This article is written by Aditi Aggarwal, of Symbiosis Law School, Noida. The article discusses the recommendations of the 2012 privacy report and its relevance in the present-day scenario by analysing the current frameworks regarding privacy in India.

Introduction

In January 2012, the Government of India established an expert committee on privacy, namely the Shah Committee which was chaired by Justice AP Shah. The Committee was established to review the best international practices on privacy and to recommend a framework for privacy legislation in India. The recommendations contained in the Report served as the blueprint for privacy legislation in India and a gaping void in India’s legal regime that needed to be filled.

The article aims to analyze the provisions relating to privacy that came into effect after the report was published. After the analysis, the contemporary relevance of the report would be discussed.

Five salient features of the proposed framework

Technological neutrality and interoperability with international standards

The Report suggested that the proposed framework must be technologically neutral and interoperable with international standards. Step by step features of this particular feature is as follows:

• The privacy law should not mention specific technologies and should be sufficiently versatile so that the principles and mechanisms applied can adapt to changes in society, technology, government, and the market.
• To this end, it is important to closely coordinate privacy rights with multiple international systems, build trust and promote cooperation between national and international stakeholders, and provide equal and adequate protection for data processed inside and outside India. 
• In this process, the framework must recognize that data has economic value and that the global data flow creates value for the individual who is the creator of the data and the company that collects and processes the data. 
• Therefore, one of the methods of the framework should be to inspire the trust of global customers and their end-users, while not harming the interests of national customers in improving privacy protection.

Multi – dimensional privacy

The Right to Privacy was recognized in multiple dimensions and according to the report, it must include the following concerns regarding data protection:

• Appropriate protection from unauthorized interception
• Video and audio surveillance
• Use of personal identifiers
• Bodily privacy including DNA as well as physical privacy

Horizontal applicability

According to the report, any privacy legislation that is proposed must be applicable to both- the government and the private sector. Furthermore, the report mentions that since the international trend is to develop a unified set of regulations to manage the public and private sectors, and these two sectors handle large amounts of data in India, both should be included in the scope of the proposed legislation.

Conformity with privacy principles

The report also recommended nine basic privacy principles that would form the basis of India’s proposed privacy law. The principles were taken from the best international practices and appropriately adapted to the situation in India, aiming to provide a basic level of privacy protection for all individual stakeholders. The basic idea of ​​emphasizing these principles was to make data controllers responsible for collecting, processing, and using data, so as to ensure that the privacy of data subjects is protected.

Principle 1- Notice

Before collecting any personal information from all individuals, the data controller shall notify all individuals of their information practices in a clear and concise language. The notice should be in a simple and an understandable manner.

Principle 2- Choice and Consent

After providing its information practices, the data controller shall give individuals the choice to opt-in or out with regard to providing their personal information and taking their individual consent. 

After the consent, the data controller except in the case of authorized agencies shall collect, use, disclose, or process such information to third parties. The data subject shall have the option of withdrawing his/her/their consent given earlier at any time while availing the services or otherwise. In this situation, the data controller shall also have an option not to provide those goods/services for providing which information sought was necessary. In special circumstances, if it is impossible to provide services with choice and consent, then choice and consent should not be required. 

Principle 3- Collection Limitation

According to this principle, a data controller shall collect personal information from data subjects through lawful and fair means if it is necessary to collect. It could be necessary for the purposes identified for such collection. 

Principle 4- Purpose Limitation

Data of individuals collected and processed by the data controllers should be firstly, adequate, and secondly, relevant to the purposes for which they are processed. After the personal information is used according to the determined purpose, it shall be destroyed according to the determined procedure. Government data retention requirements must comply with national privacy principles.

Principle 5- Access and Correction

Personal information provided by the individuals shall be accessible to them and in case it is not accurate, they shall be able to seek any correction, amendments, or deletion of that information. The confirmation shall be allowed along with obtaining a copy of their personal data. One condition is that if any of this would lead to infringing another person’s privacy rights (unless express consent has been given), access and correction may not be provided.

Principle 6- Disclosure of Information

Personal information shall not be disclosed to third parties without giving proper notice and taking informed consent from the individual concerning such disclosure. 

In addition, even third parties must comply with relevant and applicable privacy principles. Disclosures for law enforcement purposes must comply with applicable laws. The data controller shall not publish or otherwise disclose personal information, including sensitive personal information.

Principle 7- Security

The personal information that is collected or is in the data controller’s custody shall be kept secured by reasonable security safeguards that are against unauthorized access, loss,  processing, storage, destruction, use, modification, unauthorized disclosure [either accidental or incidental], deanonymization or any other reasonably foreseeable risks.

