
International Data Privacy Law, 2011, Vol. 1, No. 1

ARTICLE
Promises and illusions of data protection in Indian law

Graham Greenleaf*

* Professor, Faculty of Law, University of New South Wales, Sydney, Australia. This article is based in part on a report by the author published by the European Commission at <http://ec.europa.eu/justice/policies/privacy/docs/studies/>. The assistance is acknowledged of Associate Professor Lee Bygrave, Professor VC Vivekanandan, Mr K Bajaj (DSCI), Mr P Duggal, Ms J Matthews, and a helpful reviewer, but all content remains the responsibility of the author.

© The Author 2010. Published by Oxford University Press. All rights reserved. For Permissions, please email: journals.permissions@oxfordjournals.org

Abstract

- Discusses how the size and economic importance of India has caused its data protection and privacy rules to come under increasing scrutiny and how, in recent years, the Indian government has enacted disparate pieces of legislation dealing with data protection in areas such as information technology, credit information, and access to public sector information.
- Discusses how the privacy protection through the courts has also expanded.
- Shows that, despite this, India still lacks a comprehensive legal framework for data protection, and much of the legislation fails to protect the rights of individuals as much as it promises (or pretends) to do.
- Analyses the basic principles of data protection, which are often not sufficiently implemented into Indian legal provisions, or are so implemented only in relation to one sector.
- Analyses how some of the legal structures that have been constructed ostensibly to protect individual rights (such as credit information) may actually have the result of increasing the surveillance of individuals, and how some exist only on paper, without regulations or administrative measures to give them effect.
- Discusses how India also lacks a system of genuinely independent data protection regulators, or a wide enough range of remedies.
- Concludes that India has made progress in data protection in the last few years, but still lacks a satisfactory legal framework for data protection. Its legal structure is evolving, and the precise points at which it is still lacking need to be understood so that they can be remedied.

I. Introduction

India is the world's most populous democracy (estimated population 1.2 billion), with a multi-party bicameral parliamentary system at the national level. The Indian economy, previously very state dominant, has developed an energetic private sector in the last two decades. It has the world's twelfth-largest economy, and is at present the second-fastest growing major economy, as well as being one of the world's largest destinations for the international outsourcing of processing of personal information (business process outsourcing), through telecommunications call centres, transcription of medical consultation notes, and in many other areas.

The data protection laws of a country cannot be understood in isolation from the surveillance systems operating within the country. Indian governments have long had power to intercept messages on the occurrence of any public emergency, or in the interests of public safety, if it was satisfied of certain matters,1 but this is constrained by 1996 Supreme Court guidelines as to who could tap phones and under what circumstances.2 More recent anti-terrorism laws have been criticized because they gave law enforcement sweeping powers to arrest suspected terrorists, intercept communications and curtail free expression,3 although they do include audit mechanisms involving judicial review and parliamentary oversight. The Indian courts are active in placing limitations on search without warrant.4 Amendments in 2008 to the Information Technology Act 2000, discussed below, include provisions for extensive data surveillance. The Credit Information Companies (Regulation) Act 2005 is a blueprint for a comprehensive credit surveillance system, but on the other hand the information it collects will be largely restricted to the credit industry. India is also planning to introduce a biometric-based ID system by 2011, to be issued to its 1.2 billion citizens. It is to be implemented by a newly-established Unique Identification Authority of India (UIDAI)5 established in February 2009, the operation of which will change the significance of all other personal information processing in India, particularly if and when linked to the National Population Register (NPR) and the national intelligence grid (NATGRID). A draft bill proposes some very weak data protection provisions.6

In summary, the Indian state is not yet involved in pervasive personal surveillance of its population; the rule of law is administered by an activist (if sometimes slow moving) judiciary that is sensitive to issues of civil liberties, including privacy. India is a frequent target of terrorist attacks, so there is a constant temptation to extend every form of surveillance. India's private sector has not yet embraced systemic data surveillance techniques for commercial purposes.

Indian law is therefore at a crossroads with regard to the development of data protection and privacy law. While there has been considerable legislative activity and case law concerning data protection in recent years, an overview of Indian data protection and privacy law reveals numerous significant hurdles that must be overcome before the country can be regarded as having an international standard legal framework. Many of the protections that have been enacted are not yet in effect, either because essential regulations are still missing, or because laws are not yet being observed. To that extent, some of India's data protection structure is illusory, or can at best be regarded as a promise of future improvements.

1 Telegraph Act 1885 s5.
2 People's Union for Civil Liberties v The Union of India & Anr [1996] INSC 1637.
3 Electronic Privacy Information Centre (EPIC) and Privacy International (editors), Privacy and Human Rights, 10th edn (2006), at 547, available at <http://epic.org/phr06/> (PHR 2006: 547).
4 M/s MK International, Ludhiana and other v Union of India & Ors CWP5969 2006 [2006] INPBHC 7598 (21 September 2006).

II. The legal context of data protection laws in India

International obligations in relation to privacy

Treaties are not enforceable under Indian law until they are incorporated into domestic law.7 India's only international obligation concerning privacy is Article 17 of the International Covenant on Civil and Political Rights (ICCPR) 1966. Article 21 of the Indian Constitution (discussed below in relation to privacy) has to be interpreted consistently with international law, and it is considered that it has been so interpreted.8 India is not a signatory to the 2nd Optional Protocol to the ICCPR, so it is not possible for Indian citizens to make complaints ("communications") to the UN concerning failures to fully implement Article 17. India is not a member of the OECD, nor of APEC, and has not sought to become a party to the Council of Europe's data protection Convention. The South Asian Association for Regional Cooperation (SAARC), the regional organization of which India is the largest member, does not list human rights or privacy among its seven current areas of cooperation.9

5 Unique Identification Authority of India website <http://uidai.gov.in/>.
6 G Greenleaf, "India's national ID system: Danger grows in a privacy vacuum" (2010) 26 (5) Computer Law & Security Review (in press).
7 CRID, University of Namur (with Indian expert consultants) (2005) First Analysis of the Personal Data protection Law in India, 2005, Report to the Directorate General, Justice, Freedom and Security, European Commission, at 21, available at <http://ec.europa.eu/justice_home/fsj/privacy/docs/studies/final_report_india_en.pdf>.
8 People's Union for Civil Liberties v The Union of India & Anr [1996] INSC 1637 per Kuldip Singh, J.
9 See "Areas of Cooperation" on SAARC website at <http://www.saarc-sec.org/?t=2>.

Constitutional basis of privacy protection

The Constitution of India provides that "No person shall be deprived of his life or personal liberty except according to procedure established by law" (Article 21). The Supreme Court has interpreted this provision to include the protection of privacy since Kharak Singh v The State of U.P., where it stated: "It is true our Constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty."10 Privacy was also held to be part of what was protected by Article 19(1)(a) (right to freedom of speech and expression) and Article 19(1)(d) (right of freedom of movement). Article 14's guarantee of "equality before the law or the equal protection of the laws" is also significant in its interaction with Article 21.

Against the constitutional right of privacy must be balanced Article 19(1)(a) of the Constitution which guarantees to all citizens freedom of speech and expression. Article 19(2) permits the State to impose reasonable restrictions on the exercise of the rights conferred by Article 19(1)(a) in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency, morality, contempt of court, defamation and incitement of offence. The Supreme Court has held that a citizen has a right to receive information, derived from the concept of freedom of speech and expression comprised in Article 19(1)(a).11

The rights under Article 21 are available to all persons, whether or not they are citizens of India. The Supreme Court has insisted that authorities relying on the "procedure established by law" exception to Article 21 must strictly and scrupulously observe the forms and rules of the law.12 Since Menka Gandhi v Union of India13 the phrase "procedure established by law" has been held to have a meaning similar to "due process of law" in the US Constitution. Case law has repeatedly taken a "persons and not places" emphasis in interpreting the right of privacy, rejecting views that privacy is tied to property interests.14 This is consistent with the Indian Supreme Court developing Article 21 in the direction of data protection principles, although this has not occurred as yet: almost all cases on Article 21 are about search and seizure or telecommunications surveillance.

The most significant development outside search and surveillance issues is the decision of the High Court of Delhi in Naz Foundation v Government of NCT of Delhi.15 This was public interest litigation brought by the NGO, Naz Foundation, to challenge the constitutional validity of Section 377 of the Indian Penal Code, 1860 (IPC), which criminally penalizes what is described by the section heading as "unnatural offences" including, in the Court's interpretation, homosexual sexual acts. The Delhi High Court initially dismissed the application as an academic challenge, but was required by the Supreme Court in 2004 to re-examine the matter. The Court found that s377 breached the right of privacy and rejected the claim that this invasion of privacy was justified within the exception to Article 21. It found that the State cannot invade the privacy of citizens based solely on considerations of public morals. Section 377 was also held to violate Article 14 (equality before the law) and its more particular expression in Article 15 (prohibiting discrimination on the grounds of sex). The Naz Foundation Case therefore takes the protection of privacy under the Indian Constitution beyond issues of search and surveillance. The broadest statement of the Delhi High Court's approach, following its review of Indian case law on protection of privacy, is "The right to privacy thus has been held to protect a private space in which man may become and remain himself. The ability to do so is exercised in accordance with individual autonomy."16 Should such an expansive approach be adopted by the Indian Supreme Court, it could develop in the direction of the right to informational self-determination articulated by the German federal Constitutional Court.17

Although the cases on Article 21 have not yet involved data protection issues, the Indian legal system is open to such judicial intervention, as illustrated by the Supreme Court's development of a right of access to public information prior to its national enactment in the Right to Information Act 2005. If the legislature has failed to enact protections required by the Constitution, the Supreme Court can make binding rules which will operate until laws are made by the legislature and found by the Court to be sufficient. The possibility of judicial developments must be kept in mind when considering the scope of Indian data protection law.

The protection of privacy by the Indian courts has developed primarily from this constitutional basis, rather than by Indian courts developing a tort of invasion of privacy (as in the USA or New Zealand), or by extension of the law of breach of confidence (as in the UK). Indian courts are unusual in having given some constitutional rights18 a direct horizontal effect, allowing constitutional rights to be asserted against non-state actors, including directly by litigation. However, the implied right to privacy protection is not considered by academic authors to be one of these rights. Singh states that in relation to Article 21 (with Articles 19, 20, and 22) "it may be inferred that they involve state action and therefore are protections against the state".19 This approach is supported by one of the few privacy decisions dealing with a claim against a private party, Petronet Lng Ltd. v Indian Petro Group and Another,20 but that is only a High Court decision and possibly obiter dicta. Uncertainty about which fundamental rights have a horizontal effect has led one author to comment that "The court's selective and ad hoc approach to horizontal application of fundamental rights has led to inconsistent interpretations of constitutional rights norms resulting in a muddled and messy fundamental rights jurisprudence".21 It would therefore be unwise to be dogmatic about whether the Article 21 right to privacy applies against private actors until the Supreme Court has made a clear decision on the matter. All that can be said is that existing authority does not support the constitutional right of privacy being able to be asserted against non-State actors.

