State of Privacy India
A study of privacy and surveillance issues in India. The State of Privacy project was last updated in January 2019, unless otherwise provided on specific pages.
Table of contents
- Introduction
- Right to Privacy
- Communication Surveillance
- Data Protection
- Identification Schemes
- Policies and Sectoral Initiatives
Introduction
Acknowledgement
The State of Privacy in India is the result of an ongoing collaboration by Privacy International and the Centre for Internet & Society.
Key Privacy Facts
1. Constitutional privacy protections: In 2017, the Indian Supreme Court ruled that the Indian constitution guarantees a right to privacy.
2. Data protection law: India has no data protection act.
3. Data protection agency: India has no data protection agency.
4. Recent data breach: In January 2018, news broke that access to details such as names, addresses, and photos from 1.3 billion records on the UIDAI database was being sold for 500 rupees (USD 8).
5. ID Regime: India's Aadhaar biometric database, with over 1.3 billion records, is the largest in the world.
Right to Privacy
The constitution
The Indian constitution guarantees a fundamental right to privacy. This was upheld in a decision of a nine-judge constitutional bench of the Supreme Court in August 2017. The case was brought to the Supreme Court after Mukul Rohatgi, the then Attorney General, claimed in 2015 that there is no constitutionally guaranteed right to privacy. This claim was rejected by the nine-judge bench of the court, which found that the constitution does guarantee a right to privacy. Importantly, the case strikes down M.P. Sharma and Kharak Singh, to the extent that the 2017 judgment holds that the Indian Constitution does uphold a right to privacy.
In the judgment of the Supreme Court, the right to privacy has been read into two articles of the constitution: Article 21 (Right to life and liberty), and Part III (Chapter on Fundamental Rights) of the Constitution. This means that any limitation on the right in the form of reasonable restrictions must not only satisfy the tests evolved under Article 21, but where loss of privacy leads to infringement on other rights, such as chilling effects of surveillance on free speech, a constitutional framework now exists for these cases to be heard within.
The Supreme Court Judgement also upholds the decisions made after Kharak Singh on privacy, subject to the above conditions. Thus it is important to understand the contours of the right to privacy and its restrictions in India from the other case law that exists:
- The right to privacy can be restricted by procedure established by law and this procedure would have to be just, fair and reasonable (Maneka Gandhi v. Union of India);
- Reasonable restrictions can be imposed on the right to privacy in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence; (Article 19(2) of the Constitution of India, 1950)
- The right to privacy can be restricted if there is an important countervailing interest which is superior to it (Govind v. State of M.P.);
- The right to privacy can be restricted if there is a compelling state interest to be served (Govind v. State of M.P.);
- The protection available under the right to privacy may not be available to a person who voluntarily introduces him- or herself into controversy (R. Rajagopal v. Union of India).
Case Law
There are a large number of cases where Indian Courts have recognised the right to privacy as a fundamental right. Below is a list of landmark cases that have elaborated on the right to privacy along with short points on what the Court has held in those cases:
- Kharak Singh v. The State of U.P. (1962). In this case before the Supreme Court, a minority opinion recognised the right to privacy as a fundamental right. The minority judges located the right to privacy under both the right to personal liberty as well as freedom of movement.
- Govind v. State of M.P. (1975). The Supreme Court confirmed that the right to privacy is a fundamental right. It derived the right to privacy from both the right to life and personal liberty as well as freedom of speech and movement. The right to privacy was said to encompass and protect the personal intimacies of the home, the family, marriage, motherhood, procreation and child rearing. However, the right to privacy is subject to “compelling state interest”.
- R. Rajagopal v. Union of India (1994). It was determined by the Supreme Court that the right to privacy is a part of the right to personal liberty guaranteed under the constitution. It recognized that the right to privacy can be both a tort (actionable claim) as well as a fundamental right. A citizen has a right to safeguard the privacy of his or her own family, marriage, procreation, motherhood, child-bearing and education among other matters and nobody can publish anything regarding the same unless (i) he or she consents or voluntarily thrusts himself into controversy, (ii) the publication is made using material which is in public records (except for cases of rape, kidnapping and abduction), or (iii) he or she is a public servant and the matter relates to his/her discharge of official duties.
- People’s Union for Civil Liberties v. Union of India (1996). This case before the Supreme Court extended the right to privacy to communications. In doing so, the Court laid down guidelines that form the backbone for the checks and balances in interception provisions in India such as:
- (i) Interception orders to be issued only by Home Secretaries at both the Central and State governments;
- (ii) Issues such as the necessity of the information and whether it can be acquired by other means to be considered while making the decision to approve interception;
- (iii) The addresses and the persons whose communication has to be intercepted should be specified in the order, which means that the interception order cannot be generic; and
- (iv) Putting a cap of two months on the life of an interception order.
- District Registrar and Collector, Hyderabad and another v. Canara Bank and another (2004). This Supreme Court judgment refers to personal liberty, freedom of expression and freedom of movement as the fundamental rights that give rise to the right to privacy. The Court also held that the right to privacy deals with persons and not places and that an intrusion into privacy may be by (1) legislative provisions, (2) administrative/executive orders and (3) judicial orders.
- Petronet LNG LTD vs. Indian Petro Group and Another (2006). In this case before the Delhi High Court, it was established that corporations and companies cannot assert a fundamental right to privacy. Furthermore, the right to privacy is not available against non-state individuals or actors.
- Selvi and others v. State of Karnataka and others (2010). The Supreme Court acknowledged the distinction between bodily/physical privacy and mental privacy. The scheme of criminal and evidence law mandates interference with the right to physical and bodily privacy in certain circumstances, but the same cannot be used to compel a person "to impart personal knowledge about a relevant fact". This case also establishes the intersection of the right to privacy with Article 20(3) (self-incrimination). An individual's decision to make a statement is the product of a private choice and there should be no scope for any other individual to interfere with such autonomy. Subjecting a person to techniques such as narcoanalysis, polygraph examination and the Brain Electrical Activation Profile (BEAP) test without his or her consent violates the subject’s mental privacy.
- Unique Identification Authority of India & Anr. v. Central Bureau of Investigation (2014). In this case, the Central Bureau of Investigation sought access to the database of the Unique Identity Authority of India for the purposes of investigating a criminal offence. However, the Supreme Court in an interim order held that the Unique Identity Authority of India should not transfer any biometric information of any person who has been allotted an Aadhaar number to any other agency without the written consent of that person.
- Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. (2015). In this Supreme Court order, the issue of privacy was discussed in light of the Unique Identity Scheme. The question before the court was whether such a right is guaranteed under the Constitution, and if it is, the source of this right, given that there is no express provision for privacy in Indian Law. The Attorney General of India argued that privacy is not a fundamental right guaranteed to Indian citizens. Ultimately, the Court left the question to be deliberated by a larger constitutional bench, since the earlier judgments that denied the existence of the right to privacy were given by larger benches than the cases where the right to privacy was accepted as a fundamental right. This led to unresolved controversy, leading the Court to refer the matter to a larger bench to be settled. This was settled in the 2017 ruling that there was a fundamental right to privacy in the constitution.
Regional and international conventions
India is party to two international instruments containing privacy protections. These are the Universal Declaration of Human Rights (Article 12) and the International Covenant on Civil and Political Rights (Article 17).
Communication Surveillance
Introduction
In light of the Mumbai terrorist attacks in 2008, India implemented a wide range of data sharing and surveillance schemes to increase public safety and security by tackling crime and terrorism. However, these projects have since raised serious privacy concerns. The Central Monitoring System was envisioned to centralise the interception of communications data and enable law enforcement agency access to it. If implemented, it would be connected to the Telephone Call Interception System (TCIS) which will help monitor voice calls, SMS and MMS, fax communications on landlines, CDMA, video calls, GSM and 3G networks. Other projects and schemes include the Lawful Intercept and Monitoring (LIM) systems, NATGRID, and CCTNS Project, to name a few.
These schemes involve mass interception of communication, keyword searches, and access to users’ data. They suggest that the Indian state is moving towards large-scale monitoring of its population.
Surveillance laws
Interception and Access
There are two major laws that regulate digital and telephonic surveillance, respectively: the Information Technology Act, 2000 (the “IT Act”) and the Indian Telegraph Act, 1885 (the “Telegraph Act”).
Section 5 of the Telegraph Act empowers the Central Government and the State Government to order the interception of messages in two circumstances: (1) in the occurrence of any “public emergency” or in the interest of “public safety”, and (2) if it is considered necessary or expedient to do so, in addition to the following instances: in the interests of the sovereignty and integrity of India; the security of the State; friendly relations with foreign states; public order; and for the prevention of incitement to the commission of an offense.
In 2007, Rule 419A was added to the Indian Telegraph Rules (1951) framed under the Indian Telegraph Act. These Rules provide that orders for the interception of communications must be issued by the Secretary in the Ministry of Home Affairs in the case of the Central Government and the Secretary to the State Government in-charge of the Home Department in the case of a State Government. However, the Rules provide that in unavoidable circumstances an order can also be issued by an officer, not below the rank of a Joint Secretary to the Government of India, who has been authorised by the Union Home Secretary or the State Home Secretary.
The IT Act widely regulates the interception, monitoring, decryption and collection of information of digital communications in India. More specifically, section 69 of the IT Act empowers the Central Government and the State Governments to issue directives for the monitoring, interception or decryption of any information transmitted, received or stored through a computer resource. Section 69 of the IT Act expands the grounds upon which interception can take place as compared to the Telegraph Act. As such, the interception of communications under Section 69 is carried out in the interest of: the sovereignty or integrity of India; the defense of India; the security of the State; friendly relations with foreign States; public order; the prevention of incitement to the commission of any cognizable offense relating to the above; and for the investigation of any offense.
Although the grounds for interception are roughly the same as under the Telegraph Act (except for the condition of prevention of incitement of only cognizable offences, defense of India and the addition of investigation of any offence), the IT Act does not contain the overarching condition that interception can only occur in the case of public emergency or in the interest of public safety. Additionally, section 69 of the IT Act mandates that any person or intermediary who fails to assist the specified agency with the interception, monitoring, decryption or provision of information stored in a computer resource shall be punished with imprisonment for a term which may extend to seven years, and shall be liable for a fine.
Section 69B permits authorized authorities to monitor and collect traffic data for the purpose of enhancing cybersecurity and for the identification, analysis and prevention of any intrusion or spread of computer contaminant in the country. A service provider that fails to comply with the provision faces imprisonment up to three years and is liable for a fine. The term “cyber security” has been defined in section 2(nb) of the IT Act as “protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction”. Further clarity on the meaning and importance of the term can be gleaned from the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009 which are discussed below.
The main difference between Section 69B and Section 69 (the provision for interception) is that while the latter requires the interception, monitoring and decryption of information generated, transmitted, received or stored through a computer resource, Section 69B specifically provides a mechanism for all metadata through a computer resource for the purpose of combating threats to “cyber security”. Directions under Section 69 can be issued by the Secretary to the Ministry of Home Affairs, whereas directions under Section 69B can be issued by the Secretary of the Department of Information Technology under the Union Ministry of Communications and Information Technology.
