arise. Under the provisions of PDPB 2019, such penalties are collected from the Government and again credited back to the Government which has no meaning and therefore can be avoided.

Having thus defined the obligations of the Government, the rest of the Act may focus on “Obligations of Non Government Organizations” where the compliance measures such as Privacy by Design Policy, Notice and Consent, DPIA, DPO, and Data Breach Notification etc can be specified.

The Grievance redressal for the data principal through Adjudication and Appellate Tribunal may still consider the Government body as a party and claims of compensation under Section 65 of the present PDPB 2019 may continue to be protected even against the Government body as the Data Guardian/Fiduciary.

The above is a suggestion for consideration by other experts. It has been made to simplify the applicability of the law to Government organizations and ensure that the problems that may arise  from them donot become a stumbling block to the passage of the law.

Naavi


P.S: These discussions are presently for a debate and is a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi.  Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with. 

  1. Introduction
2. Preamble 3.Regulators
4. Chapterization 5. Privacy Definition 6. Clarifications-Binary
7. Clarifications-Privacy 8. Definitions-Data 9. Definitions-Roles
10. Exemptions-Privacy 11. Advertising 12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data  14. Automated means .. 15.Prevention of Data Laundering-Policybazaar data breach
16. Should neurorights be recognized? 17. Types of Consents 18.Cross Border Restrictions on Transfer
19.Neuro_rights-voice to skull  20.Whose Rights to be Protected 21. Rights before Applicability
Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment