[smc-discuss] FYI: Report of the Group of Experts on Privacy vs. The Leaked 2014 Privacy Bill
Anivar Aravind
anivar.aravind at gmail.com
Sun Apr 13 23:53:15 PDT 2014
---------- Forwarded message ----------
From: Elonnai Hickok <elonnai at cis-india.org>
Date: Mon, Apr 14, 2014 at 12:10 PM
Dear Anivar
Following our previous post comparing the leaked 2014 Privacy Bill with the
leaked 2011 Privacy Bill
<http://crm.cis-india.org/administrator/components/com_civicrm/civicrm/extern/url.php?u=5054&qid=395805>,
this post will compare the recommendations provided in the Report of the
Group of Experts on Privacy
<http://crm.cis-india.org/administrator/components/com_civicrm/civicrm/extern/url.php?u=5055&qid=395805>
by the Justice AP Shah Committee to the text of the leaked 2014 Privacy
Bill. Below is an analysis of recommendations from the Report that are
incorporated in the text of the Bill, and recommendations in the Report
that are not incorporated in the text of the Bill.
*Recommendations in the Report of the Group of Experts on Privacy that are
Incorporated in the 2014 Privacy Bill*
*Constitutional Right to Privacy*
The Report of the Group of Experts on Privacy recommends that any privacy
legislation for India specify the constitutional basis of a right to
privacy. The 2014 Privacy Bill has done this, locating the Right to Privacy
in Article 21 of the Constitution of India.
*Nine National Privacy Principles*
The Report of the Group of Experts on Privacy recommends that nine National
Privacy Principles be adopted and applied to harmonize existing legislation
and practices. The 2014 Privacy Bill also adopts nine National Privacy
Principles. Though these principles differ slightly from the National
Privacy Principles recommended in the Report, they are broadly the same,
and importantly will apply to all existing and evolving practices,
regulations and legislations of the Government that have or will have an
impact on the privacy of any individual. Presently, the 2014 Privacy Bill
locates the nine National Privacy Principles in an Annex to the Bill, but
also incorporates the principles in more detail in sections relating to
personal data. An analysis of the principles as compared in the Report and
the Bill is below:
- Notice: The principle of notice as recommended by the Report of the
Group of Experts on Privacy differs from the principle of notice in the
2014 Privacy Bill. According to the notice principle in the Report, a data
controller shall give simple-to-understand notice of its information
practices to all individuals, in clear and concise language, before any
personal information is collected from them. Such notices should include:
(during collection) what personal information is being collected; purposes
for which personal information is being collected; uses of collected
personal information; whether or not personal information may be disclosed
to third persons; security safeguards established by the data controller
in relation to the personal information; processes available to data
subjects to access and correct their own personal information; contact
details of the privacy officers and SRO ombudsmen for filing complaints.
(Other notices) Data breaches must be notified to affected individuals and
the commissioner when applicable. Individuals must be notified of any legal
access to their personal information after the purposes of the access have
been met. Individuals must be notified of changes in the data controller’s
privacy policy. Any other information deemed necessary by the appropriate
authority in the interest of the privacy of data subjects.
In contrast, the 2014 Privacy Bill requires that all data
controllers provide adequate and appropriate notice of their information
practices in a form that is easily understood by all intended recipients.
In addition to this principle as listed in an annex, the Bill requires that
on initial collection data controllers provide notice of what personal data
is being collected and the legitimate purpose for which the personal data
is being collected. If the purpose for which the personal data is collected
changes, data controllers must provide data subjects with a further notice
that would include: the use to which the personal data shall be put;
whether or not the personal data will be disclosed to a third person and,
if so, the identity of such person; whether the personal data being
collected is intended to be transferred outside India and the reasons for
doing so, how such transfer helps in achieving the legitimate purpose, and
whether the country to which such data is transferred has suitable
legislation to provide for adequate protection and privacy of the data; the
security and safeguards established by the data controller in relation to
the personal data; the processes available to a data subject to access and
correct his personal data; the recourse open to a data subject, if he has
any complaints in respect of collection or processing of the personal data,
and the procedure relating thereto; and the name, address and contact
particulars of the data controller and all persons who will be processing
the personal data on behalf of the data controller. Additionally, if a
breach of data takes place, data controllers must inform the affected data
subject if the personal data is lost or stolen; accessed or acquired by any
person not authorized to do so; damaged, deleted or destroyed; or
processed, re-identified or disclosed in an unauthorized manner.
