Another step to­wards pri­vacy leg­is­la­tion

A com­par­i­son be­tween the 2012 ex­perts’ re­port and the 2017 white pa­per on data pro­tec­tion

Governance Now - - FRONT PAGE - Elon­nai Hickok

On July 31 the min­istry of elec­tron­ics and in­for­ma­tion tech­nol­ogy (Mi­ety) con­sti­tuted a com­mit­tee of ex­perts, headed by jus­tice (re­tired) Bn srikr­ishna, to de­lib­er­ate on a data pro­tec­tion frame­work for in­dia. The com­mit­tee is another step in in­dia’s jour­ney in for­mu­lat­ing a na­tional-level pri­vacy leg­is­la­tion.

The for­mu­la­tion of a pri­vacy law started as early as 2010 with an ap­proach pa­per for a leg­is­la­tion on pri­vacy to­wards en­vi­sion­ing a pri­vacy frame­work for in­dia. in 2011, a bill on right to pri­vacy was drafted. in 2012 the plan­ning com­mis­sion con­sti­tuted a group of ex­perts, with jus­tice (re­tired) AP shah as its chief, which pre­pared a re­port rec­om­mend­ing a pri­vacy frame­work.

A month af­ter the for­ma­tion of the com­mit­tee, in Au­gust, the sec­toral reg­u­la­tor, Tele­com reg­u­la­tory Au­thor­ity of in­dia (Trai), re­leased the con­sul­ta­tion pa­per, ‘Pri­vacy, se­cu­rity and own­er­ship of the data in the Tele­com sec­tor’. in the same month, the supreme court in a land­mark de­ci­sion recog­nised pri­vacy as a fun­da­men­tal right.

in novem­ber 2017, the ex­pert group re­leased a ‘White Pa­per of the com­mit­tee of ex­perts on a data Pro­tec­tion Frame­work for in­dia’ to so­licit pub­lic com­ments on the con­tours of a data pro­tec­tion law for in­dia.

To un­der­stand the evo­lu­tion of the think­ing around a pri­vacy frame­work for in­dia, this ar­ti­cle out­lines and analy­ses com­mon themes and dif­fer­ences be­tween (a) the 2012 group of ex­perts’ re­port, and the 2017 ex­pert com­mit­tee’s white pa­per.

The white pa­per seeks to gather in­puts from the pub­lic on key is­sues to­wards the de­vel­op­ment of a data pro­tec­tion law for in­dia. The pa­per places it­self in the con­text of the nda gov­ern­ment’s dig­i­tal in­dia ini­tia­tive, the jus­tice shah com­mit­tee re­port, and the ju­di­cial de­vel­op­ments on the right to pri­vacy in in­dia. it is di­vided into three sub­stan­tive parts: (1) scope and ex­emp­tions, (2) grounds of pro­cess­ing, obli­ga­tion and en­ti­ties, in­di­vid­ual rights, and (3) reg­u­la­tion and en­force­ment. each part is com­prised of deep dives into key is­sues, in­ter­na­tional prac­tices, pre­lim­i­nary views of the com­mit­tee, and ques­tions for pub­lic con­sul­ta­tion.

Broadly, the 2012 re­port de­fined nine na­tional-level pri­vacy prin­ci­ples and rec­om­mended a co-reg­u­la­tory frame­work that con­sisted of pri­vacy com­mis­sion­ers, courts, self-reg­u­lat­ing or­gan­i­sa­tions, data con­trollers, and pri­vacy of­fi­cers at the or­gan­i­sa­tional level. At the out­set, the 2017 white pa­per is dif­fer­ent from that re­port sim­ply by the fact that it is a con­sul­ta­tion pa­per so­lic­it­ing views as com­pared to a re­port that rec­om­mends a broad pri­vacy frame­work for in­dia. in do­ing so, the white pa­per ex­plores a broader set of is­sues than those dis­cussed in the jus­tice shah re­port – rang­ing from the im­pli­ca­tions of emerg­ing tech­nolo­gies on the rel­e­vance of tra­di­tional pri­vacy prin­ci­ples, data lo­cal­i­sa­tion, child’s con­sent, in­di­vid­ual par­tic­i­pa­tion rights, the right to be for­got­ten, cross-bor­der flow of data, breach no­ti­fi­ca­tion etc. Given that the white pa­per is a con­sul­ta­tion pa­per, this ar­ti­cle ex­am­ines the pro­vi­sional views shared in it with the rec­om­men­da­tions of the 2012 re­port.