Principle 8- Openness

Necessary steps shall be taken to implement procedures, practices, policies, and systems in a proportional manner to the scope, sensitivity, and scale of the data collected by the data controller. This is to ensure compliance with the privacy principles and information. 

Principle 9- Accountability

The data controller shall be accountable to comply with measures like mechanisms to implement privacy policies including tools, training, and education along with external and internal audits and requirement of overseeing bodies/organizations to extend necessary support along with complying with the specific and general orders of the Privacy Commissioner to give effect to the privacy principles.

Co-regulatory enforcement regime

This report recommended the establishment of the office of the Privacy Commissioner at both the Centre and region. For enforcing the provisions of the Act, the Privacy Commissioner would have the primary authority. Along with this, it recommended a system of co-regulation, with equal emphasis on Self-Regulating Organisations (SROs), which would be responsible for ensuring compliance with the law and is subject to the regular supervision of the Privacy Commissioner. SROs would be responsible to create awareness about the right to privacy, having industry-specific knowledge, and explaining the sensitivities of privacy protection within the industry and within the public in respective sectors.

The co-regulatory regime recommendation would not derogate from the powers of courts which would be available as a forum of last resort in cases where there is a persistent and unresolved violation of the Privacy Act.

Aadhar Act, 2016

The Aadhaar Act, 2016 was introduced to provide legislative support to the world’s most ambitious personal identity scheme, which aims to provide a unique identification number for the entire population of India. The basic principle behind the plan was to correctly identify the beneficiaries of government programs and subsidies, thereby reducing the leakage of government subsidies. 

To promote this basic principle, the Aadhaar Act gives the Unique Identification Agency of India (“UIDAI”) the power to register individuals by collecting personal biometric and demographic information and issuing an Aadhaar number.

Certain provisions of Aadhaar Act in the context of principles suggested by the A.P. Shah Committee

Notice

Notice during collection

The Aadhaar Act states the requirement of the agency which is enrolling individuals for Aadhar number distribution to give them notice relating to:

• How the information shall be used.
• The information about the recipients’ nature with whom the information is intended to be shared during authentication.
• The existence of a right to access information, the procedure for making requests for such access, and the details of the department or person-in-charge to whom the individuals can make such requests.

Failure to comply with this requirement will result in the agency being liable for either a fine of rupees 10,000 or imprisonment extendable up to 3 years or both. The maximum fine amount is Rs. 10,00,000 in the case of companies.

Notice during authentication

Authenticating agencies are required to give the following information under the Aadhar Act to the individuals whose information is to be authenticated: 

• The nature of the information which upon authentication, may be shared.
• The received information may be put to several uses by the requesting entity and that needs to be informed to the individual whose information it is.
• If there are any alternatives to identity information submitted to the requesting entity. 

In case of failure in complying with the requirements, the agency would be liable for a fine of Rs. 10,000 or for imprisonment extendable to 3 years or both. The fine amount is Rs. 10,00,000 (maximum) in the case of companies.

Collection Limitation

Collection of Biometric and Demographic Information

For obtaining an Aadhar number under the Act, there needs to be a submission of biometric data of residents like iris scan, photograph, fingerprint along with demographic information like date of birth, name, and address.

The Act does leave scope for the collection of more information if specified by regulations. Because of this, it becomes possible for enrolling agencies to collect individuals’ extra information and that too without any legal implications.

Authentication Records

It is a mandate for the UIDAI to have authentication records but that does not give it the right to keep/collect any information for which the authentication request was made.

Unauthorized Collection

If a person authorized to collect information does so by pretending that he is an authorized person is mandatorily punished with either an extendable fine up to rupees 10,000 or for imprisonment for an extendable term of up to three years or both. The fine amount in the case of companies is rupees 10,00,000.

Access and Correction

Updating Information

Under the Act, the UIDAI has the power to ask the residents for updates from time to time on the biometric and demographic information from time to time to maintain its accuracy.

Access and alteration of Information

The holders of Aadhaar number may request the UIDAI to access their identity information which can also be requested to be altered if it has changed or is incorrect, but here core biometric information is an exception and cannot be asked to be accessed, the reason for which is unclear. Biometric information though can be asked for alteration if it has changed or it is lost.

Upon receipt of such a request, necessary alteration is done only if the UIDAI is satisfied. It is also provided that identity information in the Central database can be altered if it is provided in the regulation.