10 [1962] INSC 377; 1963 AIR 1295 1964 SCR (1) 332 (per Subba Rao and Shah, JJ).
11 State of U.P. v Raj Narayan (1975) AIR 1975 SC 865; P.V. Narsimha Rao v State (1998) AIR 1998 SC 2120.
12 Ram Narain v State of Bombay (1952) SCR 652.
13 (1978) AIR 1978 SC 597.
14 District Registrar and Collector, Hyderabad & Anr. v Canara Bank & Ors. (2005) 1 SCC 496.
15 High Court of Delhi, Case number WP(c) No.7455/2001 (2 July 2009), available at <http://lobis.nic.in/dhc/APS/judgement/02-07-2009/APS02072009CW74552001.pdf>.
16 Ibid paragraph 40.
17 Judgment of 15 December 1983 (Census Act case), 65 BVerfGE 1.
18 M Singh, "India: Protection of Human Rights against State and Non-State Action", in D Oliver and J Fedke (eds): Human Rights and the Private Sphere: A Comparative Study (Routledge 2007) 182 considers that rights primarily available against private parties, or equally against them as against the State, include those in Articles 15(2), 17, 23, 24, 25, 26, 29(1) and 30(1).
19 Singh (n 18) at 180ff; Cf A Viswanathan, Outsourcing to India: Cross-Border Legal Issues (LexisNexis Butterworths Wadhwa 2008) 309: "A rights to privacy per se would give the wronged party a right to damages against another private party, unlike a constitutional right to privacy, which only gives rights to the State."
20 Decision dated 13 April 2009; available at <http://indiankanoon.org/doc/874488/>.

Tort law

The extent to which the law of torts is relevant to the protection of privacy in India is unclear. In Rajagopal alias Gopal v State of Tamil Nadu,22 the Supreme Court held that (as summarized in M/S Amco Batteries Limited, Bangalore v Collector of Central Excise, Bangalore):

"petitioners have a right to publish what they alleged to be a life story/autobiography of Auto Shankar insofar as it appears from the public records, even without his consent or authorisation. But if they go beyond that and publish his life story, they may be invading his right to privacy for the consequences in accordance with law."23

The case implies that there is no protection for personal information in public records, and protection of privacy for persons who have voluntarily placed themselves in the public eye is reduced, but otherwise tort law provides substantial protection for information privacy (at least in theory), including where the information is true. Viswanathan considers that the Supreme Court in Rajagopal, for the first time, articulated the twin pillars of privacy law in India, first in tort law giving rise to an action for damages against private persons and, secondly, in constitutional law which protects a person against intrusion by the government.24 However, this interpretation is not as clear as Viswanathan suggests, and some Indian academic authors make no mention of invasion of privacy as a tort.

While clear cases are lacking, some judges consider that there is a tort of invasion of privacy. In Secretary General, Supreme Court of India v Subhash Chandra Agarwal,25 three judges of the Delhi High Court said in obiter dicta:

"The right to privacy as an independent and distinctive concept originated in the field of Tort law, under which the new cause of action for damages resulting from unlawful invasion of privacy was recognized. This right has two aspects: (i) The ordinary law of privacy which affords a tort action for damages resulting from an unlawful invasion of privacy and (ii) the constitutional recognition given to the right to privacy which protects personal privacy against unlawful government invasion."26

This distinction still matters in India, because (as discussed above) it does not seem that Indian courts allow horizontal enforcement of the Article 21 constitutional implied right of privacy, so Article 21 does not provide privacy rights in relation to the private sector.

21 N. Wahi, "Supreme Court makes law governing civil and criminal liability for destruction of public and private property", Law and Other Things Blog, April 20, 2009, <http://lawandotherthings.blogspot.com/2009/04/supreme-court-makes-law-governing-civil.html>.
22 (1994) 6 SCC 632.
23 [2003] INSC 120.
24 Viswanathan, (n 19) at 309.
25 (2010) INHCD 40.
26 Ibid. para 110.

Breach of confidence law

Over the last decade, the judiciary in the UK has been developing the law on the equitable action for breach of confidence so that it may apply to a greater range of situations than previously. This has been spurred partly by the enactment of the Human Rights Act 1998 (UK).27 In the UK an action in equity for breach of confidence may lie where there is public disclosure of personal information about which the data subject has a reasonable expectation of privacy, irrespective of whether the data subject has imparted the information in circumstances importing an obligation of confidence on the recipient. Other common law jurisdictions such as New Zealand and Australia have not yet followed the UK approach. In Petronet Lng Ltd. v Indian Petro Group and Another (2009), Bhat J held that Indian law should take a similar approach to that taken in the UK, which omits the requirement of a prior confidential relationship.28 Bhat J held that even though the plaintiff here could not rely on a privacy action, the question of breach of confidence required consideration. However, the plaintiff's claim also failed on that ground, so Bhat J's views are obiter dicta.

Until the Supreme Court has the opportunity to consider this matter it cannot be considered as settled in Indian law, but it is quite possible that Indian courts will take a similar approach as UK courts in developing the law of breach of confidence to protect privacy. This would be significant in the private sector.

27 See generally G Phillipson, "Transforming Breach of Confidence? Towards a Common Law Right of Privacy under the Human Rights Act", 2003 Modern Law Review 726 et seq.
28 Ibid para. 48.

III. Legislation and self-regulation providing data protection

India does not have general data protection legislation. Data protection Bills have been drafted, but none have been introduced into Parliament. Such statutory protection of privacy as can be found in India is scattered across a number of statutes, the most important of which are introduced here, and their scope examined. According to Indian experts, only the national government is competent to legislate on privacy issues.29

29 CRID (n 7), at 21.

Information Technology Act 2000 (as amended 2008)

The Information Technology Act 2000 (IT Act 2000) is the most significant legislation with a potential effect on information privacy generally, although it deals primarily with electronic transactions and digital signatures. As yet, there are only a half dozen court decisions interpreting the Act, most of which concern the one section dealing with pornography. Even after the extensive amendments to the 2000 Act by the Information Technology (Amendment) Act 2008 (ITAA 2008), it only covers a small part of what is normally dealt with by information privacy legislation: first, a civil law provision on data security (s43A), with compensation for data subjects; second, an offence against wrongful disclosure; and third, identity-related offences which give some protection against wrongful disclosures of personal information. The ITAA 2008 also contains extraordinarily broad surveillance provisions providing the government with powers to intercept data, access stored data, require retention of data and control encryption. The key data protection provision, s43A, is not yet effective due to a lack of implementing regulations, as discussed below.

The legislation does not deal specifically with data protection, so core concepts such as personal data/information, processing, disclosure, and consent are not defined. There is a very broad definition of "data" in the IT Act 2000 (s2(1)(o)), which covers data in any form which is intended to be processed, is being processed or has been processed in a computer system or computer network. Data in entirely non-automated systems would therefore not be covered by the Act, but data in non-electronic form which had previously been the subject of processing could be.

The IT Act 2000 says it shall extend to the whole of India (s1(2)). However, s43A (providing civil liability for personal data security) is limited to a "body corporate", which means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. This key section for data protection purposes (if and when operational) is therefore limited in scope to the private sector. The impact of the IT Act on the public sector is minimal, though some of the offences it creates could apply to public servants misusing personal information, and s43 could apply to third parties interfering with personal data held in public sector computer systems.

There are also exemptions from liability for intermediaries. Both the civil liability for personal data security (s43A) and the offences concerning disclosure (s72A) and identity (ss66B-D) discussed below are made somewhat more complex by the protection against liability given to intermediaries in certain cases (s79). Where s79 applies, an intermediary shall not be liable for any third party information, data, or communication link made available or "hasted" by him (this should presumably say "hosted"). "Third party information" is defined to mean any information dealt with by an intermediary in his capacity as an intermediary, and this limitation may also apply to "data" and "communication".

The IT Act 2000 asserts that it has unlimited territorial jurisdiction: it applies ". . . to any offence or contravention [under the Act] committed outside India by any person", save as otherwise provided in the Act (s2(1)). The substance of this provision is repeated in s75(1) of the same Act, but s75(1) is subject to s75(2) which provides that the section only applies if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India. Given the proviso to s2(1), it seems likely that s75(2) also limits its scope.

The IT Act 2000 establishes special procedures for civil actions coming under it which operate through specialist tribunals outside the normal civil courts. These Adjudicating Officers and Cyber Appellate Tribunal are discussed later under "Independence and Powers of Supervisory Bodies".

Credit Information Companies (Regulation) Act 2005

The Credit Information Companies (Regulation) Act 2005 (CICRA 2005) is the only Indian legislation to contain a comprehensive set of data protection standards (discussed later). The Reserve Bank of India is the regulatory body under the Act. The Act came into force by 14 December 2006, and the rules and regulations under the Act came into effect on the same day. The Reserve Bank invited applications in April 2007 from companies interested in continuing/commencing the business of credit information companies (CICs), and four have now been registered to do so and are operating as such. This Act could provide one model for a more general data protection law for India, except that there is no evidence that it is being enforced or complied with, as will be shown.

A compulsory surveillance system

The Act is as much a blueprint for the compulsory involvement of the Indian finance industry in a pervasive information surveillance system as it is a data protection law. No company can carry on a credit information business without being registered under the Act as a credit information company (CIC) (s3). The allowed business activity of a CIC is defined (s14(1)). A CIC cannot carry on other forms of business (s14(2)). The compulsory surveillance network is established by sections 15 and 17. All credit institutions must be members of one CIC (s15(1)-(2)), but may join more than one (s15(3)). No CIC is allowed to refuse to accept a credit institution or another CIC as one of its members (s15(4)). Finally, a CIC may require any of its members to provide it with such credit information as it may deem necessary in accordance with the provisions of this Act (s17). The Reserve Bank has a general power to determine policy in relation to the operation of participants in the credit information system, and the participants are bound to follow that policy (s10). It can also issue directions (s11).

The surveillance functions of the system are also seen in CICRA Rule 19 and Form II, which specify exactly what minimum information credit institutions must collect from potential borrowers, including such information as the usual location information, the borrower's father's name, bank account details, and passport or other ID details. This specificity of regulation will ensure a degree of uniformity across Indian CICs that will make their interconnection a powerful national surveillance system. The ID number being developed by UIDAI may become the main identification number under item 3 above. According to The Economic Times, "helping link the borrowers to their credit histories will be the Unique Identification Authority of India (UIDAI)".30 The emerging relationship between the ID system and the rapidly developing financial surveillance system may become a key issue in assessing the extent of data protection in India.

