During the discussion on the Data Protection white paper in Bangalore on 13th instant by three members of the Expert Committee led by the Chairman, Justice B.N. Srikrishna, several interesting issues came up for discussion. While it is difficult to recall all the points discussed, I am trying to capture some of the interesting points raised, along with my comments, here.
The comments made here are not those of the expert committee members and should not be construed as views either accepted or rejected by the committee at this point of time. Justice Srikrishna was, however, a great listener and probed the persons raising questions to understand each issue as much as possible. The ministry representatives have made suitable notes, and these are likely to be discussed by the committee later and taken into account before a bill is recommended.
- One of the suggestions made was that the law should be people-oriented and principle-based.
Comment: In India, we still do not have a law on Privacy protection. Except for the fact that we know the Supreme Court considers Privacy a fundamental right of a person under Article 21 of our constitution, under “Right to life and personal liberty”, we do not have a definition of what “Privacy” is.
The first question that the Indian Data Protection Act (IDPA) has to address, therefore, is whether we have one section in which we define what Privacy is, i.e. do we incorporate a clause in the definitions stating “Privacy means…..”?
The problem, however, is that the nine-member bench of the Supreme Court itself did not take up the responsibility of defining what “Privacy” is, and some of the judges in their respective individual orders (not forming part of the final signed collective operative order under the judgement of 24th August 2017, which we refer to today as the Puttaswamy Privacy judgement) made different comments stating different aspects of our life as elements of “Privacy”.
This law therefore cannot take upon itself the responsibility of defining what is “Privacy”.
Currently, the Information Technology Act 2000 (ITA 2000) has a definition of “Personal Information” and “Sensitive Personal Information” and has prescriptions on how it has to be protected by Body corporates (under Section 43A), how it has to be collected and protected by intermediaries (Section 79 of ITA 2000), what compensation may be available for wrongful loss arising therefrom (Sections 43, 66, 72A), how long the data has to be preserved (Section 67C), how the data can be intercepted and collected by Government agencies for national security reasons (Sections 69, 79A, 70B), etc. All these are essential ingredients of a Data Protection Act in respect of “Data in electronic form”.
Will IDPA also address these issues? If so, will it overlap with the ITA 2000/8 provisions? This is one of the decisions that the committee needs to arrive at.
The IDPA, as is being envisaged, addresses what is referred to in the Puttaswamy judgement as “Information Privacy”. This definition is dependent on the definition of “Privacy” and on a judgmental decision on “which information relates to Privacy”. For example, will an IMEI number be considered “Personal Information”? If so, is it simply “Personal Information” (PI) or is it “Sensitive Personal Information” (SPI)? Is an IP address PI? Is an e-mail address PI? Except for “Biometric” or “Password”, there may not be a consensus on what is to be included in or excluded from the definition of PI. Where the line of demarcation has to be drawn between PI and SPI, and whether the classification has to be refined even further as PI-Level I, PI-Level II, SPI-Level I, SPI-Level II etc., also needs to be decided.
In such an uncertain environment, the law cannot be “Prescriptive” at all. It has to be necessarily “Principle based”.
Now, if ITA 2000/8 already has the “Principle based” concepts of “Due diligence” and “Reasonable Security Practice” defined, what does the new IDPA achieve by repeating the same things in a different statute?
In this context, a question arises whether it is a good idea to simply make amendments to ITA 2008 to meet the objectives of the proposed IDPA.
If required, a new chapter called “Chapter on Data Protection” can be added to ITA 2008, incorporating the requirements of registration of data controller etc., which are not adequately covered in ITA 2000/8.
Links to all the three parts of this report of the consultation are available here