Access to Authentication Record

Every individual has the right to obtain his/her authentication record as prescribed by regulations.

Disclosure

Authentication query

Any authentication query has to be given a reply by the UIDAI with any kind of appropriate response. 

Potential Disclosure during Maintenance of CIDR

The UIDAI has the power to appoint one or more entities for establishing and maintaining the Central Identities Data Repository (CIDR). Further, the UIDAI has been given the freedom of appointing an outside entity for the purpose of maintaining a sensitive asset such as the CIDR and this particular fact raises security concerns.

Restriction on information sharing

There is a blanket prohibition under the Act on the usage and sharing of Aadhaar numbers. Core biometric information can only be used for generating Aadhaar numbers. Other identity information is allowed to be shared as per the manner prescribed by the Act or the regulations. 

The law also stipulates that the requesting entity shall not disclose demographic information unless the person involved in the information has approved. 

In addition to regulations, public display of Aadhaar numbers or central biometric information is prohibited. It is forbidden for officials or UIDAI or employees of agencies employed to maintain the CIDR to disclose the information stored in the CIDR or identity verification records to anyone.

Penalty for Disclosure

Anyone who knowingly and unauthorizedly discloses, transmits, reproduces or otherwise disseminates any demographic information collected during the registration or authentication process will be punished with up to 3 years in prison or a fine of rupees 10,000 or both. In the case of a company, the maximum fine will be increased to Rs. 10,00,000.

Furthermore, anyone who deliberately accesses CIDR information in an unauthorized manner, downloads, copies, or extracts any CIDR data, or shares or reveals or distributes any identifying information will be punished with up to 3 years in prison. Years and fines not less than Rs. 10,00,000.

Consent

The requesting entity must obtain the consent of the individual before collecting their identity information for authentication purposes, and must also inform the individual of alternatives for submission of demographic information. 

Purpose

The authentication entity can only use the identity information for the purpose of submitting it to the CIDR for authentication.

In addition, the law stipulates that the identity information available to the requesting entity will not be used for any other purpose than that specified to the person when submitting the information for authentication.

The law also stipulates that any identity verification entity that uses information for any unspecified purpose shall be punished with up to 3 years imprisonment or a fine of rupees 10,000 or both. For companies, the maximum amount of fine shall be rupees 10,00,000.

Security

Security and confidentiality of information

UIDAI is responsible for ensuring the security and confidentiality of identity and authentication information and needs to take all necessary measures to ensure that the information in the CIDR remains authorized while ensuring that it is not damaged, destructed, or lost. 

In addition, UIDAI has to adopt and implement appropriate technical and organizational security measures while ensuring that its contractors do the same. It is also needed to ensure under the Act that agreements with contractors are imposing the same conditions as are imposed on UIDAI and that they shall act only on its instructions.

Biometric information to be an electronic record

Biometric information collected by UIDAI is considered “electronic records” and “sensitive personal data or information”, which means that provisions of the Aadhaar Act along with the provisions of the Information Technology Act 2000 would be applied to such information.

Accountability

Inspections and audits

One of the functions listed in UIDAI’s powers and functions is the power to request information and records, to inquire, to inspect, and to audit the operations of CIDR, enrolling agencies, registrars, and other institutions designated under the Aadhaar Act.

Grievance redressal

UIDAI’s other function is to set up grievance redressal mechanisms for grievances redressal and facilitation centres, enrolling agencies, registrars, and other service providers. 

Openness

Although UIDAI is responsible for maintaining the security and confidentiality of information, there appears to be no provision in the Aadhaar Act that requires UIDAI to provide its privacy policies and procedures to the general public.

Dispute regarding the Aadhar Act

Justice K.S. Puttaswamy and Anr. v. Union of India (2018)

This is a landmark case where the status of a fundamental right was given to the right to privacy and thus its status was retained amongst the Golden Trinity of Article 14 (Right to Equality), Article 19 (Right to Freedom) as well as Article 21 (Right to Life and personal liberty).

The case was filed by K.S. Puttaswamy, a retired High Court judge, who challenged the government’s proposal for a unified biometric ID card that would be needed for having access to government services and benefits. The case dealt with two fundamental questions, first question was on the validity of the Aadhar card and secondly, whether the right to privacy is a fundamental right.

Regarding the first question, the Court confirmed that the Aadhaar Act is constitutionally valid. It stated that the law empowers disadvantaged groups in society by providing them with better access to fundamental entitlements, such as state subsidies. The Court held that the law was passed by Parliament, even though it was passed as a Money Bill. And thus, the Act does not violate the fundamental rights guaranteed by Articles 14, 15, 19, and 21.