30 A Gupta and G Nayak, "Select home loan provider with care", The Economic Times 3 Mar 2010.

Definitions, core concepts and scope

The scope of the Act is broad: it regulates all participants in credit reporting: credit information companies (credit bureaux), credit institutions (credit providers), and others with access to credit information (specified users). The Act extends to the whole of India (s1(2)). It does not purport to have extraterritorial scope.

The definition of "credit information" is equally broad and means any information relating to amounts and the nature of loans or advances, amounts outstanding under credit cards and other credit facilities granted or to be granted, by a credit institution to any borrower, plus various forms of information about securities, guarantees, or creditworthiness, and other information the Reserve Bank may specify in regulations (s2(d)). "Personal data" is not defined (or used) in the Act, but is defined in the Regulations as such other data relating to an individual other than the information that credit reporting participants are allowed to collect by the rules made under the Act (Regulation 11(4) Explanation). This would include identification and location data. It is important to remember that "personal data" therefore does not include credit information. It is not the more general term, but rather the complement to "credit information".

A credit information company (CIC), in other countries called a credit bureau, is a company registered in India and granted a certificate of registration by the Reserve Bank under s5 (s2(e)). No company may carry on the business of credit information without being registered under the Act (s3). A credit institution (CI) means a banking company (as defined in the Reserve Bank's legislation) and includes non-banking financial companies, housing finance companies, credit card companies, companies distributing credit in any other manner, and other institutions the Reserve Bank may notify from time to time (s2(l)). It is a very broad definition. A specified user means any credit institution (which must be a member of at least one credit information company: s15(1)), or a credit information company which is a member of another credit information company (optional: s15(3)), or an institution specified by regulations. Insurance companies, telecommunications providers, rating agencies, brokers, commodity traders, and securities or insurance regulators have been so specified (Regulation 3).

Forms of data protection regulation

The Act, Regulations, and Rules set up complex and overlapping data protection requirements, but they are nevertheless incomplete:

1. Chapter VI of the Act sets out briefly (ss19-22) "Information Privacy Principles" applying to credit information companies, credit institutions, and specified users. The Principles require them to adopt principles covering every aspect of data protection, plus any other principles and procedures which the Reserve Bank may think necessary to specify by regulation. Offences and penalties, including administrative penalties which can be imposed by the Reserve Bank, are in Chapter VII (ss23-26), but there are no provisions for complaints and compensation.
2. Chapter VI of the Credit Information Companies Regulations 2006 (Regulations)31 made by the Reserve Bank sets out some Privacy Principles in detail, but is not comprehensive. Unlike the Draft Regulations in 2005, they do not include provisions for complaints and remedies.
3. The Credit Information Companies Rules, made by the Government, include privacy protections to be taken by credit institutions and by credit information companies and specified users. All parties have obligations in relation to unauthorized access, use or disclosure and fidelity and secrecy. There are no rules concerning remedies.

interpreted Article 19(1)(a) of the Constitution of India to include by implication the right to information in the constitutional guarantees of freedom of speech and expression (People's Union for Civil Liberties v Union of India33). Consequently national legislation was enacted as the Right to Information Act 2005. The right to information provided by the 2005 national legislation has a broad scope, covering information held by or under the control of any public authority (s2(j)). "Public authority" includes any authority or body or institution of self government established or constituted under the Constitution, any law of the Centre Parliament, of a State Legislature, or under delegated legislation, and includes bodies owned or controlled by government or directly or indirectly substantially financed by government (even if they are NGOs) (s2(h)). The reach of the legislation is therefore to all tiers of government and considerably beyond that. The Indian legislation only provides a right of access to personal information, not a right of correction such as is also included in the freedom of information legislation in some countries such as Australia. Details are given under the right of access, under limitations on disclosure, and also under the obligation of openness, discussed below.

The Protection of Human Rights Act 1993

The Protection of Human Rights Act 1993 defines "human rights" to mean the rights relating to life, liberty, equality and dignity of the individual guaranteed by the Constitution or embodied in the International Covenants and enforceable by courts in India (s1(d)). "International Covenants" includes the International Covenant on Civil and Political Rights, Article 17 of which provides for the protection of privacy, so privacy is within the ambit of the Act. The Act establishes the National Human Rights Commission (NHRC) (s3) which has the power to investigate, either on its own motion or on the basis of a complaint, a violation of human rights, or negligence in preventing such violations by a public servant (s12(a)). If an investigation reveals a violation of human rights (or negligence in preventing one), the Commission can recommend that government or authority pay compensation, commence any prosecutions that are open, and approach courts for directions, orders, or writs. It has no independent powers to take remedial actions.
32 Tamil Nadu; Goa; Rajasthan; Delhi; Maharashtra; Assam; Madhya Pradesh; Jammu & Kashmir. 33 (2004) AIR 2004 SC 1442.

The Right to Information Act 2005 (RTI Act)


A number of States enacted access to information Acts from 1997 to 2004,32 covering what is elsewhere called freedom of information in relation to the public sector. In 2004 Indias Supreme Court conclusively
31 Credit Information Companies Regulations, 2006, Gazette notication 14 December 2006, at ,http://nmin.nic.in/the_ministry/dept_n_services/ banking/CIBIL_nal.pdf..

There is no indication that the NHRC has as yet any actual involvement in privacy issues. None are included in the hundreds of cases heard by it and summarized on its website since 1993.34 The focus of the NHRC has been, and is, on wrongful deaths and other more extreme violations of human rights.

Access to personal information is an essential element of data protection. In India it is probably fair to say that focusing on the gains to personal liberty and privacy that can be obtained from the right of access is a pre-condition to the later achievement of a more comprehensive set of data protection rights.

The National Consumer Disputes Redressal Commission

The National Consumer Disputes Redressal Commission (NCDRC) is established under the Consumer Protection Act 1986 'to promote and protect the rights of consumers', and to enable ordinary consumers to secure 'less expensive and often speedy redressal of their grievances'.35 Under the NCDRC, 604 District Forums are headed by a person who is or has been or is eligible to be appointed as a District Judge, and 34 State Commissions are headed by a person who is or has been a Judge of a High Court. Decisions from all levels are published on the Internet.36 Decisions by District Forums may be appealed to the State Commissions and thence to the National Commission in Delhi. The Act allows complaints to be made by consumers in relation to an 'unfair trade practice', which is defined broadly enough to cover many types of complaints about misuse of personal data. However, it must be possible to identify a deficiency in relation to what a trader or service provider is required to do by law, or has undertaken to do, either by contract or by some holding out. As discussed later, the CDRC system has resulted in significant data protection advances, particularly in the Nivedita Sharma Case concerning large-scale disclosures of personal information.

Indian contract law, choice of law, and outsourcing

The Indian Contract Act 1872 and Indian contract law do not generally recognize the concept of a 'third party beneficiary' allowing a third party to sue for enforcement of a contract made for its benefit. This is sometimes referred to as the requirement of 'privity of contract'. In contrast, under the law of some countries, such as the UK Contracts (Rights of Third Parties) Act 1999, the doctrine of privity of contract is modified and certain third parties on whom a contract expressly confers a benefit can enforce a term of the contract. Protection of third party beneficiaries is common in European laws, but some other jurisdictions (including most Australian jurisdictions, and Hong Kong) still adhere to the strict doctrine of privity of contract. Where a contract between an overseas company and an Indian outsourcing company creates data protection obligations on the Indian outsourcer, the question arises whether the data subjects (the individuals whose personal information has been outsourced for processing) could enforce those obligations if the Indian company breaches the data protection obligations. If the law of the contract is the law of the UK or any other country that protects third party beneficiaries, it may be that the data subjects could enforce those rights in the courts of the foreign country concerned, or in an Indian court which is willing to enforce the contract applying the law of the foreign country as a matter of private international law. However, if Indian law (or the law of a foreign country with the doctrine of privity of contract) is the law of the contract, then it is unlikely that the data subject could enforce the data protection rights. If the data subject could enforce the contractual data protection rights, then India's Specific Relief Act 1963 might become relevant, as it allows Courts to provide temporary or perpetual injunctions to prevent breaches of obligations in a person's favour, and also allows claims for damages in some situations, even though these are not provided for specifically in the contract.37

Sectoral self-regulation and codes of conduct

Despite the lack of data protection law in India, there has been no significant development of self-regulation aimed at providing protection to data subjects. The main concern of industry bodies such as NASSCOM and DSCI is self-regulation of the relationship between the overseas companies providing personal data for processing in India and the Indian companies processing that data. Such arrangements may provide indirect benefits to data subjects, but that is not their purpose. The National Association of Software and Services Companies (NASSCOM) is the main industry association involved in personal information processing, with members including about 25 per cent of the 7,000 outsourcing organizations in India. Although it supports self-regulation, NASSCOM has no privacy initiatives listed on its website other than the formation of the DSCI.38 NASSCOM has established a central register of IT sector employees, the National Skills Registry (NSR), which conducts background checks on those IT industry employees who register with it. It is said to cover about 25 per cent of India's estimated 2.5 million outsourcing workforce, but whether this is effective in increasing personal data security is unknown. The Data Security Council of India (DSCI) is a self-regulatory body established by NASSCOM in 2007.39 Its executives state that DSCI 'will serve as a trust agent for data privacy and security accountability in outsourcing' and 'It will engage in education, compliance and enforcement of trusted information management practices in the handling of personal data'.40 Although they refer to DSCI prescribing good practices and state that it 'will monitor and enforce compliance' by members, they don't state where it will obtain any authority to do so. DSCI's current proposals are contained in the DSCI Framework for Data Protection (DPF)41 and the DSCI Security Framework (DSF).42 It is necessary to distinguish what the DSCI is offering to its clients (companies and governments outsourcing processing work to Indian service providers) from what (if anything) it is offering individuals whose personal data are being transferred to India.

DSCI claims that its Privacy Framework 'does address consumer privacy protection'.43 A more accurate statement is that 'The DSCI Framework is specially aimed at data protection practices for companies engaged in outsourcing, with a view to assure controllers of information from outside of India, that Indian companies are familiar with basic processor practice requirements and have developed model practices to ensure security and appropriate data use'.44 Organizations are also required to remedy problems arising out of a failure to comply with the Principles,45 but the only apparent sanction is suspension of DSCI membership. It is not stated explicitly whether data subjects can request a remedy (or how), or whether this is limited to data controller/service provider disputes, but it seems to be the former.