Just as with Rule 419A of the Indian Telegraph Rules, the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (“IT Interception Rules”) are framed under Section 69, together with the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009. These stipulate who may issue directions for interception and monitoring; how such directions are to be executed; the duration they remain in operation; to whom data may be disclosed; the confidentiality obligations of intermediaries; periodic oversight of interception directions by a Review Committee under the Telegraph Act; the retention of records of interception by intermediaries; and the mandatory destruction of information in appropriate cases.
Apart from the above two statutes, a number of criminal statutes provide for the interception of communications and how such intercepted communications may be used. The Unlawful Activities Prevention Act, 1967 allows for information collected through interception of communications (under the IT Act or the Telegraph Act) to be produced as evidence for an offence under the Act.
However, intercepted communications are not admissible unless the accused is given a copy of the order approving the interception, thus making illegal interceptions inadmissible. Therefore, unless the interception order itself was obtained by fraud, this provision acts as a safeguard against the use of illegally obtained interceptions for evidentiary purposes. Apart from this Act, there are a number of pieces of state legislation that provide for the interception of communications, including the Maharashtra Control of Organized Crimes Act, 1999 and the Andhra Pradesh Control of Organised Crime Act, 2001.
Apart from the criminal statutes, there are certain other laws that address surveillance activities by Indian law enforcement agencies. These are:
The Indian Post Office Act, 1898
Section 26 of the Indian Post Office Act, 1898 empowers the Central Government and the State Governments of India to intercept postal articles. In particular, section 26 of the Act states that: on the occurrence of any public emergency or in the interest of public safety or tranquility, the Central Government, State Government or any officer specially authorised by the Central or State Government may direct the interception, detention or disposal of any postal article, class or description of postal articles in the course of transmission by post. Furthermore, section 26 states that if any doubt arises regarding the existence of public emergency, public safety or tranquility then a certificate to that effect by the Central Government or a State Government would be considered conclusive proof of such a condition being satisfied.
Code of Criminal Procedure, 1973
Section 91 of the Code of Criminal Procedure, 1973 regulates targeted access to stored content. In particular, section 91 states that a Court in India or any officer in charge of a police station may summon a person to produce any document or any other "thing" that is necessary for the purposes of any investigation, inquiry, trial or other proceeding under the Code of Criminal Procedure. Under section 91, law enforcement agencies in India can access stored data. If the Commissioner of Police or Superintendent of Police believes that such a document, parcel or thing is required for the above-mentioned purposes, he may require the postal or telegraph authority to detain such item pending an order from a court. Section 92 of the Code also allows District Magistrates and Courts to issue directions requiring a document, parcel or “thing” within the custody of any postal or telegraph authority to be produced before it if needed for the purpose of any investigation, inquiry, trial or other proceeding under the Code. There is little judicial clarity on the subject, but it has been argued that it is possible to interpret the provisions in a way that even private ISPs can be considered as postal or telegraph authorities and thus become subject to interception under this section. The level of protection granted to postal or telegraph authorities under section 92 is higher than that provided to ordinary citizens under section 91, since under section 91 even a police officer in charge of a police station can ask for items to be produced, whereas under section 92 it has to be either the District Magistrate or a specified Court.
The Indian Wireless Telegraphy Act, 1933
Under section 3 of the Indian Wireless Telegraphy Act, 1933, the possession of wireless telegraphy apparatus without a license is considered an offense. As such, the unauthorised establishment, maintenance or operation of wireless communications networks for the purpose of monitoring, intercepting and surveilling communications is in violation of the Act.
Central Motor Vehicles Act 1898 and 2012 Rules
In October 2012, Rule 138A of the Central Motor Vehicle Rules, 1989 concerning radio frequency identification tags, was proposed. This proposed Rule mandates the installation of radio frequency identification (“RFID”) tags on all light and heavy motor vehicles to enable their instant identification and monitoring by electronic collection toll booths, the police and any other authority or person that is able to query and read RFID tags.
Data retention
Data retention standards can be found in the operating licenses and in the Information Technology Act, 2000. According to the operating licenses, service providers are required to maintain all commercial records for one year. This includes the called and calling party, their locations, the telephone numbers of call forwarding, data records of failed call attempts, and call data records (CDRs). Under section 3(4) of the Information Technology Intermediary Guidelines Rules, intermediaries are required to retain content that has been removed and associated information for a period of 90 days. Under section 4(2) of the Information Technology Guidelines for Cyber Cafes Rules, cyber cafes are required to retain copies of user identification for a period of one year. Section 5 of the Rules requires cyber cafes to retain logs of user information and browsing history for a period of one year.
Surveillance actors
Intelligence Agencies
In India, surveillance is carried out by central intelligence agencies. There are at least sixteen different intelligence agencies. Intelligence agencies in India are often established by executive order and most of the intelligence agencies in India do not have clearly established oversight mechanisms other than the departments to which they report. For example, CBI and RAW report to the Prime Minister's Office, the Directorate of Revenue Intelligence reports to the Finance Ministry, and the Military Intelligence agencies report to the Ministry of Defence. As such, intelligence agencies do not come under the purview of Parliament or the Right to Information Act, and their functioning is not subject to audit by the Comptroller and Auditor General, though many agencies are funded from the Consolidated Fund of India. The following is a list of Indian intelligence agencies:
- National Technical Research Organisation
- Research and Analysis Wing (R&AW)
- The Aviation Research Centre (ARC) and the Radio Research Centre (RRC), which are a part of the Research and Analysis Wing (R&AW)
- Electronics and Technical Services (ETS), which is the electronic intelligence (ELINT) arm of R&AW
- Intelligence Bureau
- Narcotics Control Bureau
- Directorate of Revenue Intelligence
- Central Economic Intelligence Bureau
- Central Bureau of Health Intelligence
- Defence Intelligence Agency
- Joint Cipher Bureau
- Signals Intelligence Directorate
- Directorate of Air Intelligence
- Directorate of Navy Intelligence
- Directorate of Military Intelligence
- Directorate of Income Tax (Intelligence and Criminal Investigation)
- Directorate General of Income Tax Investigation
- Joint Intelligence Committee (JIC)
While the interception activities of intelligence agencies in India must be carried out in accordance with the procedures contained in the Telegraph Act, 1885 and the Information Technology Act, 2000 and the Rules framed under those pieces of legislation, non-interception access as well as passive interception surveillance by intelligence agencies is not governed by these pieces of legislation. It is possible that these capabilities may be governed by internal guidelines or the operation manuals, for example, of individual agencies.
State Police and Army
Each Indian state has a dedicated police force made up of different divisions and officers. State police forces have maintained passive interception capabilities. The Army also has passive interception capabilities along the Line of Control to surveil civilian communications.
Surveillance capabilities
Central Monitoring System
Since 2009, the Government of India has been developing the Central Monitoring System (CMS), a system that seeks to automate and centralize the interception process. It will allow security agencies to bypass the service provider and directly intercept communications. Regional Monitoring Systems (RMS) for the lawful interception of telecommunications will also be established. The CMS is under the Centre for Development of Telematics (C-DoT), a registered society under Department of Telecommunications and Ministry of Information Technology.
NETRA
NETRA (Network Traffic Analysis) is a software network developed by India's Centre for Artificial Intelligence and Robotics (CAIR), a Defence Research and Development Organisation (DRDO) laboratory. It is intended to be used by the Intelligence Bureau, India's domestic intelligence agency, and the Research and Analysis Wing (RAW), the country's external intelligence agency, to intercept and analyse internet traffic using pre-defined filters. It is capable of detecting words like 'attack', 'bomb', 'blast' or 'kill' from public and private internet traffic such as tweets, status updates, emails, internet calls, blogs and forums. It has been reported that through this network, security agencies will also be able to monitor voice traffic on international services like Skype and Google Talk. As part of implementation of the network, a national Internet scanning and coordination centre will be established.
NATGRID
The Ministry of Home Affairs had proposed the creation of a National Intelligence Grid (NATGRID) in India following the 2008 Mumbai terror attacks. The aim of the project was to collect comprehensive patterns of intelligence (21 citizen data sources) that can be readily accessed by 11 intelligence and investigative agencies in real time to track terror activities. These data sources will include bank account details, telephone records, passport data and vehicle registration details, among other types of data. Concerns were raised around NATGRID on grounds of potential violations of privacy and leakage of personal information.
New Media Wing
In the year 2013, a New Media Wing (NMW) was established under the Ministry of Information and Broadcasting to publicize government initiatives through multiple social media platforms. NMW monitors online media to track trends and gauge public opinion.
BlackBerry controversy
Since 2008, the Indian Government has sought access to content on BlackBerry phones through a number of different proposals. After much pushback, in 2013, the company delivered a solution that enables India’s wireless carriers to address their lawful access requirements for consumer messaging services of BlackBerry, including BlackBerry Messenger (BBM) and BlackBerry Internet Service (BIS) email. However, this enabling of lawful access does not extend to BlackBerry Enterprise Server (BES). As a result, the Indian government can now monitor the exchange of emails and email attachments on BlackBerry devices, and also whether messages on BlackBerry Messenger have been marked ‘delivered’ or ‘read.’ The BES was excluded as BlackBerry managed to persuade the government that it did not possess the BES encryption keys.
Interception technologies
The operating licenses for service providers specify the capabilities that the technology must have. See also the section on telecommunications industry licensing for more detail.
To build the technological capacity of intelligence agencies, in 2010, the Indian government dedicated INR 660.92 million (66.92 crores) to revamping the special branches/intelligence agencies. This included enhancing GIS mapping, integrated documentation systems and integrated data centres, voice loggers, IED Jammers, VHF Mobile Jammers. These funds were sanctioned by the High Powered Committee under the Ministry of Home Affairs.
Surveillance companies
India hosts many security technology expos. These include Ground Zero, Convergence Secutech India, International Police Expo, Secure Cities, defexpo, IFSEC India, and the India International Security Expo. A wide range of technologies is on offer at these events, including access control systems; perimeter protection; surveillance devices; burglar alarm systems; explosive detection and disposal equipment; aviation security; disaster management and NBCW protection equipment; equipment for bank and hospital security; information security devices; audiovisual surveillance and de-bugging devices; equipment for forensic science; and more. A number of the world’s largest communications surveillance companies, like ZTE, Utimaco and Verint Systems, also have India offices. Additionally, command and control servers of the intrusion malware FinFisher have been found in India.
The Centre for Internet & Society (CIS) published a study of 100 surveillance companies in India. Out of the 100 identified, 76 companies appear to sell surveillance products performing functions such as internet monitoring, social network analysis, data mining and profiling, and also surveillance cameras, analytics, biometric collection, and access control systems. Most of the companies were headquartered in India; however, some were headquartered in countries including the United States, the UK, France and Poland. The research report suggested that biometric technology, access control systems, Internet and phone monitoring solutions as well as RFID and GPS tracking devices are in high demand.