Though the 2014 Privacy Bill requires a more comprehensive notice to be
issued if the purpose for the use of personal data changes, it does not
specify (as recommended by the Group of Experts on Privacy) that notice of
changes to a data controller’s privacy policy be issued.
- Choice and Consent: The principle of choice and consent in the 2014
Privacy Bill is similar to the principle in the Report of the Group of
Experts on Privacy in that it requires that all data subjects be provided
with a choice to provide or not to provide personal data and that the data
subject will have the option of withdrawing consent at any time. Though not
a part of the specific principle on ‘choice and consent’ listed in the
annex, the 2014 Privacy Bill also contains provisions that address mandatory
collection of information which require, as recommended by the Report of
the Group of Experts, that the information is anonymized. Furthermore,
the 2014 Privacy Bill provides individuals an opt-in or opt-out choice with
respect to the provision of personal data.
Differing from the recommendation in the principle in the Report of the
Group of Experts on Privacy, the 2014 Privacy Bill does not specify that in
exceptional cases, when it is not possible to provide a service with choice
and consent, choice and consent will not be required.
- Collection Limitation: The principle of collection limitation as
recommended in the Report of the Group of Experts on Privacy and the
principle of collection limitation in the Annex of the 2014 Privacy Bill
are similar in that both require that only data that is necessary to
achieve an identified purpose be collected. As recommended in the Report of
the Group of Experts on Privacy, the 2014 Privacy Bill also requires that
notice be provided and consent taken prior to collection.
- Purpose Limitation: Though the principle of Purpose Limitation is
similar in the Report of the Group of Experts on Privacy and the 2014
Privacy Bill, as they both require personal data to be used only for the
purposes for which it was collected and that the data must be destroyed
after the purposes have been served, the 2014 Privacy Bill does not specify
that information collected by a data controller must be adequate and
relevant for the purposes for which it is processed. The 2014 Privacy
Bill also incorporates elements from the principle of Purpose Limitation as
defined by the Report of the Group of Experts in other parts of the Bill.
For example, the 2014 Bill requires that notice be provided to the
individual if there is a change in purpose for the use of the personal
information, and designates a section on retention of personal data.
- Access and Correction: The principle of Access and Correction in the
2014 Privacy Bill reflects the principle of Access and Correction in the
Report of the Group of Experts (though not verbatim). Importantly, the 2014
Privacy Bill incorporates the recommendation from the Report of the Group
of Experts on Privacy that prohibits access to personal data if it will
affect the privacy rights of another individual.
- Disclosure of Information: The principle of ‘Disclosure of
Information’ in the Privacy Bill 2014 is similar to the principle of
‘Disclosure of Information’ as recommended in the Report of the Group of
Experts on Privacy (though not verbatim). As recommended, this principle
requires that personal data be disclosed to third parties only if informed
consent has been taken from the individual and the third party is bound to
adhere to all relevant and applicable privacy principles.
- Security: The principle of security in the 2014 Privacy Bill reflects
the principle of Security recommended in the Report of the Group of Experts
on Privacy and requires that personal data be secured through reasonable
security safeguards against unauthorized access, destruction, use,
modification, de-anonymization or unauthorized disclosure.
- Openness: The principle of Openness in the 2014 Privacy Protection
Bill is similar to the principle of Openness recommended in the Report of
the Group of Experts on Privacy in that it requires data controllers to
make available to all individuals in an intelligible form, using clear and
plain language, the practices, procedures, and policies, and systems that
are in place to ensure compliance with the privacy principles. The
principle in the 2014 Privacy Bill differs from the recommendation in the
Report of the Group of Experts on Privacy in that it does not require data
controllers to take necessary steps to implement practices, policies, and
procedures in a manner proportional to the scale, scope, and sensitivity to
the data they collect.