Some Indian companies are members of the TRUSTe privacy seal programme, which is intended to reassure consumers (data subjects) that they are dealing with companies that have sound privacy practices. The credibility of TRUSTe and other privacy seal programmes as any useful form of privacy protection is very questionable.46 No Indian privacy seal or certification programmes are known.

34 NHRC website at <http://nhrc.nic.in/>, see 'Human Rights Cases'; this is consistent with the answer to a telephone enquiry in January 2010.
35 NCDRC web pages <http://ncdrc.nic.in/>.
36 'Judgments Search' at <http://cms.nic.in/ncdrcrep/>.
37 Specific Relief Act 1963 at <http://www.commonlii.org/in/legis/num_act/sra1963132/>.
38 DSCI information on NASSCOM website <http://www.nasscom.in/Nasscom/templates/NormalPage.aspx?id=51973>.
39 DSCI website <http://www.dsci.in/>.
40 S Ghosh, K Bajaj, and P Kumaraguru, 'Data Security Council of India: A self-regulatory Organisation' BNA World Data Protection Report (July 2008).
41 Data Security Council of India, DSCI Framework for Data Protection (November 2009), available at <http://www.dsci.in/>.

IV. Data protection principles in Indian law

Since India does not have specific data protection legislation, other than for credit reporting, data protection principles are found scattered through other legislation, if they are provided at all.

Use limitations

The IT Act 2000 does not impose limitations on the internal use of personal information by the organization collecting it. Nor does the Right to Information Act 2005, which is limited to access rights. Outside of the credit reporting sector, Indian law does not provide any significant protection in relation to the use of personal information. Because a CIC cannot engage in any form of business other than credit reporting (CICRA s14), it cannot use credit information for any other purposes. Permitted forms of business for CICs are further detailed in Regulation 6. Credit institutions (and other specified users such as other CICs) may only use credit information for the eleven purposes set out in Regulation 9, most of which are restricted to purposes concerning credit decisions. However, some relate to 'its customers', which could allow decisions to be made using credit information concerning insurance, since insurers can be CIC users (Regulation 3(a)). 'A credit institution shall . . . (b) use such data [as it collects], information and credit information subject to the provisions of the Act' (Rule 19(b)). This implies that credit institutions cannot use the data for purposes other than those provided by the Act. No participant in credit reporting may collect, or publish or disclose, personal data except for the purposes relating to their functions under the CICRA 2005 or their activities incidental or relating to their functions (Regulation 11(2)). So personal data (which is defined to exclude credit information), including location and identification information, can be used for incidental and related purposes.

42 Data Security Council of India, DSCI Security Framework (November 2009), available at <http://www.dsci.in/>.
43 Data Security Council of India, DSCI Privacy Framework: Best Practice (November 2009), at 3, available at <http://www.dsci.in/>.
44 Ibid., at 4.
45 Ibid., at 25.
46 C Connolly, 'Trustmark Schemes Struggle to Protect Privacy' (2008) on Galexia website at <http://www.galexia.com/public/research/assets/trustmarks_struggle_20080926/>.

Disclosure limitations

There are significant limitations on the disclosure of personal information in a number of sectors.

Consumer information

In Nivedita Sharma v Bharti Tele Ventures, ICICI Bank Ltd, American Express Bank47 the Delhi State Commission of the Consumer Disputes Redressal Commission held that both a mobile telephone service provider (Bharti) and two financial services companies (ICICI and Amex) were in breach of the provisions in the Consumer Protection Act 1986 in relation to unfair trade practices and defective provision of services, because of the sale by Bharti, for over Rs 250 lakhs,48 of personal details of its telecommunications customers to the two financial services providers. Bharti's terms of service had stated that it 'does not disclose your personal information to any other Cellular Service Providers, Banks, Credit Card companies etc. or their agents, affiliates which could lead to invasion of your privacy'. Kapoor J said '[w]henever confidential information of a subscriber or consumer is traded or furnished without the knowledge or consent of the consumer to persons who is (sic) neither acquaintance nor a friend nor has any business relationship with the subscriber, both the service provider as well as the person who procures this information by way of unscrupulous methods are guilty . . .'. The sale and purchase of the information was apparently what was 'unscrupulous'. The Cellular Operators Association of India, representing mobile phone companies, was directed by the CDRC to inform all its members 'to immediately withdraw the list of subscribers and their mobile telephone numbers provided to them by banks, financial companies or any other agencies or persons and give them directions in writing that they shall not use this information for any purposes whatsoever and also by way of telemarketing'. The basis on which the Association could give such a direction to its members, or be ordered to do so, is not clear. The CDRC also ordered the Telecommunications Regulatory Authority of India to establish a Do Not Call Registry, which it has done (see later). The case illustrates the breadth of orders that Indian Courts and Tribunals are accustomed to making, and how this has the potential for data protection developments to be initiated by the judiciary rather than by the parliament. The CDRC also set a minimum amount of compensation of Rs 25,000 for affected consumers. Some aspects of the decision concerning the remedies have been overturned by the Delhi High Court as being beyond the CDRC's powers.49 However, the main privacy protection aspects of the judgment were not challenged.

Credit reporting

Credit information received under the CICRA may not be disclosed by a credit information company (CIC) other than to specified users (its members), or by a specified user to anyone else, or by either of them for purposes other than as permitted or required by any law (CICRA s17(4)(c)). The purposes under the Act for which CICs can disclose information to specified users are detailed in Regulation 9, and are essentially limited to credit-related matters (and perhaps insurance-granting or claims investigation purposes). The information obtained by CICs is therefore in a 'silo': it cannot be legally used outside a closed universe of credit reporting, such as for employment or licence checking. Nor can credit information in the hands of credit institutions, though the rules for personal data are more relaxed. Taken as a whole, these are very strong use and disclosure limitations, assuming there is some means of enforcing them. Unauthorised access to any credit information is also an offence by any person who obtains such access (s22).

Private sector generally (ITAA 2008 s72A and s72)

A new section added to the Information Technology Act 2000 in 2008, entitled 'Punishment for disclosure of information in breach of lawful contract' (s72A), goes further than its title suggests. It creates an offence, subject to any other legislation in force, if 'any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person' (s72A). So a disclosure may be an offence even if it is not in breach of the contract, provided (i) it is without the consent of the data subject and (ii) it is made with the requisite intent. The offence is punishable by up to three years' imprisonment or a fine of up to Rs 500,000 or both. The section is potentially quite broad. The condition that the offender is a person 'providing services under the terms of lawful contract' would include (i) a business located in India (whether locally-owned or an overseas 'captive' business) providing any form of services to its customers (whether local or overseas customers) pursuant to an express or implied contract with them; and (ii) an Indian business providing processing services (i.e. an 'intermediary') for an overseas data controller under an outsourcing contract. The broad definition of 'intermediary' further extends the scope of the section. Any disclosure of personal information about data subjects without their consent is therefore potentially a criminal offence if the act of disclosure occurs while services are being provided by the service provider. This would not criminalize further disclosures by third parties who subsequently received the data. However, there are important limiting factors to this offence. First, the personal information must have been obtained while providing the service; it cannot be information that the discloser has previously had in its possession. Second, the relevant intent is to cause 'wrongful loss or wrongful gain'. The wrongfulness of either the loss or the gain may be difficult to prove in cases where personal information has been disclosed, for example, only so that it can be used for an otherwise legitimate commercial purpose such as direct marketing, rather than for some more obviously wrongful purpose such as credit card fraud. Whether direct marketing may be construed as 'wrongful gain' because it arises from uses other than under the lawful contract is uncertain but is arguable. Third, the offence only occurs if there is disclosure of the information, as distinct from use of it for a wrongful purpose by the party securing access to it, so it is a wrongful disclosure offence, not a wrongful use offence. It is unlikely that there would be data subject consent, at least in circumstances where the requisite (wrongful) intent was also present. However, if the data subject had given a broad consent to further commercial use of personal information at the time the information was collected, consent could exist (in which case the gain would not be wrongful in any event). The lack of any significant restrictions on what personal information can be collected in India (see later) also means that it is more difficult to argue that disclosure for the purpose of someone else's collection is in itself causing wrongful loss to the data subject.

Public sector

Where a public authority is proposing to include personal information in responding to a request under the Right to Information Act 2005, a detailed procedure is laid out to balance the protection of the privacy of this third party (by preventing disclosure) against the other interests advanced by the Act. The public authority has no obligation to give any citizen the following information (s8(1)(j)):

'[i]nformation which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information . . .'

There is no definition of 'privacy of the individual' in the Act. After considering the definition of 'sensitive personal data' in the UK's Data Protection Act 1998 s2, the Central Information Commission stated in dicta that 'if we were to construe privacy to mean protection of personal data, this would be a suitable reference point to help define the concept'.50 However, in that case the information concerned the carrying out of a public duty. The s8(1) exception does not apply to 'any information relating to any occurrence, event or matter which has taken place, occurred or happened twenty years before the date on which any request is made' (s8(3)). There is therefore only protection of privacy for information in government records for twenty years. Similarly, information on the posting and transfer of public servants has been held to relate to the functions/affairs of the public authority and not to relate to any personal affairs of the transferees, so s8(1)(j) is inapplicable.51 Where the public authority does propose to disclose the third party's personal information (because it does not cause unwarranted invasion, or because of the larger public interest), it must under some circumstances give written notice to the third party and invite submissions (s11(1)), and not make a decision before taking such submissions into account (s7(7)). The third party must also be notified of their right of appeal (s11(4)). However, this is only required where the personal information in question 'relates to or has been supplied by a third party and has been treated as confidential by that third party'. Where personal information has been generated by government, or provided by someone other than the person concerned, it appears from the Act that they will have no right of notice before disclosure occurs, although such a distinction does not appear to be made in the case law. Section 11(1) then provides a slightly different test than s8, that disclosure may be allowed if 'the public interest in disclosure outweighs in importance any possible harm or injury to the interests of such third party'. The procedures concerning the requirement of notice, and the test to be applied for when disclosure is allowed, are therefore somewhat unclear. Where an applicant was seeking from Indian Airlines (which is bound by the Act) detailed information about the re-appointment of an air hostess after fourteen years on compassionate grounds, Indian Airlines became aware that he wanted all this information to settle scores with his estranged daughter-in-law, and that the matter was before the Delhi High Court, and refused to provide any more information. In dismissing the appeal, the Central Information Commission held that this was information about the private affairs of the air hostess and exempt from disclosure. It stated that the father-in-law should go to the High Court to get information for a matrimonial dispute. Further, Indian Airlines should have given notice to the air hostess before it previously disclosed information.52

47 Cellular Operators Association v Nivedita Sharma, Delhi High Court, CW 583/2007, 15 January 2010 at <http://lobis.nic.in/dhc/BDA/judgement/16-01-2010/BDA15012010CW5832007.pdf>.
48 Rs 1 lakh equals approximately US$2,000.
49 Cellular Operators Ass.O.I. & Ors v Nivedita Sharma & Ors (2010) High Court of Delhi, 15 January 2010, available at <http://indiankanoon.org/doc/1179078/>.
50 Shri Shailendra Verma v Nuclear Power Corporation of India Ltd. (NCPI) Mumbai Decision No. CIC/WB/A/2007/00178 [2008] INCIComm 447 (30 January 2008).
51 Mrs. Umabai Torvi v Syndicate Bank, Manipal Decision No. 344/ICPB/2006 [2007] INCIComm 418 (19 February 2007).

