A comprehensive privacy law is virtually shelved, as the government plans to amend the IT Act to ensure only data privacy 

Five long years and several revisions later, the right to privacy bill is now wedged tightly between the department of personnel and training (DoPT) and the department of electronics and information technology (DeitY). The government does not seem to be in a mood to formulate a comprehensive law on privacy with provisions for data protection, physical and bodily privacy as well as safeguards against interception and surveillance.

The government would rather amend the IT Act, 2000, to introduce sections related to data protection or, say, data privacy. This essentially means that the intelligence agencies will be able to continue to carry out surveillance and interception without checks and balances. Other forms of privacy violations too won’t have a well-defined legal remedy.

The demand for a right to privacy law gained wider support after the Nira Radia tapes controversy of 2010, wherein telephonic conversations between that corporate lobbyist on one hand and journalists, politicians and business leaders on the other were taped by the income tax department in 2008-09. After the tapes were leaked, the DoPT had prepared a legal framework on the right to privacy in 2010. It came out with the first draft of the bill a year later. The intelligence agencies including the Intelligence Bureau (IB) and Research and Analysis Wing (R&AW) have been resisting an omnibus law since then.

So it didn’t surprise many when communications and IT minister Ravi Shankar Prasad gave a calibrated response to a question in the Rajya Sabha about the proposed legislation. ​“The government has initiated the process of drafting the legislation to protect privacy of individuals breached through unlawful means in consultation with various stakeholders,” Prasad said on April 29.

It is important to note here that on July 23, 2015, attorney general Mukul Rohatgi had argued before the supreme court that privacy is not a fundamental right. He was countering the view that Aadhaar, which is issued after collection of biometric and demographic data, violates an individual’s right to privacy. The matter is still under consideration of the apex court.

What is privacy?

In a layman’s words, privacy is an individual’s right to keep their personal matters secret. The supreme court terms it as an individual’s right to be left alone. Although the Indian constitution doesn’t have a specific article on privacy, the apex court has interpreted the right to privacy as an integral part of people’s fundamental right to life and personal liberty.

In recent decades, individual privacy is increasingly under attack. From physical trailing to interception and surveillance, the government and private corporations have resorted to all possible means to watch over people. In addition, Google and Facebook, among other internet giants, have emerged as the world’s major data controllers, knowing more about citizens than their respective governments.

Except a few cases where citizens have moved court to defend their rights, most of tracking and surveillance carried out by the agencies or private corporations go unnoticed in the absence of legal or judicial recourse. The right to privacy bill, which was revised several times between 2011 and 2015, was a step towards providing legal remedy in such cases.

Status

At present, the files related to the privacy bill are gathering dust at the DoPT. ​“It is a political decision,” a senior official, aware of the matter, told Governance Now. In December, the DoPT issued an advisory to the DeitY suggesting changes in the IT Act, 2000. This was in response to DeitY’s repeated requests, ascertaining the status of the right to privacy bill. [DeitY is the nodal agency dealing with rules and regulations for information technology and business process outsourcing industry. It also oversees Aadhaar and Digital India: two key programmes aimed at making citizens’ interaction with government electronic and hence traceable.]

The DeitY was told to work on data privacy provisions, as the IT industry is losing contracts for want of a statutory mechanism, the senior official said.

It is a fact. The European Union maintains a list of countries, ranking them based on their ​‘data adequacy’ – ascertaining the level of protection of personal data in those countries. ​“India is not in that list,” said Vinayak Godse, senior director, data protection, Data Security Council of India (DSCI), a Nasscom body. ​“Our (Indian IT industry’s) share in the US outsourcing market comes to 55 – 60 percent. But we handle only 24 – 28 percent of the European Union market,” Godse said. According to an industry estimate – though there is no empirical data to prove it – the Indian companies lose somewhere between $2.5 billion and $7 billion a year. No doubt the initial push for the privacy law, said cyber law expert Apar Gupta, came from the industry.

Aruna Sharma, secretary, DeitY, confirmed to Governance Now that the department did receive the DoPT advisory last year, terming the right to privacy as a ​“delicate and complicated issue”. [In December 2015, when the DoPT issued the advisory, the DeitY was headed by JS Deepak. He currently holds the charge of the telecom department.] ​“Privacy, however, is not limited to digital data. It (right to privacy) doesn’t come under DeitY’s business rules,” Sharma said.