Key ar­eas that the both the doc­u­ments touch upon (though not nec­es­sar­ily agree on) in­clude:

Ap­pli­ca­bil­ity

The 2012 re­port of ex­perts rec­om­mended a pri­vacy leg­is­la­tion that ex­tends the right to pri­vacy to all per­sons in in­dia, all data that is pro­cessed by a com­pany or equip­ment lo­cated in in­dia, and to data that orig­i­nate in in­dia.

Pro­vi­sional views in the white pa­per reflect this po­si­tion, but also of­fer that ap­pli­ca­bil­ity could be in part de­ter­mined by the le­git­i­mate in­ter­est of the state, car­ry­ing on a busi­ness or of­fer­ing ser­vices or goods in in­dia, and if, de­spite lo­ca­tion, the en­tity is pro­cess­ing the per­sonal data of in­dian cit­i­zens. The pro­vi­sional views also touch upon ret­ro­spec­tive ap­pli­ca­tion of a data pro­tec­tion law and agree with the 2012 re­port by rec­om­mend­ing that a law ap­ply to pri­vacy and pub­lic bod­ies. They also go a step fur­ther by rec­om­mend­ing spe­cific ex­emp­tions in ap­pli­ca­tion for well de­fined cat­e­gories of pub­lic or pri­vate en­ti­ties.

Ex­cep­tions

The ex­perts’ re­port de­fined the fol­low­ing ex­cep­tions to the right to pri­vacy: artis­tic and jour­nal­is­tic pur­poses, house­hold pur­poses, his­toric and sci­en­tific re­search, and the Right to

in­for­ma­tion. ex­cep­tions that must be weighed against the prin­ci­ples of pro­por­tion­al­ity, le­gal­ity, and nec­es­sary in a demo­cratic state in­cluded: na­tional se­cu­rity, pub­lic or­der, dis­clo­sure in pub­lic

in­ter­est, pre­ven­tion, de­tec­tion, in­ves­ti­ga­tion, and pros­e­cu­tion of crim­i­nal of­fences, and pro­tec­tion of the in­di­vid­ual or of the rights and free­doms of oth­ers.

Pro­vi­sional views in the 2017 white pa­per broadly mir­ror the ex­emp­tions de­fined in the ex­perts’ re­port, but do not weigh ex­cep­tions re­lated to na­tional se­cu­rity and pub­lic in­ter­est etc. against the prin­ci­ples of pro­por­tion­al­ity, le­gal­ity, and nec­es­sary in a demo­cratic state and in­stead ex­plored a re­view mech­a­nism for these ex­cep­tions.

Con­sent

Pro­vi­sional views in the white pa­per on con­sent note that as­pects of con­sent should in­clude that it is freely given, informed and spe­cific and that stan­dards for im­plied con­sent need to be evolved.

Though the 2012 ex­perts’ re­port de­fined a prin­ci­ple for choice and con­sent, this prin­ci­ple did not de­fine as­pects of what would con­sti­tute valid con­sent, yet it did in­cor­po­rate an optout mech­a­nism.

No­tice

Pro­vi­sional views in the white pa­per hold that no­tice is im­por­tant in en­abling con­sent and ex­plore a num­ber of mech­a­nisms that can be im­ple­mented to ef­fect mean­ing­ful no­tice such as codes of prac­tice for de­sign­ing no­tice, mul­ti­lay­ered no­tices, as­sess­ing no­tices in pri­vacy im­pact as­sess­ments, as­sign­ing ‘data trust scores’ based on their data use pol­icy, and hav­ing a ‘con­sent dash­board’ to help in­di­vid­u­als man­age their con­sent across en­ti­ties.