The data collected by CIS suggests that the clients for the security solutions include law enforcement agencies, intelligence and security agencies of the government, military, internet service providers, telecommunications service providers, corporations and the public. For instance, many of the companies sell CCTV cameras and unmanned aerial vehicles (UAV) to law enforcement agencies and the Indian military, biometric systems to the Unique Identification Authority of India (UIDAI), and possibly phone and Internet monitoring tools to intelligence agencies. Lawful interception technical regulations and standards adhered to by these companies include those proposed by Alliance for Telecommunications Industry Solutions (ATIS), European Telecommunications Standards Institute (ETSI) and Communications Assistance for Law Enforcement Act (CALEA), and standards such as ISO 9001: 2008, ISO 27001: 2005, STQC Certification, INCITS 379 and BS 7799. However, fewer than half of the companies in the study had publicly available certification information. Similarly, fewer than half of the companies in the study have privacy policies available on their websites. The remaining companies do not clearly define how they handle the data they collect.
Surveillance oversight: checks and balances
Review Committees
The 419A Rules under the Telegraph Act mandate the creation of a Review Committee with the Cabinet Secretary as its Chairman and the Secretary to the Government in charge of Legal Affairs and the Secretary to the Department of Telecommunications as its members under Rule 16. This Review Committee also oversees interceptions under section 69 of the ITA and the Rules established under section 69B of the Information Technology Act 2000. Every order of interception, monitoring, or decryption under the Telegraph Act as well as the ITA must be sent to the Review Committee within seven days of being issued. The Review Committee is to meet at least once every two months at the central/state level and must validate the legality of the order. The committee has the authority to revoke orders and destroy copies of the intercepted message or class of message.
Regulatory bodies
In India, government departments involved in ensuring and overseeing cyber security are often also involved in some aspect of surveillance, as surveillance is legally justified for cybersecurity and national security purposes in India. Key government departments apart from the security agencies that play a role in ensuring India’s cyber security and overseeing and regulating surveillance in India include the Department of Telecommunications (DoT) and the Ministry of Electronics and Information Technology (MeitY). Under the DoT, TERM Cells play a key role in overseeing the installation of interception equipment.
The Ministry of Home Affairs (MHA) is another government department that plays a role in surveillance. The MHA is responsible for the internal security of the country and the various central security agencies that report to and operate under it. Further, as per the rules promulgated under the IT Act as well as the Telegraph Act, the Secretary of the Ministry of Home Affairs is the "competent authority" to issue interception orders under this legislation in the normal course.
Transparency
While as per Rule 419A of the Telegraph Rules and Rules under section 69 of the Information Technology Act, service providers are required to maintain the secrecy and confidentiality of the intercepted information and directions for interception, there is no specific prohibition on disclosing the number of surveillance orders issued in an aggregate form. In practice, though, it appears that service providers interpret the requirement of secrecy to extend to aggregate information regarding interception orders as in Vodafone's 2014 'Disclosure Report'. In this report, Vodafone noted that, following Indian law, it could not disclose information on interception of communications and access to communications data it provided or did not provide to the Indian government.
Remedy
To date, there is no statutory redress mechanism that an individual can resort to in cases of suspected illegal interception. The most that an individual can do is to approach the court and claim an invasion of his/her right to privacy. In such a case, the redress available would be determined by the Court itself. A number of statutes penalize unlawful surveillance. For example, Section 24 of the Indian Telegraph Act states that the penalty for unlawful interception is a fine of up to 500 rupees and imprisonment of up to one year. In case of unlawful interception by a telegraph officer or person with official duties connected to a telegraph office, the penalty is a fine or imprisonment of up to three years or both. The Rules under section 69 of the Information Technology Act, 2000 provide that service providers or their employees who intentionally and without authorisation attempt to intercept, authorise, or assist any person to intercept information in transmission at any place within India will be punished according to the relevant provisions. In case of unauthorised interception by security agencies, no specific penalty is provided for but there is a “catch-all” penalty under the ITA (section 45) that states that any person who contravenes any provisions of the ITA or the Rules or Regulations under the ITA would be liable to pay a fine not exceeding 25,000 rupees.
Surveillance case law
Case law dealing with surveillance has been extremely influential in shaping the privacy landscape in India. The first two cases that established the right to privacy in India, Kharak Singh v. Union of India and Govind v. State of M.P., were decided in the context of the surveillance activities of the police. These two cases have already been discussed above. Apart from the above, the major cases on surveillance are given below:
- R.M Malkani v. State of Maharashtra, (1972). In this case, it was held that although telephonic conversations of individual citizens are protected against high-handed interference by tapping, illegally obtained evidence would still be admissible in court. It was held that although the conversation was recorded without the consent of the person, that would not prevent it from being admissible as evidence.
- State (N.C.T. of Delhi) v. Navjot Sandhu @ Afsan Guru (2005). In this case, the Supreme Court held that the pre-requisite conditions under a special statute such as the Prevention of Terrorism Act for admitting the evidence collected against the accused through the interception of wire, electronic or oral communication have to be complied with before accepting such material as evidence.
It therefore appears that under Indian law, if the statute under which a person is being charged is silent as to the admissibility of illegally obtained evidence, then such evidence may be accepted in court, although it is up to the Judge to decide how much reliance, if any, is to be placed on such evidence. However, if the statute in question has a specific procedure by which such evidence has to be collected, then such evidence will not be admitted if the procedure has not been complied with.
Examples of surveillance
News reports indicated that a variety of Indian individuals and groups have been subjected to surveillance including journalists, right to information activists, politicians, NGOs, and free speech activists. Key examples of surveillance include:
- For a year beginning in 2008, the Indian Income Tax Department, after obtaining the authorisation from the Ministry of Home Affairs, intercepted the telephonic conversations of corporate lobbyist Nira Radia with various prominent personalities including politicians, journalists and business houses for suspected tax evasion, possible money laundering, and restricted financial practices. However, some of the tapes of recorded conversations were leaked publicly. Although the surveillance was legal in this particular case, the publication of the recordings for access of the general public was challenged by Ratan Tata, one of the persons whose conversations with Nira Radia were leaked. Claiming the leak to be an infringement of his right to privacy, he accused the authorities of allowing the unauthorised publication of the recordings and not preventing the dissemination of the information. The case is currently pending in court.
- In 2015, the Gujarat state government was accused by pro-Patel reservation leader Hardik Patel of tapping his telephone calls, evidence from which led to Hardik and his associates being booked for criminal conspiracy. The Gujarat High Court has questioned the legality of the tapping and has asked the government to furnish an explanation.
- In 2016, a Supreme Court Lawyer alleged that phone conversations of corporate chiefs, Cabinet Ministers and bureaucrats were tapped by the Essar Group between 2001 and 2006, according to a 29-page complaint submitted on 1 June 2016 to Prime Minister Narendra Modi. The officials have clarified that no formal probe has yet been ordered into the alleged phone-tapping. The purported conversations that were recorded reveal widespread peddling of influence in the corridors of power, "corruption in the business milieu," brokering of deals and blurring of lines between business and government. Public interest litigation has been filed in this matter and Essar has sought to have the case dismissed, questioning the authenticity of the emails.
Data Protection
Data protection laws
IT Act and Rules
The strongest legal protection provided to personal information in India is through section 43A of the Information Technology Act and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 developed under the section. The provision requires a body corporate who 'receives, possesses, stores, deals, or handles' any ‘sensitive personal data’ to implement and maintain ‘reasonable security practices’, failing which they are held liable to compensate those affected. The Rules under section 43A contain the following major requirements:
- Body corporates must provide a privacy policy to all 'providers of information' (Rule 4);
- They must obtain consent in letter, fax, or email from the 'provider of information' before collecting, using or disclosing any sensitive personal information (Rule 5(1));
- Sensitive personal information may only be collected for lawful and necessary purposes (Rule 5(2)(a)). While collecting the information, they must ensure that the individual is informed of a) the fact that the information is being collected; b) the purpose for which the information is being collected; c) the intended recipients of the information; d) the name and the address of the agency collecting information, and the agency that will retain the information (Rule 5(3));
- Information should only be used for stated and agreed to purposes (Rule 5(5));
- Individuals should be provided with the option to opt in or out of services prior to the collection of sensitive personal information and should have the ability to withdraw consent at any point in time (Rule 5(7));
- Individuals should be allowed to review, update, and correct any sensitive personal information that they have provided wherever necessary (Rule 5(6));
- Body corporates are allowed to retain sensitive personal information only as long as is lawfully necessary (Rule 5(4));
- Before a body corporate is allowed to disclose or publish sensitive personal information to a third party, consent must be obtained from the individual to whom the information belongs. The only circumstances under which a body corporate may disclose information are (i) if it is required to do so by a contract with the provider of the information or through the law; or (ii) if it is to be disclosed to a governmental agency mandated under law (Rule 6(1)); and
- Body corporates must implement security practices and standards which require: a) a comprehensively documented information security programme; b) information security policies must contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected (Rule 8).
Non-observance of the data protection rules and general negligence with respect to personal data attracts civil liability since the provisions provide that any corporates who fail to observe data protection norms may be liable to pay compensation if they are negligent in implementing and maintaining reasonable security practices and thereby cause wrongful loss or wrongful gain to any person. In addition, body corporates may be exposed to criminal liability under Section 72A of the IT Act if they disclose personal information with the intent of causing wrongful loss or obtaining a wrongful gain.
Consumer Protection Act
In 2015, the Consumer Protection Act was enacted. The Act could be an additional source of redress for the misuse of personal data by commercial entities as the Act includes the disclosure of personal information given in confidence as an unfair trade practice (as defined under section 2 (r)) and includes mental or emotional harm resulting from damage to property, among other things, as a harm.
The Justice AP Shah Committee on Privacy
The Planning Commission of the Government of India held meetings of the Group of Experts on Privacy Issues throughout 2012. The Group was chaired by Justice AP Shah, the former Chief Justice of the Delhi High Court. The Group's report sets out a list of recommended national privacy principles that should be followed in the creation of a privacy law. According to the report, the national privacy principles of India should be the following:
- Principle of Notice: This principle requires a data controller to notify all individuals of its information practices before collecting information from them.
- Principle of Choice and Consent: This principle requires all data controllers to give individuals choices, either through the opt-in method or through the opt-out method, with regard to providing their personal information, and further states that no collection or processing et alia of data should take place without such consent, with the exception of authorised agencies.
- Principle of Collection Limitation: This principle requires a data controller to collect only as much information as is directly necessary for the purposes identified and notified to the data subject for such collection, and to do so through ‘lawful’ and ‘fair’ means.
- Principle of Purpose Limitation: It requires that the collection or processing of information be restricted to only as much information as is adequate and relevant. It further states that the collection, processing, disclosure, usage, et alia of personal information by a data controller should be limited to the purpose notified by the data controller and consented to by the individual, and that any change in this purpose must be notified to the individual.
- Principle of Access and Correction: This principle requires that data subjects have access to the data held about them, the ability to seek correction, amendment, or deletion of such data in case of inaccuracy, and the ability to confirm if a data controller is holding any information on them.
- Principle of Disclosure of Information: This principle secures the right to privacy of a data subject in case the personal information collected by a data controller is disclosed to a third party.
- Principle of Security: This principle requires that a data controller ensure the security of the collected personal information by ‘reasonable security standards’ to protect from reasonably foreseeable risks, and specifically mentions the following possible dangers: loss, unauthorised access, destruction, use, processing, storage, modification, deanonymisation, and unauthorised disclosure, either accidental or incidental.
- Principle of Openness: This principle requires a data controller to make public all the information it can about the practices, procedures, policies and systems that it implements in order to comply with the National Privacy principles.
