Q&A to the Report of the Group of Experts on Privacy
Executive Summary
The executive summary explains how the need for a horizontal privacy legislation that recognizes the right to privacy has come about in India in light of projects and practices such as the UID, NATGRID, and the changing nature of business and technology. The executive summary highlights the committee’s recommendations of what should be considered by legislatures while enacting a privacy legislation in India.
Q: What are the salient features of the committee’s recommendations?
A: In its report the committee recommended that any privacy legislation passed should:
- Be technologically neutral and interoperable with international standards to ensure that the regulation can adapt to changing technology, and that business will be promoted.
- Recognize the multiple dimensions of privacy including physical and informational privacy.
- Apply to all data controllers both in the private sector and the public sector to ensure that businesses and governments are held accountable to protecting privacy.
- Establish a set of privacy principles that can be applicable to different practices, policies, projects, departments, and businesses to create a uniform level of privacy protection across all sectors.
- Create an enforcement regime of co-regulation, where industry has the choice of developing privacy principles and ensuring compliance at the sectoral level with regular oversight by the Privacy Commissioners.
Chapter 1: Constitutional Basis for Privacy
This chapter summarizes a number of decisions of the Indian judiciary that demonstrate how the right to privacy in India has been defined on a case-by-case basis, and has been characterized either as a fundamental right or as a common law right.
Q: What are the contexts of the cases covered?
A: This chapter covers cases that speak to the:
- Right to privacy in the context of surveillance by the State
- Balancing the ‘right to privacy’ against the ‘right to free speech’
- The ‘right to privacy’ of HIV patients
- Prior judicial sanctions for tapping telephones
- The ‘search and seizure’ powers of revenue authorities
Chapter 2: International Privacy Principles
This chapter summarizes recent developments in privacy laws, international privacy principles, and privacy principles developed by specific countries. This review aided the Committee in forming its recommendations for the report.
Q: Privacy principles from which countries were reviewed by the Committee?
A: The Committee reviewed privacy principles from the following countries and international organizations.
- EU Regulations of January 2012
- US Consumer Privacy Bill of Rights
- OECD Privacy Principles
- APEC Privacy Framework
- Australia
- Canada
Chapter 3: National Privacy Principles, Rationales, and Emerging Issues
This chapter lays out the nine national privacy principles and describes the rationale for each principle along with emerging issues around each principle.
Q: What could the principles apply to?
A: The principles apply to the collection, processing, storage, retention, access, disclosure, destruction, sharing, transfer, and anonymization of sensitive personal information, personal identifiable information, and identifiable information by data controllers. The national privacy principles can also be applied to legislation, projects, practices, and policies to ensure that provisions and requirements are in compliance with the national privacy principles.
Q: Who could be brought under the scope of the principles?
A: The principles are applicable to every data controller in the private sector and the public sector. For example, organizations and government departments that determine the purposes and means of processing personal information will be brought under the scope of the principles and will be responsible for carrying out the processing of data in accordance with sectoral privacy standards or the national privacy principles.
Q: How could the National Privacy Principles impact individuals?
A: The principles provide individuals with the right to:
1. Receive notice before giving consent, stating what personal information is being collected, the purposes for which personal information is being collected, the uses of collected personal information, whether or not personal information will be disclosed to third persons, the security safeguards established by the data controller, the processes available to data subjects to access and correct personal information, and the contact details of privacy officers.
2. Opt in and out of providing personal information.
3. Withdraw given consent at any point of time.
4. Access and correct any personal information held by data controllers.
5. Issue a complaint with the respective ombudsman, privacy commissioner, or court.
Q: Would the National Privacy Principles be binding for every data controller?
A: Yes, but Self Regulating Organizations at the industry level have the option of developing principles for that specific sector. These principles must be approved by the privacy commissioner and be in compliance with the National Privacy Principles.
Chapter 4: Analysis of Relevant Legislation, Bills, and Interests from a Privacy Perspective
This chapter examines relevant legislation, bills, and interests from a privacy perspective. In doing so, the chapter clarifies how the right to privacy should intersect with the right to information and the freedom of expression, and analyzes current and upcoming legislation to show which existing provisions uphold the privacy principles, which existing provisions conflict with the principles, and which provisions are missing if the legislation is to comply, to the extent possible, with the principles.
Q: How does the report understand the relationship between the Right to Information and the Right to Privacy?
A: When applied, the Privacy Act should not circumscribe the Right to Information Act. Furthermore, RTI recipients should not be considered data controllers and thus should not be brought under the ambit of the privacy principles.
Q: How does the report understand the relationship between the freedom of expression and privacy?
A: Questions about how to balance the right to privacy with the freedom of expression can arise in many circumstances, including: the right to be forgotten and data portability, journalistic expression, state secrecy and whistleblowers, and national security. Most often, public interest is the test used to determine whether the right to privacy should supersede the freedom of expression or vice versa.
Chapter 5: The Regulatory Framework
This chapter outlines the committee’s recommendations for a regulatory framework for the Privacy Act.
Q: Who are the main actors in the regulatory framework?
A: The report recommends that the regulatory framework comprise one privacy commissioner at the central level and four commissioners at the regional level, self-regulating organizations (SROs) at the industry level, data controllers and privacy officers at the organization level, and the courts.
Q: What are the salient features of the regulatory framework?
A: The salient features of the regulatory framework include:
1. A framework of co-regulation
2. Complaints
3. Exceptions to the Privacy Act
4. Offences under the Act
Q: What are exceptions to the right to privacy? Are these blanket exceptions?