The petitioner argued that the Right to Privacy was an independent right, guaranteed by the Right to Live With Dignity under Article 21 of the Indian Constitution. On the other hand, the respondent argued that the Constitution of India only recognized personal liberties which may incorporate within their ambit, Right to Privacy, but only to a limited extent.

The petitioner argued that the Right to Privacy is independent and is guaranteed by the right to live with dignity under Article 21 of the Constitution of India. On the other hand, the defendant argued that the Constitution of India recognizes personal freedom that may be included in its scope, but only to a limited scope. The nine Justices of the Supreme Court unanimously agreed that the right to privacy is a constitutionally protected right in India and is an inherent part of the right to life and personal liberty under Article 21. 

While giving judgment under the Navtej Singh Johar vs Union Of India Ministry Of Law And Justice (2018) and aspect of privacy under the case, the Supreme Court referred to the above case.

Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 were notified under the Information Technology Act, 2000 on February 25, 2021, to replace the 2011 Rules. The Act provides for the regulation of electronic transactions and cybercrime.  

Key features of new IT Rules

Due diligence by intermediaries

An intermediary is an entity that stores or transmits data on behalf of others. Intermediaries include Internet or telecommunications service providers, online markets, and social media platforms. The due diligence that intermediaries must comply with includes: 

• Informing users about the rules and regulations, privacy policies, and the terms and conditions of use of their services. 
• As per the court or government orders, blocking access to illegal information within 36 hours. 
• The information that is collected for user registration after withdrawal or cancellation of registration, retaining it for 180 days

Intermediaries are required to report cybersecurity incidents and share relevant information with the Computer Emergency Response Team of India. 

Significant social media intermediaries

If a social media intermediary’s registered Indian users go above a threshold, such intermediary would be known as ‘Significant Social Media Intermediary.’  

Such intermediaries have to observe the following due diligence:

• Appointment of a chief compliance officer for ensuring compliance with the IT Rules and Act
• Appointment of a grievance officer residing in India. 
• Publishing of a monthly compliance report. 

Intermediaries who provide messaging as their primary service must be able to identify the first initiator of information on their platform. If required by a court or government order, the promoter must be disclosed. Such orders will be used for specific purposes, including the investigation of crimes related to national sovereignty and security, public order, or sexual violence. 

Code of Ethics for Digital Media Publishers

The Rules prescribe the code of ethics for publishers of digital media that include content providers of OTT platforms and of news/current affairs.

For news and current affairs, the provider has to follow the norms formulated by the Press Council of India regarding journalistic conduct and program code under the Cable Television Networks Regulation Act, 1995. 

For OTT platforms, requirements are, improving content accessibility keeping in mind the disabled persons, implementation of a mechanism for age verification to access adult content, and accessing measures like parental controls.

Grievance redressal: The Rules require the establishment of a grievance redressal mechanism as per which the intermediaries have to designate a grievance officer for addressing the complaints (which have to be taken into account within 24 hours and disposed of within 15 days) against violation of the Rules.  

A three-tier grievance redressal mechanism has been given for addressing complaints regarding content by digital media providers i.e. as follows: 

• Self-regulation by the publishers.
• Self-regulation by the self-regulating bodies of the publishers.
• Central government oversight mechanism (as a part of this, an Inter-Departmental Committee would be established by the Ministry of Information and Broadcasting to hear the grievances which are not addressed by self-regulatory bodies along with overseeing adherence to the code of ethics).

A grievance redressal officer based in India has to be appointed by the publisher and complaints have to be addressed within 15 days.

Blocking of content in case of emergency

In an emergency, authorized personnel can check the content of digital media, and secretaries and MIBs can block such content through temporary addresses. The final content blocking order can only be approved after the interagency committee approves it. The content must be unlocked in case of non-approval.

Formulation of the committee of experts in 2017

On July 31, the Ministry of Electronics and Information Technology (MeitY) established an expert committee headed by (retired) Justice BN Srikrishna to review India’s data protection framework. The formulation of the committee was another step in India to formulate privacy legislation at the national level.

Common themes between the 2012 group of experts’ report and the 2017 expert committee’s white paper

Provisional views on Enforcement Mechanisms

The 2017 white paper broadly agreed with the model of co-regulation and development of codes of practice as suggested in the 2012 privacy report. 

Additional obligations on data controllers

The views in the white paper suggested that mechanisms such as data protection impact assessment, registration, data protection officers, and data audits should be used as methods to ensure the accountability of specific categories of data controllers. The 2012 expert report also anticipated the impact assessments and investigations by the Privacy Commissioner and the role of data controllers but did not discuss the registration of these entities.