- Accountability: The principle of Accountability in the 2014 Privacy
Bill is similar to the principle of Accountability as recommended in the
Report of the Group of Experts as both require that the data controller is
accountable for compliance with the National Privacy Principles.
*Application to interception and access, video and audio recording,
personal identifiers, bodily and genetic material*
The Privacy Bill 2014 incorporates the recommendations from the Report of
the Group of Experts on Privacy and specifies the way in which the National
Privacy Principles will apply to the interception and access of
communications, video and audio recording, and personal identifiers. But
the 2014 Privacy Bill does not specify the application of the National
Privacy Principles to bodily and genetic material (though this information
is included in the definition of sensitive personal information).
With respect to the installation and operation of video recording equipment
in a public space, the 2014 Privacy Bill requires that video recording
equipment may only be used in accordance with a prescribed procedure and
for a legitimate purpose that is proportionate to the objective for which
it was installed. Furthermore, individuals cannot use video recording
equipment for the purpose of identifying an individual, monitoring his
personal particulars, or revealing in public his personal information. The
provisions in the Bill that speak to storage, processing, retention,
security, and disclosure of personal data apply to the installation and use
of video recording equipment. As a note the 2014 Privacy Bill carves out an
exception for law enforcement and government intelligence agencies in the
interest of the sovereignty, integrity, security or the strategic,
scientific or economic interest of India.
With respect to the application of the National Privacy Principles to the
interception of communications, the 2014 Privacy Bill lays down a regime
for the interception of communications and specifies that the principles of
notice, choice, consent, access and correction, and openness will apply to
the interception of communications when authorised.
With respect to Personal Identifiers, the 2014 Privacy Bill notes that the
principles of notice, choice, and consent will not apply to the collection
of personal identifiers by the government. Additionally, the government
will not be obliged to use any personal identifier only for the limited
purpose for which the personal identifier was collected, provided that the
use is in conformance with the other National Privacy Principles.
*Additional Protection for Sensitive Personal Data*
The Report of the Group of Experts on Privacy broadly recommends that
sensitive personal data be afforded additional protection and existing
definitions of sensitive personal data should be harmonised. The 2014
Privacy Bill incorporates these recommendations by defining sensitive
personal data as data relating to physical and mental health including
medical history, biometric, bodily or genetic information; criminal
convictions; password, banking credit and financial data; narco analysis
or polygraph test data; and sexual orientation. The 2014 Privacy Bill also
requires authorization from the Data Protection Authority for the
collection and processing of sensitive personal data and defines
circumstances in which this authorization would not be required, including:
collection or processing of such data is authorized by any other law for
the time being in force; such data has already been made public as a result
of steps taken by the data subject; collection and processing of such data
is made in connection with any legal proceedings by an order of the
competent court; such data relating to physical or mental health or medical
history of an individual is collected and processed by a medical
professional, if such collection and processing is necessary for medical
care and health of that individual; such data relating to biometrics,
bodily or genetic material, physical or mental health, prior criminal
convictions or financial credit history is processed by the employer of an
individual for the purpose of and in connection with the employment of that
individual; such data relating to physical or mental health or medical
history is collected and processed by an insurance company, if such
processing is necessary for the purpose of and in connection with the
insurance policy of that individual; such data relating to criminal
conviction, biometrics and genetic material is processed and collected by
law enforcement agencies; such data regarding credit, banking and financial
details of an individual is processed by a specified user under the Credit
Information Companies (Regulation) Act, 2005; such data is processed by
schools or other educational institutions in connection with imparting of
education to an individual; such data is collected or processed by the
government intelligence agencies in the interest of the sovereignty,
integrity, security or the strategic, scientific or economic interest of
India; or the authority has, by a general or specific order, permitted the
processing of such data for a specific purpose, limited to the extent
of such permission. The 2014 Privacy Bill also prohibits additional
transactions from being performed using sensitive personal information
unless free consent was obtained for such transaction.
*Privacy Officers*
The Report of the Group of Experts on Privacy recommends that Privacy
Officers be established at the organizational level for overseeing the
processing of personal data and compliance with the Act. This
recommendation has been incorporated in the 2014 Privacy Bill, which
establishes Privacy Officers at the organizational level.