Scaremongering

The intelligence agencies have been crying hoarse that a comprehensive law will put restrictions on their activities and hence will impact national security. They fear that they will be dragged to courts. ​“They believe that the courts will always take an anti-establishment stand,” said the senior government official.

Another senior official, who had been involved in the formulation of the privacy bill, said, ​“The agencies do a lot of things which are not allowed by the law – snooping and following up. Once people have right to privacy, there will be a restriction on police and intelligence agencies. You are not sure how courts will interpret it.”

> The making and unmaking of privacy law in India

> May 2010: A committee of secretaries (CoS) discussed the issue of data privacy for the first time. A decision was taken to constitute a group of officers under the personnel secretary with members from revenue, home, NATGRID, legal affairs, IT and S&T ministries or departments.

> October-November 2010: A draft approach paper was finalised. The group of officials found that the approach paper primarily dealt with the issue of privacy of personal data and a recommendation was made that ​‘umbrella’ legislation may be drafted based on general principles of data privacy which are accepted worldwide.

> January 2011: A draft data protection bill was prepared and discussed by the group of officials. A decision was taken in that meeting that rather than dealing only with data privacy issues, the ambit of the Act should be enlarged to include infringement of privacy by telephone tapping, surveillance, etc., as well. DoPT in consultation with the legislative department drafted the right to privacy bill. May 27, 2011: The CoS discussed the right to privacy bill. It made some recommendations and asked DoPT to redraft it.

> October 2012: A planning commission appointed group of experts headed by Justice AP Shah submitted its report on privacy to the government.

> January 17, 2013: The redrafted bill was discussed by CoS and it was decided that the DoPT would discuss with the secretaries of telecom, electronics and IT, home and law, so as to harmonise relevant issues, including position on interception and surveillance.

> August 26, 2013: The national security advisor convened a meeting to express the concerns of intelligence agencies, such as IB and RAW, relating to the bill and its potential impact on their functioning.

> January 2014: The draft right to privacy bill 2014 was finalised. It provided greater exemptions to intelligence agencies in comparison to previous drafts, but fell short of giving blanket exemptions, as demanded by the agencies.

> July 23, 2015: Attorney general Mukul Rohatgi told the supreme court that privacy is not a fundamental right.

> March 16, 2016: The Lok Sabha passes the Aadhaar bill, rejecting five amendments proposed by the Rajya Sabha, including one to do away with a provision related to ​‘national security’ which overrides privacy clauses in the bill and gives sweeping power to the government.

> April 29, 2016: Communications and IT minister RS Prasad told the upper house that the right to privacy bill is still at the initial consultative stage.

According to Vinayak Godse, there is a lot of fear-mongering by the agencies in relation to right to privacy. ​“Agencies should be accountable to data they collect. Under its data protection rules, the EU has defined exceptions but it provides safeguards as well,” he said.

A comprehensive law

Rejecting the ​‘fear’ of the agencies, public policy experts and jurists have invariably demanded a comprehensive law on privacy. ​“We need an omnibus privacy law to harmonise 50-odd sectoral laws and policies that affect the right to privacy and also to make it clear to courts whether it is or it isn’t a constitutional right to privacy,” said Sunil Abraham, executive director, Centre for Internet and Society (CIS), Bengaluru.

Merely amending Section 43A of IT Act (‘compensation for failure to protect data’), Abraham said, would only add to the complexity and lack of clarity of the current situation.

“We will continue to be plagued by legal and regulatory uncertainty, thereby retarding growth of Make in India, Digital India and Startup India,” he said.

The report of the government-appointed group of experts headed by former chief justice of Delhi high court justice AP Shah highlights the multidimensional nature of privacy and outlines provisions not only for data protection, but also communication interception and surveillance and what is known as ​“bodily” and physical privacy.

