pic ocurtsey – The Hindu

With the initiation of national programmes like Unique Identification number,  (UID)
NATGRID, CCTNS, RSYB, DNA profiling, Reproductive Rights of Women, Privileged
communications and brain mapping, most of which will be implemented through ICT
platforms, and increased collection of citizen information by the government, concerns
have emerged on their impact on the privacy of persons. Information is, for instance,
beginning to be collected on a regular basis through statutory requirements and through egovernance projects. This information ranges from data related to: health, travel, taxes,
religion, education, financial status, employment, disability, living situation, welfare
status, citizenship status, marriage status, crime record etc. At the moment there is no
overarching policy speaking to the collection of information by the government. This has
led to ambiguity over who is allowed to collect data, what data can be collected, what are
the rights of the individual, and how the right to privacy will be protected The extent of
personal information being held by various service providers, and especially the enhanced
potential for convergence that digitization carries with it is a matter that raises issues
about privacy.
II. Global data flows, today, are no longer the result of a file transfer that was
initiated by an individual’s action for point-to-point transfer over 30 years ago. As soon
as a transaction is initiated on the Internet, multiple data flows take place simultaneously,
via phenomena such as web 2.0, online social networking, search engine, and cloud
computing. This has led to ubiquity of data transfers over the Internet, and enhanced
economic importance of data processing, with direct involvement of individuals in transborder data flows

. While this is exposing individuals to more privacy risks, it is also challenging businesses which are collecting the data directly entered by users, or through
their actions without their knowledge, – e.g. web surfing, e-banking or e-commerce – and
correlating the same through more advanced analytic tools to generate economic value
out of data. The latter are accountable for data collection and its use, since data has
become one of the drivers of the knowledge based society which is becoming even more
critical to business than capital and labor. The private sector on the other hand, uses
personal data to create new demands and build relationships for generating revenue from
their services. The individuals are putting out their data on the web in return for useful
services at almost no cost. But in this changed paradigm, private sector and the civil
society have to build legal regimes and practices which are transparent and which inspire
trust among individuals, and enhance their ability to control access to their data, even as
economic value is generated out of such data collection and processing for all players. In
order to understand these concerns and identify interventions for effectively addressing
these issues, a brainstorming session on privacy-related issues was held in the Planning
Commission under the chairmanship of Justice A P Shah, former Chief Justice of Delhi
High Court. The meeting was presided over by Dr. Ashwani Kumar, MOS (Planning,
S&T and MoES) and attended by representatives from industry, civil society NGOs,
voluntary organizations and government departments.
III. During the meeting it was decided to constitute a small Group of Experts to
identify key privacy issues and prepare a paper to facilitate authoring of the Privacy bill
while keeping in view the international landscape of privacy laws, global data flows and
predominant privacy concerns with rapid technological advancements. Accordingly a
Group of Experts was constituted under the chairpersonship of Justice A P Shah. The 4
constitution and the terms of reference of the group is at Annex 1. The Group held several
meetings to understand global privacy developments and challenges and to discuss
privacy concerns relevant to India. The Group was divided into two sub-groups – one for
reviewing privacy regimes around the world with a view to understand prevalent best
practices relating to privacy regulation and the other for reviewing existing legislation and
bills to identify prevalent privacy concerns in India. However, the committee did not
“make an in-depth analysis of various programs being implemented by GOI from the
point of view of their impact on privacy.” This report, which is a result of the work of
both sub-groups, proposes a detailed framework that serves as the conceptual foundation
for the Privacy Act for India.
IV. This report proposes five salient features of such a framework:
1. Technological Neutrality and Interoperability with International Standards:

The
Group agreed that any proposed framework for privacy legislation must be
technologically neutral and interoperable with international standards. Specifically,
the Privacy Act should not make any reference to specific technologies and must be
generic enough such that the principles and enforcement mechanisms remain
adaptable to changes in society, the marketplace, technology, and the government. To
do this it is important to closely harmonise the right to privacy with multiple
international regimes, create trust and facilitate co-operation between national and
international stakeholders and provide equal and adequate levels of protection to data
processed inside India as well as outside it. In doing so, the framework should
recognise that data has economic value, and that global data flows generate value for
the individual as data creator, and for businesses that collect and process such data.
Thus, one of the focuses of the framework should be on inspiring the trust of global
clients and their end users, without compromising the interests of domestic customers
in enhancing their privacy protection.
2. Multi-Dimensional Privacy:

This report recognises the right to privacy in its
multiple dimensions. A framework on the right to privacy in India must include
privacy-related concerns around data protection on the internet and challenges
emerging therefrom, appropriate protection from unauthorised interception, audio and
video surveillance, use of personal identifiers, bodily privacy including DNA as well
as physical privacy, which are crucial in establishing a national ethos for privacy
protection, though the specific forms such protection will take must remain flexible to
address new and emerging concerns.
3. Horizontal Applicability:

The Group agreed that any proposed privacy legislation
must apply both to the government as well as to the private sector. Given that the
international trend is towards a set of unified norms governing both the private and
public sector, and both sectors process large amounts of data in India, it is imperative
to bring both within the purview of the proposed legislation.
4. Conformity with Privacy Principles:

This report recommends nine fundamental
Privacy Principles to form the bedrock of the proposed Privacy Act in India. These
principles, drawn from best practices internationally, and adapted suitably to an Indian
context, are intended to provide the baseline level of privacy protection to all
individual data subjects. The fundamental philosophy underlining the principles is the
need to hold the data controller accountable for the collection, processing and use to
which the data is put thereby ensuring that the privacy of the data subject is
guaranteed.
5. Co-Regulatory Enforcement Regime: This report recommends the establishment of
the office of the Privacy Commissioner, both at the central and regional levels. The
Privacy Commissioners shall be the primary authority for enforcement of the
provisions of the Act. However, rather than prescribe a pure top-down approach to
enforcement, this report recommends a system of co-regulation, with equal emphasis
on Self-Regulating Organisations (SROs) being vested with the responsibility of
autonomously ensuring compliance with the Act, subject to regular oversight by the
Privacy Commissioners. The SROs, apart from possessing industry-specific
knowledge, will also be better placed to create awareness about the right to privacy
and explaining the sensitivities of privacy protection both within industry as well as to
the public in respective sectors. This recommendation of a co-regulatory regime will
not derogate from the powers of courts which will be available as a forum of last
resort in case of persistent and unresolved violations of the Privacy Act.

DOWNLOAD FULL REPORT HERE