*Co-regulatory Framework*
The Report of the Group of Experts on Privacy recommends that a system of
co-regulation be established, where industry-level self-regulatory
organizations develop privacy norms, which are in turn approved and
enforced by the Privacy Commissioner. The 2014 Privacy Bill puts in place a
similar co-regulatory framework where industry-level self-regulatory
organizations can develop norms which will be turned into regulations and
enforced by the Data Protection Authority. If a sector does not develop
norms, the Data Protection Authority can develop norms for the specific
sector.
*Recommendations in the Report that are not in the Bill*
*Scope*
The Report of the Group of Experts on Privacy recommends that the scope of
any privacy framework extends to all individuals, all data processed in
India, and all data originating from India. The 2014 Privacy Bill differs
from these recommendations by extending the right to privacy to all
residents of India, while remaining silent on whether or not the scope of
the legislation extends to all data processed in India and all data
originating in India. Despite this, the 2014 Bill does specify that any
organization that processes or deals with data of an Indian resident, but
does not have a place of business within India, must establish a
‘representative resident’ in India who will be responsible for compliance
with the Act.
*Exceptions*
The Report of the Group of Experts recommends the following as exceptions
to the right to privacy:
1. National security
2. Public order
3. Disclosure in the public interest
4. Prevention, detection, investigation, and prosecution of criminal
offenses
5. Protection of the individual and rights and freedoms of others
The Report further clarifies that any exception must be qualified and
measured against the principles of proportionality, legality, and necessity
in a democratic state.
The Privacy Bill 2014 reflects only the exception of “protection of the
individual rights and freedoms of others”. The exceptions as defined in the
2014 Bill are:
1. Sovereignty, integrity or security of India; or
2. Strategic, scientific or economic interest of India; or
3. Preventing incitement to the commission of any offence; or
4. Prevention of public disorder; or
5. The investigation of any crime; or
6. Protection of rights and freedoms of others; or
7. Friendly relations with foreign states; or
8. Any other legitimate purpose mentioned in this Act.
Instead of qualifying these exceptions with the principles of
proportionality, legality, and necessity in a democratic state, as
recommended in the Report of the Group of Experts on Privacy, the 2014
Privacy Bill qualifies that any restriction must be adequate and not
excessive to the objectives it aims to achieve.
*Constitution of Infringement of Privacy*
The Report of the Group of Experts on Privacy specifies that the
publication of personal data for artistic and journalistic purposes in the
public interest, disclosure under the Right to Information Act, 2005, and
the use of personal data for household purposes should not constitute an
infringement of privacy. In contrast, the 2014 Privacy Bill specifies that
the processing of personal data by an individual purely for his personal or
household use, the disclosure of information under the provisions of the
Right to Information Act, 2005, and any other action specifically exempted
under the Act will not constitute an infringement of privacy.
*The Data Protection Authority*
The Report of the Group of Experts on Privacy recommends the establishment
of Privacy Commissioners (and places emphasis on Privacy Commissioner
rather than Data Protection Authority) at the Central and Regional level.
The Privacy Commissioner should be of a rank no lower than a retired
Supreme Court Judge at the Central level and a retired High Court Judge at
the regional level. The privacy commissioner should have the power to
receive and investigate class action complaints and investigative powers of
the commissioner should include the power to examine and call for
documents, examine witnesses, and take a case to court if necessary. The
Commissioner should be able to investigate data controllers on receiving
complaints or suo moto, and can order privacy impact assessments.
Organizations should not be able to appeal fines levied by the Privacy
Commissioner, but individuals can appeal a decision of the Privacy
Commissioner to the court. The Commissioner should also have broad
oversight with respect to interception/access, audio & video recordings,
use of personal identifiers, and the use of bodily or genetic material. The
Privacy Commissioner will also have the responsibility of approving codes
of conduct developed by the industry-level SROs.
