The data protection regime in India is in a state of flux. The year 2017 has been a humdinger of a year for data privacy laws. On August 24, 2017 the constitutional bench of the Supreme Court[1] decided that the right to privacy was, after all, a fundamental right.[2] The Supreme Court also noted in the matter that "the government has initiated the process of reviewing the entire area of data protection, it would be appropriate to leave the matter for expert determination so that a robust regime for the protection of data is put into place. We expect that the Union government shall follow up on its decision by taking all necessary and proper steps." Following the judgment in re Puttuswamy, the Committee of Experts on a Data Protection Framework for India chaired by Justice B. N. Srikrishna released a white paper on November 27, 2017.[3] The Ministry of Electronics & Information Technology (MeitY) issued a press release on December 28, 2017 seeking public comments on the white paper by January 31, 2018.
2. Present position of law.
- clear and easily accessible statements of its practices and policies;
- type of personal and sensitive personal data or information collected by it;
- purpose of collection and usage of such information;
- disclosure of information including sensitive personal data or information collected;
- reasonable security practices and procedures adopted by it.
Consent: The most
regard the Supreme Court has in re Puttuswamy[7] made the following observations:
"497. It was rightly expressed on behalf of the Petitioners that the technology has made it possible to enter a citizen's house without knocking at his/her door and this is equally possible both by the State and non-State actors. It is an individual's choice as to who enters his house, how he lives and in what relationship. The privacy of the home must protect the family, marriage, procreation and sexual orientation which are all important aspects of dignity. 498. If the individual permits someone to enter the house it does not mean that others can enter the house. The only check and balance is that it should not harm the other individual or affect his or her rights. This applies both to the physical form and to technology."
- Purpose of information
clearly specify the purpose of collection of the information.[13] Only that personal information should be collected from data subjects as is necessary for the purposes identified for such collection, regarding which notice has been provided and consent of the individual taken.[14] An omnibus purpose which ambiguously refers to future commercial usage may not be favourably viewed by Indian courts, especially if the
- Disclosure of information. The information provider must also be clearly informed of the type of information collected. Technological advancement is not equivalent to technological literacy. It is not audacious to assume that many internet users are still unaware of the perils of divulging data. Therefore, it is vital that the information provider be informed about the nature of his personal information that is being collected. The data controller must also permit the providers of information, as and when requested by them, to review the information they had provided.[17] The other side of this aspect is that the data controller must also obtain prior permission if it intends to disclose the collected information to a third party,[18] except to government agencies mandated under law.
"Digitalization has changed society. While data is becoming the 'new oil', data protection is becoming the new 'pollution control'."[20] With the increase of the digital population in India, online services and businesses are being redefined every microsecond. Technology combined with the vast mines of information available online has pushed the boundaries of standard business industries beyond any recognizable horizon. Healthcare, finance, fitness and beauty, e-commerce, transportation, software solutions, music, arts, movies, etc., are evolving as industries on a daily basis. The nature of services being offered by these industries is no longer limited to vanilla sale and purchase or a pure service model. However, nothing is more deleterious to a man's physical happiness and health than a calculated interference with his privacy.[21]
Considering that the digital population in India has grown substantially, data privacy and data protection are key issues at the moment. Every internet user leaves his/her digital footprints in the form of personal data when browsing the internet. This may range from providing, knowingly or unwittingly, their IP address, name and mobile number to personal and sensitive information like their sexual orientation, medical records, etc. This leaves internet users vulnerable to crimes like identity theft, breach of privacy and financial crimes.
1. See Justice Puttuswamy v. UOI, Writ Petition (Civil) No. 494 of 2012 decided on August 24, 2017.
2. Previously, in the matter of M.P. Sharma v. Satish Chandra, District Magistrate, Delhi (1954) SCR 1077 and Kharak Singh v. State of Uttar Pradesh (1964) 1 SCR 332 it had been observed that the Indian constitution does not specifically protect the right to privacy. The submissions of the petitioners in the Kharak Singh and M. P. Sharma matters were founded on the principles expounded in A. K. Gopalan v. State of Madras, AIR 1950 SC 27 where it was held that each provision contained in the chapter on fundamental laws embodied a distinct protection. This principle was held not to be good law by an eleven judge bench in Rustom Cavasji Cooper v. UOI (1970) 1 SCC 248.