- Principle of Accountability: This principle makes the data controller accountable for complying with measures that give effect to the Principles. It states that such measures should include mechanisms to implement privacy policies, and specifically mentions the following: training and education, external and internal audits, and requiring organizations or overseeing bodies to extend all necessary support to the Privacy Commissioner and comply with the Commissioner’s orders.
Right to be Forgotten
There is, at the moment, a lack of clear legal basis in interpreting the “right to be forgotten”, for example the deletion of information in search results that is no longer accurate or relevant. There is a lack of clarity over whether this right exists in India. In one case, before the Gujarat High Court, a man acquitted of murder failed in his attempt to have the record of this removed from a Google search result. However, in another case in Karnataka High Court, a petition was upheld in the case of a petitioner looking to remove his daughter's name from an earlier court order that was easily searchable online. The court stated that this was “in line with the trend in Western countries of ‘right to be forgotten’ in sensitive cases involving women in general and highly sensitive cases involving rape or affecting the modesty and reputation of the person concerned.” It has been argued that this ruling is problematic as it is a ruling based on an idea of the modesty and reputation of women, rather than the fundamental right to privacy.
Draft Legislation on the Right to Privacy
Since 2010, starting with an Approach Paper on Privacy, India has been deliberating on the contours of a piece of privacy legislation drafts of which were released in 2011 and 2014. The 2014 version was leaked and is still under proposal as of 2017, but if it became law it would recognize the right to privacy as a fundamental right under Article 21 of the Indian Constitution, establish a Data Protection Authority, and establish an alternative dispute mechanism for addressing disputes between data controllers and individuals.
In July 2017, the government of India set up an expert committee to suggest a draft Data Protection Bill. The committee is chaired by Justice B N Srikrishna, Former Judge, Supreme Court. In November 2017, the Expert Committee released a white paper for public consultation on the contours of a privacy legislation for India. The Expert Committee also held four open houses in different cities in India to seek input on key aspects of the proposed law.
In July 2018, the Committee released its final report and a draft data protection bill, called the Personal Data Protection Bill, 2018. The Personal Data Protection Bill provides for the establishment of a Data Protection Authority to oversee activities that involve processing of data. It also recognises the need to protect personal data under the fundamental right to privacy, as well as the need to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation. Additionally, the Bill states that it aims to protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data, to specify the rights of individuals whose personal data are processed, to create a framework for implementing organisational and technical measures in processing personal data, to lay down norms for cross-border transfer of personal data, to ensure the accountability of entities processing personal data, and to provide remedies for unauthorised and harmful processing.
Key provisions
In its broad structure and key provisions, the bill seems to follow the model of the European Union’s General Data Protection Regulation (GDPR) and, on a number of significant provisions, the draft bill takes on strong privacy preserving positions. The draft bill has included well recognised privacy principles on how a notice should be sent to individuals before data is collected. It says that for the consent to be valid it must be free, informed, specific, clear and capable of being withdrawn, besides prescribing explicit consent for sensitive personal data. Purpose limitation and collection limitation also feature prominently in the draft bill. Similarly, some of the key rights of individuals, such as the right to confirmation and access, right to correction and right to data portability, are part of the bill and would go a long way in providing individuals with control of their data. Finally, the creation of a data protection authority is sorely needed, and hopefully, it will lead to a strong, independent and specialised regulator.
‘Necessity’ in the Bill
The legal principle of “necessity”, developed in international law and by constitutional and administrative courts in several jurisdictions, has been imported into the reading of India’s data protection bill. It is worthwhile, at this point, to delve into the nature of restrictions that the state can impose on privacy which last year’s Puttaswamy judgment discussed. In the case of provisions such as Section 13 of the draft bill, the restrictions on privacy in the form of denial of informed consent need to be tested against a constitutional standard. In the Puttaswamy case, the bench was not required to provide a legal test to determine the extent and scope of the right to privacy, but they do provide sufficient guidance for us to contemplate how the limits and scope of the constitutional right to privacy could be determined in future cases. The three tests laid down by Justice Chandrachud are most operative:
a) the existence of a “law”
b) a “legitimate State interest” and
c) the requirement of “proportionality”
It is the final test of ‘proportionality’ articulated by the Puttaswamy judgement which is most operative in this context. Unlike sections 42 and 43 of the bill, which include the twin tests of ‘necessity’ and ‘proportionality’, the committee has chosen to employ only one ground in Chapter III.
The use of “necessity” in the bill echoes, in many instances, the ways in which the word is used in the EU General Data Protection Regulation. For instance, the use of ‘necessity’ in section 13 is clearly drawn from the language of the GDPR. However, unlike jurisdictions like the EU, Canada and South Africa which have a rich history of jurisprudence on the term, India does not have judicial guidance on how it may be interpreted. If the Srikrishna committee intended to adopt the definition of ‘necessity’ as articulated by the ECtHR, it should have clearly called out the interpretation in its report which accompanied the bill. Doing so would have provided clear guidance for the data protection authority and courts on how ‘necessity’ ought to be construed. It is also interesting that the bill refers to ‘necessity’ as a standard with respect to non-state actors. ‘Necessity’ has evolved in the constitutional law jurisprudence to govern the interference with fundamental rights of individuals. Therefore, the way it is construed in India relies heavily on the understanding of the scope and limitations of fundamental rights and how they may be curtailed. At this point, the conditions for non-consensual processing rely only on necessity, and not on proportionality.
Data localisation
As per the draft bill, all data collectors will be required to maintain a copy of all personal data collected on a server or data centre located in India. This has been introduced to deal with problems with data requests faced by investigative agencies, when they require data hosted outside India. It is unlikely that the localisation mandate will solve this issue for two reasons. First, as recognised by the Committee itself, a conflict of law question may still arise despite the data being physically stored in India. Second, the localisation mandate only extends to data relating to Indian citizens. It does not solve the problem that arose in the Microsoft-Ireland case, where law enforcement agencies required access to data relating to a foreigner. India would fare better if it were to use the language of international law to articulate its position better in diplomatic negotiations to reform the MLAT process or propel itself to a better position in the CLOUD Act.
Surveillance Regulation
The draft Bill includes the twin tests of ‘necessity’ and ‘proportionality’ as conditions precedent for any processing for the purposes of the security of the state and the prevention, detection, investigation and prosecution of contraventions of law. However, in its current formulation, there is no obligation and clear procedure for the agencies involved to establish necessity and proportionality before a judicial or quasi-judicial body. Other provisions such as user notification, cap on retention periods and a limited right to confirmation, access and rectification are completely missing from the Bill currently.
Accountability mechanisms
Presently, there is no explicit law in India that allows an affected individual to find out what information is held about themselves. Other accountability mechanisms pertaining to data protection include:
Freedom of Information
The Right to Information Act establishes the right of citizens to request information held by public authorities. However, it specifically prohibits disclosure of information that relates to personal information if (i) the disclosure of which has no relationship to any public activity or interest; or (ii) that would cause unwarranted invasion of the privacy of the individual. These two conditions are voided if a larger public interest is satisfied by the disclosure of such information.
An overview of case law pertaining to the RTI Act, especially sections 6 to 8, gives the impression that the legislature has tried to balance and harmonize conflicting public and private rights and interests by building sufficient safeguards and exceptions to the general principles of disclosure under the Act (Public Information Officer v. Andhra Pradesh Information Commission, 2009 (76) AIC 854 (AP)). This is why it is generally suggested that section 8, when applied, should be given a strict interpretation as it is a fetter on not only a statutory right granted under the RTI Act but also a pre-existing constitutional right (Bhagat Singh v. Chief Information Commissioner, 2008 (64) AIC 284 (Del).) Logical as this argument may seem and as appropriate in some circumstances, it does present a problem when dealing with the privacy exception contained in section 8(1)(j). This is because the right to privacy envisaged in this section has also been traced to the same provisions of the Constitution from which the constitutional right of freedom of information emanates (Articles 14, 19(1)(a) and 21 of the Constitution of India, 1950.) There is an ambiguity regarding the treatment and priority given to the privacy exception versus the disclosure mandate in the RTI Act, as it requires the balancing of not only two competing statutory rights but also two constitutional rights.
Regulatory bodies
No specific body exists to regulate privacy and data protection in India. The Data Security Council of India is a self-regulated organization associated with NASSCOM that works with industry on a voluntary basis to develop codes and practices related to data protection and security. Yet these are non-enforceable and non-binding.
Cyber Appellate Tribunals
In India, the first and only Cyber Appellate Tribunal has been established by the Central Government in accordance with the provisions contained under Section 48(1) of the Information Technology Act, 2000. The Tribunal, initially known as the Cyber Regulations Appellate Tribunal (CRAT), is known as the Cyber Appellate Tribunal (CyAT) after amendment of the IT Act in 2008. The first Cyber Appellate Tribunal set up by the Central Government is in New Delhi. Although a second branch of the Tribunal was to be set up in Bangalore, as of 2017, there has been no progress on the issue.
Furthermore, the position of the Chairperson of the Appellate Tribunal has been left vacant since 2011, after the appointed Chairperson retired. Although judicial and technical members have been appointed at various points, the tribunal cannot hold hearings without a chairperson. A total of 17 judgements have been passed by the Cyber Appellate Tribunal prior to the retirement of the chairperson, while the backlog of cases continuously grows. Despite a writ petition being filed before the Karnataka High Court and the Secretary of the Department of IT's official statement that the Chairperson would be appointed within six months (as of September 2013), no action seems to have been taken in this regard, and the lacuna in the judicial mechanism under the IT Act continues. The proper functioning of adjudicating officers and the Cyber Appellate Tribunal is particularly necessary for the functioning of a just judicial system in light of the provisions of the Act (namely, Section 61) that bar the jurisdiction of ordinary civil courts in claims below the amount of Rs. 5 Crores, where the adjudicating officer or the CAT is empowered.
In the April 2017 Finance Bill, it was announced that the Cyber Appellate Tribunal would be dissolved with its functions taken over by the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Data breaches: Case law
While there are a few judicial decisions regarding instances in which employees or others with physical access to data have copied and used data in an unauthorized manner, there do not seem to be any cases yet where it has been alleged that data has been stolen by breaching the security systems of the data processor/controller.
Examples of data breaches
There are regular data breaches in India. For example, there have been several major breaches associated with the Aadhaar database.
In May 2016 it was reported that the ticket-booking website of Indian Railways had been hacked and personal data of around 10 million customers was feared to have been stolen from the servers of the e-ticketing portal. It was reported that IRCTC officials also feared that personal details including phone numbers, date of birth and other such details of its customers had been sold on a CD for Rs 15,000. The Indian Railways Catering and Tourism Corporation denied that their website had been hacked, and claimed that they had not received any indication that a data breach had taken place.
In October 2016, malware reportedly introduced in systems of Hitachi Payment Services enabled criminals to steal financial information of customers of a number of banking institutions including Visa, MasterCard, ICICI Bank, Axis Bank and YES Bank. As many as 3.2 million cards were compromised as a result of the breach.
In May 2017, a hacker reportedly stole email addresses and password details for 17 million users of an Indian food delivery app, Zomato. In a statement, Zomato confirmed that no financial information was reportedly compromised.