Collection limitations

There is no specific limitation on the ability of companies or government to collect personal information except in relation to credit information. All credit reporting participants must adopt collection principles (CICRA 2005 s20(a)). CICs and credit institutions may not collect personal data (which excludes credit information) except for purposes relating to their functions (Regulation 11(2)). There is no specific restriction on the purposes for which credit information may be collected, but data subjects must be informed of these purposes at the time of collection, and uses and disclosures of credit information are both limited to prescribed purposes, as discussed above. Since credit information cannot legally be used or disclosed for other purposes, it matters less that collection is not specifically limited to those purposes. However, the lack of a specific prohibition on excessive collection means there could still be excessive collection of either personal data or credit information even if it was collected for a proper purpose.

The government is given by the ITAA 2008 very broad powers to monitor and collect certain types of personal data. Among others, Rules have been made to implement s69 ('Procedure and Safeguards for Interception, Monitoring and Decryption of Information'), s69A ('Procedure and Safeguards for Blocking for Access of Information by Public'), and s69B ('Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information').53 The common element in these provisions is that they strengthen the data surveillance powers of the Indian government, but they will not be discussed further here. The extent to which these powers and implementing rules are consistent with the Indian Constitution may become contentious.

Deletion or preservation of data

There are no general requirements to delete or de-identify personal data after its uses have ceased. The rules under Section 69B for 'Monitoring and Collecting Traffic Data or Information'54 do contain requirements for data so collected to be destroyed within a set period. In contrast, the 2008 Amendments (s67C) create open-ended powers to require ISPs and other intermediaries to preserve data, but whether they are consistent with the Indian Constitution may be challenged. Credit information companies (CICs) and credit institutions are required to retain credit information for seven years, and to develop procedures for preservation and destruction with the approval of the Reserve Bank (CICRA 2005, Regulation 10(d)). Personal data must be similarly preserved (Regulation 11(4)). There are as yet no requirements in the credit reporting laws for personal information to be destroyed or de-identified after a period of time, other than the requirement that it not occur before seven years.

52 Shri Om Prakash Pokhriyal Decision No. CIC/OK/A/2006/00072 [2006] INCIComm 116 (6 June 2006).
53 Ministry of Communications & Information Technology, Press Release 'Information Technology (Amendment) Act, 2008 comes into force', <http://pib.nic.in/release/release.asp?relid=53617>, October 27, 2009.
54 Notification of Rules under Sections 52, 54, 69, 69A, 69B on DTI website at <http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/Itrules301009.pdf>.

Data quality obligations


The IT Act 2000 does not impose data quality obligations in relation to personal information. The most detailed requirements concern credit reporting. All credit reporting participants must adopt principles in relation to processing and recording credit information, and checking it for accuracy before furnishing it (CICRA 2005 s20(a) and (c)). Credit institutions are required to ensure that the credit information they furnish to CICs is update, accurate and complete (Regulation 10(a)(ii), and Rule 20 in a lot more detail). CICs must ensure it is properly and accurately recorded, collated and processed (Regulation 10(a)(i)). Credit institutions must update the information they provide to CICs on a monthly basis or as otherwise agreed (Regulation 10(a)(ii)), thus establishing a system of positive rather than negative credit reporting. They must also inform a CIC or anyone else to whom they have disclosed credit information details of any inaccuracy, error or discrepancy that they discover of their own, or are informed about, as well as making corrections to their own records (Rule 19(3)). Failure to do so is a contravention of the Act (Rule 19(5)). Where a claimed inaccuracy, error or discrepancy is in dispute between the data subject and the credit institution, it must inform any CIC to which it has provided the credit information that it is in dispute (Rule 21). Pay-outs of debts and similar information must also be notied to CICs (Rule 22). For CICs, equivalent detailed procedures concerning accuracy and completeness, and disputed debts, are in Rules 25 and 26. They must have specic policies and procedures for evidencing robust matching and to verify that their whole system has been collated without any distortion (Rule 24).

Transparency principle
The IT Act 2000 does not impose obligations on private sector organizations to disclose details of their practices in handling personal information. Nor is there any such obligation in the credit reporting legislation. The Right to Information Act 2005 does impose such obligations on public authorities, which are required to publish inter alia 'a statement of the documents that are held by it or under its control' (s4(1)(b)(vi)), 'details in respect of the information available to or held by it' (s4(1)(b)(xiv)), 'the particulars of facilities available to citizens for obtaining information' (s4(1)(b)(xv)) and 'such other information as may be prescribed' (s4(1)(b)(xvi)). All of the obligations in s4(1)(b) are subject to the further direction (s4(2)) that '[i]t shall be the constant endeavour of every public authority to take steps . . . to provide as much information suo motu to the public at regular intervals through various means of communication, including internet, so that the public having [sic] minimum resort to the use of this Act to obtain information'.

Data security principle

A number of provisions create both obligations to compensate those who suffer from security breaches, and offences in relation to breaches of data security.

Identity offences (ITAA 2008, s66C and 66D)
Identification frauds of various types are becoming one of the most significant threats to the integrity and quality of a person's personal data. The 2008 Amendments to the Information Technology Act 2000 create new offences concerning the misuse of identity information. The offences carry penalties of up to three years' imprisonment or a fine of up to 100,000 Rs or both. One offence is where a person 'fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person' (s66C). This is an identity misuse provision which should have a wide ambit to deal with the misuse of credit card numbers, drivers' licence numbers and the like, due to the breadth of 'any other unique identification feature'. It is probably broad enough to deal with the combination of a person's name and address. The other offence covers other forms of identity misuse wherever a person 'by means of any communication device or computer resource cheats by personating' (s66D). Logging into a person's account by use of any information such as usernames and passwords would be covered, even if the information used could not be said to constitute a unique identification feature.

Credit information
All credit reporting participants must adopt principles in relation to protecting credit information (CICRA 2005 s20(a)). CICs are obliged to ensure that credit information is 'protected against loss, unauthorised access, use, modification or disclosure thereof' (Regulation 10(a)(i)), and have similar obligations in relation to personal data (Regulation 11(3)(b)). These security procedures are supported strongly by the Act making it illegal for any person to access credit information held by a CIC or a credit institution unless the access is authorized under the Act or another law (s22(1)), punishable by a fine of Rs 1,000 and a prohibition on the use of the information (s22(2)). Furthermore, any individual affected may claim damages for any losses suffered as a result of such unauthorized disclosures (s30(2)). For credit institutions, security obligations are prescribed (Rule 23). There are very detailed obligations on all credit reporting participants to take measures to prevent unauthorized access and disclosure (Rule 28). They must also require all of their employees to sign a Declaration of Fidelity and Security (Rule 29 and Form III).

Obligation on third parties to compensate for damage to personal data (ITA 2000 s43)
The IT Act 2000 already provided in s43 for a wide range of situations where a person, 'without permission of the owner or any other person who is in charge of a computer, computer system or computer network', accesses, downloads, copies, or extracts data, or damages or causes to be damaged computer facilities or data (clauses (b) to (h) may all be relevant). It provides that such a third party 'shall be liable to pay damages by way of compensation not exceeding ten million rupees to the person so affected'. This provision therefore provides a right of compensation against anyone other than the person in charge of the computer facilities concerned (including their employees or agents, who have permission). The effect of s43 is therefore to give a data subject a right not to have their personal information accessed by third parties, or damaged or changed by those third parties. The section can be used against third parties by either data controllers or the subjects of personal information; they will simply be affected in different ways, each of which may justify compensation. The maximum amount of compensation is very small in comparison with the damage that the section seeks to prevent. However, there have been no substantive cases on s43 since 2000.55 Section 43A, if it comes into force, will complement the s43 compensation provision (to some extent) because it applies to data controllers. The ITAA 2008 added a new s66 which provides that if a person does any act referred to in s43 dishonestly or fraudulently, this will constitute a criminal offence, punishable by three years' imprisonment or a fine of up to 500,000 Rs.
55 Confirmed by search of available case law, 27 September 2010. There is one decision concerning the relationship between s43 and arbitration clauses.

Obligation on data controllers to compensate for failure to protect data (ITAA s43A)
From the perspective of data protection and privacy, the most significant aspect of the ITAA 2008 would appear to be that it inserts a new s43A on 'Compensation for failure to protect data', were it not for the fact that the regulations needed to bring the section into force have not been implemented nearly three years after its enactment. It is therefore questionable whether it will ever come into force.56 Depending on what the government prescribes under the definitions of 'reasonable security practices and procedures' and 'sensitive personal data or information', and whether the section is interpreted to benefit data subjects or only the other party in outsourcing contracts, s43A could have a significant effect as a personal data security provision, or it could have very little effect. It is possible that the Indian government will delay making these regulations for as long as possible, if it makes them at all, so as to avoid imposing any requirements on industry. Statements by industry and commentators sometimes assume that s43A is operative, although that is not yet the case. Despite its nebulous status, s43A requires discussion because of its potential importance. Section 43A provides:
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

There is no limitation imposed on the compensation that can be awarded. 'Body corporate' is defined to mean 'any company and includes a firm, sole proprietorship, or other association of individuals engaged in commercial or professional activities'. This last clause would exclude religious and social organizations whose activities are not classified as commercial. It also excludes the public sector. At first glance this looks like a useful data protection provision dealing with data security: organizations controlling personal data that fail to implement reasonable security procedures will be liable to pay compensatory damages to 'the person so affected' for resulting wrongful loss. Data leaks and other data security breaches could, it seems, result in compensation to the data subjects so harmed. Foreign companies dealing with Indian outsourcing organizations could also have a statutory basis for compensation. However, on closer inspection, the provision has considerable limitations which may give it a different meaning. First, 'reasonable security practices and procedures' is defined to mean 'security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment'. This part of the definition gives it broad coverage as a data security provision. However, the definition goes on to require that it only applies to those practices and procedures 'as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit'. So it may be that a consumer who has been damaged can find no applicable standard on which to base their claim. No standard has yet been prescribed by the government. Second, the reference to 'an agreement between the parties' also opens up a possible argument that the provision, despite its wording, is only intended to benefit parties who have contracted to have data processing done for them, and not consumers/data subjects, though this view seems misconceived. Third, 'sensitive personal data or information' is defined so that it 'means' (not 'includes') 'such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit'. So the government can prescribe as narrow a class of personal information as it deems appropriate, and unless it prescribes something s43A will not come into effect at all.
The Indian government was advised by the DSCI that sensitive data should be restricted to data pertaining to a person's health or sex life, plus financial data.57
56 No rules had been made as at 27 September 2010, nor draft rules proposed.