These views build upon and com­ple­ment the prin­ci­ple of no­tice de­fined in the 2012 re­port which de­fined com­po­nents of a pri­vacy pol­icy as well as other forms of no­tice in­clud­ing data breach (also ad­dressed in the white pa­per) and le­gal ac­cess to per­sonal in­for­ma­tion.

The new white pa­per is dif­fer­ent from that re­port sim­ply by the fact that it is a con­sul­ta­tion pa­per so­lic­it­ing views as com­pared to a re­port that rec­om­mends a broad pri­vacy frame­work for In­dia.

Pur­pose lim­i­ta­tion/min­imi­sa­tion

Pro­vi­sional views in the white pa­per recog­nise the chal­lenges that evolv­ing tech­nol­ogy is pos­ing to the prin­ci­ple of pur­pose lim­i­ta­tion and rec­om­mend that lay­ered pri­vacy poli­cies and the stan­dard of rea­son­able­ness can be used to con­tex­tu­alise this prin­ci­ple to ac­tual pur­poses and uses.

Though the 2012 re­port de­fined a pur­pose lim­i­ta­tion prin­ci­ple, the prin­ci­ple does not in­cor­po­rate a stan­dard of rea­son­able­ness or ex­plore meth­ods of im­ple­men­ta­tion.

Data Re­ten­tion and Qual­ity

Pro­vi­sional views in the white pa­per sug­gest that the prin­ci­ples of data re­ten­tion and data qual­ity can be guided by the terms “rea­son­ably and nec­es­sary” to en­sure that they are not overly bur­den­some on in­dus­try.

The 2012 re­port of ex­perts briefly touched on data re­ten­tion in the prin­ci­ple of pur­pose lim­i­ta­tion –hold­ing that prac­tices should be in com­pli­ance with the na­tional pri­vacy prin­ci­ples.

Right to Ac­cess

Pro­vi­sional views in the white pa­per recog­nise the im­por­tance of the right con­fir­ma­tion, ac­cess, and rec­tify per­sonal in­for­ma­tion of the in­di­vid­ual, but note that this is in­creas­ingly be­com­ing harder to en­force with re­spect to data that is ob­served be­hav­ioral data and de­rived from habits. A sug­gested so­lu­tion is to im­pose a fee on in­di­vid­u­als for us­ing these rights to de­ter friv­o­lous re­quests.

Though the 2012 re­port de­fined a prin­ci­ple of ac­cess and cor­rec­tion it did not pro­pose a fee for us­ing this right and it in­cluded the caveat that if the ac­cess would af­fect the pri­vacy rights of oth­ers, ac­cess may not be given by the data con­troller.

En­force­ment Mech­a­nisms

Pro­vi­sional views in the 2017 white pa­per broadly agree with the ap­pro­pri­ate­ness of the model of co-reg­u­la­tion and de­vel­op­ment of codes of prac­tice as sug­gested in the 2012 re­port. Within the sys­tem en­vi­sioned in the 2012 re­port of ex­perts, self-reg­u­lat­ing or­gan­i­sa­tions at the in­dus­try level will have the abil­ity to de­velop in­dus­try spe­cific norms and stan­dards in com­pli­ance with the na­tional pri­vacy prin­ci­ples to be ap­proved by the pri­vacy com­mis­sioner.

Ac­count­abil­ity

The pro­vi­sional views of the white pa­per go be­yond the prin­ci­ple of ac­count­abil­ity de­fined in the 2012 re­port by sug­gest­ing that data con­trollers should not only be held ac­count­able for im­ple­men­ta­tion of de­fined data pro­tec­tion stan­dards, but in de­fined cir­cum­stances, also for harm that is caused to an in­di­vid­ual.

