
BUILDING AN EFFECTIVE DATA PROTECTION REGIME

Sreenidhi Srinivasan
Namrata Mukherjee

January 2017
www.vidhilegalpolicy.in

This Report is an independent piece of academic work and has been prepared with the support of the
Centre for Digital Financial Inclusion (CDFI). The authors are extremely grateful to CDFI and to Mr.
Krishnan Dharmarajan, its Executive Director, for their patronage and support. We are also thankful
to Mr. Rajendra Thakur and Mr. Pawan Xaxa, CDFI for their assistance.

The authors would also like to thank Mr. Chaitanya Ramachandran, Dr. Arghya Sengupta, Mr. Shankar
Narayanan, Ms. Srijoni Sen, Ms. Shalini Seetharam and Ms. Ritwika Sharma for their inputs. Errors, if
any, are of course ours alone.

The Vidhi Centre for Legal Policy is an independent legal think-tank whose mission is to achieve good
governance in India by impacting legislative and regulatory design.

For more information, see www.vidhilegalpolicy.in

About the Authors

Sreenidhi Srinivasan and Namrata Mukherjee are Research Fellows at the Vidhi Centre for Legal Policy
with the Public Law vertical.

Vidhi Centre for Legal Policy, 2017



CONTENTS

INTRODUCTION

CHAPTER I: DATA PROTECTION IN INDIA
  A. LIMITED DEVELOPMENT OF DATA PRIVACY THROUGH CASE LAW
  B. GENERAL DATA RULES UNDER THE INFORMATION TECHNOLOGY ACT
    a) Applicability of the Rules
    b) Consent requirements
    c) Communication of information to data subjects
    d) Mandatory data sharing
    e) Right to access information
    f) Security measures
    g) Adopting and enforcing the rules
  C. LAWS GOVERNING THE USE OF FINANCIAL INFORMATION
    a) Scope of information to be collected
    b) Communication of information to data subjects
    c) Consent requirements
    d) Right to access information
    e) Security measures
    f) Enforcement machinery
  D. LAWS GOVERNING DATA WITH TELECOM COMPANIES
    a) Scope of information collected
    b) Communication of information to individuals
    c) Obligation to maintain confidentiality and the consent exception
    d) Mandatory sharing
    e) Right of access

CHAPTER II: INTERNATIONAL PRACTICES
    a) Coverage of entities and exemptions
    b) Categories of data and their treatment
    c) Consent of the data subject
    d) Other grounds of processing
    e) Conveying information to data subjects
    f) Individuals' rights of access, rectification and restricting processing
    g) Enforcement machinery

CHAPTER III: THE WAY FORWARD
  A. KEY COMPONENTS OF A DATA PROTECTION REGIME
    a) Coverage of entities
    b) Coverage of information
    c) Processing
    d) Limits to collection
    e) Purpose specification and use limitation
    f) Consent as primary basis of all processing
    g) Individuals' rights of access
    h) Right to restrict processing
    i) Right to seek erasure
    j) Data quality and accuracy
    k) Security measures
    l) Privacy policies
    m) Accountability: Grievance redressal officers
    n) Implementation and enforcement
    o) Exemptions
  B. A FRAMEWORK FOR DATA PROTECTION

INTRODUCTION

Privacy and data protection are gradually gaining ground in Indian public consciousness as issues
warranting discussion and debate. Given the staggering amount of personal information being
collected and shared routinely, the extent to which an individual can exercise control over her
information stored with any entity is a key issue. Critical to its satisfactory resolution is the role that
consent and choice play in enabling an individual to assume control over information about
her. Concerns have emerged that legal requirements for obtaining consent often translate into
verbose, legalistic, barely readable privacy notices that have little or no meaning to individuals. Far
from making the subject informed, they often result in information overload.1 At other times, an
individual is not even aware that an organisation has her personal information.2 While India is only
now identifying what constitutes the right to privacy and to protection of information, jurisdictions
around the world have already taken giant strides in this field.

Origin of the Right to Privacy

The first and most well-known articulation of the right to privacy is a law review article written by
attorneys Samuel Warren and Louis Brandeis in 1890.3 Credited by Roscoe Pound with having done
"nothing less than add a chapter to our law",4 the article discussed the limitations of existing fields
within common law in protecting individuals from disclosure of their personal facts. The torts of libel
and slander, in their view, did not protect individuals when the information in question was true.
Property rights did not offer adequate protection when "the value of the production is found not in
the right to take profits arising from publication, but in the peace of mind or the relief afforded by
the ability to prevent any publication at all". Copyright laws sought only "to secure to the author,
composer, or artist the entire profits arising from publication", while contract law would not protect
individuals against intrusions by third parties without a contract. The authors recognised a broader
right to privacy in common law that deserved separate recognition. Based on the more general "right
to be let alone", the authors argued that common law secures to each individual "the right of
determining, ordinarily, to what extent his thoughts, sentiments, and emotions shall be
communicated to others".

1 Bart W. Schermer, Bart Custers and Simone van der Hof, The crisis of consent (2014) 16 Ethics and Information
Technology 171 at p.177; See also AM McDonald & LF Cranor, The Cost of Reading Privacy Notices (2008) A
Journal of Law and Policy for the Information Society: From a study of 75 popular websites, the authors
concluded that reading all their privacy policies would take 244 hours annually.
2 For instance, a Report of the U.S. Federal Trade Commission had concluded that data brokers were collecting
consumer data such as bankruptcy information, web browsing history, voting registration, etc. from commercial,
government and other publicly available sources. The data was not obtained directly from consumers and
consumers are thus largely unaware that data brokers are collecting and using this information. Federal Trade
Commission, Report on Data Brokers: A Call for Transparency and Accountability (2014) at p.46 available at
<https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf>.
3 Samuel D. Warren & Louis D. Brandeis, The Right to Privacy (1890) 4 Harvard Law Review 193 (Warren &
Brandeis).
4 Alpheus Mason, Brandeis: A Free Man's Life 70 (1946) cf Daniel J. Solove, The Origins and Growth of
Information Privacy Law (2013).

This "right to be let alone" was not necessarily a property right in the authors' view but rather arose
from the idea of "inviolate personality".5 While over a century has passed since this idea was mooted,
privacy as a concept does not have a strict, concrete meaning. It has been described by scholars as
"a concept in disarray"6 and as suffering from "an embarrassment of meanings",7 and indeed has
different contours in different jurisdictions. However, the core of the right is widely accepted to
provide certain protections: the right to autonomy or control over the intimacies of
personal identity,8 the right to prevent intrusion into one's seclusion or solitude or private affairs,9 the right to be left
alone, and the right to respect for private or family life and communications.10

Privacy and Protection of personal information

One way in which privacy is conceptualised is by linking it to the way in which an individual
controls information about her. Alan Westin recognised privacy as "the claim of individuals, groups,
or institutions to determine for themselves when, how, and to what extent information about them
is communicated to others".11 The right to privacy is viewed as providing the means through which
an individual can affirmatively control her life and personality, by controlling information about one's
private life.12 Warren and Brandeis had also proposed that the right to privacy offered a basis for
remedies for interferences into one's personal information.13 However, conceptualising privacy,
with all the attributes it has come to be associated with, as control over one's information may be
too narrow an approach. As Daniel Solove argues, such a conceptualisation would exclude those aspects
of privacy that are not informational, such as the right to make certain fundamental decisions about
one's body, reproduction, or rearing of one's children.14

Alternatively, protection of personal information could be viewed as one of the aspects of the right
to privacy. It should be borne in mind, however, that the different aspects or conceptions of privacy
do not sit in water-tight compartments. Despite the theoretical distinction between various aspects
of the right to privacy or the distinct ways in which it is conceptualised, there are significant overlaps.
For instance, control over personal information can be seen as an extension of the limited access to
self, which in turn finds root in the right to be let alone.15 In any case, the right to protection of one's
personal information is unarguably closely linked to the right to privacy, and this is evident from the
way in which privacy and data protection laws across the world have developed.

5 Warren & Brandeis, Supra note 3.
6 Daniel J. Solove, A Taxonomy of Privacy (2006) 3 University of Pennsylvania Law Review 154.
7 Ibid; Kim Lane Schepple, Legal Secrets (1988) cf Solove.
8 T Gerety, in "Redefining Privacy" (1977) 12 Harvard Civil Rights-Civil Liberties Law Review 233 cited in Petronet
LNG Ltd. v. Indian Petro Group, Delhi High Court, 13 April 2009.
9 William L. Prosser, Privacy (1960) 48 California Law Review 383. Prosser had described four torts within
privacy protection: 1. Intrusion upon the plaintiff's seclusion or solitude, or into his private affairs. 2. Public
disclosure of embarrassing private facts about the plaintiff. 3. Publicity which places the plaintiff in a false light
in the public eye. 4. Appropriation, for the defendant's advantage, of the plaintiff's name or likeness.
10 Article 7 of the Charter of the Fundamental Rights of the European Union.
11 Alan F. Westin, Privacy and Freedom (1968) 25 Washington & Lee Law Review 166.
12 Dorothy J. Glancy, The Invention of the Right to Privacy (1979) 21 Arizona Law Review 1; Edward J.
Bloustein, Privacy as an aspect of Human Dignity: An Answer to Dean Prosser (1964) 39 NYU Law Review 962.
13 Ibid; Warren & Brandeis, Supra note 3.
14 Daniel J. Solove, Conceptualising Privacy (2002) 90 California Law Review 1087.

While protection of personal information as a critical means of ensuring privacy rights has received
recognition in several jurisdictions, approaches vary depending on how privacy is understood in the
jurisdiction. For instance, in the United States, constitutional recognition has been accorded to
certain aspects of privacy, and the idea of privacy is linked to autonomy, covering aspects such as
sexual life and reproductive rights.16 The right to information privacy is derived from the substantive
due process right to privacy and seeks to protect the individual interest in avoiding disclosure of personal
matters. The US Supreme Court has also recognised privacy as "control over information concerning
his or her person".17 The jurisprudence around privacy is posited around protecting individuals from
unwarranted state intrusion. The focus of privacy rights in the U.S. appears to originate in the idea
of protecting individual liberties.18 It is perhaps for this reason that the primary federal privacy
statute in the U.S., the Federal Privacy Act 1973, focuses only on collection, use and disclosure of
personal information by government agencies. The use of personal information by private
organisations is governed by fragmented laws and codes, all drawing from a set of accepted practices
known as the "fair information practices".19

In contrast, the European Union focuses equally on public entities and private organisations collecting
and using personal information. Personal data is viewed as one's property, and an independent legal
authority is established to monitor violations and enforce compliance.20 Privacy and protection of
personal data are placed on a high pedestal, so much so that these rights are accorded separate
constitutional protection, not only in EU documents but in the constitutions of some individual
member states, notably Germany.21 Interestingly, the European Union Charter of fundamental
freedoms guarantees both the right to privacy and the right to data protection, that is, respect for private and
family life and protection of personal data, in Articles 7 and 8 respectively. While judicial discourse
recognises a distinction in the interpretation and application of these Articles, the right to privacy
continues to be viewed as the core of data protection.22

15 Ibid.
16 Adrienne D'Luna Directo, Data Protection in India: The Legislation of Self-Regulation (2014) 35 Northwestern
Journal of International Law & Business 1 (Directo).
17 United States Dep't of Justice v. Reporters Comm. for Freedom of the Press, 489 U.S. 749, 763 (1989).
18 Avner Levin and Mary Jo Nicholson, Privacy Law in the United States, the EU and Canada: The Allure of the
Middle Ground (2005) 2 University of Ottawa Law and Technology Journal 357 (Levin & Nicholson).
19 Federal Trade Commission, Fair Information Practice Principles, available at
<https://www.ftc.gov/reports/privacy-online-fair-information-practices-electronic-marketplace-federal-trade-commission>. Initially conceptualised by the US Secretary's Advisory Committee on Automated Personal
Data Systems in its report, Records, Computers and the Rights of Citizens (1973).
20 Directo, Supra note 16.
21 Lauren B. Movius and Nathalie Krup, U.S. and E.U. Privacy Policy: Comparison of Regulatory Approaches
(2009) 3 International Journal of Communication 169.

Core privacy principles

While certain concepts vary, a common thread does run across jurisdictions: the core principles
that form the basis of data protection laws are more or less uniform. These core principles were the
outcome of efforts of the Organisation for Economic Cooperation and Development (OECD), and have
formed the bedrock of data protection for several years now. The fair information practices in the
U.S. and the privacy principles in the European Union are largely similar to these core principles
formulated by the OECD in the 1980s. The eight principles that have guided data privacy laws across
the world are:

1. Collection Limitation Principle

There should be limits to the collection of personal data and any such data should be
obtained by lawful and fair means and, where appropriate, with the knowledge or consent
of the data subject (the person to whom the information pertains and from whom
information is collected).

2. Data Quality Principle

Personal data should be relevant to the purposes for which they are to be used, and, to the
extent necessary for those purposes, should be accurate, complete and kept up-to-date.

3. Purpose Specification Principle

The purposes for which personal data are collected should be specified not later than at the
time of data collection and the subsequent use limited to the fulfilment of those purposes
or such others as are not incompatible with those purposes and as are specified on each
occasion of change of purpose.

4. Use Limitation Principle

Personal data should not be disclosed, made available or otherwise used for purposes other
than those specified except:

(a) with the consent of the data subject; or
(b) by the authority of law.

5. Security Safeguards Principle

Personal data should be protected by reasonable security safeguards against such risks as
loss or unauthorised access, destruction, use, modification or disclosure of data.

6. Openness Principle

There should be a general policy of openness about developments, practices and policies
with respect to personal data. Means should be readily available of establishing the
existence and nature of personal data, and the main purposes of their use, as well as the
identity and usual residence of the data controller (the person who collects the data and
determines the manner of its use).

7. Individual Participation Principle

An individual should have the right:

(a) to obtain from a data controller, or otherwise, confirmation of whether or not the
data controller has data relating to him;
(b) to have communicated to him, data relating to him
i) within a reasonable time;
ii) at a charge, if any, that is not excessive;
iii) in a reasonable manner; and
iv) in a form that is readily intelligible to him;
(c) to be given reasons if a request made under subparagraphs (a) and (b) is denied,
and to be able to challenge such denial; and
(d) to challenge data relating to him and, if the challenge is successful, to have the data
erased, rectified, completed or amended.

8. Accountability Principle

A data controller should be accountable for complying with measures which give effect to
the principles stated above.23

22 Juliane Kokott and Christoph Sobotta, The distinction between privacy and data protection in the jurisprudence
of the CJEU and the ECtHR (2013) 3 International Data Privacy Law 222.

The above principles have found their way into several data protection laws across the world.
However, they were conceptualised at a time when digital technologies were just beginning
to gain ground. Now, with unprecedented amounts of personal data being processed routinely by
both private and public organisations, and given the range of data-analysis activities now undertaken, these principles are
also undergoing change. Further, special emphasis is now laid on implementation through national
privacy strategies (strategies adopted by the government for effective implementation of laws),
privacy management programmes (the mechanism through which organisations implement privacy
protection) and data security breach notification.24

In this context, the discussion in India is still largely at a nascent stage. Data privacy measures do
exist in some form across a host of scattered legislations, such as the Information Technology Act,
2000 (IT Act) and the rules made under it, as well as regulations specific to particular types of data
such as credit and financial information with banks and financial institutions, customer data and
details regarding call records, etc. available with telecom companies, and medical records and other
information with healthcare professionals. Some of these are inadequate and omit crucial privacy
principles that are essential for any regime. Others lack the enforcement machinery to be of any real
use to data protection.

23 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, adopted on 23
September 1980.
24 OECD, The OECD Privacy Framework (2013) (Revised OECD Guidelines).

At a time when India is seeking to develop as a digital economy, it is imperative to have in place an
effective regime for protection of personal information. Incidents of hacking and other security
breaches place individuals at risk of their personal data being misused, resulting in losses, whether financial,
reputational or otherwise. Without adequate systems in place, organisations would be leaving
individuals at risk of such misuse and loss. Such concerns are equally relevant when the entity
processing information is a government body. Additionally, a robust data protection regime is also
critical for generating confidence and trust with respect to business in India. Jurisdictions such as
Canada passed privacy laws for the private sector acknowledging the fact that privacy protection
forms the foundation of electronic commerce.25 Further, the European Union has strict rules for
companies engaged in cross-border data sharing and does not permit companies in EU member states
to transfer information to countries that do not have an acceptable standard of privacy protection.26
American and European organisations have also begun showing interest in outsourcing to entities in
jurisdictions that have stringent standards of data protection.27

This report seeks to provide a framework for building an effective data protection regime for India.
It has three parts. Chapter I examines existing laws governing collection, processing and disclosure
of individuals' personal data in India. Chapter II examines the data protection laws in four
jurisdictions, namely the European Union, the U.K. (following an earlier European Union directive),
Canada and Australia. Chapter III suggests the way forward for India by (a) setting out the essential
components of a data protection regime, and (b) providing a framework with these components.

This report focuses on protection of personal information as an extension of privacy but does not
delve into other aspects of privacy. Further, our analysis and recommendations in this Report are
limited to routine data processing and we have not proposed models for specialised data-gathering
functions like law enforcement, which merit separate attention.

25 Statement by Canada's Minister of Industry, Industry Canada, News Release, Government of Canada Delivers
on Promise to Protect Consumer Privacy (13 April 2000).
26 Chapter V, EU GDPR.
27 Directo, Supra note 16.

Chapter I: Data Protection in India

A. LIMITED DEVELOPMENT OF DATA PRIVACY THROUGH CASE LAW

India does not have a law recognising the right to privacy. Similarly, it does not have an overarching
statute that governs use of personal information of individuals. In Kharak Singh v. State of U.P.,28
the Supreme Court had recognised the right to privacy as "an essential ingredient of personal liberty",
providing it the protection of Article 21 of the Constitution. The contours of such right have been
developed over the years. In a recent challenge to the Aadhaar project, the question as to whether
there exists a right to privacy in India was referred by the Court to a Constitutional Bench.29 This is
expected to bring clarity to the jurisprudence surrounding privacy and state intrusions into it. While
constitutional cases would define an individual's right to privacy vis-à-vis the state, the right to
protection of personal information also extends to non-state actors in several jurisdictions. There is
no statute in India that expressly recognises this right, sets out individuals' rights over their personal
data or places obligations on organisations that collect and use personal data.30

It is useful to note at this point that a draft Right to Privacy Bill had been prepared by the Department
of Personnel and Training of the Government in 2011 and subsequently revised in 2014. The draft covered
aspects such as interception and protection of communications, data protection, establishment of a
data protection authority, etc. However, the bill was not introduced in Parliament and India
continues to operate without an overarching privacy statute.

There are a few judicial precedents that indicate that liability for privacy violations may exist in tort.
In R. Rajagopal and Another v. State of Tamil Nadu and Ors.,31 the Supreme Court observed:

"The right to privacy as an independent and distinctive concept originated in the field
of Tort law, under which the new cause of action for damages resulting from unlawful
invasion of privacy was recognized. This right has two aspects: (i) The ordinary law of
privacy which affords a tort action for damages resulting from an unlawful invasion of
privacy and (ii) the constitutional recognition given to the right to privacy which
protects personal privacy against unlawful government invasion."

However, the case itself dealt with privacy rights against the state and public officials and cannot be
taken as an authoritative pronouncement on a tort for privacy.32 While a few High Courts have
discussed privacy actions and tort liability, they fall short of recognising liability or granting relief on
such basis.33

28 1964 SCR (1) 332.
29 Justice K.S. Puttaswamy (Retd) & Another v. Union of India & Others, Writ Petition (Civil) No. 494 of 2012,
Order dated August 15, 2015.
30 Rules framed under the Information Technology Act 2000 place certain obligations. See Part B of this Chapter
for a detailed discussion on the rules.
31 1994 (6) SCC 632.
32 Graham Greenleaf, Promises and illusions of data protection in Indian law (2011) 1 International Data Privacy
Law 47.

In Petronet LNG v. Indian Petro Group,34 the plaintiff company was seeking an injunction restraining
the defendant company from publishing confidential and/or misleading information relating to the
plaintiff's negotiations and contracts, in the form of articles or news items or in any other form on
their website. The Delhi High Court declined to recognise any right to privacy against non-state actors.

On occasion, individuals have been able to bring successful challenges before the consumer disputes
redressal forum for unauthorised disclosure of their personal information. In Nivedita Sharma v.
Bharti Tele Ventures, the complainant had alleged that she was receiving unsolicited calls on her
number despite her telecom company Bharti's privacy statement claiming that it "does not disclose
your personal information to any other Cellular Service Providers, Banks, Credit Card companies etc.
or their agents, affiliates which could lead to invasion of your privacy information". Such sale of
personal information was found to be in breach of the Consumer Protection Act 1986 (as defective
provision of services by Bharti) and was directed to be discontinued by the State Consumer Disputes
Redressal Commission.35

These cases touch upon a minuscule portion of the right to data privacy in some form and fail to
substantially take forward the jurisprudence on protecting individuals' personal information.

B. GENERAL DATA RULES UNDER THE INFORMATION TECHNOLOGY ACT

While there is no statute focusing on data protection, there is a set of rules framed under the IT Act
that place certain obligations on individuals holding data in the electronic form. The rules, known as
the Information Technology (Reasonable Security Practices and Sensitive Personal Data or
Information) Rules, 2011 (IT Rules), are applicable across different types of data. The IT Rules seek
to introduce internationally accepted privacy principles, such as collection limitation, purpose
specification, use principle, and significantly, consent, in the handling of sensitive personal
information or data. The IT Rules are framed under Section 43A 36 of the IT Act, which despite being

33 Indu Jain v. Forbes Inc, High Court of Delhi, 12 October 2007.


34 High Court of Delhi, 13 April 2009.
35A writ petition was filed before the High Court and subsequently appealed before the Supreme Court. While
a portion of the remedy granted by the State Commission was modified, no observations were made on the
substance of the claim.
36 Section 43A.- Compensation for failure to protect data.
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer
resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security
practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate
shall be liable to pay damages by way of compensation to the person so affected.
Explanation.-- For the purposes of this section,--
(i) "body corporate" means any company and includes a firm, sole proprietorship or other association of
individuals engaged in commercial or professional activities;

a penal provision, enables the making of rules describing what constitutes sensitive personal data or
information and what reasonable security practices and procedures for handling such information are.
The efficacy of the IT Rules in enabling data protection and individual control over personal data is
discussed below.

a) Applicability of the Rules

The IT Rules are applicable to body corporates handling personal information or sensitive personal
data or information. A body corporate is explained under Section 43A to mean a company and to include
firms, sole proprietorships and other associations of individuals engaged in commercial or professional
activities, thereby excluding individuals acting in a non-commercial capacity and government bodies.
This leaves a vacuum insofar as data collection by such individuals, public sector entities and the
government itself is concerned.

Personal information has two attributes: first, that it relates to a natural person, and second, that
it is capable of identifying such person, either by itself or in combination with other information
available with an organisation37 (for ease of reference, a body corporate is referred to as an
"organisation" in this paper). Sensitive personal data or information of a person is a sub-set of
personal information which relates only to certain listed attributes. Rule 3 of the IT Rules deems the
following to be sensitive personal data:

(i) password;
(ii) financial information such as bank account or credit card or debit card or other
payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) biometric information;
(vii) any detail relating to the above provided to the organisation for providing service; and
(viii) any of the information received under the above by the organisation for processing,
stored or processed under lawful contract or otherwise.38

Any information that is available in the public domain which can be furnished under the Right to
Information Act, 2005 will not be considered as sensitive personal information.

Thus, while personal information could be any identifier relating to a natural person, be it address,
photograph, biometrics, etc., sensitive personal information is that subset of personal information

(ii) "reasonable security practices and procedures" means security practices and procedures designed to protect
such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be
specified in an agreement between the parties or as may be specified in any law for the time being in force and
in the absence of such agreement or any law, such reasonable security practices and procedures, as may be
prescribed by the Central Government in consultation with such professional bodies or associations as it may
deem fit;
(iii) "sensitive personal data or information" means such personal information as may be prescribed by the Central
Government in consultation with such professional bodies or associations as it may deem fit.
37 Rule 2(1)(i), IT Rules.
38 Rule 3, IT Rules.

which pertains to any of the attributes specified in Rule 3. There are other types of information not
listed in Rule 3 which are considered sensitive in several jurisdictions, for instance, information
related to religious beliefs, ethnicity and political opinions;39 the definition in the IT Rules,
however, does not cover these.

There is some ambiguity regarding the applicability of the IT Rules to personal information. While some
obligations under the IT Rules relate to the handling of personal information, certain other
obligations, and significantly those related to consent, are made applicable only where an organisation
seeks to collect or deal with sensitive personal information.40 Section 43A, which appears to be the
enabling provision of the rules, refers only to sensitive personal data or information and enables the
making of rules only to prescribe what such information is. This has led some commentators to argue
that the obligations in the IT Rules can only pertain to sensitive personal information.41 The IT Rules
seem to go beyond the scope of their enabling provision by prescribing rules for handling personal
information as well. For instance, one of the clauses of the IT Rules requires organisations to provide
privacy policies for dealing in "personal information including sensitive personal data or information",
but it is unclear whether these obligations can actually extend to non-sensitive personal information.

b) Consent requirements

The IT Rules require consent to be obtained before collection of sensitive personal data or
information:

5. Collection of information. (1) Body corporate or any person on its behalf shall obtain
consent in writing through letter or Fax or email from the provider of the sensitive
personal data or information regarding purpose of usage before collection of such
information.

Thus, before collecting sensitive personal information, an organisation is required to obtain consent
in writing42 from the provider of the information. In practice, information about an individual could
be collected either directly from the person concerned or from a third party source. The provider of
information would be different in the two cases. When information is collected directly from the person
concerned, details such as the purpose of collection, the intended recipients, and the contact details
of the collecting and storing entities have to be made known to the concerned person.43

39 Several countries, including Austria, Estonia, France and Spain, following the EU Data Protection
Directive 95/46/EC, include these as sensitive information requiring a higher degree of protection.
40 For instance, Rules 5(1) and (2), and 6(1), IT Rules.
41 Graham Greenleaf, India's U-turns on data privacy (2011) (This paper is a compilation of four articles
published as a series throughout 2011 in Privacy Laws & Business International Report, Issues 110-114).
42 This requirement of consent in writing through letter or fax or email has been clarified to mean consent
through any mode of electronic communication; Clarification on Information Technology (Reasonable security
practices and procedures and sensitive personal data or information) Rules, 2011 under section 43A of the
Information Technology Act, 2000, Ministry of Communications & Information Technology, 24 August 2011.
43 Rule 5(3), IT Rules.

In cases where information about an individual is procured from a third party source, such third party
would be the information provider and not the individual whose data is being collected or shared
(referred to in this paper as the "data subject"). For instance, if a bank collects information from a
telecom company about one of its subscribers, the telecom company is the provider of the information
and not the subscriber. The consent requirements and other rights such as the right of access, the
option to withdraw, etc. (discussed below) would be available only to the providers of information, i.e.
the third party sources, and not necessarily to the data subject. The omission of a reference to such
data subject greatly dilutes the consent requirement.44 If this was indeed the intention, the rules do
not offer much in terms of a data subject's access or control when information is procured through
third party sources. A clarification was issued stating that "provider of information" refers to the
natural person who provides sensitive personal information to a body corporate.45 However, the efficacy
of a clarification modifying the scope of rules framed by the Government is suspect.

Once the information is collected, an organisation cannot disclose such information unless it has
obtained prior permission from the information provider.46 Here again, when information has been
collected from a third party source, a data subject has no control over disclosure.

Separate consent before disclosure is not required if such disclosure was already permitted under the
original contract between an organisation and a data subject. For instance, if the agreement between
a bank and its customer has a term allowing disclosure to recovery agents, separate consent is not
required each time information is shared with such agents. This disclosure restriction is a variation
of the internationally accepted use limitation, which restricts disclosure for purposes other than
those specified at the time of data collection.47 In practice this often translates into an elaborate
clause in the agreement for provision of services, where the data subject consents to a host of acts,
including disclosure to several entities which may not be necessary for provision of the service. Such
broad consent clauses remove any element of real choice in the matter of future disclosure. That
said, the alternative of seeking consent each time information has to be disclosed to any third
party is undesirable and certain to be cumbersome for both the organisation and the data subject.

c) Communication of information to data subjects

The IT Rules contain certain formal requirements for communication of information to data providers.
Key among them is the requirement of publication of a privacy policy by the organisation for handling
or dealing in personal information. Such policy has to be available for viewing by persons who have
provided information, and should be published on the organisation's website. The categories of
information to be published in the policies include the types of information collected, purpose and

44 Greenleaf, Supra note 41.


45 Clarification issued by the Ministry of Communications and Information Technology dated 24 August 2011.
46 Rule 6, IT Rules.
47 OECD Privacy Principles: "Personal data should not be disclosed, made available or otherwise used for purposes
other than those specified except: a) with the consent of the data subject; or b) by the authority of law."

usage, reasonable security practices, etc.48 While this is a fairly standard requirement and draws
from the "notice" or "openness" principle49 of data privacy, it is only a formal obligation and in
practice does little to ensure that data subjects are aware of an organisation's data related policies.
Increasingly, the focus has been on strengthening additional avenues through which control can be
exercised instead of relying on privacy policies as the basis of consent.50 Importantly, the mere fact
that a privacy policy with the requisite details has been served on the individual should not
absolve an organisation of its other privacy obligations.51

In addition to the privacy policy, there is a specific notice requirement targeted at making a data
subject aware of what she is consenting to at the time of collection of information. As indicated
earlier, where information is being collected from an individual directly, notice of details such as
the purpose of collection, the intended recipients, and the contact details of the collecting and
storing organisations has to be given to the individual.52 These details do not include the choices
available for limiting use and disclosure,53 or information about situations where the data subject
can ask for erasure, rectification or blocking of data, which would enable an individual to know the
extent of her control over the data, setting the groundwork for her to exercise such control.

Finally, the consent and notice requirements are applicable only for sensitive personal information.
As far as other personal information is concerned, there are no provisions requiring notification or
confirmation that an organisation is holding such information about an individual.

d) Mandatory data sharing

No consent is required for sharing of information with Government agencies mandated under the law
to obtain information including sensitive personal data or information for the purpose of verification
of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and
punishment of offences. However, the purpose of seeking such information will have to be specified
by the Government agency and a request sent in writing to the organisation. The Government agency

48 Rule 4: Such policy shall be published on website of body corporate or any person on its behalf and shall
provide for
(i) Clear and easily accessible statements of its practices and policies;
(ii) type of personal or sensitive personal data or information collected under rule 3;
(iii) purpose of collection and usage of such information;
(iv) disclosure of information including sensitive personal data or information as provided in rule 6;
(v) reasonable security practices and procedures as provided under rule 8.
49 OECD Privacy Principles; Asia-Pacific Economic Cooperation (APEC) Privacy Framework.
50 The OECD Privacy Framework, The Evolving Privacy Landscape: 30 Years after the OECD Privacy Guidelines,
pp. 99-100.
51 Report of the Group of Experts on Privacy chaired by Justice AP Shah (2012) (Expert Group Report on Privacy).
52 Rule 5(3), IT Rules.
53 Clause 15(e), Notice Principle, APEC Privacy Framework.

is also required to state that the information so obtained shall not be published or shared with any
other person.54

However, the data subject is not required to be informed of such sharing even after the investigation
is complete. There are also no limits prescribed to the time period for which the Government agency
can hold such data.55 While investigation and detection of crime may be a necessary exception to the
consent rule, a balance should be struck between such purpose and individual rights over their data
potentially through notification requirements and procedural safeguards. Additionally, there is no
mechanism in place to ensure that the government agencies comply with these obligations since
Section 43A focusses only on the obligation of body corporates to implement and maintain reasonable
security practices.

e) Right to access information

Providers of information have the right to review their information and seek correction if it is found
to be inaccurate or deficient.56 Setting aside concerns regarding such rights being available to
providers of information instead of data subjects, this is a significant step in trying to hand control
over data to individuals. The IT Rules also require a grievance officer to be designated by the
organisation for addressing any discrepancies and grievances; if implemented correctly, such an officer
could act as a point of contact and facilitate an individual's securing of control over information
about her. The IT Rules also require grievances to be addressed within a month.57

While these are important steps towards securing the right of access, a data subject would still not be
aware of the uses to which her data is actually being put or the entities with whom her data is being
shared. There is also presently no requirement to notify a data subject in case of a data breach or a
change in the privacy policies.58 Further, while information providers are allowed the right to
withdraw consent given earlier at any time,59 there is nothing to indicate what steps are to be taken
upon such withdrawal, and whether this means that the organisation has to erase or delete the
information immediately.

f) Security measures

Reasonable security practices and procedures are explained in the IT Act as practices designed to
protect information from unauthorised access, disclosure, etc. Such practices could be specified by
agreement or law, and in the absence of such agreement or any law, the practices would be as
prescribed by the Central Government.60 For instance, in a few cases of fraudulent transactions from

54 Proviso to Rule 6(1), IT Rules.


55 Expert Group Report on Privacy, p.60.
56 Rule 5(6), IT Rules.
57 Rule 5(9), IT Rules.
58 Expert Group Report on Privacy, Supra note 55.
59 Rule 5(7), IT Rules.
60 Explanation (ii), Section 43A, IT Act.

bank accounts brought before the adjudicating officer (the enforcement officer under the IT Act),
non-compliance with KYC norms and security guidelines issued by the RBI was viewed as failure to
maintain reasonable security practices.61

It appears that in the absence of such sector-specific or contractual obligations, the standard
prescribed in the IT Rules would apply. These require an organisation to put in place comprehensive
security policies covering technical, organisational and physical security measures, and cite one
international standard for information security as an acceptable security standard to follow.62
Implementation of such approved standards would mark compliance with the reasonable security
requirements. Importantly, the IT Rules contain no requirement to notify the data subject or any
authority in case of a security breach.

g) Adopting and enforcing the rules

It is evident that a number of key privacy principles have been incorporated in the IT Rules. For
instance, collection limitation (that sensitive personal information should be collected only if it is
necessary for a purpose connected with the organisation's activities),63 use limitation (that the
information has to be used for the purposes for which it was collected),64 and that it should not be
retained for longer than required.65 While these and other obligations reflect important privacy
principles, the manner in which they are adopted by organisations needs examination. For instance,
a broad, vague purpose set out in the notice while seeking consent essentially allows an organisation
free rein to use the information indefinitely for a host of purposes within the broad formulation,
while still ensuring compliance with this obligation. It is possible, especially in the absence of
effective enforcement mechanisms, that organisations mark compliance with these obligations through
privacy policies, elaborate notices and broad formulations as to the purpose of collection. There is
also little indication as to whether these rules are being complied with, and how data subjects can
seek to enforce their rights.

Adjudicating officers are appointed under the IT Act for hearing cases relating to violation of any of
its provisions. Orders passed by such officers can be appealed before the Cyber Appellate Tribunal. The
tribunal has passed only 17 judgments till date66 and none after June 30, 2011. A chairperson is yet

61 Ram Techno Pack v. State Bank of India, Complaint No. 9 of 2012, Adjudicating Officer (Maharashtra) Order
dated February 22, 2013 available at
<https://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_RamTechno_Vs_SBI-22022013.pdf> (last
accessed 7 January 2016).
62 The international standard IS/ISO/IEC 27001 on Information Technology - Security Techniques - Information
Security Management System Requirements is specified to be one such security standard.
63 Rule 5(2), IT Rules.
64 Rule 5(5), IT Rules.
65 Rule 5(4), IT Rules.
66 Cyber Appellate Tribunal, Judgements at <http://catindia.gov.in/Judgement.aspx> (last accessed on
7 January 2016).

to be appointed after expiry of tenure of the previous presiding officer in 2011. The mechanism is
evidently woefully inadequate.

There are also concerns regarding the scope of the enabling penalty provision. Section 43A is
attracted in cases of negligence in "implementing and maintaining reasonable security practices
and procedures". In addition to negligence, there should be wrongful gain or wrongful loss to an
individual for the provision to be attracted. First, it is not entirely clear whether the reasonable
security practices referred to in Section 43A include the various obligations prescribed in the IT Rules
or only the security measures prescribed in Rule 8. Also, under Section 43A, the reasonable security
practices can be prescribed only in the absence of any agreement or law providing for such practices,
implying that the IT Rules are applicable only when there is no other law or agreement providing for
security measures. While it is arguable that the rules provide a minimum set of requirements to be
complied with even where there is an agreement, their scope and applicability are not entirely certain
or clear.

Second, the meaning of "implementing and maintaining" reasonable security practices is unclear:
whether the mere fact of having policies in place would constitute adequate implementation and
maintenance of reasonable security practices remains to be seen.

Third, in cases where one or more obligations have been breached but there is no gain or loss in
financial terms, the provision would not be attracted. If there is a violation of the rules but no loss
to the data subject, there would be no remedy available.

The only source of guidance for interpretation of this provision is a few orders passed by adjudicating
officers under the IT Act. These mostly revolve around fraudulent transactions from bank accounts
with the adjudicating officers observing that there was failure in maintaining reasonable security
practices. The reasonable security practices taken into consideration by the officers were KYC and
security norms issued by the RBI.67 The orders passed by the adjudicating officers do not relate to
the other obligations in the IT Rules and do not offer much guidance as to the above concerns.

Other penalties under the IT Act include penalties for disclosure without consent or in breach of
lawful contract,68 securing access to electronic records and information of a person and disclosing
the same without consent,69 and causing damage to computers, computer systems, etc.70 Again, there
is little indication as to actual enforcement and whether these can actually strengthen the role of
consent.

67 Ram Techno Park, Supra note 61; M/s Shreenivas Signs v. IDBI Bank Ltd., Complaint No. 12 of 2013,
Adjudicating Officer (Maharashtra) Order dated February 18, 2014 available at
<https://it.maharashtra.gov.in/Site/Upload/ACT/DIT_Adjudication_SreenivasSigns_Vs_IDBI-18022014.PDF>
(last accessed 7 January 2016).
68 Section 72A, IT Act.
69 Section 72, IT Act.
70 Section 43, IT Act.

The IT Rules make an attempt to hand control of user data back to individuals by incorporating several
internationally accepted privacy principles. A significant obstacle in this regard is the use of
"provider of information" instead of "data subject" or a similar term that would have implied control
over data by the natural person to whom it relates. Such and other drafting ambiguities make the scope
of the rules uncertain. Further, the absence of any indication of enforcement raises concerns as to their
efficacy in securing access for data subjects to their data. Even setting aside these concerns, it is
entirely possible that several of the obligations in the rules take the form of an elaborate,
incomprehensible privacy notice. This also raises larger questions as to whether any consent so
obtained is truly informed.

Key takeaways

- Limited scope of the rules, both in terms of the entities covered and types of information.
- Diluted consent requirements: consent to be sought from the "provider of information", which might
  not always be the data subject.
- Choices for limiting disclosure and use not necessarily available, nor are they explained to data
  subjects.
- Data subjects not at the centre; no substantive rights for data subjects.
- Ambiguous scope of the enabling penalty provision: unclear whether the penalty is applicable for all
  obligations under the IT Rules or only the security measures.
- Inadequate enforcement machinery.

C. LAWS GOVERNING THE USE OF FINANCIAL INFORMATION

Banks and financial institutions record and store details regarding transactions undertaken by
customers, amounts outstanding on loans, credit cards or other credit facilities and other details
relating to their financial information (in addition to personal data regarding their customers, such
as their names, addresses and other information submitted by customers for procuring banking
services). Various statutes in the financial sector govern the functioning of different types of
financial entities, each containing one or more privacy protections to be adopted by the entity that
they govern. A significant number of privacy principles have been introduced through rules and
regulations framed under the Credit Information Companies (Regulation) Act, 2006 ("CIC Act").
Certain statutes including the CIC Act and the Prevention of Money Laundering Act, 2002 ("PMLA")
also mandate sharing of certain types of information, thereby statutorily removing the element of
consent. Other privacy principles, including the notice, consent and security principles, exist in a
scattered fashion across various circulars issued by the RBI71 and other financial legislation.

a) Scope of information to be collected

Personal data

The banking regime requires banks and financial institutions to collect certain details at the time of
opening an account or providing any other service. A collection limitation is in place under the KYC
norms, as banks/financial institutions are allowed to collect only mandatory information at the time
of KYC.72 This appears to refer to such information as is necessary to establish the identity of
each new customer and the purpose and intended nature of the banking relationship.73 Other
optional customer details/additional information can be obtained separately only after the account
is opened, with the explicit consent of the customer and in a different form, distinctly separate from
the application form. It should be indicated clearly to the customer that providing such information
is optional.74

The CIC regime also requires credit participants (CICs, credit institutions and users) to adopt
principles for the collection and use of such personal data.75

Credit information

Credit information is widely defined and includes information relating to loans, advances or other
credit facilities, and information about securities, guarantees and the credit worthiness of borrowers.76

71 For instance, the RBI Master Circular on Customer Service in Banks; RBI Master Circular on Credit Card, Debit
Card and Rupee Denominated Cobranded Prepaid Card operations of banks; the RBI Master Circular on KYC Norms
/ Anti-Money Laundering (AML) standards/Combating Financing of Terrorism (CFT)/Obligation of banks and
financial institutions under PMLA, 2002.
72 The RBI Master Circular on KYC Norms / Anti-Money Laundering (AML) standards/Combating Financing of
Terrorism (CFT)/Obligation of banks and financial institutions under PMLA, 2002.
73 The KYC norms also specify the documents to be obtained by the bank/FI: Banks/FIs should obtain one certified
copy of an 'officially valid document' containing details of identity and address, one recent photograph and such
other documents pertaining to the nature of business and financial status of the customer as may be required
by the bank/FI.
74 Para 3.2.1(c) and para 9(i), RBI KYC Master Circular.
75 Regulation 11, CIC Regulations.
76 Credit information is defined in the CIC Act as information relating to:
(i) the amounts and the nature of loans or advances, amounts outstanding under credit cards and other credit
facilities granted or to be granted, by a credit institution to any borrower
(ii) the nature of security taken or proposed to be taken by a credit institution from any borrower for credit
facilities granted or proposed to be granted to him
(iii) the guarantee furnished or any other non-fund based facility granted or proposed to be granted by a credit
institution for any of its borrowers

Under the Credit Information Companies Rules, 2006 ("CIC Rules"), credit institutions are required to
collect "all relevant data about their borrowers as they may deem necessary and appropriate for
maintaining accurate and complete data, information and credit information".77 This is a broad
formulation, circumscribed only by the use of the word "relevant". While the CIC Act requires credit
institutions to adopt collection principles,78 there is no limit placed on excessive collection of credit
information.79 Although information cannot legally be used or disclosed except for the prescribed
purposes, excessive collection results in greater exposure in case of a data breach, since every
record held beyond what the purpose requires is one more record that can be lost.

Other mandatory collection

Banks are also required to monitor the transactions of their customers and prepare risk profiles.80 Under
the PMLA, reporting entities (which include banks and financial institutions) have to maintain identity
details, account details, business correspondence, etc. for 5 years after the banking relationship has
ended.81 It may be noted that the law does not mandate deletion of the information upon completion
of the 5-year period.

b) Communication of information to data subjects

RBI circulars do not expressly require the framing and publishing of separate privacy policies.82 Thus,
there is no legally mandated minimum set of information that has to be included in privacy
policies specific to the banking sector (unlike the IT Rules, which require a privacy policy and specify
some minimum information to be included). Most banks do have privacy statements on their websites,
but these differ in form and content.

Information that is required to be communicated to customers while applying for a service is
scattered across different regulations and codes. To illustrate, the Code of Bank's Commitment to
Customers83 requires banks to inform borrowers about the role of CICs in credit checks,84 the CIC
regulations require individuals to be informed of the purpose of collection of personal data,85 credit card

(iv) the credit worthiness of any borrower of a credit institution
(v) any other matter which the Reserve Bank may, consider necessary for inclusion in the credit information to
be collected and maintained by credit information companies, and, specify, by notification, in this behalf.
77 Rule 19, CIC Rules.
78 Section 20, CIC Act.
79 Greenleaf, Supra note 32.
80 Para 3.4.2 of the RBI Master Circular on KYC Norms: The customer profile should contain information relating
to customer's identity, social/financial status, nature of business activity, information about the client's
business and their location etc.
81 Section 12, PMLA.
82 Under the RBI Master Circular on Customer Service in Banks (para 8.5), some of the policies required to be
published include a Citizens' Charter, Deposit Policy, Grievance Redressal Mechanism, Information relating to
Banking Ombudsman, etc. which would include some relevant information from the perspective of user control
over data and privacy.
83 Code of Bank's Commitment to Customers issued by the Banking Codes and Standards Board of India.
84 Para 5.1, Banking Code.
85 Regulation 11, CIC Regulations.

issuing banks/NBFCs are required to explain to customers the full meaning and implications of
disclosure clauses,86 etc. There does not appear to be any legal obligation requiring banks to inform
customers about details such as what information would be collected while providing the service, the
purpose of collection of different types of information, rights of access, whether customers can limit
disclosure or use for any other purpose, etc.

c) Consent requirements

Once any information is collected from a customer, be it customer details obtained while opening
an account or information generated while providing the service such as transaction details, banks
are required to keep all of it confidential.87 The obligation of secrecy and confidentiality flows from
the contractual relationship between the bank and its customer. This secrecy obligation and its
exceptions have been discussed in RBI circulars88 and by courts in India, for instance, in Shankarlal
Agarwalla v. State Bank of India:89

The banker is under an obligation to secrecy. According to Lord Halsbury's Laws of England
4th Edn. Vol. 3 p. 72 Article 97.

It is an implied term of the contract between a banker and his customer that the banker will
not divulge to third person without the express or implied consent of the customer either the
state of the customer's account or any of his transactions with the bank or any information
relating to the customer acquired through the keeping of his account unless the banker is
compelled to do so by order of a Court or the circumstances give rise to a public duty of
disclosure or protection of the banker's own interest requires it.

Generally, consent of the data subject has to be obtained by banks before disclosing her information.
Other exceptions to the rule of confidentiality are where disclosure is legally mandated, where there
is a duty to the public to disclose or where interest of the bank requires disclosure (such as for
preventing fraud).90

No consent or notification before sharing of information with CICs

A data subject's consent is not required before a bank or other credit institution submits credit information to a CIC, nor is she required to be notified of the fact.91 Typically, the agreement entered into between a bank and its customer contains a clause where the customer acknowledges and consents to the sharing of her credit information with CICs since it is a statutory requirement. User control over the manner in which credit information is shared is, thus, minimal.

86 RBI Master Circular on Credit Card, Debit Card and Rupee Denominated Cobranded Prepaid Card operations of banks, para 6.2.
87 RBI Master Circular on Customer Service in Banks, July 1, 2015, Customer Confidentiality Obligations (para 25); Public Financial Institutions (Obligations as to Fidelity and Secrecy) Act, 1983.
88 RBI Master Circular on Customer Service in Banks.
89 AIR 1987 Cal 29.
90 RBI Master Circular on Customer Service in Banks, para 25; Banking Code, para 5.
91 Under the CIC Act, credit institutions have to furnish credit information to the CICs that they are members of. All banking companies, NBFCs, public financial institutions, housing finance institutions, credit card issuers, etc. are credit institutions.

Only in the case of credit cards does the law expressly allow the bank or NBFC to bring to the notice of the customer that such information is being provided to CICs;92 even so, notification is not mandatory. A mandatory notice requirement is only built in at the time of reporting a data subject as a defaulter to a CIC.93

While consent cannot be made a requirement in sharing of information with CICs, notification along
with details of what information has been furnished could enable better user control over his data.
Any errors or discrepancies could also be minimised through such notification at this stage itself.

CICs furnish credit information about data subjects to a set of specified users, which under the CIC Act and CIC Regulations includes credit institutions, CICs, telecom companies, IRDA, SEBI, etc.94 Again, neither consent nor notification is required while sharing information with such users. Other than specified users and CICs, the CIC Act does not allow sharing of credit information with any third person or for any other purpose.95 While such restrictions reflect strict use and purpose limitations, this approach attaches little or no importance to a data subject's choice. Consent of the customer is generally a recognised exception to the confidentiality rule as far as customer information with banks is concerned. However, sharing of information with financial and regulated entities, envisaged under the CIC Act as a mandatory process, is based on the principle of reciprocity and is unlikely to shift to a consent-based approach. Nevertheless, a notification obligation could be introduced at this stage to enable a data subject to know who has sought information regarding her. Insofar as unregulated or non-financial users are concerned, presently sharing of credit information is allowed only with a limited set of specified users. Instead of limiting users, sharing could be permitted to users authorised by a data subject. The desirability of shifting to a customer-centric and authorisation-based approach has been discussed by the Committee on Financial Sector Reforms96 and the Report of the Committee on Comprehensive Financial Services for Small Businesses and Low Income Households,97 and deserves to be explored further.

92 RBI Master Circular on Credit Card, Debit Card and Rupee Denominated Cobranded Prepaid Card operations of banks, July 1, 2015.
93 The bank/ NBFC should have a procedure in place including providing sufficient notice to the credit card holder of the intention to report him as a defaulter. The procedure should also cover the notice period for such reporting as also the period within which such report will be withdrawn in the event the customer settles his dues after having been reported as defaulter.
94 Section 2(l), CIC Act and Clause 3, CIC Regulations.
95 Section 17(4), CIC Act.
96 Report of the Committee on Financial Sector Reforms (CFSR) chaired by Dr. Raghuram Rajan (2008), Chapter 7, p.158.
97 Report of the Committee on Comprehensive Financial Services for Small Businesses and Low Income Households chaired by Mr. Nachiket Mor (2013) pp. 132-135.

d) Right to access information

There does not seem to be a mechanism for an individual to know or confirm what information about
her is being held by a bank. While some information such as risk profiles is not to be shared with a
data subject, it would be useful for an individual to know that such information exists with the bank
especially in case of a data security breach.

Information relating to customer transactions, through passbooks and statements of accounts, has to
be furnished by banks to their customers.98 Statements are to be sent on a periodic basis to customers
and in any case, in practice, customers can access transaction details at any point.

A customer presently is unaware of the recipients with whom personal information and credit
information has been lawfully shared by the bank. Recipients could also include Government
authorities or the RBI pursuant to statutes like the PMLA, the Banking Regulation Act, 1949, the
Securitization and Reconstruction of Financial Assets and Enforcement of Security Interest Act, 2002,
the Foreign Contribution Regulation Act, 2010, and the Insurance Regulatory and Development
Authority Act, 1999. Such legislations mandate the sharing of certain information for investigation or
other lawful purposes but do not address a number of concerns, such as what happens to the
information upon closure of investigation, the time period for holding such data, and notifying the
individual upon the investigation being closed.

Credit information

Any person who has applied for a credit facility can request the potential lender for a copy of the credit information received by it from the CIC,99 but not the information that was, at the first instance, forwarded by the data subject's existing lenders to the CIC.

In case a specified user is denying credit or other service on the basis of the credit information report, the borrower has to be intimated along with the specific reasons for rejection and a copy of the report.100 While this is a significant tool for gaining information, the CIC Act only enables an individual to obtain adverse credit reports from potential lenders or service providers and not from the CIC itself. Under the regulations, CICs are required to establish and adopt procedures relating to disclosure to a person, on his request, of his own credit information (after verifying his identity);101 however, the provision does not mandate access and only calls for establishing policies. The regulations further provide that for providing to an individual his own credit information, a credit information company may charge such amount as it deems appropriate, not exceeding Rs. 100/-. There appears to generally be a low level of awareness insofar as accessing one's credit information report is concerned.

98 RBI Master Circular on Customer Service in Banks.
99 Section 29(1), CIC Act.
100 Regulation 10(c), CIC Regulations.
101 Regulation 10(b)(i), CIC Regulations.

The CIC Regulations prescribe a rather long-winded procedure through which an individual seeks such updating in the original records: the potential lender or other specified user intimates the CIC from which it had obtained the information, and the CIC then intimates the credit institution from which it had obtained the information.102 All of this is also required to take place within the stipulated time period of one month. Also, while there are rules for maintaining accuracy of information, both for CICs and credit institutions, the level of interface with data subjects seems to be low.

Other than what is mentioned here, the law does not currently enable a data subject to know more regarding her information, such as who has sought credit information regarding her. Significantly, there is no process of recording all queries for a data subject's report and for the data subject to access such records. This would enable the subject to detect if her information is being used for unauthorised purposes or in an appropriate manner.103

e) Security measures

The RBI has issued detailed guidelines on information security, electronic banking, technology risk
management and cyber frauds providing guidance to banks in adopting and implementing security
measures.104 There is no provision however for a data security breach notification to the data
subjects, which could enable them to take steps to safeguard themselves against potential harm from
the breach.105

f) Enforcement machinery

The remedy in case of unauthorised disclosure by a bank of a data subject's information is unclear. Since the duty of confidentiality flows from the contractual relationship between a banker and the customer, a remedy lies in a claim for damages.106 However, a more specific remedy does not seem to be available within the banking regime. The Banking Ombudsmen,107 appointed to address complaints relating to deficiency in services, could be a potential remedy. While unauthorised disclosure is not a specific head for complaints to the Ombudsman, such disclosure runs contrary to RBI directions regarding confidentiality and the Code of Bank's Commitment to Customers issued by the Banking Codes and Standards Board of India.

Credit reporting

While the CIC regime contains several safeguards relating to privacy, protection and accuracy of data, there is little or no indication of enforcement of the regime. This is exacerbated by the fact that the Act, rules and regulations do not contain provisions relating to remedies. The Act only provides for settlement of any disputes amongst CICs, credit institutions, borrowers and clients on matters relating to the business of credit information, by conciliation and arbitration.108 Several disputes regarding incorrect credit information reports have surfaced, highlighting the need for CICs to have effective consumer complaint redressal.109

102 Section 21, CIC Act and Regulation 10, CIC Regulations.
103 Report of the CFSR, Supra note 96 at 158.
104 RBI Guidelines on Information security, Electronic Banking, Technology risk management and cyber frauds (2011).
105 The OECD Privacy Framework, Revisions to the Guidelines (2013) at p.26.
106 Shankarlal Agarawal v. State Bank of India, AIR 1984 Cal 29.
107 Banking Ombudsman Scheme, 2006.

Key takeaways

- Scattered privacy principles.
- No comprehensive notice requirements: data subjects would not always have adequate information.
- Credit information regime contains privacy norms but uncertain enforcement machinery.
- CIC regime is restricted to formal credit sector, with certain strict prohibitions on paper, such as, no person can carry on business of credit information without RBI registration.
- No mechanism for data subject to know what all information is being held with a bank.
- No database on who has lawfully sought/ received information about a customer from a bank.

D. LAWS GOVERNING DATA WITH TELECOM COMPANIES

Telecom service providers (TSPs) collect details from subscribers at the time the subscriber applies for a connection. Additionally, while providing the service, they collect details/ information such as call records, billing history, etc. of the subscriber. The laws governing telecom services are the Indian Telegraph Act, 1885, the license agreements which set out the terms and conditions to be complied with by the TSPs as licensees under the Telegraph Act, and regulations, directions and orders issued by the Telecom Regulatory Authority of India (TRAI). Some of these contain provisions regarding collection of certain types of data and processing or disclosure of such data.

108 Section 18, CIC Act.
109 Recent Policy Initiatives in Credit Information Sharing (Keynote Address delivered by Shri R. Gandhi, Deputy Governor, on March 3, 2015 at the Seventh Annual CIBIL TransUnion Credit Information Conference, Hotel Trident, Mumbai), available at <https://www.rbi.org.in/scripts/BS_SpeechesView.aspx?Id=946>.

a) Scope of information collected

There are no express limitations prescribed on the information that can be collected. The license
agreement refers to a format prescribed by the government delineating the details required before
enrolling a customer as a subscriber.110 While these specifically require some information such as a
photo-identification of customers, unlike the banking sector, there is no demarcation between
mandatory and optional information.

Additionally, certain records and details are mandatorily required to be maintained and shared with authorities as required. These include a complete list of subscribers, with password-controlled access for designated security agencies. It is not clear what details regarding the subscribers are included in this database. Further, the license agreements require TSPs to analyse call detail records for outgoing calls made by subscribers where a large number of outgoing calls are being made. A record of the check has to be maintained by the TSP, and a list and details of suspected subscribers (those making a substantial number of calls exceeding the average) is to be shared with the designated monitoring cell.111

Commercial records, call detail records, IP detail records, etc. with regard to communications exchanged over the network are to be maintained by the TSPs. Insofar as commercial records are concerned, a limit of one year is prescribed after which the records can be destroyed;112 the language, however, does not appear to mandate such deletion.

b) Communication of information to individuals

Telecom-specific laws do not require the framing and publishing of a privacy policy, although TSPs do have in place, and put up, privacy policies or statements on their websites. Some of these seem to be based on the obligations in the IT Rules and contain information such as types of information collected, disclosure obligations, grievance officers, etc.113 There is no sector-specific rule requiring the subscriber (i.e. the data subject) to be informed of specific details before collection of information.

c) Obligation to maintain confidentiality and the consent exception

A TSP is required to safeguard information about a subscriber to whom it provides a service and from whom it has acquired such information by virtue of services provided. This seems to include information provided while applying for the service, such as name, address, contact details, etc. It could also include any other information collected while providing the service, such as call usage details or billing information.

110 Clause 39.17, UL Agreement - Format prescribed by the Licensor delineating the details of information required before enrolling a customer as a subscriber shall be followed by the Licensee. A photo identification of subscribers shall be pre-requisite before providing the service. The Licensor may prescribe service-wise detailed instructions for enrolment of subscriber and activation of service from time to time.
111 Clause 39.22 (ii), UL Agreement.
112 Clause 39.20, UL Agreement and Clause 41.17 of the Unified Access License Agreement.
113 Airtel Privacy Policy available at <http://www.airtel.in/forme/privacy-policy> (last accessed 21 November 2016); Vodafone's Privacy Policy available at <http://www.vodafone.in/privacy-policy> (last accessed 21 November 2016).

All such information has to be kept secure and confidential, and is to be used as necessary for
providing service. This confidentiality rule is not applicable when the subscriber has consented to
disclosure and the disclosure is in accordance with the terms of the consent.

As discussed earlier, unauthorised disclosure of information by telecom companies has been the subject of consumer disputes before consumer dispute redressal commissions. In Nivedita Sharma v. Bharti Tele Ventures, the receipt of unsolicited calls by the complainant, despite Bharti's privacy policy stating that it did not disclose personal information to third parties, was found to be in breach of the Consumer Protection Act 1986.114

This also led the National Consumer Disputes Redressal Commission to direct service providers to ask customers if they would be interested in being part of Do Not Call lists to avoid unsolicited calls. Subsequently, TRAI issued regulations for registration of telemarketers and creation of registers, pursuant to which customers could indicate their preferences regarding commercial communications: fully blocked, meaning stoppage of all commercial communication, or partial blockage with an exception for certain categories. These preferences are to be complied with by telemarketers.115

d) Mandatory sharing

As discussed under (a) above, certain details such as call records, list of subscribers, etc. would have
to be shared with security agencies. Additionally, the Telegraph Act also envisages interception of
messages transmitted through the network by the Government in emergencies. There are certain
procedural safeguards built in with respect to such intercepted messages, such as requirement to
maintain records, a 60-day limit for the direction ordering interception remaining in force and
provisions for further review of the direction.116 However, their adequacy and effectiveness as to
implementation have remained under the scanner.

e) Right of access

Details such as past usage charges, on request, for pre-paid subscribers,117 itemised billing
information for post-paid subscribers, and data usage charges118 are to be made available to
subscribers. As in the case of the banking regime, the sector-specific rules do not contemplate a
mechanism through which a data subject knows what all information about her is stored with a TSP
(other than through the privacy policy).

114 See Chapter I, p. 12 of this Report.
115 The Telecom Commercial Communications Customer Preference Regulations, 2010.
116 Rule 419A, Telegraph Rules. This rule was framed after the Supreme Court, in People's Union of Civil Liberties v. Union of India, AIR 1997 SC 568, recognised the importance of having safeguards in place and formulated certain procedural safeguards for this purpose.
117 Regulation 8, Telecom Consumer Protection Regulations, 2012 (TCPR).
118 Regulation 10, TCPR.

This regime does not contain significant privacy safeguards restricting use or retention of information, or require privacy policies, communication of information at the time of collection, or any significant rights relating to access and seeking correction. Privacy seems to have been a major concern only in dealing with telemarketers and unsolicited commercial communications. There also does not seem to be a viable enforcement mechanism specific to this regime for enforcement of privacy or non-disclosure rights.

Key takeaways

- Limited privacy safeguards.
- Obligation to maintain confidentiality and privacy subject to user authorisation.
- No comprehensive notice requirements.
- No separate enforcement mechanism.
- Limited details to be furnished to subscriber (such as past usage details and itemised bills).
- No mechanism for data subject to know what all information is being held with a bank.

While the above laws do contain provisions relating to consent and other privacy principles, their effectiveness in ensuring data protection and user control in practice remains uncertain. The IT Rules, although an attempt towards incorporation of privacy principles in India, are plagued with uncertainty as to their applicability, the interpretation of their principles, and the scope and manner of enforcement. Financial laws, and in particular the credit information regime, provide an elaborate set of privacy measures for credit institutions and CICs to follow. However, very little hinges on a data subject's consent, and rights of access and review seem to have been given short shrift. Also, the lack of useful mechanisms for redressal and remedies appears to have rendered the regime unenforceable. As far as the telecom sector is concerned, the law contains only limited provisions regarding protection of subscriber information and no means of seeking enforcement. Thinking around privacy, consent and information available with telecom companies is clearly at a nascent stage.

This understanding of the existing regime throws up the crucial aspects that an ideal regulatory
framework ought to contain. A snapshot of privacy principles in existing laws is provided in the table
below. The above descriptive exercise also sets the background for identifying and delving into best
practices from across the world in strengthening user control over data. This is done in the next two
sections of the Report.

Snapshot of Privacy Principles in existing laws

The table compares three regimes across five categories of information: General Regime (Personal information; Sensitive personal data or information (SPDI)), Financial laws (Personal information; Credit information) and Telecom laws (Customer information).

Types of information
- General Regime: Personal information; Sensitive personal data or information (SPDI)
- Financial laws: Personal information; Credit information
- Telecom laws: Customer information

Collection limitation (only information that is necessary for identified purposes to be collected)
- General Regime: Personal information: Not provided; SPDI: Exists
- Financial laws: Personal information: Exists; Credit information: Inadequate, as broad formulation requires all relevant information to be collected
- Telecom laws: Not provided

Privacy policies (requirement to frame and publish policies for privacy and data protection)
- General Regime: Required to frame and publish
- Financial laws: No separate requirement
- Telecom laws: No express requirement; regardless, several TSPs provide privacy policies in accordance with the IT Rules

Communication to data subject before collection (whether any specific details are to be intimated to data subject at the time of collection)
- General Regime: Personal information: Not required; SPDI: Required while seeking consent (with details such as intended recipients to be made known)
- Financial laws: Scattered and limited119
- Telecom laws: Not required

Consent before collection (seeking consent before collection of information)
- General Regime: Personal information: Not required; SPDI: Required from information provider (not data subject)
- Financial laws: Personal information: Specifically required for optional customer details that are not required for KYC; Credit information: Not expressly required but generally included in terms and conditions of customer agreement with bank
- Telecom laws: Not expressly required but sought while applying for service

Consent before disclosure to third parties (separate consent before disclosing information or use for other purposes)
- General Regime: Personal information: Not required; SPDI: Required from information provider (not data subject) unless envisaged in original contract
- Financial laws: Personal information: Generally required;120 Credit information: Not required for sharing with CICs and by CICs with specified users
- Telecom laws: Required

Right to access (availability and extent of data subject's rights over the information stored)
- General Regime: Available; data subject can seek correction; appointment of grievance officer
- Financial laws: Personal information: Not expressly provided; Credit information: Statements to be furnished, can access transaction details; can seek credit reports from CICs; adverse credit reports to be necessarily provided by potential lenders denying facility or service
- Telecom laws: Partial (usage details, billing information to be furnished)

Use limitation (information to be used for purposes specified unless consented to by data subjects)
- General Regime: Personal information: Exists; SPDI: Exists
- Financial laws: Personal information: Partial; for KYC purposes; Credit information: Strict; no provision for sharing with consent
- Telecom laws: Certain details like list of subscribers to be maintained for security reasons, but not an absolute prohibition on use for other purposes

Security principles (whether security measures are required to be maintained)
- General Regime: Required
- Financial laws: Required
- Telecom laws: Partial (specifically required for messages communicated over network, not for other details)

Enforcement mechanism (existence of remedies and specific enforcement machinery)
- General Regime: Personal information: Unclear; SPDI: Penalties in the IT Act, but could be limited to failure to meet reasonable security practices
- Financial laws: Possibly Banking Ombudsman
- Telecom laws: Not available

119 See Section C of this Chapter under heading (b).
120 Exceptions: Where there is a duty to public to disclose; disclosure pursuant to law; disclosure is in bank's interests.

Chapter II: International Practices

Nearly 90 countries around the world have data protection laws in some shape and form.121 While the core principles are largely the same, countries have pursued varying approaches for adopting and enforcing these.

The European Union (EU), which has taken a lead in protecting the privacy of the individual in the digital age, treats data protection as a fundamental human right, almost viewing it as the responsibility of the state to ensure.122 The EU approach places controls on processing by entities and provides individuals with rights to control such processing. The UK, which has given effect to the EU Directive, reflects this approach. In contrast, the US views privacy protection as emanating from the protection of liberty123 and contains a limited set of sector-specific legislations to address privacy. To a large extent, for the private sector, it relies on market mechanisms to ensure data protection.124 It is difficult to cull out a data privacy model from the US since the regime comprises ideas cutting across federal legislations, state laws, certain state constitutions, common law and the US Constitution, and also does not cover all types of data.125 Data protection in Canada is focused on autonomy, thereby allowing individuals to set limits upon both the public and private sector when it comes to collection and use of their personal information.126 Australia follows a similar approach. Both Canada and Australia appear to follow a co-regulatory approach, with industry standards being recognised and monitored by privacy commissioners.

This Report explores the data privacy norms in jurisdictions that, in our view, seek to protect individuals' autonomy and dignity by enabling them to exercise control over their personal data. This chapter studies the relevant principles applicable in the European Union with the newly introduced European Union General Data Protection Regulation,127 the United Kingdom128 (giving effect to the European Union Directive of 1995 on the subject of data protection129), Australia,130 and Canada.131 It may be noted that American law is bound to influence the development of the constitutional right to privacy in India and in setting limits of state intrusions into it. However, insofar as data protection is concerned, it does not offer a unified, clear, coherent model to adapt and has been left out of this analysis. The key concepts related to data protection are examined here with the practices followed in each of these jurisdictions.

121 Graham Greenleaf, Global Privacy Laws, (2012) 115 Privacy Laws & Business International Report.
122 Movius and Krup, Supra note 21.
123 Levin & Nicholson, Supra note 18 at 360.
124 Gregory Shaffer, Globalization and Social Protection: The Impact of EU and International Rules in the ratcheting up of U.S. Data Privacy Standards (2000) 25 Yale Journal of International Law 1, at 6.
125 Levin & Nicholson, Supra note 18 at 360.
126 Ibid at 357, 360.
127 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
128 UK Data Protection Act of 1998.
129 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
130 Australia Privacy Act of 1988.
131 Personal Information Protection and Electronic Documents Act 2000.

a) Coverage of entities and exemptions

Data protection norms are often not uniformly applicable to all entities. Some jurisdictions have
separate legislations for private organisations collecting and processing data and for government or
public bodies doing the same.132 In other jurisdictions, while the norms are applicable to all
organisations, exceptions are carved out for activities relating to law enforcement or criminal
investigations.133

European Union - The European Union General Data Protection Regulation134 is applicable to data controllers and data processors, who could be natural or legal persons, public authorities, agencies or any body which determines the purposes and means of the processing of personal data. Thus, as a general rule, the EU GDPR extends and applies to all private and public authorities, with uniform obligations placed on all entities. However, there are certain areas where Member States can restrict the scope of the GDPR obligations through legislation. These include: national security; defence; public security; investigation and prosecution of criminal offences; other important objectives of general public interest of the Union or of Member States.135

The obligations that can be restricted relate to the data protection principles, transparency and
notice requirements of an organisation processing data, information to be provided to a data subject
while collecting his personal information, right of access of the data subject, right to seek
rectification, right to erasure, data portability, etc. However, certain principles such as the
requirement to justify processing of data under one of the specified heads, and consent rules (where
relevant), would continue to be applicable.

United Kingdom - The UK has implemented the European Union Directive of 1995 through the Data Protection Act 1998. The UK Act extends to persons recognised in law, which includes individuals, organisations and other corporate and unincorporated bodies.136 The UK Act, however, exempts entities from certain processing obligations where the processing is for specified purposes, including: national security, crime and taxation, health, education, disclosure made by law or made in connection with legal proceedings, parliamentary privilege etc. The exemptions are from:

- subject information provisions: an organisation's duty to provide individuals with a privacy notice and individuals' right to make a subject access request; and/ or
- non-disclosure provisions: an organisation's duty to adhere to principles of fair processing,137 purpose specification,138 use limitation,139 data quality140 and time limitation.141 It also covers the right of the data subject to demand erasure, rectification, blockage or destruction of data in the event of inaccuracy.142

132 See Canada.
133 See European Union; United Kingdom.
134 The European Union General Data Protection Regulation (EU GDPR) was adopted by the European Parliament in April 2016 and will come into force after 2 years. Prior to this, data protection was governed by the EU Directive of 1995. With data going digital and giant strides in data processing practices over the years, the practices from two decades back were no longer considered adequate. This resulted in a comprehensive review and update of the data protection regime in Europe and the adoption of the EU GDPR. [shift to footnote maybe]
135 Section 5, Article 23, EU GDPR 2016.
136 Information Commissioner's Office, Key Definitions of the Data Protection Act <https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/#rights-obligations>.

Canada - In Canada, the Privacy Act governs the personal information about an individual held by a
government institution143. Processing of information by private organisations is governed by the
Personal Information Protection and Electronic Documents Act (PIPEDA). The obligations imposed
on government institutions under the Privacy Act are lenient compared to those placed on private
organisations under PIPEDA, and the need for strengthening the Privacy Act to incorporate a more
comprehensive set of norms is being discussed. 144 Canada's approach of separate legislations for
government and private entities should be viewed against the context in which it was developed.
Canada had initially decided to apply information privacy norms only to government bodies, and the
government was, at the time, content with encouraging private sector organisations to develop and
follow voluntary practices.145 However, this was soon considered insufficient and PIPEDA was
introduced to fill the gap. Privacy commissioners have argued for stronger principles, drawing from
PIPEDA, to be introduced into the Privacy Act as well.

Australia - In Australia, the Privacy Act of 1988 is the federal legislation governing information privacy
of individuals. The Privacy Act was initially applicable only to Australian government agencies but,
through subsequent amendments, was extended to credit reporting agencies and credit providers 146
and to some private sector organisations in 2001.147 The Act currently extends to agencies and
organisations, which are collectively referred to as APP entities. Agencies refers to government or
public sector entities including Ministers, Departments, bodies established under Commonwealth
enactments, federal courts, etc. Organisation refers to an individual, body corporate, partnership,
unincorporated association or a trust, but not small business operators (having a turnover of less
than 3 million in the previous financial year), registered political parties, etc. The small business
exception would not apply in certain cases, for instance, where the operators provide a health service
and hold health records; or disclose personal information about another individual to anyone else for
a benefit, service or advantage; or provide a benefit, service or advantage to collect personal
information about another individual from anyone else. Within the same statute, some principles are
applicable differently to public and private bodies.

137 The First Data Protection Principle, Part I, Schedule I, Data Protection Act of 1998.
138 The Second Data Protection Principle, Part I, Schedule I, Data Protection Act of 1998.
139 The Third Data Protection Principle, Part I, Schedule I, Data Protection Act of 1998.
140 The Fourth Data Protection Principle, Part I, Schedule I, Data Protection Act of 1998.
141 The Fifth Data Protection Principle, Part I, Schedule I, Data Protection Act of 1998.
142 Section 14(1) and 14(3), Data Protection Act 1998.
143 (a) any department or ministry of state of the Government of Canada, or any body or office, listed in the
schedule, and (b) any parent Crown corporation, and any wholly-owned subsidiary of such a corporation, within
the meaning of section 83 of the Financial Administration Act.
144 Office of Privacy Commissioner of Canada, Privacy Act Reform
<https://www.priv.gc.ca/information/pub/pa_reform_060605_e.asp#004>.
145 Parliament of Canada, Canada's Federal Privacy Laws
<http://www.lop.parl.gc.ca/content/lop/researchpublications/prb0744-e.htm#endnote15>.
146 Privacy Amendment 1990 which introduced Part IIIA of the Privacy Act.
147 Privacy Amendment (Public Sector) Act 2000.

The obligations under the Australian privacy law also do not apply to processing of information for
personal, family or household affairs.

The EU GDPR covers all types of entities and allows member states to exempt activities in
specialised fields, such as crime investigation, public security, etc. UK follows this approach
and contains certain exemptions for crime and taxation, national security, etc. but even in
such cases, does not entirely exclude the applicability of certain provisions. Canada has
laws covering both private and public sector entities. Australia has one statute covering all
entities with some distinctions in the application of privacy principles to private
organisations and government agencies.

b) Categories of data and their treatment

In most jurisdictions, information privacy principles extend to the processing of personal
information, that is, information that relates to a particular individual and that can identify the
individual.

EU GDPR - The EU GDPR extends to processing of personal data, which is defined as any information
relating to an identified or identifiable natural person. An identifiable person is one who can be
identified, directly or indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, online identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic, cultural or social identity of that person. 148

The GDPR provides separate rules for processing of special categories of data, listed as personal data
revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or
trade-union membership, genetic data, biometric data to uniquely identify a person, and data
concerning health or sex life and sexual orientation.

United Kingdom - The UK Data Protection Act extends to four types of data:

(i) Information which is processed, or recorded with the intention of being processed, through
equipment operating automatically (stored on a computer in electronic form),
(ii) Information which is recorded as part of a filing system (usually paper records),
(iii) Information which constitutes an accessible record (certain health records, educational
records and certain local authority housing or social services records, regardless of whether
the information is processed automatically or is held in a relevant filing system),
(iv) Information held by a public authority.149

148 Article 4(1), EU GDPR 2016.

The definition of personal data under the UK Act is similar to that under the EU GDPR, i.e. data relating to an
individual who can be identified from the data by itself, or from the data together with other information
which the organisation processing it already has or is likely to acquire. While the EU GDPR first requires a
determination of whether information is personal data and only then considers the mode of processing
(automated or filing system), the UK Act first requires an assessment of whether the information falls within
the four types of data listed, and then whether such data is personal data. Further, drawing
from the EU approach, the UK Act provides separate conditions for the processing of sensitive
personal data.150

Canada - PIPEDA extends to personal information, which is defined as information relating to an
identifiable individual. PIPEDA does not create a separate sub-category for sensitive information.
However, while discussing the consent principle and specifically the form of consent, it is
acknowledged that organisations should take into account the sensitivity of the information in
determining the form of consent.151 The Act does not enumerate the kind of information that is
sensitive, stating only that any information can be sensitive, depending on the context (although
information such as medical records and income records is generally always considered sensitive).
Regarding the form of consent, again instead of laying down a rule, it is only stated that explicit consent
is typically required when the information being processed is sensitive. 152 This has led to different
interpretations as to what can be considered sensitive and where implied consent would not suffice.
For instance, the use of palm-vein scanning for the purpose of identifying individuals and ensuring
the integrity of the Graduate Management Admission Test (GMAT) by the Graduate Management Admission
Council was not deemed to be inappropriate153 since the binary representation of a candidate's palm-vein
scan was not considered overly sensitive personal information in this specific case. 154 However, in a case
where the complainant was searching for information related to a medical device on health related
websites, the collection of such information for targeted advertisements by Google was deemed to
be inappropriate since personal health information is of a sensitive nature. 155

149 Section 1, UK Data Protection Act 1998.
150 Section 2 of the UK Data Protection Act of 1998 defines sensitive personal data as personal data consisting
of information concerning the data subject such as her racial or ethnic origin, political opinions, religious or
other beliefs of similar nature, membership of a trade union, physical or mental health or condition, sexual life,
commission or alleged commission of any offence, and proceedings, disposal of proceedings or the sentence of
any court in such proceedings with respect to commission or alleged commission of an offence.
151 Principle 4.3.4, Schedule 1, PIPEDA.
152 Principle 4.3.6, Schedule 1, PIPEDA.
153 Office of the Privacy Commissioner of Canada, Findings under the Personal Information Protection and
Electronic Documents Act (PIPEDA), PIPEDA Case summary #2011-012 <https://www.priv.gc.ca/cf-
dc/2011/2011_012_1027_e.asp>.
154 Office of Privacy Commissioner of Canada, Legal information related to PIPEDA
<https://www.priv.gc.ca/leg_c/interpretations_07_consent_e.asp>.

Australia - The Australian Privacy Act extends to processing of personal information, which is defined
in a similar manner as in other jurisdictions. 156 The Act creates a sub-category of sensitive information
and provides an exhaustive list157 of information that would be sensitive.

A study of the jurisdictions cited demonstrates that when it comes to creating
categories of data, the most common approach is to:

(i) Create a category of information that relates to an identified and
identifiable individual, and
(ii) Create another special category of sensitive information, with enumerated
attributes, which should not be processed unless certain conditions (more
stringent than for regular processing of data) are fulfilled.

c) Consent of the data subject

In some jurisdictions, consent is the primary basis for collecting, using or disclosing personal
information (all such activities collectively known as processing). However, in other jurisdictions,
chiefly the EU, consent is only one of the grounds for processing.

EU GDPR - There are six grounds on the basis of which personal information can be processed.158 They
include: consent, performance of a contract, compliance with a legal obligation, protection of vital
interest, public interest, and legitimate interest pursued by the controller. 159

155 Office of Privacy Commissioner of Canada, Findings under the Personal Information Protection and Electronic
Documents Act (PIPEDA), PIPEDA Report of Findings #2014-001 <https://www.priv.gc.ca/cf-
dc/2014/2014_001_0114_e.asp>.
156 Section 6, Division 1, Part II, Australia Privacy Act 1988.
157 Ibid.
158 Article 6, EU GDPR 2016.
159 In detail, the grounds are as follows:
(i) The consent of the data subject has been obtained for processing for one or more specific purposes;
(ii) The performance of a contract to which the data subject is a party or in order to take steps for entering
such contract at the request of the data subject;
(iii) Compliance with a legal obligation to which the data controller is subject;
(iv) Protection of vital interests of the data subject or another natural person;
(v) Performance of a task carried out in public interest or in the exercise of official authority vested in the
controller;
(vi) Legitimate interest pursued by the controller or third party, except where such interests are over-
ridden by interests, fundamental rights or freedoms of the data subject which require protection of
personal data. However, this condition does not apply to processing carried out by public authorities in
the performance of their tasks.

The order in which these grounds are listed (which is replicated from the earlier EU Directive) is
interpreted by some as indicating a hierarchy of importance, with consent being the preferred
ground. However, this view has been refuted by the Data Protection Working Party160 and each of
these grounds is considered equal in law.161 Reliance on consent would not absolve an organisation of its other
data processing obligations. A view has also been expressed that consent is not a desirable
ground in all circumstances: where the elements that constitute valid consent are unlikely to
be present, relying on it would lead to great vulnerability and, in practice, would weaken the
position of data subjects.162 For instance, if a summary of health records is being
created by a public authority, and patients' consent is sought while creating it, consent would not
be an appropriate ground for processing if patients refusing the system have to pay substantial extra
costs. Here the consent would not be sufficiently free, and it would be more appropriate to rely on
a different ground for processing, such as compliance with a legal obligation or by authority of law.

Under the GDPR, for processing of personal data, consent is required to be freely given, specific,
informed and unambiguous. It has to be expressed by a statement or by clear affirmative action.
Consent for processing of personal data can no longer be inferred through silence, inaction or pre-
ticked boxes.163 Also, consent has to be explicit for sensitive data. There has been some debate
regarding the actual difference between unambiguous and explicit consent, but the distinction is
deliberate, although how it is eventually translated into practice remains to be seen.

The requirement that consent has to be through affirmative action gives the impression that even
unambiguous consent would always require the data subject to tick a box or expressly opt in.164 This
is not clear, however, since the GDPR also provides that, besides ticking a box when visiting an
Internet website or choosing technical settings for information society services, consent can also be
given through another statement or conduct which clearly indicates in this context the data subject's
acceptance of the proposed processing of his or her personal data.165

Canada

PIPEDA provides different conditions for collection, use and disclosure of personal information,
unlike the EU and UK, which collapse these different processes within the larger definition of
processing. The Principles set out in the schedule of the Act necessitate consent for all of the above.166

160 EU Data Protection Working Party, Opinion 06/2014 on the notion of legitimate interests of the data
controller under Article 7 of Directive 95/46/EC adopted on 9 April 2014.
161 Ibid.
162 EU Data Protection Working Party, Opinion 15/2011 on the definition of consent adopted on 13 July 2011.
163 Recital 32, EU GDPR 2016.
164 Ibid.
165 Ibid.
166 Principle 4.3, Schedule 1, PIPEDA 2000.

Further, the form of consent required depends on the circumstances and the type of information
being collected.167 While express consent is necessary for sensitive information, implied consent is
sufficient for non-sensitive information.168 However, it must be noted that the PIPEDA principles are
recommendatory and not mandatory in nature.169 Data can also be collected, used and disclosed in
the absence of consent, but the conditions for each of these activities vary.

Australia - In Australia's Privacy Act, consent is not directly a pre-requisite for collecting personal
information. The only requirement before collecting personal information is that the information
should be reasonably necessary for the agency's (government body) or organisation's (private entity)
activities. For agencies, i.e. government bodies, it would also suffice if the information is directly
related to the agency's functions or activities. 170 Additionally, the privacy principles set out in the
Act provide that personal information should be collected directly from the individual unless the
individual has consented to collection from other sources or if it is authorised by law. 171 Thus, in
some sense, knowledge or consent of the individual before collection is provided for. For sensitive
information, the bar is significantly higher, in as much as the individual's consent is required in
addition to the condition that the activity be reasonably necessary for the entity's functions.

Under the Act, consent is simply defined to mean express consent or implied consent. The other
grounds include authorisation by or under an Australian law or a Court/Tribunal order and the
existence of a permitted general or health situation, amongst others. 172 Australia does not treat
consent as a discrete privacy principle; consent operates as the basis for handling of information or
as an exception to a general prohibition. The Australian Law Reform Commission (ALRC) had rejected
submissions aimed at elevating consent to a discrete principle. 173

Consent is an important concept across jurisdictions. While in the EU there are other grounds
for processing, several of these are posited as exceptions and considered desirable where either
consent cannot be obtained or the particular circumstances make consent inappropriate for
the situation. Canada and Australia also indicate a preference for elevating consent (or at least
knowledge, in the case of Australia) to the primary basis for collection.

167 Principle 4.3.4, Schedule 1, PIPEDA 2000.
168 Principle 4.3.6, Schedule 1, PIPEDA 2000.
169 Section 5(2), PIPEDA 2000.
170 Schedule 1, Part 2, Privacy Principle 3, Privacy Act 1988.
171 Privacy Principle 3, Clause 6, Privacy Act 1988.
172 Ibid.
173 Australian Law Reform Commission, Report on Australian Privacy Law and Practice, Vol. 2
<http://www.alrc.gov.au/sites/default/files/pdfs/publications/108_vol2.pdf>.

d) Other grounds of processing

EU GDPR

As discussed above, there are five additional grounds on the basis of which an individual's personal
information can be collected and used. Each of these is briefly discussed below:

Performance of Contract:

This ground covers two scenarios. First, where processing is necessary for the performance of a
contract to which the data subject is a party. This provision calls for a strict interpretation and does
not cover situations where processing is not genuinely necessary for the performance of a contract,
even if such data processing is specifically mentioned in the contract. 174 For this, a determination of
the precise rationale of the contract, namely, its substance and fundamental objective, is essential. 175
For instance, processing the address of an individual to facilitate delivery of goods purchased online
by him could be covered under this head. However, building a profile of a user based on items
purchased might not be justified under it. The second scenario covers pre-contractual relations,
provided that the steps are taken at the request of the data subject. 176

Legal Obligation:

For this ground to be applicable, the obligation must be imposed by a law, and such law must comply
with data protection law, including the requirements of necessity and proportionality as well as purpose
limitation.177 For instance, financial institutions required to report suspicious transactions under anti-
money laundering laws would be covered by this ground.

Vital Interest:

In interpreting this ground, the Working Party has referred to its limited application to situations
involving questions of life and death, or at the very least, threats that pose a risk of injury or other
damage to the health of the data subject. It could also include instances such as processing being
necessary for humanitarian purposes such as for monitoring an epidemic and its spread. 178 Further,
the Working Party also suggests that in situations where there is a possibility and need to request
valid consent, the same should be sought whenever practicable.179 The EU GDPR itself indicates that
processing to protect the vital interests of another natural person is to be relied upon only when the
processing cannot be manifestly based on another legal basis. 180

174 Working Party Opinion, Supra note 162.
175 Ibid.
176 Ibid.
177 Ibid.
178 Recital 46, EU GDPR 2016.
179 Working Party Opinion, Supra note 162.
180 Recital 46, EU GDPR 2016.

Public Interest or exercise of official authority:

The ground dealing with public interest covers two situations. First, where the controller itself has
official authority or a public interest task and processing is essential for exercising such authority or
performing the public task.181 Second, where the controller does not have official authority but
disclosure is requested by a third party having such authority. 182 Further, this ground can also cover
situations where the controller proactively discloses data to a third party having the requisite official
authority.183 It is suggested that since this provision has the potential for broad application, a strict
and case by case interpretation is desirable.184

Legitimate Interest:

This ground demands the carrying out of a balancing test between the legitimate interests of the
controller or third parties on one hand, and the interests or fundamental rights and freedoms of the
data subject on the other.185 However, such a test is not a straightforward exercise of weighing
two easily quantifiable and comparable weights. Rather, it involves a complex
assessment of a number of factors which fall under the broad heads of (a) assessing the controller's
legitimate interest, (b) impact on the data subjects, (c) provisional balance and (d) additional
safeguards applied by the controller to prevent any undue impact on the data subjects. 186

An interest can be deemed legitimate provided the controller can pursue it in a manner which is in
accordance with data protection and other laws, i.e. the legitimate interest is acceptable under the
law.187 For instance, controllers may have a legitimate interest in getting to know their customers'
preferences to develop marketing strategies. However, this does not mean that they can, along with
other entities such as data brokers, unduly monitor on- and off-line activities of customers, combine
data about them collected in different contexts and engage in profiling activities. Such profiling
activity is likely to present a significant intrusion into privacy, thereby being detrimental to the rights
and interests of the data subject.188

UK

Drawing from the EU approach, personal data can be processed if one of the permissible grounds is
attracted. The first four conditions are largely similar to the grounds provided in the EU GDPR.
However, the public interest condition is not expressed in a manner similar to the EU GDPR. Instead,
the Act lists out that the processing should be necessary for: (a) administration of justice; (b) exercise of
functions of either House of Parliament; (c) exercise of functions conferred on any person by or under
any enactment; (d) exercise of functions of the Crown, a Minister of the Crown or a government
department; and (e) exercise of any other function of a public nature exercised in the public interest by
any person.189 The final ground relates to the legitimate interests condition, with the exception of
situations where the processing is unwarranted in any particular case by reason of prejudice to the
rights and freedoms or legitimate interests of the data subject.

181 Working Party Opinion, Supra note 162.
182 Ibid.
183 Ibid.
184 Ibid.
185 Ibid.
186 Ibid.
187 Ibid.
188 Ibid.

Canada

In Canada, under PIPEDA, consent is the primary basis for collecting data. Data can be collected
in the absence of consent where, amongst other grounds, such collection is in the interests of the
individual and consent cannot be obtained in a timely way; where collection is solely for journalistic,
artistic or literary purposes; or where it is reasonable to expect that collection with consent would
compromise the availability or accuracy of the data.190 Some grounds on the basis of which personal
information can be used in the absence of consent include: where there is reasonable ground to believe
that it can be useful in the investigation of a contravention of law, or for the purpose of acting in an
emergency which threatens the life, health or security of an individual, etc.191 Finally, information can be
disclosed without consent on grounds such as: collecting a debt, disclosure required to comply with a subpoena
or warrant, or an emergency that threatens the life, health or security of an individual, amongst others. 192

Australia

The Australian Privacy Principles set out in the Act require that entities collect personal data
directly from individuals (although they do not mandate consent directly). Entities may collect data
from other sources if individuals have consented to such collection or when the collection is authorised
by law.193

e) Conveying information to data subjects

This draws from various core principles, including notice or openness, purpose limitation and use
limitation. At the time of collection of information from data subjects, certain details are required
to be communicated to them. These differ slightly across jurisdictions but largely include the
following:194

(i) Identity and contact details of the controller,
(ii) Purposes of the processing and the legal basis for the processing,
(iii) Whether the provision of personal data is necessary or required under statute or contract,
or if it is necessary to enter into a contract, and consequences of failure to provide data,
(iv) Recipients or categories of recipients of the data,
(v) The period for which the personal data will be stored,
(vi) The existence of the right to access and rectification of personal information held by an
entity,
(vii) The existence of the right to lodge complaints with supervisory authorities,
(viii) The right to withdraw consent at any point (where applicable).

189 Schedule 2, UK Data Protection Act 1998.
190 Section 7(1), PIPEDA.
191 Section 7(2), PIPEDA.
192 Section 7(3), PIPEDA.
193 Privacy Principle 3, Schedule 1, Australia Privacy Act 1988.
194 Article 14, EU GDPR 2016.

f) Individuals' rights of access, rectification and restricting processing

Most jurisdictions allow individuals the right to view their personal information held by an entity and
seek corrections, where necessary. This is consistent with the Individual Participation and Data
Quality principles of data protection.

European Union

The EU GDPR encapsulates a gamut of rights for the data subject and provides avenues for securing
ongoing control over their personal data. The first amongst them is the right to receive information
concerning the identity and contact details of the data controller, the purpose of processing as well as the
legal basis of such processing, and information concerning the existence of the other rights of the
data subject in relation to the data controller.195 Further, the data subject has the right to access her
personal data, which includes the right to confirm whether her personal data is being processed or
not, and in the event that it is, information concerning the purpose of processing, the categories of
personal data being processed, the recipients of such personal data, and the period of storage of personal
data, amongst others.196

Additionally, the data subject also has the right to seek erasure as well as the right to seek
rectification of her data, subject to certain grounds and exceptions. Further, the right to restrict
processing is also housed in the GDPR.

United Kingdom

The UK Data Protection Act of 1998 borrows from the EU Directive of 1995 and vests the data subject
with an array of rights. First amongst these is the right to access personal data197, which includes the
right to be informed about whether one's personal data is being processed 198, and in the event it is,
the description of such personal data 199, the purpose of processing200, and the recipients to whom
such data may be disclosed201. Further, the data subject also has a right to prevent processing in the
event that such processing is likely to cause substantial damage or substantial distress to her or
another, and that such damage or distress is or would be unwarranted. 202 However, such right is not
absolute and is subject to exceptions.203 Further, the data subject, in the event that her personal
data is inaccurate, has the right to approach the appropriate Court for an order which directs the
data controller to rectify, block, erase or destroy those data, including data which contains an
expression of opinion which appears to the Court to be based on inaccurate data. 204 However, just
like the right to access, this right is not absolute and is subject to exceptions. 205 Finally, the data
subject also has a right to receive compensation in the event she suffers damage or distress by reason
of any contravention by the data controller of any of the requirements of the Act, or where the contravention
relates to the processing of personal data for special purposes. 206

195 Article 13, EU GDPR 2016.
196 Article 15, EU GDPR 2016.
197 Section 7, UK Data Protection Act of 1998.
198 Section 7(1)(a), UK Data Protection Act of 1998.
199 Section 7(1)(b)(i), UK Data Protection Act of 1998.
200 Section 7(1)(b)(ii), UK Data Protection Act of 1998.
201 Section 7(1)(b)(iii), UK Data Protection Act of 1998.

Canada

The principle of individual access is contained in Schedule 1 207 of PIPEDA. These standards are
recommendatory in nature. The principle of individual access allows an individual, upon request, to
be informed of the existence, use and disclosure of her personal information. 208 This principle also
incorporates the principle of data quality, as it allows the data subject to challenge the accuracy and
completeness of her information and have it amended.209 However, there can be exceptions to
individual access. These exceptions have to be limited and specific and can include situations
where the disclosure of such information is prohibitively costly, amongst others. 210

Australia

A data subject has the right to access personal information held by an APP entity. 211 However, such
right is not absolute and is subject to exceptions. If the APP entity is an agency (government body),
then disclosure can be refused under the Freedom of Information Act or other appropriate
laws/enactments.212 If the APP entity is an organisation (private entity), access can be refused on
certain grounds, such as: belief that access would pose a serious threat to the life, health or safety
of any individual, or to public health or public safety, or that such access would have an unreasonable
impact on the privacy of others, amongst others.213

202 Section 10(1), UK Data Protection Act of 1998.
203 Section 10(2), UK Data Protection Act of 1998; Exceptions include situations such as when the data subject
has already given consent for processing, or cases as prescribed by the Secretary of State by order, amongst
others.
204 Section 14(1), UK Data Protection Act of 1998.
205 Section 14(2), UK Data Protection Act of 1998.
206 Section 13, Data Protection Act of 1998.
207 Schedule 1 of PIPEDA houses the National Standard of Canada entitled Model Code for the Protection of
Personal Information.
208 4.9, Principle 9, Schedule 1, PIPEDA.
209 Ibid.
210 Ibid.
211 Principle 12.1, Part 5, Schedule 1, Privacy Act of 1988.
212 Principle 12.2, Part 5 of Schedule 1, Privacy Act of 1988.

Further, in the event that the personal information held by the APP entity is inaccurate, not
up-to-date, incomplete, irrelevant or misleading, the data subject has the right to make a
request to such entity to correct her personal data.214

The substantive rights set out for individuals have the potential to secure ongoing control for
individuals over their personal data. All the jurisdictions studied have important access
provisions. The EU and UK also significantly empower individuals by allowing them to restrict
processing and seek erasure in appropriate cases.

g) Enforcement machinery

European Union

The EU GDPR requires each Member State to have a supervisory authority in place for monitoring the
application of the Regulation. The GDPR seeks transparent appointment215 and independent
functioning216 of such supervisory authorities and vests in them the duty to deal with and investigate
complaints relating to the breach of any of the rights of the data subject.217 The supervisory authority
is granted a range of investigative powers218 and corrective powers.219

The data subject has a right to lodge a complaint with the supervisory authority in the event that
they consider that the processing of personal data relating to them does not comply with the
Regulation.220 However, the data subject continues to retain their right to pursue a judicial remedy221
by initiating proceedings before the relevant Court.222

United Kingdom

An Information Commissioner is set up as the authority under the UK Data Protection Act for ensuring
compliance with data protection obligations. The Commissioner can take certain actions under the
statute, including issuance of enforcement notices to data controllers (in case of contravention),
assessment notices (with a range of powers, including the right to enter the specified premises223
and access documents of a specified description,224 amongst others,225 to determine compliance)226 and
information notices (for deciding whether the data controller has complied with the data protection
principles).227 Failure to comply with any of these notices constitutes an offence under the statute.228
Further, the Commissioner can also impose a monetary penalty on the contravening party.229

Further, under the Act, the competent Court is empowered to direct compliance in the event of
violation of a right of the data subject.230 However, the proceedings before the Court can only be
initiated by the Commissioner or with the consent of the Director of Public Prosecutions.231

213 Principle 12.3, Part 5 of Schedule 1, Privacy Act of 1988.
214 Principle 13.1, Part 5 of Schedule 1, Privacy Act of 1988.
215 Article 43(1), EU GDPR 2016.
216 Article 42, EU GDPR 2016.
217 Article 46(1)(f), EU GDPR 2016.
218 Article 47(1), EU GDPR 2016.
219 Article 47(2), EU GDPR 2016.
220 Article 52(1), EU GDPR 2016.
221 Article 54, EU GDPR 2016.
222 Ibid.

Canada

Contravention of privacy principles set forth in the PIPEDA232 can give rise to a cause of action under
the statute. The enforcement mechanism can be triggered either by the filing of a complaint by an
individual233 or by the Privacy Commissioner234 taking suo moto cognizance. Upon a complaint being
filed, the Commissioner serves notice to the concerned organisation and may conduct an
investigation.235 The Commissioner may, if feasible, also attempt to resolve complaints by means of
dispute resolution mechanisms such as mediation and conciliation.236 The PIPEDA Annual Report of
2014 reveals that around half of the dispositions were early resolutions, which are resolved through
mediation, negotiation and persuasion.237

223 Article 41A(3)(a), Data Protection Act 1998.
224 Article 41A(3)(b), Data Protection Act 1998.
225 Article 41A(3), Data Protection Act 1998.
226 Section 41A, Data Protection Act 1998.
227 Section 43(1)(b), Data Protection Act 1998.
228 Section 47, Data Protection Act 1998.
229 Sections 55A, 55B, 55C, 55D, 55E and 60, Data Protection Act 1998.
230 High Court or County Court in England, Northern Ireland and Wales, and the Sessions Court or Sheriff in
Scotland.
231 Section 60, Data Protection Act of 1998.
232 Division 1, Part 1, PIPEDA 2000 and National Standard of Canada entitled Model Code of Personal Information
contained in Schedule 1 of PIPEDA. While Division 1, Part 1 lays down provisions for the protection of personal
information, Schedule 1 sets out the core privacy principles.
233 Section 11(1), Part 1, PIPEDA.
234 The definition section defines Commissioner as follows: Commissioner means the Privacy Commissioner
appointed under section 53 of the Privacy Act.
235 Sections 11(4) and 12, Part 1, PIPEDA.
236 Section 12.1(2), Part 1, PIPEDA.
237 185 out of 375 cases. Privacy Commissioner of Canada, Annual Report to Parliament 2014, Privacy Protection,
A Global Affair <https://www.priv.gc.ca/information/ar/201415/2014_pipeda_e.pdf>.
49

After investigation, the Commissioner is required to prepare a report, which may include the judicial
recourse available.238 In the event that the Commissioner proposes judicial recourse,239 the
complainant may apply for a hearing to the Court in respect of any matter concerning which the
complaint was made, or that is referred to in the Commissioner's report.240

Finally, the Commissioner is also empowered to enter into a compliance agreement with an
organisation if she believes that the organisation has committed or is likely to commit a contravention
of the rights of the data subject.241 However, such compliance agreements do not take away the right
of the individual complainant to make an application to the Court.242

It has been observed that organisations sometimes ignore the recommendations of the Privacy
Commissioner until the matter goes to Court, or merely pay lip service to her when engaging in a
consultative exercise, ultimately ignoring her advice.243 The need to move from a framework of soft
recommendations for non-compliance to a more effective regime that protects data in a rapidly
changing environment where privacy risks are high has also been observed.244

Australia

Complaints for breach of privacy principles under the Privacy Act can be individual or representative
and are made to the Information Commissioner appointed under the Australian Information
Commissioner Act 2010.245 If the Commissioner is of the opinion that the complaint may reasonably be
conciliated, then she must take reasonable steps to conciliate the complaint.246

However, if conciliation is not feasible, and an investigation carried out by the Commissioner leads
to the finding of a substantiated complaint, she can make a determination. This can include a
declaration that the respondent engaged in conduct that amounted to an interference with privacy
and must not repeat or continue such conduct,247 or must take specified steps to ensure that such
conduct is not repeated or continued,248 or that the respondent must perform a reasonable act to
redress loss suffered by the complainant.249 The Commissioner can also arrive at the finding that the
complainant is entitled to a specified amount by way of compensation for any loss suffered.250
Further, she may decide that it would be inappropriate to take further action in the matter.251 Such
declarations can also be made in the event of suo moto action.252

238 Section 13, Part 1, PIPEDA.
239 Section 13(1)(d), Part 1, PIPEDA.
240 Section 14(1), Part 1, PIPEDA.
241 Section 17.1(1), Part 1, PIPEDA.
242 Section 17.1(4)(a), Part 1, PIPEDA.
243 Office of the Privacy Commissioner of Canada, The Case for Reforming the Personal Information Protection
and Electronic Documents Act <https://www.priv.gc.ca/parl/2013/pipeda_r_201305_e.asp#toc4a>.
244 Ibid.
245 Section 37, Privacy Act 1988. Individual complaints are made by individuals who may have experienced an
interference with their privacy, whereas representative complaints are made by an individual on behalf of 2 or
more individuals who may have experienced an interference with their privacy by the same act.
246 Section 40(A), Privacy Act 1988.
247 Section 52(1)(b)(i)(A) and (B), Privacy Act 1988.
248 Section 52(1)(ia), Privacy Act 1988.
249 Section 52(1)(ii), Privacy Act 1988.

All the jurisdictions studied have independent authorities for the purpose of implementing their
respective data protection laws. Such authorities can hear complaints and conduct investigations
into violations. Some commissioners are empowered to directly take action to secure compliance
while others provide the mechanism through which individuals or the commissioners can then
approach courts for appropriate remedy.

250 Section 52(1)(iii), Privacy Act 1988.
251 Section 52(1)(iv), Privacy Act 1988.
252 Section 52(1A), Privacy Act 1988.

Chapter III: The Way Forward

From the above, it is clear that the existing data protection norms contained in the IT Rules are
inadequate and address only a portion of what jurisdictions across the world have done for data
protection. In addition to drafting ambiguities, significant hurdles that plague their efficacy are the
exclusion of government bodies and the lack of independent and effective enforcement. From the
examination of best practices across jurisdictions, the clear way forward is for India to expressly
recognise the right to protection of personal data. Flowing from this, obligations should be placed on
organisations handling personal data, rights of control conferred on data subjects, and an effective
enforcement machinery established to ensure compliance with obligations and protection of rights.
This should be applicable to all types of data, whether financial, telecom, health or otherwise. Any
additional obligations contained in sector-specific laws, such as applicable RBI directives or TRAI
regulations, should additionally be applicable to the particular types of data they govern.

In this section, we have set out the key components of a good data protection regime. As indicated
earlier, we have limited our recommendations to routine data processing and not delved into
specialised data collection such as limits on powers of intelligence agencies relating to surveillance,
interception, etc. or aspects of non-informational privacy such as freedom to make choices relating
to sexual or reproductive rights.

A. KEY COMPONENTS OF A DATA PROTECTION REGIME

a) Coverage of entities

Issue: Which entities should be required to comply with data protection norms?

Indian law: Currently, the data protection rules only cover body corporates handling personal
information. This excludes the public sector. It is also unclear if this includes an organisation that
does not directly undertake collection, storage or other acts but outsources these to a third party.

International experiences: Most jurisdictions that have strong data protection laws for the private
sector also have laws covering the public sector. This could be through the same legislation or a
different one, with different rules. Very few countries exclude the public sector entirely.253

The EU GDPR extends to data controllers and data processors. Controllers are entities that define the
purpose for processing and control the data-related activities generally. Processors are the entities
that actually carry out activities of collecting, using, storing, etc. Distinct obligations are placed on
controllers and processors. Drawing a distinction between the two can sometimes prove
challenging254 but may be necessary to ensure that the organisation that has overall control over the
processing also bears responsibility for it. For instance, if a telecom company contracts an agency to
store personal data of its customers, the telecom company is the controller that should have overall
responsibility for any breach.

Australia has an exemption for small business operators.

Way forward: Data protection rules should be applicable to all entities and persons handling personal
data, both private and public sector bodies. There is no rationale as to why principles such as
openness, purpose limitation, use limitation, etc. should not be applicable to public bodies generally.
Certain specialised functions, such as those related to crime and investigation, national security and
taxation, should be exempted from the general obligations and should be subject to specific rules.
The exemptions are discussed below at para (o).

The concepts of data controller and data processor should be introduced and their respective
obligations towards data subjects should be clarified.

253 Graham Greenleaf, Global data privacy laws: 89 countries and accelerating (2012) 115 Privacy Laws &
Business International Report.

b) Coverage of information

Issue: What information should be covered?

Indian law: The IT Rules largely deal with sensitive personal information or data. While certain
obligations in respect of personal information are also included, the scope of the rules is unclear.

International experiences: All jurisdictions studied cover personal information or data, which relates
to an identifiable individual. Most have a sub-set of sensitive information for which either there is a
requirement for consent, or a higher standard for consent. All other norms, such as notice, purpose
limitation, organisational measures, etc., are applicable to all personal data.

Way forward: Data privacy norms should extend to processing of all personal data and not merely
sensitive personal data. Personal data should be defined to relate to an identified or identifiable
individual, by itself or with other information likely to be with an organisation (similar to the IT
Rules definition). Further, certain additional attributes should be covered within sensitive personal
data, which include political opinions, religion, caste or ethnic origin.

254 EU Data Protection Working Party, Opinion 1/2010 on the concepts of controller and processor, adopted
on 16 February 2010.

c) Processing

Issue: What activities related to personal data should be regulated?

Indian law: The IT Rules place an obligation to obtain consent before collecting sensitive personal
information. They also require consent prior to disclosure, and that information should only be stored
as long as necessary for the specified purpose.

International experiences: In addition to these three activities, there may be additional acts related
to the data, such as modifying, using or analysing the data, which should also find legal basis in
either consent or another ground.

The EU GDPR has an all-encompassing term, "processing", for any acts related to personal data. Any
processing has to find basis in one of the grounds specified in the GDPR for processing, such as
consent, compliance with a legal obligation, etc. This would imply that any action related to the data
finds legal basis in either consent or one of the other grounds.

Way forward: The concept of processing should be introduced to cover the wide range of activities
relating to data, such as collection, use, recording, alteration, erasure, etc. Within this, specific acts
such as collection, storage or use may have additional obligations associated with them. For instance,
at the time of collection of personal data, an individual should be given notice of certain details that
would ensure that her consent is meaningful. An organisation should not be permitted to retain
personal data for a period longer than necessary for the specified purposes.

d) Limits to collection

Issue: The collection limitation principle requires that there should be limits to the collection of
personal data, and any such data should be obtained by lawful and fair means and, where
appropriate, with the knowledge or consent of the data subject. How should collection be limited?

Indian law: Sensitive personal data can only be collected for a lawful purpose which is connected with
a function or activity of the body corporate collecting such information, and if such collection is
necessary for such purpose. No such obligation is prescribed for collection of personal data which is
not sensitive.

International experiences: Innovative means for ensuring fair and lawful processing emerging across
the world include conducting risk impact assessments prior to processing. In Australia, the Privacy
Commissioner can direct agencies (government bodies) to conduct privacy impact assessments in
case the Commissioner considers that the activity may have a significant impact on individuals'
privacy. Such assessment would identify the impact and recommend measures to minimise it.255

The EU GDPR also introduces the concept of data protection impact assessment for activities that are
likely to result in high risk to individuals. The organisation may also be required to consult the
supervisory authority if the assessment shows a high risk in the absence of mitigating measures.

Way forward: Collection limitation should extend to all personal data and not just sensitive personal
data. In addition, to establish and demonstrate necessity for a purpose, exercises such as impact
assessments should be carried out by the controller in the event that there is likely to be a
significant impact on individuals' privacy from such processing.

e) Purpose specification and use limitation

Issue: What can an individual's personal information held by an entity be used for?

Indian law: The IT Rules prescribe that sensitive personal information or data is to be used only for
the purpose for which it has been collected. No such obligation is prescribed for personal information
which is not sensitive.

International experiences: Primarily, personal data is to be used for the purpose for which it was
collected. However, most jurisdictions also allow further processing for secondary purposes in
limited cases. The EU GDPR permits processing for secondary purposes that are not incompatible
with the purpose for which data was collected. To determine whether the secondary purpose is
incompatible, the following factors are considered: (1) any link between the purposes, (2) the context
in which data was collected, (3) the nature of the personal data, (4) the possible consequences of the
intended processing, and (5) the existence of appropriate safeguards, including encryption. The GDPR
also considers further processing for archiving purposes in the public interest, or for scientific and
historical research purposes or statistical purposes, as compatible lawful processing operations.

Australia does not permit processing for a secondary purpose unless the individual has consented to
the secondary purpose; or if the individual would reasonably expect the organisation to process the
information for the secondary purpose, and the secondary purpose is related to the primary (directly
related in the case of sensitive personal data).

Way forward: Processing for a secondary purpose should only be permitted if the individual has
consented to it or if further processing finds legal basis in one of the other grounds, such as
compliance with a legal obligation. Additionally, further processing could also be permitted if an
individual could reasonably expect the organisation to process the information for the secondary
purpose, and it is related to the primary purpose (following the Australian approach). Further
processing for archiving purposes in the public interest or for scientific and historical research or
statistical purposes could also be an exception.

The test of incompatibility, although fairly widespread, could prove to be very subjective and enable
processing for a wide array of unrelated activities.

255 Section 33D, Privacy Act 1988.

f) Consent as primary basis of all processing

Issue: Should consent of an individual be required for all processing activities relating to her
personal data? What should be the other grounds for processing, or exceptions to the consent
requirement?

Indian law: Consent is required from the provider of information before collecting sensitive personal
data or information.

International experiences: There are two approaches to this. First, consent is listed as one of the
grounds on the basis of which an individual's personal information can be collected, used, stored or
disclosed. This is the approach followed in the EU GDPR, which provides six grounds for processing of
data. Consent is one of the grounds.

The second approach is placing consent as the primary requirement before collecting personal
information. In the event consent cannot be obtained, certain exceptions are provided. This is
followed in Canada.

Way forward: Consent of an individual should be obtained before collecting her personal information,
and not just sensitive information. The consent may be implied or explicit in the case of personal
information, while for sensitive personal information the consent should be explicit. Explicit consent
is a higher threshold that signifies an act by the individual, whereas implied consent could also be
satisfied through pre-ticked boxes.

This should not mean that separate consent is required for each stage or act of processing. It is
important to be cognisant of the problem of consent fatigue.

In the event consent cannot be obtained, data should be processed only in specified circumstances:
(1) the processing is necessary for performance of a contract that the data subject has entered into
with the data controller; (2) the processing is necessary for compliance with a legal obligation
prescribed in law; (3) the processing is necessary for discharging a public duty by a public authority,
prescribed in law; or (4) the processing is necessary for protecting the life or health of the data
subject or any other person.

g) Individuals' rights of access

Issue: What rights should an individual have over her personal information held by an organisation?

Indian law: An individual has the right to access her information and seek corrections, where
necessary.

International experiences: Under the EU GDPR, individuals have the right to obtain confirmation from
controllers as to whether personal information about them is available with an organisation. If so, the
purpose of processing, the categories of data being processed, the intended recipients, the period of
storage, and the rights to restrict processing and to file complaints are to be communicated.

In Australia, organisations can refuse access requests on grounds such as public health, public safety,
etc., and government entities can refuse disclosure under their Freedom of Information Act. In
Canada, the grounds for refusal include where providing access would be prohibitively costly, where
the information contains references to other individuals, where it cannot be disclosed for legal or
security reasons, or where it is subject to litigation privilege.

Way forward: Individuals should have the right to obtain, upon request, confirmation regarding the
personal information about them that is held by an organisation. They should also be informed what
the information is, the purpose of processing, the intended recipients, the rights associated with
access and seeking restriction of processing, the contact details of the data protection officer, and
the procedure to file complaints with such officers and with the independent supervisory authority.

Organisations that are exempt from the general data protection obligations would not be required to
provide access. Such exemptions would include entities such as tax authorities, law enforcement
agencies, etc.

h) Right to restrict processing

Issue: In what circumstances should an individual be able to prevent processing of her personal
information?

Indian law: This is not currently present.

International experiences: Under the EU GDPR, individuals can seek to restrict processing when the
accuracy of the data is being contested, when processing is unlawful (but the data subject opposes
erasure and seeks restriction instead), or when the controller no longer needs the personal data for
processing but the data subject needs the data for the establishment, exercise or defence of legal
claims. The GDPR also recognises an individual's right to object to processing of her personal data for
direct marketing purposes, in which case the data should no longer be processed for such purposes.

In the UK, individuals have the right to prevent processing if it would cause substantial damage or
distress to her or another person, and where such damage or distress is unwarranted. In the case of
inaccurate information, individuals have the right to approach the appropriate court to seek
rectification or erasure of personal data.

Way forward: The right to restrict processing should be introduced in certain cases. Drawing from the
GDPR, these could be: (1) when the accuracy of the data is being contested, (2) when processing is
unlawful (but the data subject opposes erasure and seeks restriction instead), (3) when the controller
no longer needs the personal data for processing but the data subject needs the data for the
establishment, exercise or defence of legal claims. Data subjects should additionally have the right
to object to processing for purposes of direct marketing (or commercial communications, a familiar
term in the Indian context).

i) Right to seek erasure

Issue: In what circumstances should an individual be able to seek erasure?

Indian law: This is not currently present.

International experiences: Under the EU GDPR, individuals can seek erasure in certain cases, such as
when the personal data is no longer required for the specified purpose, when consent has been
withdrawn, when personal data has been processed unlawfully, or when data has to be erased for
compliance with legal obligations. The right, however, is not absolute and is subject to the following
exceptions: for exercising the right of freedom of expression and information; for compliance with a
legal obligation; for performance of a task carried out in the public interest or in the exercise of
official authority vested in the controller; for reasons of public interest in the area of public health;
for archiving purposes in the public interest or scientific and historical research purposes or statistical
purposes, in so far as the right is likely to render impossible or seriously impair the achievement of
these objectives; and for the establishment of legal claims.

Way forward: A limited right to erasure could be introduced enabling data subjects to seek erasure in
certain cases: (1) where the data is no longer necessary for the purpose for which it was collected,
(2) where processing was based on the data subject's consent and she subsequently withdraws such
consent, (3) where data was unlawfully processed, (4) where data has to be erased in compliance with
a legal obligation.

j) Data quality and accuracy

Issue: How can the quality of data be maintained?

Indian law: Under the IT Rules, a body corporate is required to permit the providers of information to
review the information they have provided and, in the event that the same is found inaccurate or
deficient, to correct or amend such information as feasible.

International experiences: The EU GDPR requires that data must be accurate and, where necessary,
kept up to date. Further, having regard to the purpose of processing, reasonable steps must be taken
to erase or rectify inaccurate data without delay. The GDPR also recognises the right of the data
subject to demand rectification and restriction of processing of inaccurate data.

In Canada, the principle of accuracy under PIPEDA requires that data be as accurate, complete and
up-to-date as is necessary for the purposes for which it is used. Further, where an individual
successfully demonstrates the inaccuracy or incompleteness of data, the organisation is required to
amend the information as required.

Way forward: There must be an express duty on data controllers to ensure that data is accurate,
complete and up to date. Further, the data subject must have the right to seek rectification of data
which does not meet such data quality standards.

k) Security measures

Issue: What measures should be adopted by an organisation for protecting personal data from loss,
theft and damage?

Indian law: The IT Rules prescribe that body corporates implement security practices and standards
that have a comprehensive security programme and information security policies that are
commensurate with the information assets being protected. A standard prescribed by the rules is
the International Standard IS/ISO/IEC 27001 on Information Technology - Security Techniques -
Information Security Management System - Requirements.

In the event of a security breach, the body corporate is required to demonstrate to the appropriate
agency that it had implemented security control measures.

International experiences: Most jurisdictions require security practices to be adopted to safeguard
personal data against loss, theft, unauthorised access, disclosure or use. Also, the nature of security
practices should depend on the sensitivity of the data involved.

The GDPR also requires controllers to notify supervisory authorities and the data subjects (in certain
cases, where there is a risk to individuals' rights and freedoms) in case of security breaches.

In Canada, organisations are required to notify individuals in cases where there is a risk of significant
harm to individuals owing to the security breach. Significant harm includes bodily harm, humiliation,
damage to reputation or relationships, loss of employment, business or professional opportunities,
financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

Way forward: Organisations should implement security practices and be able to demonstrate
compliance. Organisations should also have in place, and implement when necessary, plans to
minimise damage in case of any security breach. This should include notifying relevant authorities in
case of a breach. Individuals need not be notified of breaches in all cases; however, if there is a risk
of significant harm, they should also be notified within a reasonable period of time. Examples of
significant harm could include identity theft, loss of employment, bodily harm, etc. (drawing from the
Canadian examples). Organisations may be exempt from providing breach notifications where there is
no risk, actual or likely, to individuals.

l) Privacy policies

Issue: What information should be contained in a privacy policy?

Indian law: The IT Rules prescribe that body corporates must have clear and accessible privacy
policies for handling of or dealing in personal and sensitive personal information and must make the
same available to providers of such information. Further, such policy is required to be published on
the website of such body. The policy must disclose details concerning the type of information
collected, the purpose for collection, the use and disclosure of such information and the security
practices and procedures followed by it.

International experiences: Most jurisdictions provide a comprehensive list of items that should form
part of privacy policies. Most of these are provided in the IT Rules.

Way forward: Organisations should have clear and accessible privacy policies with all relevant
information provided to individuals. Organisations should also make reasonable efforts to ensure that
these policies are publicly accessible.

m) Accountability - Grievance redressal officers

Issue: How should a data controller ensure accountability for compliance with the data protection
norms?

Indian law: The rules provide for a grievance redressal officer to be appointed for every body
corporate handling personal information.

International experiences: The GDPR requires designation of data protection officers in certain cases
so as to facilitate compliance by controllers and processors with data protection norms. Under the
GDPR, not all controllers are required to designate data protection officers. This is required when:

(a) the processing is carried out by a public authority or body, except for courts acting in their
judicial capacity; or

(b) the core activities of the controller or the processor consist of processing operations which, by
virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring
of data subjects on a large scale; or

(c) the core activities of the controller or the processor consist of processing on a large scale of
special categories of data and data relating to criminal convictions and offences.

Way forward: Not all data controllers should be required to appoint such officers, since every
organisation collects or uses some personal data in some form. For instance, a firm may collect and
use financial details of employees for processing their salaries, but processing of personal data or
monitoring individuals regularly may not be amongst the firm's core activities.

Drawing from the EU GDPR, a grievance redressal officer should be designated by (a) a controller
which is a public authority or body, except courts acting in their judicial capacity, and (b) controllers
or processors whose core activities consist of processing operations which require regular monitoring
of data subjects. Such officer could be designated as the officer-in-charge for ensuring compliance
with the data protection norms.

n) Implementation and enforcement

Issue: What remedies should be available to individuals in case of non-compliance with any data protection rule? How should enforcement be carried out?

Indian law: The IT Act only provides for compensation to be awarded by the adjudicating officer in case of failure to implement and maintain reasonable security practices that causes wrongful loss or gain to an individual.

International experiences: The EU GDPR requires member states to have independent supervisory authorities in place for enforcing the data protection obligations. In the UK, this authority is the Information Commissioner, who has the right to serve notices on organisations in case of breaches: enforcement notices seeking compliance in case of breach, assessment notices (to enter premises, search documents, etc. to determine non-compliance), and information notices. Non-compliance with the notices attracts punishment.

The EU GDPR provides for sanctions and penalties in case of contravention.

Both Canada and Australia have Privacy Commissioners with powers to investigate and determine compliance with principles and prepare recommendations. In Canada, based on this report, the Commissioner or the concerned individual may approach the appropriate court for a judicial remedy.

In addition, under the GDPR, certain controllers are also required to designate data protection officers for all matters related to processing of personal data.

Way forward: It is essential to have an independent supervisory authority, such as a privacy commissioner, that individuals may approach in case of non-compliance by any organisation with any of the data protection rules. Such authority should also be empowered to require compliance by organisations and to award penalties in case of breach. The powers of a supervisory authority should include: (1) the power to determine whether there has been non-compliance with data protection norms, (2) issuing notices seeking further information and conducting inquiries to determine compliance, and (3) issuing appropriate directions, including requiring organisations to comply and imposing penalties.

o) Exemptions

Issue: Which organisations and entities should be exempt from data processing obligations? Should such exemptions imply that none of the data privacy rules are to be complied with?

Indian law: Government bodies and individuals are excluded, since the IT rules are only applicable to body corporates.

International experiences: Under the GDPR, processing of personal data by a natural person for personal or household activities is excluded. The GDPR also allows Member States to restrict application of the regulation in certain cases such as national security; defence; investigation and prosecution of offences, etc. In the UK, controllers and processors are exempt from certain processing obligations where the processing is for specified purposes, namely, national security, crime and taxation (i.e. prevention and detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty), health, education and social work (exemptions on these grounds can only be effected via an order by the Secretary of State), regulatory activity, journalism, literature and art; research, history and statistics; information available to the public by or under an enactment, disclosure made by law or made in connection with legal proceedings, parliamentary privilege and domestic purposes.

Australia has an exception for small business operators.

Way forward: The following activities could be exempt from the general data protection obligations:

(a) Processing by an individual for personal or household purposes;

(b) Processing with a view to publication of any journalistic, literary or artistic material, where publication would be in the public interest and compliance with the data protection principles would be incompatible with such purpose;

(c) Processing for historical research or statistical purposes as indicated in relevant provisions.

Processing for the prevention or detection of crime, apprehension or prosecution of offenders, or assessment or collection of any tax or duty or other similar imposition should also be exempt from the general obligations. Such processing should be subject to different limitations, such as limits on how long such data can be retained, which competent authorities could pass such orders, the establishment of an independent authority to ensure individuals' rights, etc.

Keeping the above in mind, we have suggested a framework for management of personal data. This provides a model that could be incorporated in a data protection statute. Alternatively, the principles specified in this framework could be incorporated in the IT rules, while substantive provisions such as scope of coverage of entities and data, individuals' rights, and implementation and enforcement could form part of the IT Act. It is essential, however, to recognise expressly the right to privacy and provide substantive rights to individuals through a statute. This would provide a firm legal footing for placing obligations on organisations for handling data.

B. A FRAMEWORK FOR DATA PROTECTION

Each entry below sets out a heading, the proposed rule, and the principle the rule gives effect to.

I. Key Concepts

Personal data
Rule: Any data that relates to a natural person who can be identified, either directly or indirectly, (i) from such information, or (ii) from such information along with other information available or likely to be available with a data controller.
Principle: Only data that can identify an individual should be covered.

Sensitive personal data
Rule: Personal data which consists of data or information relating to:
(i) physical, physiological and mental health condition;
(ii) sexual orientation or sexual life;
(iii) political opinions;
(iv) medical records and history;
(v) biometric information;
(vi) race, religion, caste or ethnic origin;
(vii) financial information such as bank account or credit card or debit card or other payment instrument details.
Principle: Certain categories of data are sensitive by nature and should be subject to additional protections.

Data subject
Rule: An individual who is the subject of personal data.
Principle: All rights should be centred around the data subject.

Data controller
Rule: Any natural or legal person who determines the purpose and manner of processing of personal data, regardless of whether the data is processed by that party or by another party on its behalf. Data controller can also include Government ministries, departments, public authorities or agencies.
Principle: The entity that has overall control over the data should bear primary responsibility for it.

Data processor
Rule: Any natural or legal person who processes the data on behalf of the data controller.
Principle: The distinction between controller and processor is necessary when an entity other than the controller conducts processing.

Supervisory authority
Rule: An independent supervisory authority established for monitoring compliance with this framework and enforcement of remedies.
Principle: Enforcement

Grievance redressal officer
Rule: Officers appointed by controllers for ensuring compliance. Such officers should be appointed when:
(a) the controller or processor is a public authority or body, except courts in their judicial capacity; or
(b) the core activities of the controller or processor consist of processing operations which require regular monitoring of data subjects.
Principle: Accountability principle

Processing
Rule: Any operation performed on personal data, such as collection, recording, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Consent
Rule: Any freely given, specific and informed indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.
Principle: Individual participation

II. Applicability

Coverage of activities
Rule: The following activities may be exempt from the general data protection obligations in the framework:
(a) Processing by an individual for personal or household purposes;
(b) Processing with a view to publication of any journalistic, literary or artistic material, where publication would be in the public interest and compliance with the data protection principles would be incompatible with such purpose;
(c) Processing for historical research or statistical purposes as indicated in relevant provisions.
Processing for the prevention or detection of crime, apprehension or prosecution of offenders, or assessment or collection of any tax or duty or other similar imposition shall not be governed by the general data protection obligations set out in this framework. (Processing for these special purposes by specialised agencies should be subject to different limitations.)
Principle: Clarifying coverage

III. Processing of personal data

Fair and lawful processing
Rule: Personal data should only be processed for specified and legitimate purposes (primary purpose).
Principle: Purpose limitation

Rule: Personal data shall not be processed unless:
(a) processing is necessary for the specified purpose or purposes, and
(b) such purpose is connected with a function or activity of the data controller.
Principle: Collection limitation

Rule: Personal data shall not be processed for another purpose (secondary purpose) unless:
(a) the data subject has consented to processing for the secondary purpose; or
(b) the data subject would reasonably expect the data processor to process the information for the secondary purpose, and
(i) the secondary purpose is directly related to the primary purpose, in the case of sensitive personal data; or
(ii) the secondary purpose is related to the primary purpose; or
(c) the further processing is for archiving purposes in the public interest or scientific or historical research purposes or statistical purposes.
Principle: Purpose limitation, without making it too restrictive

Consent for processing personal data
Rule: No personal data shall be processed without the consent of the data subject.
Principle: Lawful processing and consent

Rule: Personal data may be processed without the consent of the data subject only in the following cases:
a. the processing is necessary for performance of a contract that the data subject has entered into with the data controller; or
b. the processing is necessary for compliance with a legal obligation prescribed in law; or
c. the processing is necessary for discharging a public duty by a public authority, prescribed in law; or
d. the processing is necessary for protecting the life or health of the data subject or any other person; or
e. the processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes based on law, which shall be proportionate to the aim pursued and provide for measures to safeguard the rights of the data subjects.
Principle: Lawful processing

Rule: Regardless of whether the processing is with or without consent, data controllers and processors are required to comply with the other obligations contained in this framework.
Principle: To clarify that consent does not absolve a controller of other data protection obligations.

Communication of information to data subject
Rule: Where personal data about a data subject is collected from the data subject himself or herself, the controller shall inform the data subject of the following details:
i. The identity and contact details of the controller and, where processing is to be carried out by a different entity, that of the processor;
ii. The purpose for which the data is being collected as well as the legal basis of such collection;
iii. Whether it is mandatory or optional to provide the information, and the consequences in case she does not provide the data;
iv. The recipient, or categories of recipients, of the data;
v. The data collector's privacy policy;
vi. The existence of the data subject's rights to access, rectification, restricting processing and erasure;
vii. The process for lodging a complaint about the breach of the rules.
Where personal data is collected from a person other than the data subject, in addition to the above, the controller shall also inform the data subject of the source from which her data was collected. Such information should be communicated within a reasonable time of collection (within a month) or prior to any further disclosure of her personal data.
Such communication shall not be required where the data subject already has the information referred to above.
Principle: Notice or openness principle

Retention of personal data
Rule: No person shall retain personal information of a data subject for longer than is required for the purpose for which the information may be lawfully used or is otherwise required under any other law for the time being in force.
Principle: Limited data retention

Rule: Personal data that is no longer required to fulfil the specified purposes should be destroyed, erased or made anonymous. Data controllers shall develop and implement procedures to govern the destruction or anonymisation of personal data.
Principle: Limited data retention

IV. Sensitive personal data

Processing of sensitive personal data
Rule: No sensitive personal data shall be processed without the explicit consent of the data subject.
Principle: Individual participation; consent

Rule: Sensitive personal data may be processed without consent only in the following cases:
(a) processing is necessary for archiving purposes in the public interest, or scientific or historical research purposes or statistical purposes based on law, which shall be proportionate to the aim pursued and provide for measures to safeguard the rights of the data subjects;
(b) the processing is necessary for protecting the life or health of the data subject or any other person where it is not possible to obtain consent.
The other rules governing personal information shall additionally be applicable to controllers and processors handling sensitive personal information.

V. Rights of data subject

Right to access personal data
Rule: The data subject shall have the right to obtain from the data controller confirmation as to whether or not personal data concerning her are being processed, and where such personal data are being processed, access to the data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed;
(d) where possible, the envisaged period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period;
(e) where the personal data are not collected from the data subject, any available information as to their source.
Principle: Individual participation

Rule: Access to personal data may be refused by controllers in the following cases:
(a) where allowing access would reveal personal data of another individual and the data is not severable from the data subject's personal data;
(b) where allowing access is reasonably likely to threaten the life or security of any individual;
(c) where the data is protected by attorney-client privilege;
(d) where access is prohibited by law.
Principle: Individual participation

Right to seek rectification
Rule: A data subject shall have the right to seek rectification of personal data in case of inaccurate or incomplete data.
Principle: Individual participation and data quality

Rule: If the data subject successfully demonstrates the inaccuracy or incompleteness, the controller should amend the data as appropriate. The data controller may also be required to intimate third parties of the rectification where appropriate.
Principle: Individual participation and data quality

Rule: If the data is not amended to the data subject's satisfaction, the data controller may be required to communicate the existence of the unresolved challenge to third parties to whom it has transferred the concerned data.
Principle: Individual participation and data quality

Right to restrict processing
Rule: A data subject shall have the right to prevent processing of personal data in the following cases:
(a) when the accuracy of the data is being contested;
(b) there has been unlawful processing of the data but the data subject opposes erasure and seeks to restrict processing instead;
(c) the controller no longer needs the personal data for processing but needs the data for the establishment, exercise or defence of legal claims.
A data subject shall also have the right to object to processing of her personal data for unsolicited commercial communications. On such objection, the data shall no longer be processed for such purposes.
Principle: Individual participation

Right to seek erasure
Rule: A data subject shall have the right to seek erasure of personal data in the following cases:
(a) when the personal data is no longer required for the specified purpose;
(b) where personal data was collected with consent and the data subject has withdrawn consent;
(c) when personal data has been processed unlawfully;
(d) when data has to be erased for compliance with legal obligations.
A data controller may refuse erasure where retaining the data is required:
(a) for exercising the right of freedom of expression and information, or for compliance with a legal obligation;
(b) for performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, under a law;
(c) for reasons of public interest in the area of public health;
(d) for archiving purposes in the public interest or scientific and historical research purposes or statistical purposes, in so far as the right is likely to render impossible or seriously impair the achievement of these objectives; or
(e) for the establishment of legal claims.
Principle: Individual participation; right to be forgotten

Right to withdraw consent
Rule: The data subject should have the right to withdraw consent at any point. Upon withdrawal, the data controller or processor should cease to process the data any further. The withdrawal should not affect the lawfulness of processing based on consent before the withdrawal.
Principle: Individual participation; consent

VI. Data Quality

Data Quality
Rule: Personal data shall be accurate and complete, and kept up to date. Data controllers and data processors shall take reasonable steps to ensure this.
Principle: Data quality

Rule: Where a data subject has contested the accuracy of personal data, any disclosure of the personal data shall be accompanied by the fact of such objection.
Principle: Data quality and individual participation

VII. Organisational Measures

Privacy policies
Rule: Data controllers and processors shall have clear, understandable and easily accessible policies about their practices relating to processing of personal data. In particular, the policy shall contain the following:
(a) the types of data that the data controller collects and holds;
(b) how data is collected;
(c) the purposes for which the controller collects, holds, uses or otherwise processes the data;
(d) the reasons for which data may be shared with other persons;
(e) how an individual can access personal data about him or her held by the controller and seek corrections, where necessary;
(f) the security practices and procedures adopted by the controller in respect of personal data; and
(g) the procedure for filing complaints with the data controller or making any enquiries, including the name and contact details of the controller.
Principle: Notice or openness

Rule: The privacy policy shall be reviewed and updated where necessary. Data subjects shall be informed of any changes to the privacy policy. Data controllers shall take reasonable steps to ensure that their privacy policies are publicly accessible.
Principle: Notice or openness

Security safeguards
Rule: Data controllers shall safeguard personal information against loss, theft, unauthorised use, access, disclosure or modification. Without limiting this general obligation, data controllers shall implement:
(a) physical security measures, including locked filing cabinets and restricted access to offices;
(b) organisational measures, including security clearances and limiting access on a need-to-know basis;
(c) technological measures, including use of passwords and encryption.
Data controllers shall implement the International Standard IS/ISO/IEC 27001 on Information Technology - Security Techniques - Information Security Management System - Requirements, or an equivalent security standard approved or prescribed by the Central Government. Controllers may adopt a higher standard keeping in mind the sensitivity of the data being processed. Data controllers implementing a code on security practices and procedures other than the IS/ISO/IEC Standard shall get such code duly approved and notified by the Central Government for effective implementation.
Principle: Security principle

Auditing
Rule: Data controllers shall get their security practices audited by an independent auditor, duly approved by the Central Government. Audits shall be carried out on an annual basis, or as and when the data controller undertakes a significant upgradation of its process and computer resources, or as required by the supervisory authority.
Principle: Security principle

Breach notification
Rule: The data collector shall report incidents relating to breach of security safeguards involving personal data under its control to the supervisory authority. They are not required to report such incidents if the breach is unlikely to result in any harm to the data subjects.
Principle: Breach notification

Rule: Data collectors should also notify the data subjects of breaches that are likely to result in significant harm to the data subjects. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. In determining whether data subjects should be notified, the factors to be considered shall include the nature or sensitivity of the personal data involved and the likelihood of the personal data being misused.
Principle: Breach notification
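As an added illustration, not part of the report, the breach notification rule above is encoded as an incident-response triage function that combines the framework's two tiers (report to the supervisory authority unless no harm is likely; notify data subjects where significant harm is likely) with its own lists of sensitive personal data categories and significant harms. The four-step likelihood scale, the thresholds used for "unlikely to result in any harm" and "likely to result in significant harm", and the sample incidents are all assumptions made for the example.

```python
"""Breach-notification triage under the framework's two-tier rule (added example)."""
from dataclasses import dataclass
from enum import Enum

# Categories the framework lists as sensitive personal data.
SENSITIVE_CATEGORIES = frozenset({
    "health", "sexual_life", "political_opinions", "medical_records",
    "biometric", "race_religion_caste", "financial"})

# Harms the framework lists as "significant harm".
SIGNIFICANT_HARMS = frozenset({
    "bodily_harm", "humiliation", "reputation_or_relationships",
    "loss_of_employment_or_opportunity", "financial_loss", "identity_theft",
    "credit_record", "property_loss"})


class Likelihood(Enum):
    """Likelihood that exposed data will be misused (assumed four-step scale)."""
    NEGLIGIBLE = 0  # e.g. strongly encrypted and the key not compromised
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class Incident:
    incident_id: str
    categories: frozenset               # personal-data categories exposed
    likelihood: Likelihood              # likelihood of misuse
    foreseeable_harms: frozenset = frozenset()


@dataclass(frozen=True)
class Decision:
    incident_id: str
    notify_authority: bool
    notify_subjects: bool
    reasons: tuple


def triage(incident: Incident) -> Decision:
    """Apply the framework's breach-notification rule to one incident."""
    sensitive = incident.categories & SENSITIVE_CATEGORIES
    significant = incident.foreseeable_harms & SIGNIFICANT_HARMS
    reasons = []

    # Tier 1: report to the supervisory authority unless the breach is unlikely
    # to result in any harm at all. Assumption: only a negligible likelihood of
    # misuse combined with no foreseeable harm clears that bar.
    no_harm_likely = (incident.likelihood is Likelihood.NEGLIGIBLE
                      and not incident.foreseeable_harms)
    notify_authority = not no_harm_likely
    reasons.append("authority: exempt, no harm likely" if no_harm_likely
                   else "authority: report required")

    # Tier 2: notify data subjects where significant harm is likely, weighing
    # the two factors the framework names: sensitivity of the data and
    # likelihood of misuse. Assumption: "likely" means misuse is at least
    # moderately likely and sensitive data or a listed harm is involved.
    misuse_likely = incident.likelihood.value >= Likelihood.MODERATE.value
    notify_subjects = misuse_likely and bool(sensitive or significant)
    reasons.append("subjects: notify (sensitive=%s, harms=%s)"
                   % (sorted(sensitive), sorted(significant))
                   if notify_subjects else "subjects: no notification required")
    return Decision(incident.incident_id, notify_authority, notify_subjects,
                    tuple(reasons))


# Constructed sample incidents, not drawn from any real case.
SAMPLE_INCIDENTS = (
    # Encrypted laptop lost; key held elsewhere, so misuse is negligible.
    Incident("INC-1", frozenset({"name", "email"}), Likelihood.NEGLIGIBLE),
    # Contact list e-mailed to the wrong internal team.
    Incident("INC-2", frozenset({"name", "email"}), Likelihood.LOW),
    # Payment card details exfiltrated from a web application.
    Incident("INC-3", frozenset({"name", "financial"}), Likelihood.HIGH,
             frozenset({"financial_loss", "identity_theft"})),
    # Clinic records left on a public file share.
    Incident("INC-4", frozenset({"medical_records"}), Likelihood.MODERATE),
)


def triage_all(incidents=SAMPLE_INCIDENTS) -> dict:
    """Return {incident_id: Decision} for a batch of incidents."""
    return {d.incident_id: d for d in map(triage, incidents)}
```

The `reasons` tuple on each decision records which tier fired and why, which is the part of the outcome an incident record or audit trail would keep.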

Appointment of a grievance redressal officer
Rule: Data controllers and processors should designate an officer as the grievance redressal officer in case:
(a) the controller or processor is a public authority or body, except courts in their judicial capacity; or
(b) the core activities of the controller or processor consist of processing operations which require regular monitoring of data subjects.
Principle: Accountability

Processing by person other than controller
Rule: Where processing is to be carried out by a person other than the data controller, the data controller shall use contractual or other means to provide a comparable level of protection while the information is being processed by such processor.
Principle: Accountability

VIII. Enforcement

Independent supervisory authority
Rule: An independent supervisory authority should be established for monitoring compliance by data controllers and processors, and for ensuring that the rights of data subjects are safeguarded.
Principle: Enforcement

Rule: Powers of the authority should include:
(a) conducting investigations or inquiries regarding non-compliance by controllers or processors with data protection rules, on complaint by data subjects or suo motu;
(b) issuing notices to controllers and processors seeking further information during an inquiry;
(c) upon conclusion of an investigation or inquiry, issuing notices requiring controllers and processors to comply with data protection rules, and imposing penalties where appropriate;
(d) examining impact assessment reports submitted by controllers seeking to adopt processing activities that could result in harm to individuals' freedoms;
(e) examining any proposed laws that could adversely affect the data privacy rights of individuals, and submitting recommendations to the concerned government department or ministry;
(f) promoting awareness amongst individuals of their rights related to data privacy.
Principle: Enforcement

Compensation
Rule: A data subject may apply to the authority for recovery of compensation from controllers or processors for any loss or damage shown to have been suffered by the data subject as a result of a contravention.
Principle: Enforcement; restitution

Offences
Rule: Where:
(a) a controller or processor processes personal data of a data subject unlawfully; and
(b) such contravention is deliberate or the controller or processor knows that the contravention is likely to cause significant harm to the data subject,
the controller or processor shall be punishable with imprisonment for a term which may extend to [] or with a fine which may extend to [], or both. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
(A higher quantum of penalty may be fixed for unlawful processing of sensitive personal data.)
Principle: Enforcement

Extra-territorial jurisdiction
Rule: The authority shall have power to inquire into any contravention by a data controller or processor situated outside India if the act or conduct constituting the contravention involves a computer, computer system or computer network located in India.
Principle: Coverage

Please direct all correspondence to:
Sreenidhi Srinivasan,
Vidhi Centre for Legal Policy,
D-359, Defence Colony,
New Delhi 110024.
Phone: 011-43102767/ 43831699
Email: sreenidhi.srinivasan@vidhilegalpolicy.in