Whether ITA 2000/8 addresses “Privacy Protection” and, if so, whether it does so effectively is a question that lingers in the industry. It will continue to be a point of debate for the amended ITA 2017 (P). This is in continuation of the discussions on the proposed amendments to ITA 2000/8 presently being discussed by an expert committee headed by Mr T.K. Vishwanathan. … Naavi
Protecting the Right to Privacy of an individual is a fundamental right claimed by citizens living in a democratic society and is closely associated with the right to freedom of expression, the right to information and security. India has recognized the need for Privacy by interpreting Article 21 of our constitution favourably but has not yet enacted a separate law which says “Privacy is a right protected under law and any violation thereof leads to civil and criminal liabilities”. It is also not likely that in the near future any specific law will be passed in this regard.
However, ITA 2000 and more specifically ITA 2008 have addressed many concerns of Privacy Protectionists without being recognized as “Privacy Protection Legislation”.
What ITA 2000/8 has done is to provide protection to the “Data”, which indirectly protects the “Privacy”. Without being too obsessive, it is better if we recognize the role of ITA 2000/8/17(P) as the principal legislation for protecting Privacy, for which it is eminently suited, particularly if a few minor changes are accommodated in the proposed amendments.
An effective law defines the rights, prescribes the punishments for violation and introduces a mechanism for effective implementation.
Let us see how ITA 2000/8 addresses these issues and what can be done further to strengthen Privacy Protection under ITA 2017 (P), equating “Privacy Protection” with “Data Security” for the current discussion.
The first task of law is to define the “Privacy Right”. In the context of its alter ego of data security, the Privacy Right gets defined by defining the “Personal Information” that qualifies for protection.
Under ITA 2000/8 we have defined what is “Sensitive Personal Information” (SPI) without defining “Personal Information” (PI). SPI was defined in ITA 2008 along with Section 43A, which brought an obligation on the “Body Corporates” handling SPI to protect it with “Reasonable Security Practice”.
Though PI is not defined, Section 72A accords protection to PI and makes its breach a punishable offence with up to 3 years imprisonment.
Additionally, Section 43 read with Section 66 imposes penalties when the “Value of information is diminished” (which can be an effect of privacy breach).
Also, Section 69/69A/69B, while providing powers to some officials for interception, decryption and data mining, bars others from doing the same without attracting penalties.
Section 79 imposes the responsibility of Privacy protection on the “intermediaries” in clear terms through the rules of due diligence.
Grievance redressal is defined with reference to the provisions of due diligence under Section 79 and also by instituting the Adjudication and Cyber Appellate Tribunal (CyAT).
While we can debate the adequacy of these provisions in comparison to EU standards such as the GDPR or US standards such as HIPAA, we cannot but acknowledge that ITA 2000/8 has covered most of the requirements of Privacy Protection (in the context of Data Protection).
Without saying so in as many words, ITA 2000/8 therefore provides protection of Personal Information. It is possible that some may not realize it until a separate act is legislated, but such an act is not necessary.
It must be noted that under ITA 2000/8, any information which is processed in a computer device or meant to be processed in a computer device is also “Information”.
Hence it is possible to extend the “Data Protection Rights” as available in different forms under Sections 43, 43A, 66, 72, 72A, 69, 69A, 69B, 7A, etc. to information which is in a form other than “Electronically Written”, such as “Voice which is electronically spoken or meant to be processed in an electronic device”. This can extend “Privacy Protection” to “Voice” in certain circumstances.
The perception in the industry, however, is different. Most IT professionals in India think India does not have adequate Privacy protection provisions and cannot defend the regime before their EU counterparts. Probably they are interpreting the failures in implementation as failures of law, and hence the clamour for a separate Privacy Protection Act has continued.
There is therefore an opportunity now to address some of these concerns in the proposed amendments, for which some suggestions can be discussed.
Perhaps a chapter can be dedicated in ITA 2017 (P) with the title “Privacy and Data Protection” where the provisions on Privacy and Data Protection are specifically mentioned. This will provide the required confidence to professionals who compare Indian legislation to EU legislation.
Defining Personal Information
One of the changes that is perhaps required is to upgrade the definition of “What is Personal Information” from what is provided in the rules under Sec 43A, which states:
“Personal information” means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
This definition is restricted to data with the Body Corporates, and Section 43A also restricts itself to Body Corporates.
An improved definition that should be added in the Act itself, to be applicable for all sections including Section 72A, could be:
“Personal Information” of an individual means any information related to a living person who is not a minor, or of unsound mind or an undischarged insolvent, which when in possession of a third person is capable of being used to identify the individual by such third person with reference to the individual’s Name and Physical location.
By defining Personal Information in the above manner, we will be letting a “Netizen” preserve his “Anonymity and Pseudonymity” subject to certain conditions. Mere assumption of a “Pseudonym” or “Anonymous identity” in the information space would not be an offence unless such alter-identity is used to commit an offence.
Whenever “Information” is required for “Law Enforcement”, which means that there is prima facie evidence that the information is suspected to be a “Tool of Crime”, the protective veil has to be lifted.
The focus of the regulation will be to introduce a due process under which alone the “Privacy Veil” is removed.
Also under this definition, the “Right” ceases when a person loses his capacity to enter into valid contracts. This means that there is no “Privacy Right” of a person who has lost his mental capacity to take decisions. Of course, how this has to be determined and by whom needs to be defined in law. Such issues are already addressed under HIPAA and should not be difficult.
Establishment of a “Privacy Board”:
In order to adjudicate on Privacy issues, the current system of Adjudication/CyAT may continue where the fact of a wrongful act is not under serious challenge. Where there are serious doubts as to whether an information should be subject to privacy or not, a “Privacy Board” may be constituted as a “Reference Advisory Body” to which the Adjudicator may refer an issue of a “Request for lifting of the Privacy Veil” or a “Defence of an alleged violation of Privacy Right by disputing the nature of the information as not being subject to the protection”. Such a “Privacy Board” may be headed by the NHRC Chairperson and may have representation from the Ministries of Home Affairs, Defence, Information Technology, Netizen/Privacy Right Activists, etc.
Once the proper “Definition” and the “Privacy Controller” are established, other aspects of protection can be defined in an acceptable manner.
Preventing International Abuse
The privacy laws, just like the IPR laws of some foreign countries, are designed in such a manner that they can be used effectively to control business flow, overriding the principles of free trade.
If India does not recognize this and take some steps within our own laws to ensure that Indians are protected against unfair foreign laws, we will be letting foreign forces build “Information Colonies” in India. We have seen how Mr Donald Trump has already protected US interests by restricting US privacy protection to US citizens only. India also needs to protect its interests in a similar manner against exploitation of Indian interests through unfair and excessive privacy regulation by foreign Governments.
For this purpose, it must be made mandatory that whenever a foreign entity has to invoke a Privacy Law (including the GDPR, HIPAA, etc.) against an Indian company or individual, prior clearance of the Privacy Board is required.
This will ensure that unfair and unreasonable business restrictions are not imposed on Indian entities in the guise of protecting “Privacy”.
An appropriate mechanism of Arbitration can be instituted by the Privacy Board to ensure that there is proper conduct on both sides and no scope for unfair use of privacy laws by international players.
These could be part of the new amended ITA 2017, and I urge the Committee to look into these suggestions seriously.
I wish organizations such as DSCI, which celebrate “Data Privacy Day”, would also do something more concrete in this direction.