The Privacy (Protection) Bill, 2013 ("Bill") does not provide any definition of "privacy"; however, it focuses on the protection of personal and sensitive personal data of persons. This Bill shall have an overriding effect on all existing provisions directly or remotely related to privacy as section 3 provides that "no person shall collect, store, process, disclose or otherwise handle any personal data of another person except in accordance with the provisions of this Act an d any rules made thereunder." However, it provides an exception to this rule under section 4 by stating that "nothing in this Act shall apply to the collection, storage, processing or disclosure of personal data for personal or domestic use."
This article attempts to understand the proposed new legislation in the offing and examine if it will serve the purpose of the day and age when privacy concerns are violated everyday in social media and public places. Even the government projects like UIDAI that is collecting sensitive personal data of citizens have not been able to ensure protection of privacy.
1. The domain of personal data
"Personal data" has been described to mean any data, which relates to a natural person if that person can, whether directly or indirectly in conjunction with any other data, be identified from it and includes sensitive personal data. Sensitive personal data are the personal data as to the data subject's:
(i) Biometric data;
(ii) Deoxyribonucleic acid data;
(iii) Sexual preferences and practices;
(iv) Medical history and health;
(v) Political affiliation;
(vi) Commission, or alleged commission, of any offence;
(vii) Ethnicity, religion, race or caste; and
(viii) Financial and credit information.
This definition is different from the definition provided under The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 that came into effect from April 13, 2011. Though the reasons for difference are unknown, yet the ambit of sensitive personal data has been enhanced, which is a good step. However, it does not seem logical why a person would generally keep political affiliation and caste and religion details sensitive and personal.
2. Protection of personal data
There are specific provisions related to collection, storage, processing, transfer, security, confidentiality, and disclosure of sensitive personal data in the Bill. Consent of the data provider is a must for undertaking all the aforesaid activities. However, there are several exceptions to this rule, which are as follows:
(i) Personal data may be collected without the prior consent of the data subject if it is:
(a) necessary for the provision of an emergency medical service to the data subject;
(b) required for the establishment of the identity of the data subject and the collection is authorized by a law in this regard;
(c) necessary to prevent a reasonable threat to national security, defense or public order; or
(d) necessary to prevent, investigate or prosecute a cognizable offence.
(ii) Any personal data may be processed for a purpose other than for which it was collected or received if:
(a) the data subject grants the consent to the processing and only that personal data that is necessary to achieve the other purpose is processed;
(b) it is necessary to perform a contractual duty to the data subject;
(c) it is necessary to prevent a reasonable threat to national security, defense or public order; or
(d) it necessary to prevent, investigate or prosecute a cognizable offence.
(iii) Prior to a disclosure of personal data, the data controller or data processor, as the case may be, seeking to disclose the personal data, shall inform the data subject of the following details in respect of his personal data, namely:
(a) when it will be disclosed;
(b) the purpose of its disclosure;
(c) the security practices, privacy policies and other policies that will protect it; and
(d) the procedure for recourse in case of any grievance in relation to it.
In addition to the above requirement of consent, no person shall collect, receive, store, process or otherwise handle any personal data without implementing measures, including, but not restricted to, technological, physical and administrative measures, adequate to secure its confidentiality, secrecy, integrity and safety, including from theft, loss, damage or destruction. Plus, the data collector has to ensure the quality, accuracy and the fact that the data is up to date.
Further, for the protection of sensitive personal information the Bill provides that notwithstanding anything contained in herein and the provisions of any other law for the time being in force:
(a) no person shall store sensitive personal data for a period longer than is necessary to achieve the purpose for which it was collected or received, or, if that purpose has been achieved or ceases to exist for any reason, for any period following such achievement or cessation;
(b) no person shall process sensitive personal data for a purpose other than the purpose for which it was collected or received;
(c) no person shall disclose sensitive personal data to another person, or otherwise cause any other person to come into the possession or control of, the content or nature of any sensitive personal data, including any other details in respect thereof.
No person shall carry out any surveillance or intercept any communication of another person without implementing measures, including, but not restricted to, technological, physical and administrative measures, to secure the confidentiality and secrecy of all information obtained as a result of the surveillance or interception of communication, as the case may be, including from theft, loss or unauthorized disclosure. Any person who carries out any surveillance or interception of any communication, or who obtains any information, including personal data, as a result of surveillance or interception of communication, shall be subject to a duty of confidentiality and secrecy in respect of it.
Every competent organization shall, before the expiry of a period of 100 days from the enactment of this Bill, designate as many officers as it deems fit as Privacy Officers who shall be administratively responsible for all interceptions of communications carried out by that competent organization. No person shall disclose to any other person, or otherwise cause any other person to come into the knowledge or possession of, the content or nature of any information, including personal data, obtained as a result of any surveillance or interception carried out under this Bill. Notwithstanding anything contained in this section,
(a) if the disclosure of any information, including personal data, obtained as a result of any surveillance or interception of any communication is necessary to prevent a reasonable threat to national security, defense or public order, or
(b) prevent, investigate or prosecute a cognizable offence, an authorized officer may disclose the information, including personal data, to any authorized officer of any other competent organization.
3. Punishment for offences related to personal data
If someone collects, receives, stores, processes or otherwise handles any personal data without following the provisions of the Bill, he/she shall be punishable with imprisonment and may also be liable to fine. The two crucial elements of crime are mens rea and actus reus. When in an offence it is not necessary to establish mens rea, they are strict liability offence and are generally the rare crimes. However, this principle has not been followed in the Bill, wherein a clear reading of the provisions related to offences provides that violation of the privacy conditions is a strict liability criminal offence requiring no assessment of either intent or consequence of the violation. Even the abetment and repeat offences and offences by companies have been made cognizable and non bailable under the Bill.
When offence is committed by companies, every person who, at the time of the offence was committed, was in charge of, and was responsible to, the company for the conduct of the business of the company, as well as the company shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly. However, such person cannot be held liable if he proves that the offence was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence. So, if it is proved that the offence has been committed with the consent or connivance of, or is attributable to any neglect on the part of any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall be deemed to be guilty of that offence, and shall be liable to be proceeded against and punished accordingly.
The Bill has been proposed by the Centre for Internet and Society. Though it has expanded the scope of sensitive personal data, it has not covered all the aspects, like, passwords or other personal details within its ambit. The exceptions to the rule of privacy are also wide. It should be clearly stated that the one who receives, stores, processes or otherwise handles any personal data includes government or anybody/person authorized by the government on its behalf and that the liability of the government and its officials would be similar in cases of unauthorized collection, storage, processing or handling. As stated before the violation of the privacy conditions is a strict liability criminal offence requiring no assessment of either intent or consequence of the violation is a severe step and be considered revision. Intent should be an element along with the carelessness or negligence of the person. Though this Bill seems to be a step in the right direction, what it can fetch is a question that remains to be answered. But that can be fathomed only once this sees the light of the day.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.