In July 2017, details of customers of mobile operator Reliance Jio were published online. Compromised information included email id, full name, Reliance Jio mobile number, and SIM activation dates. Reliance Jio originally did not authenticate the leak, stating that it was investigating the matter internally. The company reportedly has since filed a police complaint alleging "unlawful access" to its systems.
Identification Schemes
ID cards and databases
In India, there are two national identity databases: the Unique Identification (also known as Aadhaar) database, and the National Population Register (NPR). In addition to these two databases, there are other documents that are used as proof of identity such as passports, PAN cards, ration cards, driving licenses, and electoral documents.
The Unique Identity Scheme - Aadhaar
The UID scheme is the world’s largest identification number scheme. The UID scheme was first implemented in 2010, and Aadhaar enrollment reached 1 billion in April 2016. The scheme seeks to issue every resident of India a 12-digit identity number based on his/her biometric information (including fingerprints, iris scans, and photographs) and demographic data (including address, name, family name, and age) on a voluntary basis. The number is known as Aadhaar. To enroll in the UID, individuals must go to registrars and enrollment centres with the appropriate documentation. Enrolment centres are agencies under contract with the UIDAI and registrars can be public and private organizations. Once documents are verified and biometrics taken, individuals will receive an acknowledgment slip and their UID number will be sent in the mail. The UIDAI will own and operate a Central Identities Data Repository (CIDR), a centralized database that will contain biometric and demographic data of citizens. The number can be used to authenticate individuals' identities during transactions and when accessing governmental services. To enable the delivery of services, an individual's Aadhaar number is seeded into the database of service providers. Biometric technology used in the scheme must be certified by the Standardisation Testing and Quality Certification Directorate under DeiTy. As of November 2015, certified suppliers include: BioEnable Technologies, Inspirate IT Solutions and Services, Precision Informatic (Madras), Sagem Morpho Security, and Terasoftware, M/s BioEnable Technologies.
The UID scheme is run by the Unique Identification Authority of India (UIDAI), an agency created by the Government of India as an attached office of the Planning Commission of India via Notification No. A.03011/02/2009-Ad. In 2012, a writ petition was filed by Justice K.S. Puttaswamy in the Supreme Court of India challenging the policy of the government in making an Aadhaar card mandatory for every person in India and its subsequent plans to link various government benefit schemes to the card. The court made an interim order on 23 September 2013 whereby it ordered that no person should suffer discrimination in access to services on account of not having an Aadhaar card. Subsequent issues about the constitutional validity of the right to privacy have been raised and the case is pending before the court. On 11 March 2016, the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “Aadhaar Act”) was passed by the Lok Sabha to establish a legislative framework for the Aadhaar scheme.
While the Aadhaar Act has been debated and criticized for a number of reasons, it also has a number of privacy implications, some of which are discussed below in brief:
- The Aadhaar Act entitles every “resident” to obtain an Aadhaar number by submitting his or her biometric information (photograph, fingerprint, iris scan) and demographic information (name, date of birth, address) under Section 3(1) of the Aadhaar Act. It has been specified that demographic information will not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history. Therefore, although the Act specifically provides what information can be collected, it does not specifically prohibit the collection of further information. A resident is defined as any person who has resided in India for a period of at least 182 days in the previous 12 months.
- The Aadhaar Act provides (under the proviso to Section 28) that Aadhaar number holders may request the UIDAI to provide access to their identity information except their core biometric information. It is not clear why access to the core biometric information (defined as fingerprints, iris scans or other biological attributes which may be specified by regulations) is not provided to an individual. Further, since Section 6 seems to place the responsibility of updating and ensuring accuracy of biometric information on the individual, it is not clear how a person is supposed to know that the biometric information contained in the database has changed if he or she does not have access to the same.
- The Aadhaar Act gives individuals the right, under Section 31, to request that the UIDAI alter their demographic information if it is incorrect or has changed, and their biometric information if it is lost or has changed. This section provides for the alteration of identity information, but only in the circumstances given in the section: for example, demographic information cannot be changed if it has been lost, and similarly biometric information cannot be changed if it is inaccurate.
- Under Section 8(4), the UIDAI is entitled to reply to any authentication query with a positive, negative or any other response which may be appropriate and may share identity information except core biometric information with the requesting entity.
- The UIDAI has been given the power to appoint any one or more entities to establish and maintain the Central Identities Data Repository (CIDR) under Section 10.
- The biometric information collected by the UIDAI has been deemed to be an “electronic record” as well as “sensitive personal data or information” under Section 30 of the Act, which would mean that in addition to the provisions of the Aadhaar Act, the provisions contained in the Information Technology Act, 2000 will also apply to such information. It must be noted that while the Act details the principle that UIDAI is required to ensure the safety of the information, it does not anywhere establish any guidelines as to the minimum security standards to be implemented by the Authority. However, through this section the legislature has linked the security standards contained in the IT Act to the biometric information addressed in the Aadhaar Act.
National Population Register
The NPR is legally grounded in the provisions of the Citizenship Act, 1955 and the Citizenship Rules, 2003. Under the NPR, it is mandatory for every resident in India to register in the NPR according to the terms of Section 14A of the Citizenship Act, 1955. The NPR scheme began collecting data in 2010. The data collected under this scheme is managed by the Department of Electronics and Information Technology.
The NPR database will include thirteen categories of demographic information and three categories of biometrics. The collection of biometric information is not authorized by the Citizenship Rules and is provided for through guidelines. This is according to the Department of Information Technology National Population Register. The procedures to be followed for creating the NPR have been laid down in the Citizenship (Registration of Citizens and issue of National Identity Cards) Rules, 2003, and the guidelines are issued from time to time.
The biometric data collected comprises two iris scans, ten fingerprints, and a photograph. According to a 2010 Committee note, only the photograph and fingerprints were initially intended to be collected, while the iris scans were added later. The de-duplication of biometrics is currently outsourced to the Unique Identification Authority of India and the collection of biometrics is outsourced to private entities. The NPR involves a dual collection process. In the first stage, a door-to-door data collection is carried out as part of the Census, through a questionnaire without verification or supporting documents. This is followed by a verification process through public display of the information. This data is then digitized. The data subjects are then to give their biometric data at the data collection centres, on the production of the census slip. The biometric data collectors are parties who are empanelled by the UIDAI and are eligible to collect data under the UID Scheme. A subject’s data is aggregated and then de-duplicated by the UIDAI.
The ID card for the NPR is proposed to be a smart card with a micro-processor chip and the demographic and biometric attributes of each individual will be personalized in this chip along with the UID number. Currently, the government is only considering the possibility of distributing smart cards to all residents over the age of 18.
Challenge to Aadhaar in the Supreme Court
Aadhaar Ruling
The Supreme Court delivered its much-awaited judgment in the Aadhaar case in September 2018. The majority (comprising Dipak Misra CJI., AK Sikri J., AM Khanwilkar, J. and Ashok Bhushan J.) upheld the constitutionality of the Aadhaar Act, 2016 and the Aadhaar project. They read down a few provisions of the Aadhaar Act such as those on the disclosure of personal information, cognizance of offences and use of the Aadhaar by private entities. DY Chandrachud J. delivered a dissenting opinion invalidating the entire Aadhaar scheme along with the Act. The full text of the judgment is available here.
Section 33(1) of the Aadhaar Act prohibited the disclosure of information, including identity information or authentication records, except when it is by an order of a court not inferior to that of a District Judge. The majority opinion read down this provision, stating that an individual whose information is sought to be released shall be afforded an opportunity of hearing and the right to challenge such an order by approaching the higher court. The impacted individual would also be able to object to the disclosure of information on accepted grounds in law, including Article 20(3) and Article 21 of the Constitution.
Section 47 of the Aadhaar Act notoriously provided for the cognizance of offences under the Act only on a complaint made by the UIDAI or any officer or person authorised by it. The majority opinion made it clear that it needs to be amended to include within its scope the filing of such a complaint by an individual whose rights have been violated under the Aadhaar Act.
Section 57 permitted the use of the Aadhaar ecosystem for establishing the identity of an individual ‘for any purpose’. This provision was read down to mean that such a purpose has to be backed by law. Further, whenever any such “law” is made, it would be subject to judicial scrutiny.
Voter registration
Elections in India are conducted according to constitutional provisions, and supplemented by laws made by Parliament. The Representation of the People Act, 1950 lays out standards and procedures for the preparation and revision of electoral rolls, the carrying out of elections, and for post-election disputes. The Election Commission of India (ECI) is the permanent constitutional body responsible for overseeing elections in India. One of the functions of the ECI is to prepare electoral rolls of registered voters in all assembly constituencies in India and, more recently, to issue photo identity cards (EPIC) to all voters.
For the purpose of preparing the electoral rolls, a registration officer may access and request copies of the Register of Births and Deaths and the admission register of any educational institution in any area. The current method of preparing the electoral rolls in India is through house-to-house collection and verification of information. Registration is thus based on locale, and an individual is only permitted to register in one place. The complete electoral rolls – containing details such as full name, relatives, age, sex and EPIC number - are required by law to be available for inspection at the office of the registration officer, and copies of the rolls must be supplied to every political party under Rule 22 of the Registration of Electors Rules, 1960. The Election Commission has placed the complete electoral rolls on its website so the complete list is open for inspection by any person with an internet connection. Rule 33 of the Act provides that all citizens may obtain copies of extracts of the rolls pertaining to themselves upon payment of a fee. Copies of the rolls, including photo rolls, requested by citizens under the Right to Information Act may be provided only if they do not deal with specific third-party individuals. For example, it is possible to requisition a specific page of the roll - for instance, page 45 - but it is not possible to specifically requisition the portion of the rolls on which a specific name appears.
In addition, it has become common practice for state election commission websites to provide online access to complete lists of electoral rolls that they maintain. Also, with the aim of “changing the way users access their electoral information, that is publicly available, which would make experience of voters simpler, faster and consistent through a national online look-up tool”, the publication of electoral rolls online has raised privacy concerns. Google had proposed to have an “electoral look up services for citizens” in 2014. However, after due consideration, the Election Commission in India decided not to pursue the proposal.
SIM card registration
According to the Unified Access Service (UAS) license, service providers are required to maintain a subscriber database with required proof of identity and address when issuing SIMs to individuals.
Registration for public Wi-Fi access
In light of national security concerns around the use of public Wi-Fi, the Department of Telecommunication published a regulation in February 2009 defining procedures for the establishment and use of public Wi-Fi to prevent "misuse" of public Wi-Fi and to be able to track the perpetrator in case of "abuse". In this, the DOT has stated that “Insecure Wi-Fi networks are capable of being misused without any trail of user at later date”. Regarding Wi-Fi services provided at public places, the Regulations state that "bulk login IDs shall be created for controlled distribution with authentication done through a centralized server. Individuals using public wifi are required to register with a temporary user ID and password and must submit a copy of photo identity to the provider which is to be maintained for one year and receive details of a user ID and password via SMS on their mobile phone."
There are also rules for using cyber cafes. The Information Technology (Guidelines for Cyber Cafe) Rules, 2011 state that an internet cafe must establish and record the identity of the user and any person who accompanied him or her, keeping the information in the log register for a minimum of one year. Also, the cyber cafe owner is responsible for storing and maintaining backups of records for each access or login by any user of its computer resource for at least one year, including the history of websites accessed and logs of any proxy server installed at the internet cafe.
