In fact, drawing from global best practices, an officially constituted group of experts headed by former chief justice of the Delhi high court, A P Shah, has already prepared a blueprint for the privacy law which holds irrespective of the fundamental rights question.
The highlight of the 2012 report submitted by Shah, who is now chairman of the Law Commission, is an enumeration of nine “privacy principles” underlying the proposed legislation. The now-defunct Planning Commission had set up this group of experts to analyse the impact made on privacy by a slew of data-related initiatives including Aadhar card, NATGRID, CMS and human DNA profiling.
The group of experts recommended that all existing and future legislation and procedures should comply with these privacy principles, which hold data controllers, whether public or private, accountable for the collection, processing and purpose for which the data is used. The regulatory mechanism proposed in this regard is a “privacy commissioner” at the national level and four such authorities at the regional level, each with the power to impose fines on data controllers for violations of privacy principles.
The nine privacy principles thus adapted to the Indian context are:
Notice: Every data controller is required to give a simple-to-understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should specify, among other things, the reasons for collecting personal information, whether it may be disclosed to third parties, security safeguards for the data and processes available to data subjects to access and correct details concerning them.
Choice and Consent: Barring exceptional situations, the data controller should give everyone the choice of agreeing or refusing to provide their personal information and seek their consent only after giving due notice of its data practices. The consent should not be an induced one, as has been alleged before the Supreme Court in the Aadhar card case on the ground that people are being forced to enrol as the scheme has been made an integral part of various services.
Collection Limitation: The data controllers should collect only so much personal information as is necessary for the purposes cited for such collection, regarding which notice has been provided and consent obtained. The method of collecting personal information should be fair and lawful.
Purpose limitation: The manner in which personal data is processed, applied or disclosed should not go beyond the stated purposes for which the information had been collected. If there is a change of purpose, this should be notified to all the individuals concerned. After the personal information has been used for the stated purposes, it should be destroyed and not remain in any database.
Access and Correction: Apart from rare exceptions where such transparency may defeat the very purpose of the collection, individuals should have access to their personal information as held by the data controller. They should also be able to seek corrections and obtain copies of their personal data.
Disclosure of Information: The data controller should not disclose personal information to third parties without giving notice and seeking informed consent from the individual concerned for such disclosure. Third parties are also bound to adhere to relevant privacy principles.
Security: For the information collected or otherwise in their custody, the data collector should provide adequate security safeguards against unauthorised access, destruction, use, modification or disclosure.
Openness: The data collector should be transparent in its functioning even as it ensures compliance with the privacy principles.
Accountability: The data controller is liable to be penalised by the statutory regulator for any breach of privacy principles. In any event, the data controller shall comply with the orders of the privacy commissioner, whether specific or general.