New privacy Bill more refined & has wider ambit, say experts

The article by Surabhi Agarwal was published in the Business Standard on April 2, 2014. CIS welcomes changes in the Bill but is cautious of the wide exceptions.

The government’s latest attempt to draft a privacy Bill is being termed by as a refined one by experts as it expands its ambit.

However, the Bill creates some wide exceptions for law enforcement and intelligence agencies to collect personal information of individuals. The government has made several attempts at drafting a privacy Bill since 2010, with the aim of protecting individuals against data misuse by government or private agencies.

The first draft, released in 2011, extended the Right to Privacy to citizens of India. But, the 2014 version has expanded its ambit to cover all residents of the country. The 2014 Bill also recognises the Right to Privacy as a part of Article 21 of the Indian Constitution and extends to the whole of India. In contrast, the 2011 Bill did not explicitly recognise the Right to Privacy as being a part of Article 21, and excluded Jammu and Kashmir from its purview.

Both the drafts include a list of circumstances under which authorisation for the collection and processing of sensitive personal data is not required. The lists are broadly the same. However, the latest version exempts insurance company and government intelligence agencies collecting or processing data “in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.”

A Bangalore-based Internet think-tank Centre for Internet and Society said it welcomed many changes in the Bill, but were cautious on the wide exceptions.

“The Bill carves out another exception for government agencies, allowing disclosure of sensitive personal data without consent to government agencies mandated under law for the purposes of verification of identity, or for prevention, detection, investigation, including cyber incidents, prosecution and punishment of offences,” the Centre for Internet and Society said in a note analysing the provisions of the Bill.

The privacy Bill was originally conceptualised to ensure the data collected by the government under various new projects such as Aadhaar or the National Information Grid (NATGRID) are not misused in any way. But incidents, such as the tapping of phone conversations involving former lobbyist Niira Radia, prompted the government to expand the ambit of the privacy law from just being a data protection one to also cover surveillance and interception.

However, it was unable to reach a consensus due to inter-ministerial conflicts as the law was superseding various provisions under several existing legislations.

The government also set up a committee under retired Delhi high court judge Ajit P Shah under the aegis of the Planning Commission to study international best practices on privacy and surveillance. This committee filed a report in 2012.

Some additions to the Bill include the term personal identifier, defined by any unique alphanumeric sequence of members, letters, and symbols that specifically identifies an individual with a database or a data set.

The Bill has also re-defined sensitive personal data to denote personal data relating to physical and mental health, including medical history, biometric, bodily or genetic information, criminal convictions, password, banking credit and financial data, narco analysis or polygraph test data and sexual orientation.

Once the law comes into being, the government or a private agency will have to adequately inform citizens before collecting data, stating the reasons and only collecting as much information as is necessary.

It will also have to clearly define the time period for which the data will be stored and the security measures taken to protect it from misuse. The law also lays down the penalties in case of a breach.