
Indian Government says it is still drafting privacy law, but doesn’t give timelines

by Prasad Krishna last modified May 15, 2017 02:10 AM

Read the original published by Medianama here


The Government is drafting legislation, in consultation with stakeholders, to protect the privacy of individuals breached through unlawful means, the minister for communications and information technology Ravi Shankar Prasad said in the Rajya Sabha. However, no timeline was provided, which is really the problem: Is the Indian government even interested in a privacy law?

  • In August last year, the Government of India had said in the Supreme Court of India that “violation of privacy doesn’t mean anything because privacy is not a guaranteed right”, actually arguing that the citizens of India do not have a fundamental right to privacy.
  • In September last year, the DeitY had also sought to make encryption (and personal and business security) weaker via a draft policy on encryption, requiring all users to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable plain-text to Law and Enforcement Agencies if required. After a public outcry, the paper was withdrawn.
  • Last month, the DoT made it mandatory to have GPS on all phones by 2018.

We’re in a situation where the country doesn’t have a privacy law on one hand, and is setting up surveillance systems like the Centralized Monitoring System, NETRA, NATGRID (for collecting data from across databases), and linking citizens and databases across the unique identity number in Aadhaar on the other.

What happened to the old Privacy bill?

While India does not yet have a comprehensive privacy policy, back in 2014, the Centre for Internet and Society received a leaked version of the draft Privacy Bill 2014 that the Department of Personnel and Training, Government of India had drafted. A comparison of the draft bill from 2014 and the draft privacy bill of 2011 can be found here.

As per Prasad, as of now, Sections 43, 43A and 72A of the IT Act of 2000 provide the legal framework for digital privacy and security, mandating that agencies collecting personal data must provide a privacy policy, and that compensation must be paid to the victim in case of unauthorized access or leakage of information.

Questions asked in Rajya Sabha:

Whether Government intends to bring a specific legislation to address the concerns regarding privacy in the country, if so, the details thereof, if not, the reason therefor; and

Whether the legislation would provide for protection of ‘personal data’ along the lines of the European Union’s Data Protection Directive, if so, the details thereof, if not, the reasons therefor

EU Privacy Bill

Interestingly, the question posed to the minister asked if the legislation would provide for protection of personal data along the lines of the European Union’s General Data Protection Directive (GDPR), which was approved just last month. EU’s directive defines “any information relating to an identified or identifiable natural person directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”, as personal data.

The GDPR has a pretty wide scope and is pretty consumer friendly. The laws require users to provide explicit consent for data collection, companies to report as soon as they have a data breach, and a ‘right to erasure’ that lets users request all personal data related to them to be deleted. It also imposes a significant fine of up to 4% of annual worldwide turnover of a company in the previous financial year, in case of non-compliance. For a comprehensive overview of the policy, read the handbook on European data protection law (pdf).

Email privacy bill US

The US does not have a comprehensive digital privacy law like the EU and mostly relies on the Privacy Act of 1974. However, recently the US House of Representatives unanimously passed the Email Privacy Act that would require investigators to get a warrant before forcing companies to hand over customer email or other electronic communications, no matter how old the communication.