Also in Maneka Gandhi v. UOI (1978) 1 SCC 248, the minority judgment of Justice Subba Rao in Kharak Singh was specifically approved of and the decision of the majority was overruled. Apart from this there were several matters rendered by benches of smaller strength than those in M.P. Singh and Kharak Singh which affirmed the existence of a constitutionally protected right of privacy. Faced with this predicament and having due regard to the far-reaching questions of importance involving interpretation of the Constitution, it was felt that institutional integrity and judicial discipline would require a reference to a larger Bench. Thus, the matter was referred to a constitutional bench of Supreme Court in re Puttuswamy.
3. See 'White Paper of the Committee of Experts on a Data Protection Framework for India' available at http://meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_18122017_final_v2.1.pdf on January 30, 2018. The Whitepaper recognizes in the foreword that the issue of data protection is important both intrinsically and instrumentally. Intrinsically, a regime for data protection is synonymous with protection of informational privacy. Instrumentally, a firm legal framework for data protection is the foundation on which data driven innovation and entrepreneurship can flourish in India. Fostering such innovation and entrepreneurship is essential
4. See Clarification on Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under Section 43A of the Information Technology Act, 2000 issued vide press note dated August 24, 2011.
5. In 2012, a Group of Experts on Privacy was constituted by the erstwhile Planning Commission under the Chairmanship of Justice AP Shah (Justice AP Shah Committee). The report of the Justice AP Shah Committee recommended a detailed framework that serves as the conceptual foundation for a privacy law in India, considering multiple dimensions of privacy. After a detailed deliberative and consultative exercise, it proposed a set of nine National Privacy Principles to be followed, broadly derived from the OECD Guidelines. The nine principles set out by the Justice AP Shah Committee are as follows: Principle 1: Notice; Principle 2: Choice and Consent; Principle 3: Collection Limitation; Principle 4: Purpose Limitation; Principle 5: Access and Correction; Principle 6: Disclosure of Information; Principle 7: Security; Principle 8: Openness; Principle 9: Accountability. See Report of the Justice AP Shah Committee, 21-27 (October 16, 2012).
6. See Rule 4 of the Sensitive Information Rules.
7. Ibid. See para 477 of the judgement.
8. See Rule 5 (7) of the Sensitive Information Rules. As per this provision, prior to the collection of information including sensitive personal data or information, the data controller must provide an option to the provider of information to not provide the data or information sought to be collected. The provider of information shall, at any time while availing the services or otherwise, also have an option to withdraw its consent given earlier to the data controller.
9. See Rule 5 (7) of the Sensitive Information Rules.
10. The term 'adhesion contract' has been defined under the Black's Law Dictionary as "a standardized contract form offered to consumers of goods and services on essentially 'take it or leave it' basis without affording consumer realistic opportunity to bargain and under such conditions that consumer cannot obtain desired product or services except by acquiescing in form contract. Distinctive feature of adhesion contract is that weaker party has no realistic choice as to its terms. Not every such contract is unconscionable."
11. See LIC of India and Anr. v. Consumer Education & Research center and Ors. AIR 1995 SC 1811; and Rakesh Chand and others v. State of Himachal Pradesh and others, [CWP (T) No. 781/2008, Decided on June 15, 2010]. Also see http://www.mondaq.com/india/x/380692/Contract+Law/Happily+Click+after+The+real+story+of+econtracts.
12. See Rule 5 of the Sensitive Information Rules.
13. In re Puttuswamy, the Supreme Court notes vis-à-vis 'purpose limitation' (which is one of the nine principles proposed by the Group of Experts on Privacy) – "Personal data collected and processed by data controllers should be adequate and relevant to the purposes for which it is processed. A data controller shall collect, process, disclose, make available, or otherwise use personal information only for the purposes as stated in the notice after taking consent of individuals. If there is a change of purpose, this must be notified to the individual. After personal information has been used in accordance with the identified purpose it should be destroyed as per the identified procedures. Data retention mandates by the government should be in compliance with the National Privacy Principles."
14. Rule 5 (5) of the Sensitive Information Rules stipulates that the information collected must be used for the purpose for which it has been collected.
15. Rule 5 (3) of the Sensitive Information Rules stipulates that while collecting information directly from the person concerned the body corporate or any person on its behalf must take such steps as are in the circumstances reasonable to ensure that the person concerned is having the knowledge of – (a) the fact that the information is being collected; (b) the purpose for which the information is being collected, (c) the intended recipient of the information; and (d) the name and address of the agency that is collecting the information and the agency that will retain the information.
16. See Rule 5 (4) of the Sensitive Information Rules.
17. See Rule 5 (6) of the Sensitive Information Rules.
18. See Rule 6 of the Sensitive Information Rules.
19. See Rule 8 of the Sensitive Information Rules.
20. Summary to the documentary 'Democracy: Im Rausch der Daten' (2015).
21. In re Kharak Singh, at page 359.