Policies and Sectoral Initiatives
Cybersecurity policy
In 2013 the Government published a National Cyber Security Policy. The Policy established an umbrella framework for securing Indian cyberspace and lays out the need to develop a national nodal agency to coordinate cybersecurity initiatives, create an assurance framework, encourage the use of open standards across products and services, create a dynamic legal framework for cyber security, create early warning mechanisms, secure e-government services, enhance the security of critical information structure and enable the prevention and investigation of cyber crime.
The 2013-2014 report by the Standing Committee on Information Technology noted that a number of initiatives envisioned in the policy had not yet been implemented and recommended the establishment of a National Critical Information Infrastructure Protection Centre and a centralized body to address cybercrime in India. The Committee also noted the need for capacity building and for a legal framework to protect privacy in India.
Cybercrime
Legislation
Cybercrime is legally addressed in the IT Act, including in the following sections:
- Causing damage to computer, computer system, etc. (section 43);
- Accessing or securing access to such computer, computer system or computer network or computer resource (section 43a);
- Downloading, copying or extracting any data, computer database or information from such a computer, computer system or computer network including information or data held or stored in any removable storage medium (section 43b);
- Producing or causing to be introduced to any computer contaminant or computer virus into any computer, computer system or computer network (section 43c);
- Damaging or causing to be damaged any computer, computer system or computer network, data, computer database or any other programmes residing in such a computer, computer system or computer network (section 43d);
- Disrupting or causing disruption of any computer, computer system or computer network (section 43e);
- Denying or causing the denial of access to any person authorised to access any computer, computer system or computer network by any means (section 43f);
- Providing any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder (section 43g);
- Charging the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network (section 43h);
- Destroying, deleting or altering any information residing in a computer resource or diminishing its value or utility or affecting it injuriously by any means (section 43i);
- Stealing, concealing, destroying or altering or causing any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage (section 43j);
- Dishonestly receiving or retaining any stolen computer resource or communication device knowing or having reason to believe the same to be stolen (section 66B);
- Fraudulently or dishonestly making use of the electronic signature, password or any other unique identification feature of any other person (section 66C);
- Cheating by impersonation by means of any communication device or computer resource (section 66D);
- Intentionally or knowingly capturing, publishing or transmitting the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person (section 66E);
- Indulging in cyber terrorism as defined in the Act (section 66F);
- Publishing or transmitting obscene material in electronic form (section 67);
- Publishing or transmitting material containing sexually explicit acts, etc. in electronic form (section 67A);
- Publishing or transmitting of material depicting children in a sexually explicit act, etc. in electronic form (section 67B);
- Failure to protect data (section 43A);
- Failure to furnish information, etc. (section 44); and
- Non-compliance with provisions of the Acts, Rules and Regulations (section 45).
Other than the above-mentioned offences, the ITA also contains a provision that gives legal recognition to electronic records. Thus any offence that may be committed through physical paper would also be considered an offence if committed through electronic means.
Regulatory bodies
Broadly, MeitY is responsible for the administration of the Information Technology Act 2000 and other IT related laws. Under MeitY, CERT-IN is the nodal agency for cyber security in India and C-DAC develops indigenous software and technologies that can be used for surveillance and security purposes. The Central Government has also set up a National Cyber Coordination Centre, a new security body that would be responsible for cyber intelligence and cyber security. The Centre has the objective of streamlining coordination between intelligence agencies and to screen all forms of metadata, and not personal data. Therefore, it is said to work with Internet Service Providers (ISPs) to analyze the metadata of Indian users but it will not mine information. Other ministries in India that play a role in cyber security in India include: the Ministry of Home Affairs, the Ministry of Defence, the Ministry of Personnel, Public Grievances and Pensions, the Ministry of Finance, the Ministry of Information and Broadcasting, the Ministry of External Affairs, the Prime Minister's Office, and the Ministry of Communications and Information Technology.
Encryption
Under section 84A of the Information Technology Act, the Central Government has the power to set the nationally permitted method and mode for encryption. Currently, the Unified Access License permits 40-bit bulk encryption.
In 2015 the Department of Electronics and Information Technology published a draft National Encryption Policy for public comment. The Policy proposed a framework that would allow the government to establish permitted algorithms and key sizes for encryption, require businesses to store encrypted data for 90 days and make the data available to law enforcement agencies when requested, require businesses to provide communications with foreign companies in plain text, and require service providers offering encryption to register with the government. The Policy was harshly criticised by the public, and has been withdrawn for the time being.
In 2016, MeitY wrote to the Cellular Operators Association of India (COAI), Association of Unified Telecom Service Providers of India (AUSPI), and Internet Service Providers Association of India (ISPAI), to seek their comments on a new draft National Policy on Encryption. However, this second draft was never released.
Licensing of industry
India has a diverse market of telecommunications and Internet Service Providers. Some major telecom companies include: Bharti Airtel, Aircel LTD, Reliance Communications, Tata Teleservices, Vodafone, MTNL, Idea Cellular, BSNL and Reliance Jio Infocomm. Of these, BSNL and MTNL are state owned service providers.
The Department of Telecommunications is the overseeing body for telecommunication and internet service providers in India, responsible for the following areas that are relevant to security and privacy:
- Development of policy;
- Licensing and coordination of communication services;
- Framing of rules related to the security of telecom networks in India and coordination with security agencies on the same;
- Cooperation and coordination with international bodies related to telecommunications;
- Promotion of standardization, manufacturing, research and development in telecommunications; and
- Implementation of relevant laws including the Indian Telegraph Act, 1885, the Indian Wireless Telegraphy Act, 1933, and the Telecom Regulatory Authority of India Act, 1997.
Key bodies under the Department of Telecommunications include Telecom Enforcement Resource Management Cells, the Centre for Development of Telematics, the Telecommunication Engineering Centre, the National Telecommunications Institute for Policy Research, Innovation and Training, the Telecom Regulatory Authority of India, and TDAT.
Internet Service Providers (ISPs) and Telecom Service Providers (TSPs) in India are required to comply with the License Agreement for Provision of Internet Services, which is issued by the Department of Telecommunications of the Ministry of Communications and Information Technology. This License Agreement is governed by the Indian Telegraph Act, 1885, the Indian Wireless Telegraphy Act, 1933, and by the Telecom Regulatory Authority of India Act, 1997. Telecom Service Providers (TSPs) in India have to comply with two license agreements in order to operate: the Cellular Mobile Telephone Service (CMTS) License Agreement and the License Agreement for the Provision of Basic Telephone Services (BTS). The first license agreement applies to cellular mobile communications, whereas the second applies to landlines. The Unified Access Services (UAS) License Agreement applies to both Internet Service Providers (ISPs) and Telecom Service Providers (TSPs) operating in India and serves as an “umbrella” license agreement. These licenses can be amended and updated by the Department of Telecommunications. For example, in 2013, the UAS licence agreement was amended to provide for the technical requirements of the Centralized Monitoring System. Through applicable licenses, a number of security requirements are imposed on service providers, for example, tracing and monitoring capabilities and requirements, provision of subscribers' identity and location, access to law enforcement, retention of subscriber information, and encryption limitations.
E-governance/digital agenda
For many years the government of India has been leveraging technology with the goal of better and more efficient government services. In 2006, the Government of India launched the National e-Governance Plan (NeGP) and 31 Mission Mode Projects covering various domains were initiated. According to the government, e-Governance as a whole has not been able to achieve the desired impact and fulfil all its objectives, and significantly more effort is required to ensure e-Governance in the country promotes inclusive growth that covers electronic services, products, devices and job opportunities. In order to transform the entire ecosystem of public services through the use of information technology, the Government of India has launched the Digital India programme with the vision to transform India into a digitally empowered society and knowledge economy. The approach to be adopted to implement this digital agenda has been laid out in the following terms:
- Ministries/Departments/States would fully leverage the Common and Support ICT Infrastructure established by the central government. The Department of Electronics and Information Technology (DeitY) would also lay down standards and policy guidelines, provide technical and handholding support, undertake capacity building, R&D, etc.
- The existing and ongoing e-Governance initiatives would be suitably revamped to align them with the principles of Digital India.
- States would be given flexibility to identify for inclusion additional state-specific projects, which are relevant for their socio-economic needs.
- e-Governance would be promoted through a centralised initiative to the extent necessary, to ensure citizen centric service orientation, interoperability of various e-Governance applications and optimal utilisation of ICT infrastructure/ resources, while adopting a decentralised implementation model.
- Successes would be identified and their replication promoted proactively with the required productization and customisation wherever needed.
- Public Private Partnerships would be preferred wherever feasible to implement e-Governance projects with adequate management and strategic control.
- Adoption of Unique ID would be promoted to facilitate identification, authentication and delivery of benefits.
- Restructuring of NIC would be undertaken to strengthen the IT support to all government departments at Centre and State levels.
- The positions of Chief Information Officers (CIO) would be created in at least 10 key Ministries so that various e-Governance projects could be designed, developed and implemented faster.
It appears that the emphasis of the government is on scaling the technology and improving infrastructure to provide services to the end user as promised, and issues such as privacy are addressed in principle, as some of the platforms employ HTTPS and have associated privacy standards in their terms and conditions - for example, mygov.in. However, India's data protection provisions under the IT Act do not extend to the public sector, and privacy concerns have been voiced about the scheme in light of the lack of a comprehensive privacy legislation in India.
Some of the Digital India schemes include Digital Locker (in which the government is expected to roll out a national depository that will hold documents like birth certificates, school and college leaving certificates, residence and marriage proof, and even PAN cards in digitized form), MNREGA (which will ensure better implementation of the rural job scheme through a mobile monitoring system), MyGov.in (an online portal to engage citizens in governance through a “Discuss”, “Do” and “Disseminate” approach), e-Hospital (a Hospital Management System and patient-centric application software meant for hospitals in the Government sector to enable and avail services like online registration, payment of fees and appointment, online diagnostic reports, checking on the availability of blood online, etc.), eBasta (a project that has created a framework to make school books accessible in digital form as e-books to be read and used on tablets and laptops), etc. Some of these, such as Digital Locker, are Aadhaar enabled, though it is clarified that provision of the Aadhaar is voluntary.
In furtherance of the Digital India scheme, the Government of India launched an open API policy in 2015. An open API (Application Programming Interface), often referred to as a public API, is a publicly available API that provides programmers with programmatic access to a proprietary software application. This set of open APIs is known as the India Stack, which is a complete set of APIs for developers and includes the Aadhaar for Authentication, e-KYC documents (safe deposit locker for issue, storage and use of documents), e-Sign (digital signature acceptable under the laws), unified payment interface (for financial transactions) and privacy-protected data sharing within the stack of APIs. It is envisioned that India Stack will ease the integration of mobile applications with the data securely stored and provided by the government to authenticated Apps. DeitY has notified the open API policy to promote software interoperability for all e-Governance applications and systems.
Health sector and e-health
In India, healthcare can be accessed through both state-run and privately owned establishments. Typically, unless accessing healthcare through a specific project or service that requires know your customer norms (like health insurance), individuals do not have to be registered to access healthcare nor is the provision of an identity document mandatory, though some states have plans of linking health databases to Aadhaar.