Differing from the recommendations in the Report of the Group of Experts on
Privacy, the 2014 Privacy Bill establishes a Data Protection Authority (as
opposed to a Privacy Commissioner) at the Central level. Instead of
creating regional Data Protection Authorities, the 2014 Privacy Bill allows
for the Central Government to decide where other offices of the Data
Protection Authority will be located. Furthermore, the 2014 Privacy Bill
does not specify a qualification for the Data Protection Authority and
instead establishes a selection committee to choose and appoint a Data
Protection Authority. This committee is comprised of a Cabinet Secretary,
Secretary to the Department of Personnel and Training, Secretary to the
Department of Electronics and Information Technology, and two experts of
eminence from relevant fields that will be nominated by the Central
Government.
The 2014 Privacy Bill does not specify that fines ordered by the Data
Protection Authority will be binding for organizations, but does allow
individuals to appeal decisions of the Data Protection Authority to the
Appellate Tribunal. Differing from the recommendations in the Report of the
Group of Experts on Privacy, the 2014 Privacy Bill gives the Data
Protection Authority the power to call upon any data controller at any time
to furnish in writing information or explanation relating to its affairs,
and receive and investigate complaints about alleged violations of privacy
of individuals in respect of matters covered under this Act, conduct
investigations and issue appropriate orders or directions to the parties
concerned. Furthermore, the 2014 Privacy Bill does not specify that the
Data Protection Authority will carry out privacy impact assessments, but
the Authority can conduct audits of any or all personal data controlled by
a data controller, investigate data breaches, investigate any complaint
received, and adjudicate on a dispute arising between data controllers or
between data subjects and data controllers. Unlike the recommendations in
the Report of the Group of Experts on Privacy, it does not seem that the
Data Protection Authority will play an overseeing role with respect to
interception, the use of video recording equipment, personal identifiers,
and the use of bodily and genetic material.
*Tribunal and System of Complaints*
Differing from the recommendation in the Report of the Group of Experts on
Privacy, which specified that a Tribunal should not be established as under
the Information Technology Act, as there is the risk that the institution
will not have the capacity to rule on a broad right to privacy, the 2014
Privacy Bill does establish a Tribunal under the Information Technology
Act. The Report of the Group of Experts on Privacy also recommended that
complaints be taken to the district, High Court, and Supreme Court levels,
whereas the 2014 Privacy Bill allows individuals to appeal decisions from
the Tribunal only to a High Court. Similar to the recommendations of the
Report of the Group of Experts, the 2014 Privacy Bill has in place
Alternative Dispute Resolution mechanisms at the level of the industry self
regulatory organization. The 2014 Privacy Bill also specifies that
individuals can seek civil remedies and leaves the issuance of compensation
for privacy harm to be from a Court. Unlike the recommendations in the
Report of the Group of Experts on Privacy, the 2014 Privacy Bill does not
specify that the Data Protection Authority will be able to take a case to
the court.
*Penalties and Offenses*
The Report of the Group of Experts on Privacy did not provide specific
recommendations for types of offences and penalties, but did suggest that
offenses similar to those spelled out in the UK Data Protection Act and
Australian Privacy Act be adopted – namely non-compliance with the privacy
principles, unlawful collection, processing, sharing/disclosure, access,
and use of personal data, and obstruction of the privacy commissioner. The
2014 Privacy Bill does create offenses for the unlawful collection,
processing, sharing/disclosure, access, and use of personal data, but does
not create offenses for obstruction of the privacy commissioner or broad
non-compliance with the privacy principles.
*Conclusion*
The Centre for Internet and Society welcomes the similarities between the
recommendations in the Report of the Group of Experts on Privacy and the
leaked 2014 Privacy Bill, but would recommend that on areas where there are
differences, particularly in the scope of the Privacy Bill and the powers
and functions of the Data Protection Authority, the 2014 Bill be brought in
line with the recommendations from the Report of the Group of Experts on
Privacy.
In the upcoming post, we will be comparing the text of the leaked 2014
Privacy Bill to international best practices and standards.
Thanks and regards,
Elonnai Hickok
Program Manager
Centre for Internet and Society,
No. 194, 2nd 'C' Cross, Domlur, IInd Stage
Bangalore 560071