A: National security; public order; disclosure of information in the public interest; prevention, detection, investigation and prosecution of criminal offences; and protection of the individual or of the rights and freedoms of others are the suggested exceptions to the right to privacy. The committee has qualified these exceptions with the statement that, before an exception can be made in any of these circumstances, the tests of proportionality, legality, and necessity in a democratic state should be used to determine whether the exception applies and the extent of the exception. Thus, they are not blanket exceptions to the right to privacy.
Historical and scientific research and journalistic purposes were also recommended as additional exceptions to the right to privacy that may be considered. These exceptions will not be subject to the principles of proportionality, legality, and necessity in a democratic state.
Q: What are the powers and responsibilities of the privacy commissioners?
A: The powers and responsibilities of the Privacy Commissioners are the following:
Responsibilities:
- Enforcement of the Act
- Broadly oversee interception/access, audio & video recordings, the use of personal identifiers, and the use of bodily or genetic material.
- Evaluate and approve privacy principles developed by SROs
- Collaborate with stakeholders to ensure effective regulation, promote awareness of the Act, and sensitize citizens to privacy considerations
Powers:
- Order privacy impact assessments on organisations
- Investigate suo motu or based on complaints from data subjects (summon documents, call and examine witnesses, and take a case to court if necessary)
- Fine non-compliant data controllers
Q: How does Co-regulation work?
A: The purpose of establishing a regulatory framework of co-regulation is to ensure that appropriate policies and principles are articulated and enforced for all sectors. If a sector wishes to develop its own privacy standards, the industry-level self-regulating organization will submit to the privacy commissioner a subset of self-regulatory norms. If these norms are approved by the privacy commissioner, the SRO will be responsible for enforcing them, but the privacy commissioner will retain the power to sanction member data controllers for violating the norms. If a sector does not have an SRO or does not wish to develop its own set of standards, the National Privacy Principles will be binding.
Q: What are data controllers? What are privacy officers? What are ombudsmen?
A: A data controller is any entity that handles or processes data. Privacy officers receive and handle complaints at the organizational level and may be appointed as part of an SRO’s privacy requirements for a sector. Ombudsmen are appointed at the SRO level and are also responsible for receiving and handling complaints. The objective of having ombudsmen and privacy officers is to reduce the burden of handling complaints on the commissioner and the courts.
Q: When can an individual issue a complaint? Which body should individuals issue complaints to?
A: An individual can issue a complaint at any time when they feel that their personal information has not been handled by a data controller according to the principles, or that a data controller is not in compliance with the Act. Where applicable, individuals are encouraged to issue the complaint first to the organization. If the complaint is not resolved, the individual can take the complaint to the SRO or the privacy commissioner. The individual also has the option of taking a complaint straight to the courts. When a complaint is received by the commissioner, the commissioner may fine the data controller if it is found to be non-compliant. Data controllers cannot appeal fines issued by the commissioner, but they can appeal the initial finding of non-compliance.
Q: Can an individual receive compensation for a violation of privacy?
A: Yes. Individuals who suffer damages caused by non-compliance with the principles or any obligation under the Act can receive compensation, but the compensation must be issued by the courts and cannot be issued by a privacy commissioner. Actors that can be held liable by individuals include data controllers, organization directors, agency directors, and heads of Governmental departments.
Q: What offences does the report recommend?
A: The following constitute offences under the Act:
- Non-compliance with the privacy principles
- Unlawful collection, processing, sharing/disclosure, access, and use of personal data
- Obstruction of commissioner
- Failure to comply with notification issued by commissioner
- Processing data after receiving a notification
- Failure to appear before commissioner
- Failure to produce documents requested by commissioner
- Sending report to commissioner with false or misleading information
Chapter 6: The Multiple Dimensions of Privacy
This chapter gives examples of practices that impact privacy in India which the national privacy principles could be applied to. These include interception/access, the use of electronic recording devices, the use of personal identifiers, and the use of bodily and genetic material. The current state of each practice in India is described, and the inconsistencies and gaps in the regimes are highlighted. Each section also provides recommendations of which privacy principles need to be addressed and strengthened in each practice, and how the privacy principles would be affected by each practice.
Q: Does the report give specific recommendations as to how each practice should be amended to incorporate the National Privacy Principles?
A: No. Each section explains the current state of the practice in India, gaps and inconsistencies with the current practice, and recommends broadly what principles need to be addressed and strengthened in the regime, and how the National Privacy Principles may be affected by the practice.
Summary of Recommendations
This chapter consolidates and clarifies all of the Committee’s recommendations for a Privacy Act in India.
Q: Are the recommendations in this chapter different from chapters above?
A: No. The recommendations in this chapter reflect the recommendations made earlier. This chapter does clarify the recommended scope and objectives of the Privacy Act including:
- The Act should define and harmonize with existing laws in force.
- The Act should extend the right of privacy to all individuals in India, to all data processed by any company or equipment located in India, and to all data that originated in India.
- The Act should clarify that the publication of personal data for artistic and journalistic purposes in public interest, the use of personal information for household purposes, and the disclosure of information as required by the Right to Information Act should not constitute an infringement of privacy.
- The Act should not require a ‘reasonable expectation’ of privacy to be present for the right to be evoked.
- If any other legislation provides more extensive protections than those set out by the Privacy Act, then the more extensive protections should apply.
Report of the Group of Experts on Privacy [PDF, 1270 Kb]