Proposed Health Stack and Information Exchange
In July 2018, Niti Aayog, the central government policy think tank in India released a strategy and approach paper (Strategy Paper) on formulation of a integrated health information system called the National Health Stack. The Strategy Paperproposes the creation of a stack which would comprise a set of building blocks essential in implementing digital health initiatives. The National Health Stack envisions the creation of a federated application programming interface (API)–enabled health information ecosystem. The Ministry of Health and Family Welfare has focussed on the creation of Electronic Health Records (EHR) Standards for Indiain the last few years and also identified a contractorfor the creation of an centralised health information platform (IHIP). A few months before that, the Ministry of Health & Family Welfare, Government of India releases a Draft Digital Information Security in Healthcare Act. This bill envisions the creation of a health information exchange in India. It provides for establishment of National and State eHealth Authorities and Health Information Exchanges; to standardize and regulate the processes related to collection, storing, transmission and use of digital health data; and to ensure reliability, data privacy, confidentiality and security of digital health data and such other matters related and incidental thereto. As stated, the purpose of the Digital Information Security in Healthcare Act is to facilitate the establishment of the National and State Electronic Health Authorities and Health Information Exchanges, that are incharge of standardising and regulating the process of data collection, storage and transmission.
The National Health Stack is proposed as set of building block, a stack of Open APIs which would work together to provide an interoperable framework. The stack is presented as comprising of vertical layers which would be designed to work together, and horizontal connections which would work with the APIs in the vertical framework.
The lack of reliable and easily accessible master data is identified as one the key problems of the healthcare programmes in developing countries and each vertical program in the government tends to maintain its own copy of data that is difficult to keep updated. There is also restricted data sharing across programs. The National Health Stack attempts to address these issues. It has two main layers. The first layer, called the National Health Electronic Registries is the base layer which will be utilised by all other services. This layer would provide access to data for various health-sector stakeholders such as healthcare providers, patients, doctors, insurers and Accredited Social Health Activist (ASHAs). It will also contain data about health programs such as drugs and interventions. The Creation, updation and retrieval of data would be carried out using Open APIs with consent-based access for authorised entities. The Registries will be self-maintainable where listed entities could view and update their information, and have mandates or incentives to ensure do so. There are huge issues of frauds in the health insurance sector and the registries are meant to be non-repudiable with the source of each attribute available and an audit trail for all changes made to entries in the registry.
It would comprise master data for all healthcare providers including hospitals, clinics, labs and leverage and unify data from different programmes such as National Health Resource Repository (NHRR), NIN database, NIC and the Registry of Hospitals in Network of Insurance (ROHINI). Additionally, there is an intended Beneficiary Registry based on a unique identification number and also accommodating other identifiers. This part of the register would enable a holistic view of the different programs that beneficiaries participate in, it will also enable efficient search and recovery of beneficiary details.
The second part of the stack comprises a host of platforms which would interact with the Registry layer. The Coverage and Claims platform, for instance, will facilitate implementation of the large scale health insurance programmes. Using a Unified Multi-Policy View so that beneficiaries can view all their health insurance policies, public and private in one place and a PML (policy markup language), a machine readable language designed for describing, updating, accessing and communicating policies between software programs, it would automate large parts of the claims process.
The part of the stack which we are most interested in is the federated personal health records or the PHR framework. It is this part of the framework which would act as a Personal Data Store, and could be used to provide “an integrated view of all data related to an individual across various health providers, comprising of medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal stats such as age and weight, demographics and billing information, and multiple health apps.” The PHR framework relies on a patient-controlled repository where data may be accessed from multiple nodes within the system. Importantly, the Strategy Paper also envisions health data fiduciaries to facilitate consent-driven interaction between entities that generate the health data and entities that want to consume the PHR for delivering better services to the individual.
The other part of the stack that is pertinent to our discussion is the National Health Analytic Platform which would integrate information on multiple health initiatives and inform policymaking using anonymised and aggregated datasets that assist in the creation of dashboards, reports for Disease Surveillance, Pharmacovigilance, Health Schemes Management Systems and Nutrition Management.
E-Health Record Standards
India is in the process of standardizing health records to enhance the interoperability of health databases. To introduce a uniform system for maintenance of Electronic Health Records (EHR) by the hospitals and healthcare providers in the country, an Expert Committee was set up by the Ministry of Health & Family Welfare (MoH&FW). In September 2013, the MoH&FW notified the EHR Standards for India, based on the recommendations of the Expert Committee. The Committee also carefully examined the provisions of open standards and the guidelines as per the norms suggested by DeitY, MCIT and the Government of India. The EHR standards were improved and a revised version was publicly circulated on 18 March 2016 with the aim of ensuring syntactic (structural) and semantic (inherent meaning) interoperability of data amongst systems at all times.
The standards contain detailed recommendations on the interoperability and standards, clinical informatics standards, data ownership, privacy and security and the various coding systems. For example, as per the Regulations, sensitive personal data or personal information of the patient as per the Information Technology Act, 2000 is owned by the patients; however the medium for storage or transmission of such data is owned by the healthcare provider. Also, the Standards provide that disclosure of protected/sensitive information for use in treatment, payments and other healthcare operations must be done only after obtaining a general consent of the patient. On the other hand, disclosures for non-routine and most non-health care purposes must be done only after obtaining the specific consent of the patient. Only for certain specified national priority activities, such as notifiable/communicable diseases, may information be disclosed to the appropriate authority as mandated by law without the patient's prior authorization.
Health Insurance Records
India's insurance regulator, the Insurance Regulatory and Development Authority (IRDA), has issued a number of guidelines regulating third party administrators, outsourcing of functions, database sharing and health insurance portability, which cumulatively promote customer confidentiality and privacy in the health insurance sector.
The IRDA (Third Party Administrators - Health Services) Regulations place regulatory guidelines on ‘third party administrators’ (TPAs). TPAs have to observe a code of conduct so as to obtain a license from the IRDA. The salient features of the code of conduct in relation to health information privacy require TPAs to refrain from trading information and the records of their business, maintain the confidentiality of the data collected in the course of their agreement, maintain proper records of all transactions carried out on behalf of an insurance company and keep them for a period of not less than three years.
An exception to the maintenance and information confidentiality clause in the code of conduct requires TPAs to provide relevant information to any court of law or tribunal, the Government, or the Authority in the case of any investigation carried out or proposed to be carried out by the Authority against the insurance company, TPA or any other person or for any other reason.
The Insurance Regulatory and Development Authority (Sharing Of Database For Distribution Of Insurance Products) Regulations regulate the conditions under which insurance companies can purchase customer databases from referral companies. The regulations restrict referral companies from providing details of their customers without their prior consent. Referral companies are also forbidden from providing details of any person, firm or company with whom they have not had any recorded business transaction, or if they are bound by any confidentiality agreement in the matter of sharing the personal and financial databases of their customers.
The IRDA (Insurance Advertisements and Disclosure) Regulations 2000 require insurers or intermediaries to include disclosure statements on their website or portal outlining specific policies vis-a-vis the privacy of personal information.
In February 2011, the IRDA issued guidelines permitting insurance companies to outsource their non-core functions, which include claim processing for overseas medical insurance, call centre, telemarketing, data entry, printing and posting of reminders and other documents, and pre-employment medical checkups, among others. The guidelines require the insurer to take appropriate steps to require third party service providers to protect confidential information of both the insurer and its clients from intentional or inadvertent disclosure to unauthorized persons. In addition, if insurers issue policies and store data in electronic form, it is mandatory for them to do so with the repository service providers authorised by IRDA. Lastly, the guidelines require every insurer to have an in-house Grievance Redressal Machinery to deal with grievances relating to services provided by the outsourced agencies.
Legislation and Codes
Privacy safeguards afforded to health information, as well as standards around access and disclosure, can be found in various pieces of legislation and policy, and patient privacy is a recognized principle in Indian jurisprudence. For example, the Rules issued under Section 43A of the Information Technology Act, 2000 classify “medical records and history” as sensitive personal data or information for the purposes of data protection standards, and a body corporate handling such data must do so in compliance with the Act and Rules. Additionally, the Medical Council of India (MCI) Code of Ethics Regulations sets the professional standards for medical practice. These include that:
- Physicians are obliged to protect the confidentiality of patients, including their personal and domestic lives, unless required by law, or if there is a serious and identified risk to a specific person and/or community, or in the case of a notifiable disease;
- Disclosure of a patient’s prognosis rests with the patient and not the medical attendant;
- Medical records of their patients must be maintained for a period of three years;
- Patients, authorized attendants or legal authorities can request medical records, which have to be issued within 72 hours;
- Efforts should be made to computerize medical records for quick retrieval; and that
- Publication of photographs or case studies without consent by patients is prohibited. If the identity of the patient cannot be discerned then consent is not needed.
Other important legislation includes the Pre-Natal Diagnostic Techniques (Regulation and Prevention of Misuse) (PNDT) Act, 1994 and associated Rules and the Medical Termination of Pregnancy Act 1971 and associated Rules. The former legislation seeks to prevent sex determination and mandates that all records of pregnant women who have undergone an ultrasonography must be preserved for a period of two years. The PNDT (RPM) Rules, 1996 require that when the records are maintained on a computer, the person responsible for such record should preserve a printed copy of the record after authentication. The Medical Termination of Pregnancy Act mandates that abortion may only be carried out by a registered medical practitioner under stipulated conditions. Medical practitioners are only allowed to disclose information of those who have terminated a pregnancy to the Chief Medical Officer of the State. Otherwise, it prohibits the disclosure of matters relating to treatment for termination of pregnancy. The Medical Termination of Pregnancy Regulations, 1975 explicitly mandate data collection and processing. Additionally, the Regulations stress the importance of secrecy and security of information. The medical practitioner is required to assign a serial number for the woman undergoing an abortion. Hospitals have to maintain an Admission Register of women who have terminated their pregnancy. They are prohibited from disclosing the information contained to anyone. The admission register is considered ‘secret’ and stored in safe custody of the head of the hospital. It must be destroyed on the expiry of a period of five years from the date of the last entry.
It is not open to inspection by any person except with the authority of: in the case of a department or other enquiry, the Chief Secretary to the Government of a Union Territory; in the case of an investigation into an offence, a magistrate of the First Class; and in the case of a suit or other action for damages, the District Judge.
Proposed DNA Profiling Legislation
A DNA profiling bill has been discussed in India since 2007. The latest draft bill, Use and Regulation of DNA Based Technology Bill 2017, is the most recent iteration of the legislation following the previous drafts in 2012 and 2015.
The 2017 bill, if passed, would establish national and regional DNA banks, with five different indices: a crime scene index, missing persons, offenders, suspects, and unknown deceased persons. Information from the DNA databanks will be available under six circumstances: to law enforcement and investigating agencies, in judicial proceedings, for facilitating prosecution and adjudication of criminal cases, for taking defence of an accused, for investigation of civil disputes, and other cases which might be specified by regulations. There are offences relating to the unauthorised access, or use, of the information in the DNA bank, including unlawful disclosure, and obtaining information without authorisation.