57 K Sanzaro and C Ferris, 'India's New Information Technology Law Impacts Outsourcing Transactions', Georgia Journal of Technology Law (Spring 2009), at <http://www.technologybar.org/2009/06/>.

Restrictions on onward transfers

In 2002 there were an estimated 400 business process outsourcing (BPO) operators in India with revenue estimated at US$2.1 billion,60 while in 2010 DSCI estimated that there were 7,000 outsourcing organizations in India.61 There are no laws specifically protecting personal information (or other information) transferred into India, other than the provisions of the IT Act 2000 discussed above. There are also no specific Indian laws restricting the transfer of personal data out of India. This is significant, given the substantial amounts of personal information that are transferred into India from overseas due to BPO arrangements. It is also significant to the privacy of Indian citizens, in that there is no protection against their personal information being transferred overseas. Concerning credit information, the strict restrictions on to whom credit information can be disclosed by CICs will also apply to disclosures to overseas enquirers, whether credit providers or credit bureaux. These overseas parties would not qualify as a 'specified user' and could therefore not obtain information from a CIC (s17(4)), unless the Reserve Bank made regulations deeming them to be credit institutions.
60 P. Duggal, Cyberlaw: The Indian Perspective (2nd edn Saakshar Law Publishers 2004), at 12.
61 Personal communication from Director, DSCI, January 2010.

Other related security requirements
The ITAA 2008 amended s70, so that the government may declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure to be a 'protected system', allowing for special security protections for such systems, but none have yet been prescribed as protected systems.58 The IT Act provides in s66 for an offence of hacking, and a new criminal offence is created by the 2008 Amendments where a person 'dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen' (s66B). These provisions are valuable but not directly relevant to implementation of the security principle. The government is also given sweeping powers by the 2008 Amendments to determine what modes of encryption companies and individuals may use. The rules under s84 have not yet been implemented.59 The extent to which any of these powers are constitutional may become contentious.
58 Rules for Information Technology Act 2000 on Department of Information Technology site at <http://www.mit.gov.in/default.ASPX?id=316>.
59 As of 27 September 2010, no rules had been gazetted, and no draft published.

Principles for specific types of processing

Processing of sensitive data
There is no special protection in Indian law for sensitive personal information, other than s43A IT Act 2000 (if and when it becomes effective), and a provision (s67 and s66E) concerning dissemination by telecommunications of material concerning some aspects of a person's sexual activities. The CICRA 2005 does not explicitly regulate the collection and use of sensitive information. However, India's Constitution includes in its Fundamental Rights section (Part III) a prohibition of discrimination on the grounds of 'religion, race, caste, sex, or place of birth' (A 15). This prevents the State from discriminating on these grounds (A 15(1)), and prohibits anyone from so discriminating in relation to '(a) access to shops, public restaurants, hotels and places of public entertainment; or (b) the use of wells, tanks, bathing ghats, roads and places of public resort maintained wholly or partly out of State funds or dedicated to the use of the general public' (A 15(2)). Discrimination in relation to employment by the State is also prohibited on any of these grounds, or on the grounds of descent or place of residence (A 16). The practice of 'untouchability' is also prohibited in all forms (A 17). Further specific provisions give additional protections to freedom of religion (A 25) and against discrimination in relation to access to State-supported educational institutions 'on grounds only of religion, race, caste, language or any of them' (A 29(2)). These provisions mean that the collection, storage, use or disclosure of any of these categories of personal information, if done within the context of discriminatory or potentially discriminatory conduct, would be likely to be regarded as constitutionally prohibited. However, the discriminatory conduct to which these provisions apply is very narrow. For example, it does not seem to cover the provision of credit or insurance.

Direct marketing
Because India does not have a general data protection law, privacy protections against direct marketing must be found in relation to specific intrusions such as telemarketing. India has not yet legislated in relation to unsolicited Internet communications (spam). However, India's regulation of telemarketing is in marked contrast to its lack of regulation of other aspects of privacy. In October 2007 the Telecom Regulatory Authority of India (TRAI) launched the National Do Not Call (NDNC) database, authorized under the Telecom Unsolicited Commercial Communications Regulations 2007.62 This gives India a reasonably comprehensive privacy regime involving principles, penalties for breach, a regulatory authority and a facility for complaints to be made and adjudicated by an administrative tribunal. It seems that the NDNC has led to a 10 per cent reduction in the calls made by registered telemarketers.63 The 2008 amendments to the Regulations make service providers liable to pay up to 5,000 Rs for contraventions of the Regulations and up to 20,000 Rs for each subsequent contravention. Unregistered telemarketers can be penalized by disconnection of their telephones or discontinuation of their telecom services by their access provider (Reg 15). By 2009, 12,000 telemarketers had already been fined.64 The NDNC is intended to protect Indian consumers, not to protect foreigners, who are unable to utilize the NDNC as it requires subscriber numbers to be lodged with telecoms providers. As the world's largest location of call centres, Indian telemarketing outsourcers have been responsible for a significant quantity of the telephone marketing that is regarded as an invasion of privacy in parts of the rest of the world. Indian laws do not provide any protection against unsolicited calls directed to overseas telephone subscribers. Telemarketing from India to other countries is therefore only dealt with by anti-spam laws in the target country penalizing the local party responsible, even though the breaches are by the Indian telemarketer.
62 Telecom Unsolicited Commercial Communications Regulations 2007 and Explanatory Memorandum, at <http://www.trai.gov.in/regulationpre.asp?id=65>.
63 Telecom Unsolicited Commercial Communications (Second Amendment) Regulations, 2008 (No. 3 of 2008) and Explanatory Memorandum, at <http://www.trai.gov.in/regulationpre.asp?id=76>.
64 C Connolly and A Vierboom, 'Do Not Call Registers backed by high-profile enforcement action', Privacy Laws & Business International Newsletter, Issue 101, at 10 (October 2009).

Automated decisions (Sensitive Processing)
There are no provisions dealing specifically with automated decision-making involving personal information. However, the RTI Act 2005 requires public authorities to provide reasons for their administrative or quasi-judicial decisions to affected persons (s4(1)(d)), and this could be used to force some disclosure of automated decision-making processes.

Interconnection of files (Data matching)
There are no provisions in current Indian law restricting interconnection of files, either in the public sector or the private sector. On the contrary, the RTI Act 2005 s4(1)(a) requires all public authorities to:
maintain all its records duly catalogued and indexed in a manner and the form which facilitates the right to information under this Act and ensure that all records that are appropriate to be computerised are, within a reasonable time and subject to availability of resources, computerised and connected through a network all over the country on different systems so that access to such records is facilitated . . .

This is not balanced by any data protection law placing limits on such 'linking up' in the case of personal data. If such a linking up of all records of public authorities was in fact undertaken, rather than just being legislative wishful thinking, then it would be extremely dangerous to Indian citizens in the absence of the protections of a full-fledged data protection law. Data matching has not been a major method of social administration or business in India until now. However, as discussed in the previous section, the introduction of the ID number and the proposed developments of the NPR, National Citizenship Register, ID card and NatGrid are likely (even if not all of them go ahead) to make it far easier (technically and socially) for Indian government agencies and companies to undertake data matching on a much more massive scale than in the past. At present, the RTI Act gives a green light for the linking up of these and other government data sets, without any special consideration for personal data.

V. Rights of data subjects (access, rectification, and opposition)

Notification rights
Informing the data subject of information concerning the processing of his or her personal information at various points in the information lifecycle is also very relevant to the effective exercise of the access, rectification, and opposition rights. There is no right in India for data subjects to be informed of any matters at the time of collection of personal information, except in relation to credit information. In relation to credit reporting, the data subject must be informed of the content of his credit information whenever it is the basis for refusal of credit (as discussed below). Credit reporting participants must take reasonable steps to inform a person, whenever they collect personal data (which excludes credit information), of the purposes for which the data is collected (CICRA 2005, Regulation 11(4)). The IT Act 2000 provides no such rights. There is no right to be positively notified of disclosures of personal information, except as described below in relation to credit reporting. When a credit institution or other specified user denies credit or any other service to a person on the basis of his credit information report, they must within 30 days provide him in writing with the specific reasons for rejection, a copy of the credit information report, and the name and address of the CIC concerned (CICRA 2005, Regulation 10(c)). This is one of the most effective forms of confirmation of processing, advising the person of processing by both credit institution and CIC at the point of adverse decision. The Right to Information Act 2005 requires a public authority (or other body bound by the RTI Acts) to provide reasons for its administrative or quasi-judicial decisions to affected persons (s4(1)(d)), which is a significant enhancement to the right of access to personal information and has resulted in numerous reported decisions.

Publicly accessible data (Public Registers)
There are no general provisions in India controlling the use of personal information in publicly accessible government data registers ('public registers'). The Right to Information Acts have a limited effect. Where personal data has not been placed in a public register, there are limited protections available against the disclosure of third party personal data as a result of a RTI application (as discussed earlier under 'Purpose limitation principle: disclosure limitations'). But the RTI Acts do not prevent Indian governments from disclosing personal data (or other information) by means other than RTI applications. They do not create a separate right of privacy outside the context of a RTI application.

The Internet
There are no general provisions concerning privacy and the Internet. As a result, neither user-generated content/social networking sites (SNS) nor journalistic publications which disclose personal information come under any special regulation (or need any special exemption). The IT Act 2000 includes an offence of 'Publishing of information which is obscene in electronic form' (s67), which is broader than its title suggests as it covers inter alia any material which 'is lascivious or appeals to the prurient interest'. There is also a very specific offence where a person publishes or transmits the image of a private area of any person without his or her consent (s66E).

