The New Right to Privacy Bill 2011 — A Blind Man's View of the Elephunt
I am relying entirely on the following three newspaper accounts in the Times of India, the Hindu and the Deccan Chronicle.
A Constitutional/Fundamental Right?
The Times of India piece which broke the story seems to have misunderstood/misquoted Law Minister Veerappa Moily. The article is titled “Right to privacy may become fundamental right” which connotes a constitutional amendment. However this is inconsistent with the later portions of the same article as well as subsequent newspaper accounts in DC and the Hindu. So its safe to assume that this will not be a fundamental right to privacy, but a statutory right to privacy – like what the Right to Information Act grants us.
Preamble
I’m extrapolating here from the Hindu article:
"To provide for such a right [of privacy] to citizens of India AND to regulate collection, maintenance, use and dissemination of their personal information."
So it’s an omnibus Privacy and Data Protection Law that’s being passed. How nice. This addresses some of the misgivings that we had last year against the "Approach Paper on Privacy" released by the Department of Personnel and Training.
Definition of ‘Right to Privacy’
The Hindu article appears to quote directly from the Bill.
Every individual shall have a right to his privacy — confidentiality of communication made to, or, by him — including his personal correspondence, telephone conversations, telegraph messages, postal, electronic mail and other modes of communication; confidentiality of his private or his family life; protection of his honour and good name; protection from search, detention or exposure of lawful communication between and among individuals; privacy from surveillance; confidentiality of his banking and financial transactions, medical and legal information and protection of data relating to individual.
This is a wonderfully expansive definition of the right to privacy which spans diverse areas including privacy of communications, reputational privacy, bodily/physical privacy, confidentiality, privacy of records and data protection. I’m especially pleased that this section does not limit this right to privacy only to claims against the state (as in the Right to Information Act).
The Deccan Chronicle article contains a slightly different definition of 'right to privacy' under the Bill. Here the right to privacy includes "confidentiality of communication, family life, bank and health records, protection of honour and good name and protection from use of photographs, fingerprints, DNA samples and other samples taken at police stations and other places."
This wording is slightly more granular, but less broad. I’m wondering if it is a part of the same section, or a different one entirely.
Interception
What is most interesting is the attempt made in this Bill at harmonization of interception rules across all modes of "communication". (Currently there are different rules/procedures that followed depending on the mode of communication used – Indian Post Act, Telegraph Act, IT Act.)
Here are some of the sweeping changes sought to be introduced:
- The bill prohibits interception of communications except in certain cases with approval of Secretary-level officer – not below the rank of home secretary at the Central level and home secretaries in state governments
- Mandatory destruction of intercepted material by the service provider within two months of discontinuance of interception.
- Constitution of a Central Communication Interception Review Committee (CCIRC) to examine and review all interception orders passed (under all Acts?).
- CCIRC empowered to order destruction of material intercepted under the Telgraph Act.
- "unauthorised interception" (by whom?) punishable with a maximum of five years’ imprisonment, or a fine of Rs 1 lakh, or both, for each such interception. This makes it a cognizable, non-bailable offense.
- Disclosure of legally intercepted communication by “government officials, employees of service providers and other persons” will be punishable with imprisonment up to three years. (It is unclear whether this will be a cognizable offence or not)
Data Protection
The Bill adds muscle to the newly introduced Data Protection Rules under the IT Act, by creating an overarching statutory regime for Data Protection.
Thus, the bill forbids "any person having a place of business in India but has data using equipment located in India" from collecting or processing, using or disclosing "any data relating to individual to any person without consent of such individual". I assume that there will be exceptions to this section. The wording of this section seems to preclude its application to the government (unless you can interpret the ‘government’ to mean ‘a person having a place of business in India’. I have no views on the likelihood of that argument.
The bill evidently authorizes the establishment of an oversight body called “Data Protection Authority of India” that will investigate complaints about alleged violations of data protection. The following appear to be the functions of this body
- to monitor development in data processing and computer technology;
- to examine law and to evaluate its effect on data protection
- to give recommendations and to receive representations from members of the public on any matter generally affecting data protection.
- to investigate any data security breach and issue orders to safeguard the security interests of affected individuals whose personal data has or is likely to have been compromised by such breach.
Video Surveillance
The bill includes a very interesting prohibition on "closed circuit television or other electronic or by any other mode", except in certain cases as per the specified procedure.
No further details are provided about the exceptions or the procedure and one expects the devil to be in the details.
Bodily Privacy
The bill prohibits "surveillance by following a person".
This innocuously worded provision has the potential to effect sweeping changes in the criminal administration of this country (if it is even applicable to the state police machinery) . Currently, Police Acts in the various states contain no provisions that enable a person to challenge the surveillance imposed on them. This new section could provide a powerful new shield to the victims of police harassment.
Impersonation and Financial Fraud
In a section apparently dealing with identity theft, the Bill criminalises inter alia "posing as another person when apprehended for a crime" and "using another’s identity to obtain credit, goods and services".
I think the first (at least) is unnecessary since it is already covered by the crime of Impersonation under the IPC.
Residual
A curious provision appears to be a fine imposed on “any persons who obtain any record of information concerning an individual from any officer of the government or agency under false pretext”. Such a person shall be punishable with a fine of up to Rs. 5 lakh.(unclear whether there is a term of imprisonment in addition).
It will be interesting to see how this section conflicts with the Right to Information under which no 'pretext' need be given to the public authority.
I also think it is ill-conceived to penalise the person obtaining the record of information – the government body in custody of the information should be made more responsible in scrutinizing the 'pretext' before handing over such information.
Tailpiece
That’s all I can make out from the three articles referenced. Looks like it’s going to be a really interesting bill. I’m optimistic about it for the sincere attempt it appears to make to grapple with the protean nature of Privacy concerns we encounter. Veerappa Moily has claimed that this bill will be introduced in the monsoon session in July but has also cautioned that "it’s difficult to commit the timeframe". I think we should make haste slowly with this Bill and hope that the Law Ministry will have the wisdom to solicit public comment before introducing it in Parliament.
I’d greatly appreciate someone sending me a copy of the bill if you have access to it.
Read the article published on the Privacy India website here.