The expert group, which submitted its report in October 2012, noted, ​“A framework on right to privacy in India must include… appropriate protection from unauthorised interception, audio and video surveillance, use of personal identifiers, bodily privacy including DNA as well physical privacy…”

The Shah committee report also points at the differences in provisions allowing for interception under the Telegraph Act and Information Technology Act: ranging from the type of interception, type and granularity of intercepted information and the destruction and retention requirements of intercepted material, among others. ​“These differences have created an unclear regulatory régime that is non-transparent, prone to misuse and that does not provide remedy for aggrieved individuals,” the report highlighted.

The committee recommended nine ​‘national privacy principles’ to be followed by all organisations dealing with people’s data: notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability. These principles were incorporated in the 2014 version of the privacy bill.

The committee also recommended setting up the office of a national privacy commissioner, and not data protection authority of India, as prescribed in the draft legislation. On the contrary, the Shah committee recommended that the privacy commissioner ​“may exercise broad oversight functions” in matters related to interception/​access, audio and video recordings, use of personal identifiers, and the use of bodily of genetic material.

What are internet giants doing? 

An omnibus privacy law, conforming to national privacy principles, and the office of the privacy commissioner, thus established, can also investigate global corporations either suo motu or based on individual complaints, said Abraham of CIS. At present, there is no way to ascertain if corporations including Facebook or Google are misusing the huge amount of data users post on their platforms. There has been no study at all to inform Indian users about how they are being tracked and for what purposes their data is being used.

“Recent studies have shown that the personal posts (messages) on Facebook have reduced significantly,” said Anja Kovacs, director, Internet Democracy Project. The scepticism about how your personal information will be used has increased. Less trust leads to censorship, she said. The reports show that Facebook is increasingly becoming a platform for sharing and posting news feeds, instead of personal or original posts.

“Facebook has made frequent changes in its privacy policy. Each time the privacy safeguards have reduced,” she said.

Mozilla’s privacy policy is still better, said Kovacs. It follows five principles: a) transparent data usage and sharing, b) advocating best practices, c) limited data, d) balancing user safety and experience and e) multi-layered security controls. As the data is held privately by these corporations, there is no way to verify if they comply with their own standards and policies. A lot of these things could be resolved if we have a strong privacy law and an empowered privacy commissioner.

But it now looks like a distant dream. The senior government official said that the DeitY was told that entitling every citizen with right to privacy and bringing intelligence agencies under a law is a long debate which will go on indefinitely. ​“The DoPT will not drop it, but it will not do anything about it,” the senior official said. ​“It was a calculated response given by the minister,” he said, referring to Prasad’s reply in Rajya Sabha.

> Is ​‘right to be forgotten’ part of right to privacy?

> In February, a writ petition defended an individual’s ​‘right to be forgotten’. The petitioner, an Indian living abroad, approached the Delhi high court, requesting it to order internet giant Google and the Indian Kanoon web portal to delink him from information pertaining to a criminal case between his wife and mother, in which he was not a party.

> Every time someone enters his name on Google search, it shows links related to the court case, jeopardising his chances of seeking better employment opportunities, said Rohit Madan, the petitioner’s lawyer. Madan is handling the case along with his colleague Akash Vajpai. > Their client was married nearly seven years ago. He worked for a firm based abroad (the name of the petitioner, his profession and the country of residence are being withheld to maintain anonymity). Later, the couple developed marital discord and started living separately. The petitioner’s mother filed a criminal case related to property against her daughter-in-law.

> The couple, however, resolved their differences and started living together in 2015. In 2016, the criminal case was also withdrawn. The petitioner approached Google India, which showed its helplessness. ​“They told us that they don’t have the powers to remove content. The power rests with the grievance officer at the US headquarters. They told us that it will open up a huge Pandora’s box for them,” Madan said. > ​“Living in India, we are subject to privacy norms of Google US. How strange it can be?” he asked.

> A mail was sent to Google’s grievance officer. It got an automatic, machine-generated response, stating that ​“we will get back”. > Madan then wrote to Indian Kanoon, requesting to remove the link of his client’s case, which had already been withdrawn. ​“They said they can remove the content only on a court order.” That’s when they went to the high court in February.

> The court asked all respondents – Google India, Google Inc, ministry of communications and IT, and Indian Kanoon – to revert by September, when the final hearing will take place. The court has asked the central government to clarify if the right to privacy includes right to be forgotten on the internet.