Access rights
Public sector information
The Right to Information Act 2005 applies to every 'public authority' established under the Constitution or a central or State law, or a notification or order by a government, and includes any body 'owned, controlled, or substantially financed', or non-government organization (NGO) 'substantially financed', directly or indirectly by government funds (s2(h)). The right to access therefore applies to substantial parts of the private sector.65 Subject to exceptions in the Act, all citizens have the right to information (s3). The right does not therefore extend to non-citizens, and would therefore fall short of adequacy from the EU perspective. The right to information applies to any information held by or under the control of any public authority, and includes inspections, certified copies, and obtaining information '. . . in any other electronic mode or through printouts where such information is stored in a computer' (s2(j)). The right to access information held by public authorities is much broader than the right to access one's own data, but it encompasses that right. Citizens can access their own records under the Act. Where some part of the information they seek to access is exempt under s8, s10 requires that as much information as can be severed must be provided. For example, while information about which particular public servants had been granted leave on which dates was regarded as personal information unconnected with the government affairs of an official, and therefore exempt from disclosure under s8(1)(j), the details with the names removed were required to be disclosed.66
65 For example, 'a stock exchange being a quasi governmental body working under the statute and exercising statutory powers has to be held to be a public authority within the meaning of section 2(h)': Smt. Raj Kumari Agrawal and Others v Jaipur Stock Exchange Ltd., Jaipur and Others, Decision No. CIC/AT/A/2006/00684 & CIC/AT/A/2007/00106, [2007] INCIComm 1751 (7 June 2007).
66 Shri Kartikey Vyas v Employees Provident Funds Organisation, Decision No. 174/ICPB/2006, [2006] INCIComm 1029 (4 December 2006).

Credit information
The CICRA 2005 allows a person who applies for credit to request the credit institution to furnish him or her with a copy of the credit information provided by the CIC (s21(1)), and they must do so subject to payment of such charge as the Reserve Bank has specified by regulations (s21(2)). The CIBIL website67 sets out how consumers can access a copy of their credit bureau file and obtain corrections, but does not indicate that this is pursuant to the legislation, and does not appear to charge access fees consistent with the legislation.
67 CIBIL website, 'Access your CIBIL credit record', at <http://www.cibil.com/accesscredit.htm>.

Correction rights
There is no right to correction of personal information in either the IT Act 2000 or the Right to Information Act 2005. Although under the latter Act the Central Information Commission or State Information Commissions can receive complaints from a person who believes that he or she 'has been given incomplete, misleading or false information under this Act' (s18(1)(e)), these references to incompleteness and falsity do not appear to refer to the nature of the personal information about the individual, but instead to a comparison between what is really in the government records and what is disclosed.68
68 For an example of a case on s18(1)(e) on such an issue, see Shri Gaurav Jain v Delhi Development Authority (DDA), Decision No. CIC/WB/C/2007/00198, [2007] INCIComm 4338 (30 November 2007), <http://www.commonlii.org/in/cases/INCIComm/2007/4338.html>.

Credit information
In contrast, the CICRA 2005 allows borrowers or clients to ask any credit reporting participant to update the credit information that they hold, 'by making an appropriate correction or addition or otherwise', and requires this to be done within 30 days (s21(3)). Rule 25 makes it clear that it is the responsibility of the CIC to take proactive steps to check with the CI that provided the information whenever it is informed about any inaccuracy, and (until the matter is resolved) it must inform subsequent inquirers that the debt is disputed. CIBIL tries to claim69 that it has no responsibility for correcting inaccurate information in its records. Its approach does not seem to be consistent with the Act.
69 'Q14 Rectifying Information in your CIR' in CIBIL FAQ at <http://www.cibil.com/consumerfaqs.htm>.

Rights to oppose processing

As discussed in the section on direct marketing, there is a right to object to telemarketing by using the National Do Not Call (NDNC) system established under the Telecom Unsolicited Commercial Communications Regulations 2007. There are no other rights to object to direct marketing, or to object to any other form of processing, including credit reporting.

VI. Procedural and enforcement mechanisms

As is obvious from the preceding sections, in India there is no single Act providing the predominant procedural and enforcement mechanisms for data protection, and thus no single public authority in India as yet has a predominant responsibility for enforcement. It is therefore necessary to consider the contributions of a number of Acts and organizations.

Independence and functions of supervisory authorities

It is useful to first review the independence, powers, and functions of those institutions that could potentially carry out a broad data protection mandate. India's courts do have the necessary degree of independence for a supervisory body, but do not have an ongoing role in administering data protection rights beyond periodic interventions. Some bodies such as the Consumer Disputes Redressal Commissions have a very limited scope in relation to privacy and will not be discussed here. The National Human Rights Commission (NHRC) is the only organization to which complaints about interferences with privacy can be made for the purposes of initiating an investigation, but it does not have enforcement powers, and does not yet play any role in relation to privacy.

Central Information Commission
The Central Information Commission (Chief Information Commissioner and up to ten Information Commissioners) has independence guaranteed by statute (Chapter III of the Right to Information Act 2005). Commissioners are appointed by the President on advice from a parliamentary Committee (s12(3)). They exercise their powers without being subject to direction (s12(4)). Appointment is for five years only (s13). The Commissioners operate with independence from government and have protection against removal from office except for proven misbehaviour or incapacity, found in a report to the President by the Supreme Court (s14). They have powers of investigation, to hear appeals, to award remedies and to order remedial and compliance actions to be taken. They have many of the attributes desirable in a data protection authority, but only in the very limited ambit of rights of access in the public sector. The Central Information Commission and State Information Commissions are empowered (s18) to receive and investigate complaints from any person who has been refused access or not given an answer within the time specified in the Act, or has been given incomplete, misleading or false information, and in respect of any other matter relating to requesting or obtaining access to records. Commissioners have power to examine any records (s18(4)). They are probably the closest legislative model for a data protection authority in the Indian system. The Central Information Commission's website70 contains an exceptionally broad and informative collection of information about administration of the Act, including standards for penalties. By January 2010 it had already published 33,307 decisions in four years.71
70 Central Information Commission website at <http://www.cic.gov.in/>.
71 CIC decisions on CommonLII at <http://www.commonlii.org/in/cases/INCIComm/>.

Cyber Regulations Appellate Tribunal and adjudicating officers
The IT Act 2000 establishes its own enforcement regime. Any contraventions of the IT Act coming under Chapter IX (Penalties and Adjudication) are to be heard by an adjudicating officer (AO) appointed by the Central Government, who holds an inquiry in a manner to be prescribed (s46(1)). AOs must have experience in the field of Information Technology and legal or judicial experience (s46(2)). AOs have the same powers as a civil court as are conferred on the Cyber Appellate Tribunal. This would seem to give both bodies independence from government instructions in carrying out their duties. Anyone aggrieved by an order of an AO may appeal to a Cyber Appellate Tribunal with jurisdiction in the matter (s57(1)). Cyber Appellate Tribunals may be appointed by notification by the Central Government, with jurisdiction over specified matters and places (s48). They comprise a Chairperson (with qualifications as a High Court judge) and other Members (with ICT and legal qualifications) (ss49-50). Tribunals are not to be bound by civil procedure laws but 'shall be guided by the principles of natural justice' (s58(1)), and have the same enumerated powers as a civil court (s58(2)). To date, the Cyber Appellate Tribunal has delivered decisions in nine matters (in 2009),72 seven dealing with the relationship between proceedings before it and arbitration proceedings, and the rest concerning procedural aspects of a dispute over allegedly defamatory emails. As yet no appeals from a Cyber Appellate Tribunal have been heard by a High Court. This aspect of India's data protection structure is newly established, and it is premature to assess how well it will work, including its independence.
72 Available at <http://www.mit.gov.in/content/judgment-cat>.

Credit reporting
It is impossible to say yet how the functions of supervisory authorities will operate in relation to India's credit reporting law. The complex framework comprising the Act (CICRA), Regulations, and Rules says very little about a supervisory system that will need to deal with many thousands of complaints each year (perhaps hundreds of thousands) if the credit reporting data protection system is to have any substance. At present, it is even difficult to identify the supervisory structure and relevant bodies. The Reserve Bank of India (RBI) is clearly the supervisory authority in relation to offences and penalties (ss23-26). Otherwise, the Act says little about the resolution of credit reporting disputes. Under s18, where there is 'any dispute . . . on matters relating to business of credit reporting between CICs, CIs, borrowers and clients . . . for which no remedy has been provided under this Act', then the dispute 'shall be settled by arbitration' as provided in the Arbitration and Conciliation Act 1996. The RBI appoints the arbitrator, who must settle the matter within 3 months unless extended (s18(2)). It seems unlikely that the relatively cumbersome procedures of arbitration legislation could effectively give redress in relation to large numbers of consumer credit disputes (usually the most numerous data protection disputes), so it seems likely that some other remedial approach needs to be provided. The Reserve Bank of India has power to make regulations under the Act (s37(3)) which can cover procedures relating to credit information (s37(2)(e) and s20(f)). The Regulations made do not cover dispute resolution. Does Indian credit reporting law provide an independent supervisory body? The RBI is clearly the relevant supervisory authority in relation to offences and penalties (ss23-26) and offences by CICs and CIs. It controls which offences can be heard by courts (s24 'Cognizance of offences'). Given the wide range of functions of the RBI, credit reporting regulation is a minor function, and it would seem unlikely to be subject to government interference on this issue.
However, it is questionable on different grounds whether the RBI would be an independent supervisory authority in relation to credit reporting, because it has been and still is the main proponent, and administrator, of increased credit surveillance in India. As such, it may have a conict of interest in relation to protecting the rights of data subjects.

AO might possibly demonstrate independence over time, but it is too early to tell, and at present they have no role at all to play in relation to data protection. At present, with credit reporting regulation in India in such a formative and inchoate state, it would be premature to say that it has supervisory authorities with the requisite independence.

The role of the courts in data protection


Courts can contribute to a system of independent adjudication either by having original jurisdiction, or by having appellate jurisdiction over some other supervisory body.