Authorities and adjudication

Both the documents agreed on the need for a privacy commissioner/data protection authority and envisioned similar functions such as conducting privacy impact assessments, levying of fines and audits, and investigation.

The contemporary relevance of the 2012 report on privacy

The formulation of the privacy law started as early as 2010 when it was a methodological document on privacy legislation aimed at envisioning a privacy framework for India. In 2011, a Bill on privacy rights was drafted. In 2012, the Planning Committee formed a group of experts, led by Judge (retired) AP Shah, and prepared a report recommending a privacy framework.

After analyzing the recommendations of the 2012 privacy report and relating it to other privacy frameworks which came after it, it is clear that the 2021 report paved the way for these laws and reports to be formulated in a much better way. By acting as a guiding pillar, the report helped future legislators frame-worthy rules and laws under the ambit of privacy.

Loopholes and the way ahead

Though the privacy framework in India has developed to a greater extent and has given much security and reliability to citizens of India, there still exists a significant number of loopholes.

Loopholes in the Aadhar Act

For instance, the collection of additional information is not specifically prohibited under the Aadhar Act. Where the provision of the requirement of notice is given, there is no specified manner in which it is required to be given and is left to regulations leaving an unclear picture. Further, the act provides access to the information only upon the request of an individual and does not make it an individual’s right, leaving the matter of giving access to one’s information to the discretion of the UIDAI.

The language of the clause is ambiguous and it is not clear what “identity information” can be shared and why it is necessary to share such information. At last, considering the importance that the government has given and intends to give to Aadhaar, the essential task of establishing a grievance redressal and some grievance redressal mechanism should have been incorporated into the Act itself.

Loopholes in the digital rules

The new IT rules have been in controversy for more reasons than one. The new IT rules aim to regulate OTT content providers and digital news platforms. Several provisions under the rules might undermine free expression and privacy for internet users in India.

There is no clear legislative support for the formulation of the provisions of the regulatory mechanism because of which it might increasingly perform functions similar to those performed by the Ministry of Information and Broadcasting for television monitoring.

As the scope of the Information Technology Act of 2000 was not extended to the media, the guidelines did not have legislative support to regulate the media. Therefore, the power exercised by these norms goes far beyond the parent legislation.

The most controversial part of the rules is the provision that traces the first originator of the information. The introduction of traceability requirements undermines end-to-end encryption. Additionally, the creator of the post has no control over who re-posts the content, how many re-posts, or which forum it re-posts to.

Today, India is no longer a consumer, but a producer of high-quality original video content, providing employment and entertainment for local and global audiences. It is actively competing with other countries like South Korea and needs an environment that recognizes that regulation based on traditional films or television can cause irreparable damage to the industry. Any such regulatory model is likely to have a significant impact on citizens’ digital rights, cause economic losses, and negatively affect India’s growing cultural impact through the production of modern and contemporary entertainment video formats.

Antony Clement Rubin v. Union of India (2020)

The issue of traceability of originators of information on messaging platforms is also the subject of litigation before the Supreme Court in Antony Clement Rubin v. Union of India (2020). The case originated as a  PIL before the Madras High Court that seeks to link Aadhaar with social media accounts. However, during the Madras High Court hearing process, the focus was on the traceability of the originator of the information on end-to-end encrypted platforms such as WhatsApp, and the case was subsequently transferred to the Supreme Court.

Conclusion

The Shah Committee’s recommendations provided the basis for the formulation of national privacy legislation. The nine principles suggested in the report were taken into consideration while making all the future legislations or frameworks regarding privacy. This mere fact shows how contemporarily relevant this report is. But there are still some loopholes in the framework and that could be addressed by having again a committee of experts to discuss the issues at a wider level, along with active participation of common citizens.

References 

1. https://www.governancenow.com/views/columns/another-step-towards-privacy-law-data-protection 
2. https://prsindia.org/billtrack/the-information-technology-intermediary-guidelines-and-digital-media-ethics-code-rules-2021 
3. https://thewire.in/tech/data-protection-law-india-right-to-privacy
4. https://cis-india.org/internet-governance/blog/analysis-of-aadhaar-act-in-context-of-shah-committee-principles 
5. https://thewire.in/tech/explainer-how-the-new-it-rules-take-away-our-digital-rights 

---

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join:

https://t.me/joinchat/L9vr7LmS9pJjYTQ9

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.