Privacy Laws In India

Current laws and license agreements in India which allow for surveillance entail a significant potential for abuse, since the country lacks sufficient privacy safeguards. A privacy law is deemed necessary to ensure that data is not retained indefinitely, that data is not shared with or disclosed to unauthorised third parties, and that unauthorised parties do not have access to collected and intercepted data. In a democratic regime, surveillance should be targeted and carried out under a judicial warrant, and the absence of privacy legislation deprives individuals of necessary safeguards. While the Information Technology Act and its Rules do entail some provisions for data protection and regulate certain types of surveillance, they appear to be inadequate. This is partly due to the fact that there is currently no law in India which establishes the right to privacy and as Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, represent a decisive step in creating a legal regime in India for data protection, but nonetheless appear inadequate in addressing issues relating to the collection of, access to, sharing of, disclosure and retention of data. Furthermore, they do not ensure the establishment of an independent body, such as a Privacy Commission, to oversee the handling of personal data and to address potential cases of breach.

Justice AP Shah Privacy Principles
The Planning Commission of the Government of India held meetings throughout 2012 of the Group of Experts on Privacy Issues, which was chaired by Justice AP Shah, the former Chief Justice of the Delhi High Court. The CIS participated in these meetings and helped draft the Report of the Group of Experts on Privacy by the Justice AP Shah committee. This report contains a list of recommended national privacy principles, which should be followed in the creation of a privacy law. According to the report, the national privacy principles of India should be the following:


• Principle of Notice
• Principle of Choice and Consent
• Principle of Collection Limitation
• Principle of Purpose Limitation
• Principle of Access and Correction
• Principle of Disclosure of Information
• Principle of Security
• Principle of Openness
• Principle of Accountability


The first principle of notice states that the data collector should notify all individuals of its information practices before any personal information is collected about them. This principle also requires data controllers to notify individuals when their personal data has been breached, when such data has been legally accessed by third parties and when the data controller’s privacy policy changes. The second principle of choice and consent states that the data controller should provide individuals the choice to opt in or opt out with regard to the provision of their personal data, as well as that individual consent should only be taken by the data controller after providing. The third principle of collection limitation states that the data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection, regarding which notice has been provided and consent from the individual taken. The fourth principle of purpose limitation states that personal data collected and processed by data collectors should be adequate and relevant to the purposes for which they are processed. In other words, a data controller should only collect, process, disclose, make available or otherwise use personal data for the purpose as stated in the notice after taking consent from individuals. The fifth principle of access and correction applies to individuals. In particular, this principle states that individuals should have the right to access their personal information which is being held by a data controller and to make corrections or to delete information when it is inaccurate.

The sixth principle of disclosure of information prohibits the data controller from disclosing personal data to third parties, unless informed consent has been provided by the individual for such disclosure. This principle also states that disclosure of information for law enforcement purposes must be in accordance with the laws in force. The seventh principle of security states that data controllers should be responsible for ensuring the security of all personal data that they have collected or which is in their custody. The eighth principle of openness requires data controllers to take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope and sensitivity of the data they collect, in order to ensure compliance with the privacy principles; information regarding these shall be made available to all individuals in an intelligible form, using clear and plain language. Finally, the ninth principle of accountability states that the data controller should be accountable for complying with measures which give effect to the privacy principles.


Such measures should include mechanisms to implement privacy policies, including tools, training, education, as well as external and internal audits. In the report, the Group of Experts on Privacy recommended that such national privacy principles be applied to the cases of interception of communications, access to data and audio and video recording. In particular, it is emphasized that, with regard to the interception of communications and access to data in India, the principles of notice, choice and consent, and access and correction should be applied. With regard to audio and video recording in India, the application of the same principles, additionally including the principle of collection limitation, is recommended. Furthermore, the Group of Experts on Privacy also recommended the enactment of a privacy law in India which would include the establishment of Privacy Commissioners, as well as of self-regulating organisations (SROs) and co-regulation, which would supplement the role played by the Privacy Commissioners to ensure the implementation and enforcement of policies for a wide range of sectors and industries. Additionally, the Group of Experts recommended the establishment of a system of complaints which would include Alternative Dispute Resolution Mechanisms (ADRs), as well as the inclusion of offenses, penalties and remedies in the Privacy Act.