Downloaded from http://idpl.oxfordjournals.org/ at Sri Krishna Devraya University on November 9, 2011

Matters in the original jurisdiction of the courts Indian courts have original jurisdiction to hear cases concerning breaches of the implied constitutional right of privacy, and the as-yet-undeveloped areas of the tort of invasion of privacy, and the expanded action of breach of condence to protect privacy. There is some potential for class actions (public interest litigation) before Indian courts. These avenues have as yet produced few developments in relation to data protection rights. The original jurisdiction of courts to hear credit reporting matters under CICRA is discussed below. Rights of appeal There is usually a right of appeal to the Courts from other supervisory bodies, which is a generally positive feature of Indias limited data protection rights. Concerning the right to information, a rst appeal against a decision by a body bound by an RTA Act lies before a more senior Central or State Public Information Ofcer than the one who made the original decision (an internal review). Thereafter a second appeal lies before the relevant Central or State Information Commissioner (s19). There are strict time limits within which appeals must be heard. There is a right of appeal from the Information Commissioners decision to a High Court. However, there is no direct right of action before the courts under the Act (s23). In relation to the IT Act, no civil court may exercise jurisdiction over any matter which an AO or a Cyber Appellate Tribunal is empowered to determine73 under Chapter IX (Penalties and Adjudication) of the IT Act 2000. Nor do injunctions lie against them (s61). Instead, there is a right of appeal from a decision of a Cyber Appellate Tribunal to a High Court within 60 days on any questions of law or fact (s62).
Address 122.163.98.166 (25 August 2008) Delhi High Court at ,http:// indiankanoon.org/doc/1625957/..

Conclusions The Information Commissions have the highest degree of independence. The Cyber Appellate Tribunal and
73 However, a pleading in a civil suit before a court which raises a claim under the IT Act will not invalidate the pleading, and the civil court still has jurisdiction to hear any other matters pleaded: Jcb India Ltd v I.P.

Graham Greenleaf . Promises and illusions of data protection in Indian law

ARTICLE

67

If the Reserve Bank imposes nes concerning credit reporting, this bars actions being taken in the Courts (s25(3)). However, [w]here any complaint has been led in any court against a CIC or a CI or specied user, for breaches of most of the data protection provisions in the Act (s22(2) or s23(2)(4)), then no proceedings seeking a penalty shall be taken before the RBI (s25(6)). This implies that courts have original jurisdiction to hear most credit reporting prosecutions involving data subjects, but not if the matter is rst heard by the RBI. There have been no such cases before the courts as yet. Courts cannot take congnizance of offences by CICs or CIs under s24, except by specied procedures which do not allow data subjects to initiate prosecutions (s24). There is a right of appeal from the decisions of Consumer Disputes Redressal Commissions to the Courts, and appeals do occur.

assistance, or that the Reserve Bank or its Banking Ombudsmen does so in relation to credit reporting. The Human Rights Commission has not dealt with complaints concerning data protection.

Remedies
The Indian Constitution Art. 32 provides very extensive powers to the Supreme Court to enforce constitutional rights,75 but this does not include a right to obtain compensation. Legislation can empower other courts to exercise these rights within the limits of their jurisdiction (Art. 32(3)), and the Constitution itself gives this power to all High Courts throughout the territories in which they exercise jurisdiction (Art. 226). The Information Commissioners can require public authorities to comply with the Acts concerning the right to information, including ordering access to information in a particular form. They can also require compliance by making necessary changes to its practices in relation to the maintenance, management and destruction of records (RTI Act s19(8)(a)(iv)). Questions of security and destruction of records can therefore be raised where they relate to questions of access. Perhaps the most signicant power in such Commissions is to require the public authority to compensate the complainant for any loss or other detriment suffered (RTI Act s19(8)(b)). This power to compensate, which is unusual internationally for mere failure to provide access, is used and does result in signicant awards of compensation.76 The credit reporting legislation provides for penalties and (as discussed earlier) has provisions concerning arbitration which seem inappropriate. The CICRA 2005 Chapter VIII provides for offences and penalties, three aspects of which are relevant to data protection (s23).77 Where s23 contraventions occur, or there is unauthorized access under s22(2), the Reserve Bank may impose nes on the same penalty scale (s25). This bars further Court proceedings (s25(3)). A court imposing such nes may direct that nes may be applied towards payment of the costs of the proceedings, or for such purposes as may be directed by the court (s26). This could allow the
because of denial of his dream job, as an IAS ofcer: Shri Kumar Avikal Manu v DoPTAdjunct, Decision No. 458/IC(A)/2006 [2007] INCIComm 305 (6 February 2007). 77 (i) A wilful breach of the Privacy Principles in s20 (including those set by the Reserve Bank through regulations) is punishable by a ne of one crore Rs (10,000,000 Rs or US$200,000); (ii) Knowing provision of false credit information is punishable by a ne of one crore Rs (10,000,000 Rs or US$200,000); (iii) A contravention of any other provision of the Act, or of any rule etc made thereunder and not specically penalised, is punishable by a ne of up to one lakh Rs (and 5,000 Rs per day for continuing contraventions) (100,000 Rs or US$2,000, and US$100/day).

Downloaded from http://idpl.oxfordjournals.org/ at Sri Krishna Devraya University on November 9, 2011

Assistance to individual data subjects


Individuals need to be able to enforce their rights with reasonable speed and effectiveness, and without prohibitive cost. Some institutional mechanism allowing independent investigation of complaints is provided by data protection regimes in most countries. It is likely that the State and Central Information Commissions as public authorities are overall providing sufcient support and help to data subjects in relation to the RTI Acts. Public Information Ofcers (PIOs) in public authorities under the RTI Acts are required to render reasonable assistance to the [applicant] to reduce [his request] in writing.74 Every Indian government website provides prominently located information about how to exercise RTI rights against that particular government authority. In the State and National Consumer Disputes Redressal Commissions the position is similar. Otherwise, in India there is no data protection ofce to advise data subjects on any aspect of data protection rights, or assist them to pursue their claims. There is no evidence that newly established bodies such as the Cyber Regulation Appeals Tribunal are providing such
74 VK Puri, Right to Information Practical Handbook (JBA Publications 2010) at 2.3. 75 Constitution Art. 32(2): The Supreme Court shall have power to issue directions or orders or writs, including writs in the nature of habeas corpus, mandamus, prohibition, quo warranto and certiorari, whichever may be appropriate, for the enforcement of any of the rights conferred by this Part. 76 Where a handicapped person was victimized for applying for information under the Act and not offered a job, the denial of information resulted in the maximum penalty of Rs 25,000 being imposed on the relevant ofcial, plus compensation to the victim equal to the amount of the salary and allowances already paid to the successful job applicants,

68

ARTICLE

International Data Privacy Law, 2011, Vol. 1, No. 1

court to apply nes toward compensating victims. This is not the same as a civil action because the victim cannot initiate it. The legislation appears to rely entirely on enforcement through prosecutions, with no clear procedures by which complaints can be made (other than through the unlikely recourse to arbitration). Thus, insofar as Indian law provides data protection rights, the supervisory bodies which administer and enforce those rights do generally have a reasonable range of remedies available to them, except that civil remedies are lacking in relation to credit reporting.

How much compliance results?


While India has established some supervisory bodies with varying degrees of independence, some enforcement powers, and provision for appeals to the courts and in relation to a very narrow range of data protection rights, there is as yet little evidence that those enforcement mechanisms actually deliver a signicant level of compliancewhether voluntary or through individuals complaining or taking actions. Most of the data protection structure that exists in theory is not yet functioning. The most striking lacuna is in relation to credit reporting. There is nothing on the websites or the most recent annual reports of the Reserve Bank, or the Banking Ombudsman about how dispute resolution does or will work in relation to credit reporting, and no indication that any disputes are being heard or resolved. The website of the largest CIC, Credit Information Bureau (India) Ltd (CIBIL)78 does not refer to the Act. Although there are numerous Indian website dealing with consumer disputes, they show little awareness that CICRA exists, and none that its provisions are being enforced.79 The one exception is the right to information. Although only a small percentage of the more than 30,000 cases decided by the Central Information Commission80 concerning the Right to Information Act deal with personal or private affairs or information, the numbers are nevertheless signicant. The reported cases show that the procedures are working well enough. There is a great deal of media interest in the RTI cases, which increases the transparency of the system.

VII. Conclusions: Illusions versus reality


India is still at a very early stage of developing personal data protection. Some of the signs are promising but
78 CIBIL website ,http://www.cibil.com/rbi.htm.. 79 Use a search engine to search for India credit information .

the most important legislative protections are as yet, not functioning. In particular, the key data protection provisions of the 2008 amendments to the Information Technology Act 2000 are not yet effective, and the consumer protections in the credit reporting legislation appear to be ignored by regulators and credit bureaux alike. At present India does not provide signicant protection to personal data in relation to all or most of the common privacy principles, in any sector, to meet any international standards. The principles which have been given the most substantial legislative implementation are: (i) the right of access (but only in relation to public authorities); (ii) the security principle in relation to the private sector, subject to how s43A is implemented; (iii) the right to opt-out from direct marketing, but only in relation to telemarketing; and (iv) most data protection content principles in relation to credit reporting. The credit reporting principles contain most elements of a normal data protection regime, and could be generalized to cover other types of personal data. Some Indian supervisory bodies have aspects of the independence, powers, and available remedies that could contribute to a useful data protection regime if (as is not the case) they were administering broad sets of principles. This is particularly so of the Information Commissions administering the RTI Acts, though they might not be able to exercise all of the functions of a supervisory body (e.g. providing assistance to data subjects) even if the RTI laws contained a full set of data protection rights. In contrast, although the credit reporting sub-sector has on paper data protection principles and remedies that approach international standard, the Reserve Bank as a regulatory body has questionable independence, the legislation does not provide an enforcement system of use to the consumer, and the Bank does not provide any information about its enforcement activities. 
There is no evidence of delivery of any level of compliance. There is also as yet no signicant self-regulation for the purposes of data protection usable by data subjects in India. If some of these data protection deciencies are remedied, any protections must be balanced against the developments in Indias increases in surveillance powers in such areas as the IT Act (following the 2008 amendments), the proposed unique ID number system, the expansions of the credit surveillance system once the newly-authorized CICs become operational, and
80 See ,http://www.commonlii.org/in/cases/INCIComm/., search for right to information act or rti act.

Downloaded from http://idpl.oxfordjournals.org/ at Sri Krishna Devraya University on November 9, 2011

Graham Greenleaf . Promises and illusions of data protection in Indian law

ARTICLE

69

the identication system being established for the 2011 census. How these surveillance measures are implemented in practice, and whether they are accompanied by further legislation or regulations providing data protection guarantees, will have signicant implications for the overall level of data protection India provides. This situation is likely to undergo major developments over the next few years. Deceptions, illusions, and promises are often hard to separate. Overall, India has not yet implemented personal data protection to a signicant extent, and

it is still an open question whether it is taking steps to do so, or whether this is an illusion. External observers need to suspend their belief in promises even when embodied in legislation, and insist that India move from illusions or promises to veriable reality, if it wants its data protection efforts to be acknowledged as providing an international standard of protection. doi:10.1093/idpl/ipq006 Advance Access Publication 17 November 2010
Downloaded from http://idpl.oxfordjournals.org/ at Sri Krishna Devraya University on November 9, 2011

You might also like