Ad­di­tional obli­ga­tions on data con­trollers

Pro­vi­sional views in the white pa­per sug­gest the fol­low­ing mech­a­nisms as meth­ods to­wards en­sur­ing ac­count­abil­ity of spe­cific cat­e­gories of data con­trollers: reg­is­tra­tion, data pro­tec­tion im­pact as­sess­ment, data au­dits, and data pro­tec­tion of­fi­cers that are cen­tres of ac­count­abil­ity.

The 2012 ex­perts’ re­port also en­vi­sioned im­pact as­sess­ments and in­ves­ti­ga­tions car­ried out by the pri­vacy com­mis­sioner and the role of a data con­troller, but did not ex­plore reg­is­tra­tion of these en­ti­ties.

Au­thor­i­ties and ad­ju­di­ca­tion

The both doc­u­ments are in agree­ment on the need for a pri­vacy com­mis­sioner/data pro­tec­tion au­thor­ity and en­vi­sion sim­i­lar func­tions such as con­duct­ing pri­vacy im­pact as­sess­ments, au­dits, in­ves­ti­ga­tion, and levy­ing of fines. The white pa­per dif­fers from the 2012 ex­perts’ re­port in its view that the ap­pel­late tri­bunals un­der the it Act and bod­ies like the na­tional com­mis­sion dis­putes re­dres­sal com­mis­sion could po­ten­tially be ap­pro­pri­ate venues for ad­ju­di­cat­ing and re­solv­ing dis­putes.

Though the 2012 ex­perts’ re­port rec­om­mended that com­plaints can be is­sued through an al­ter­na­tive dis­pute res­o­lu­tion mech­a­nism, to cen­tral and re­gional level com­mis­sion­ers, or to the courts – for reme­dies– en­force­ment of penal­ties should in­volve dis­trict and high-level courts and the supreme court. The 2012 re­port spec­i­fied that a dis­tinct tri­bunal should not be cre­ated nor should ex­ist­ing tri­bunals be re­lied upon as there is the pos­si­bil­ity that the in­sti­tu­tion will not have the ca­pac­ity to rule on a broad right of pri­vacy. in­di­vid­u­als that can be held li­able by in­di­vid­u­als in­clude data con­trollers, or­gan­i­sa­tion direc­tors, agency direc­tors, and heads of gov­ern­men­tal de­part­ments.

Penalty and Rem­edy

The white pa­per goes much fur­ther in its think­ing on penal­ties, reme­dies and com­pen­sa­tion than the 2012 re­port of ex­perts – dis­cussing po­ten­tial mod­els for cal­cu­la­tion of civil penal­ties in­clud­ing na­ture and ex­tent of vi­o­la­tion of the data pro­tec­tion obli­ga­tion, na­ture of per­sonal in­for­ma­tion in­volved, num­ber of in­di­vid­u­als af­fected, whether in­fringe­ment was in­ten­tional or neg­li­gent, mea­sures taken by the data con­troller to mit­i­gate the dam­age, and pre­vi­ous track record of the data con­troller.

The white pa­per is a pro­gres­sive and pos­i­tive step to­wards for­mu­lat­ing a data pro­tec­tion law for in­dia that is ef­fec­tive and rel­e­vant na­tion­ally and in­ter­na­tion­ally. it will be in­ter­est­ing to see the pub­lic re­sponse to it and the re­sponse of the com­mit­tee to the in­puts re­ceived from the con­sul­ta­tion as well as how the fi­nal rec­om­men­da­tions dif­fer, build upon, and in­cor­po­rate pre­vi­ous pol­icy steps to­wards a com­pre­hen­sive pri­vacy frame­work for in­dia.

The white pa­per is a pro­gres­sive and pos­i­tive step to­wards for­mu­lat­ing a data pro­tec­tion law that is rel­e­vant na­tion­ally and in­ter­na­tion­ally, and also ef­fec­tive.

Ashish asthana

Newspapers in English

Newspapers from India

© PressReader. All rights reserved.