The 2017 draft has some positive changes from earlier versions of the draft, yet the proposed bill still contains privacy concerns. Earlier drafts of the bill were critiqued by a committee chaired by Justice A.P. Shah in the “Report of Group of Experts on Privacy” for a lack of adequate privacy safeguards. The principles outlined by the A.P. Shah Committee have not been fully implemented in any of the Bills - namely notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness, and accountability.
In January 2019, the Lok Sabha, the lower house of the Indian Parliament, passed the DNA Technology (Use and Application) Regulation Bill, 2018.
Case Law
The courts in India have also been influential in shaping the laws dealing with health and medical privacy. In Raghunath Raheja vs. Maharashtra Medical Council 1996, the Bombay High Court declared that when a patient or his or her relative demands case papers from the hospital or the doctor, the hospital authorities and the doctors concerned must furnish copies of case papers to the patient or his or her near relative. In this judgement, there is a potential for a patient to seek redress for privacy violations, as the High Court treats the patient and his/her near relatives in the same vein. The High Court has failed to account for the ability of a near relative to demand records from the hospital without the permission and authorization of the patient.
Mr. “X” vs. Hospital “Z” was the first decision recognizing sensitive data related to health. The Supreme Court of India granted liberty to clinical establishments to disclose the HIV positive status of an individual to the public, without his or her knowledge. Hospital “Z” disclosed the HIV positive status of Mr. “X” to his fiancée without his consent. After the revelation, his marriage was called off and he was ostracized by the community. Mr. “X” sued Hospital “Z” for violation of privacy by disclosing information about his health, which ought to have been kept confidential. The court affirmed that the disclosure of information prevails over the duty of confidentiality between a doctor and patient to protect public interest (prevention of crime or disorder or protection of health or morals or protection of rights and freedom of others).
In Surjit Singh v. Kawaljit Kaur, the Punjab and Haryana High Court held that allowing a medical examination of a woman for her virginity amounts to a violation of her right to privacy and personal liberty enshrined under Article 21 of the Constitution. The wife filed a petition for a divorce on the ground that the marriage had never been consummated, as her husband was impotent. The husband held that the marriage was consummated and he was not impotent. In order to prove that his wife was not a virgin, the husband filed an application for her medical examination. The Court held that such a medical examination would be a roving enquiry and the virginity test cannot constitute the sole basis to prove the consummation of marriage. The incapacity of the husband in any form, physical or mental, may also be the factor for non-consummation of marriage.
In Ms. X vs. Mr. Z & Anr, the Delhi High Court held that an aborted foetus was not a part of the body of a woman and allowed the DNA test of the aborted foetus at the instance of the husband even though the application was opposed by the wife on the ground of the right to privacy. The court held that the right to privacy is not an absolute right and that an aborted foetus is not part of a woman's body, as it is a part which has already been discharged from the body; therefore a DNA test on the aborted foetus does not violate the right to privacy of the woman.
In B. K. Parthasarthi vs. Government of Andhra Pradesh, the Andhra Pradesh High Court upheld “the right of reproductive autonomy” of an individual as a facet of his “right to privacy”, which characterized the right to reproduce as “one of the basic civil rights of man”.
Smart policing
Smart policing (or predictive policing) is still very new in India, with Jharkhand being the only state that appears to already have concrete plans in place to introduce predictive policing. The Jharkhand police began developing their IT infrastructure such as a Geographic Information System (GIS) and server room when they received Rs. 18.5 crore in funding from the Ministry of Home Affairs. The Open Group on E-governance (OGE), founded as a collaboration between the Jharkhand Police and National Informatics Centre, is now a multi-disciplinary group which takes on different IT projects. With regard to predictive policing, in 2013 some members of OGE began developing data mining software which will scan online records that are digitised. According to the group, the emerging crime trends “can be a building block in the predictive policing project that the state police want to try.”
The Jharkhand Police was also reported in 2012 to be in the final stages of forming a partnership with IIM-Ranchi. It was alleged the Jharkhand police aimed to tap into IIM’s advanced business analytics skills, skills that can be very useful in a predictive policing context.
Presently, in Jharkhand, the emphasis appears to be on developing a Domain Awareness System, collecting data, and creating new ways to present that data to officers on the ground, instead of using predictive policing software. For example, the Jharkhand police now have in place a Naxal Information System, Crime Criminal Information System (to be integrated with the CCTNS) and a GIS that supplies customised maps. The Jharkhand police’s “Crime Analytics Dashboard” shows the incidence of crime according to type and location and presents it in an accessible portal, providing up-to-date information. Potentially, the domain awareness systems that are taking shape in Jharkhand could pave the way for future predictive policing methods in India.
Though not explicitly focused on predictive policing, in 2013 the Ministry of Home Affairs, PM Division published guidelines for the development of mega policing projects. As per the guidelines, it is envisioned that Delhi, Kolkata, Mumbai, Chennai, Hyderabad, Bangalore, and Ahmedabad would implement the Mega City Policing projects. Among other aspects, the guidelines provide instructions for the establishment of Fusion Centres/Data Centres. According to the guidelines: “The Fusion/Data Centre would be playing a crucial role in prevention and detection and also investigation of crime or security related challenges. It will, however be necessary to have up to date and comprehensive databases from various fields, for example, vehicle registration numbers, Unique ID numbers, residential addresses, Pan card details, and crime related details. The accessibility of these databases by the Fusion Centres will have to be ensured by defining MoU or law enforcement agreements or state legislation to enable the State to have access to the private data on individuals without any encroachment on the privacy rights of the individuals.”
There are several law enforcement agencies which use smart tools for social media monitoring. An investigative news report in 2018 stated that over 40 state and Central government departments have deployed a social media monitoring tool called AASMA (Advanced Application for Social Media Analytics). This tool can collect and analyse “live data” on users from “multiple social networks” including Twitter, Facebook, YouTube, Flickr, and conduct sentiment analysis on the data it collects.
Transport
National Transport Schemes
The transport sector is not mentioned in the digital India scheme of e-governance, and very few details of the schemes are publicly available. Sarathi.nic.in is a national online portal providing various services related to driving license management. The Ministry of Road Transport and Highways has also launched vahan.nic.in as a one-stop portal for a number of services such as issuance of duplicate registration papers, new vehicle registration, NOCs from the department, and transfer of ownership.
Intelligent Transport System (ITS) in India
The application of innovative technology in public transport systems in India has increased dramatically over the last few years. For example, in November 2012, the Karnataka State Road Transport Corporation (KSRTC) implemented a unique ITS solution known as the Mysore Intelligent Transport System (MITRA). The project implementation covers 500 buses, 105 bus stops, 6 bus terminals and 45 bus platforms. It involves real-time monitoring and tracking of buses to help reduce road congestion and other transport issues, dynamic passenger information system (PIS) based on Geographical Positioning System (GPS), application of advanced display and communication technologies, Central Control Station (CCS) and intelligent display boards to improve passenger safety, fleet efficiency, and services to monitor the traffic situation through the transmission of real time information.
Similarly, the application of ITS in Mumbai Area Traffic Control has resulted in maximized traffic flow, reduced congestion and a reduction in junction stops and delays to suit traffic conditions at different times of the day. Another project is the Bangalore Traffic Improvement Project (BTRAC), which quantifies the reduction in travel time, improvement in travel speed, reduction in accidents, better enforcement action plan, and paperless enforcement of the Motor Vehicles Act for the first time in the country. As another example, Janmarg (Ahmedabad BRTS) has also utilized the ITS solution in order to constantly maintain the benchmark of operations and service quality.
Multiple transit agencies in India have also implemented Electronic Ticketing Machines (ETMs). ETMs generate data that can be analysed for the improvement of services and operations. Examples of cities integrating the use of automated ticketing systems include Mumbai, Indore, Bhopal, Mysore, Vishakhapatnam, Jaipur, Gulbarga, and Bhubaneswar.
In 2013, the first pilot corridor of iBUS was launched in Indore. The 11.45-km corridor running along the AB Road from Rajiv Gandhi to Niranjanpur is functional, with 20 median bus stations and a daily ridership of 40,000 passengers and growing (Atal Indore City Transport Services Limited 2014). The system includes off-board payment facilities, a segregated corridor, dual-entry buses, and one of the most advanced ITS systems in India, used for tracking buses. The proposal is to build a network of 120 km of BRTS for the city.
In Bangalore city, the Bangalore Metropolitan Transport Corporation (BMTC) launched the Intelligent Transport System (ITS) in May 2016. The aim of the ITS project has been to create a smart transport arrangement for real-time tracking of buses as well as of passenger trips, so as to take data-driven decisions regarding planning of bus routes and schedules on the one hand, and to effectively inform potential passengers regarding travel options and time involved on the other. The system comprises three key elements, namely, the Vehicle Tracking System (VTS), the Passenger Information System (PIS), and the Electronic Ticketing System (ETS). The system also includes a mobile application that provides passengers with information about buses available from a particular stop/location, the route of the buses, the estimated time of arrival, and allows for trip planning. The growing scale of BMTC’s operations includes 6,404 buses and 6,216 schedules, 5,200,000 daily passengers, 2,400 routes and over 75,000 trips, and 12,900,000 km of daily service. First of its kind in India, the ITS project in Bangalore has seen integrated implementation of over 10,000 internet-enabled electronic ticketing machines, and over 6,400 vehicle tracking units.
Smart cities
The Indian Government has announced the ambitious “Smart Cities Mission” with an aim to develop 100 smart cities in the country. Though the Government did not define a “smart city”, a common definition is of a city in which modern technology will be harnessed, leading to smart outcomes.
Similarly, NASSCOM is working closely with the Ministry of Urban Development to create a sustainable model for smart cities, and due to lack of regulatory standards for smart cities, the Bureau of Indian Standards (BIS) in India has undertaken to formulate standardised guidelines for central and state authorities in planning, design and construction of smart cities. As leveraging city data and using geographical information systems (GIS) to collect valuable information are commonly used techniques in smart cities, cities across the world are taking note of potential surveillance by way of sensors and tools deployed in city services, leading to concerns around privacy, data protection, and biases. However, in India, the project is at a nascent stage where the dialogue around these issues has not yet matured, and is more focused on political and infrastructural aspects.
Migration
In order to modernize and upgrade the immigration services, the “Immigration, Visa and Foreigners Registration & Tracking (IVFRT)” scheme has been identified and included as one of the Mission Mode Projects to be undertaken by the Ministry of Home Affairs under the National e-Governance Plan (NeGP). This Project seeks to develop and implement a secure and integrated service delivery framework that would facilitate legitimate travellers while at the same time strengthen security. The scope of the project includes 169 Missions, 77 ICPs (Immigration Check Posts), 5 FRROs (Foreigners Regional Registration Offices), and FROs (Foreigners Registration Offices) in the State/District Headquarters.
The aims of this project are to authenticate travellers' identities at the Missions, Immigration Check Posts (ICPs) and Foreigners Registration Offices (FROs) through use of intelligent document scanners and biometrics, update foreigners’ details at entry and exit points, and improve tracking of foreigners through sharing of information captured during visa issuance at Missions, during immigration check at ICPs, and during registration at FRRO/FROs.
Emergency response
While mobile-based emergency response and disaster related services are mentioned in the National e-Governance Plan (NeGP), there are no further details available regarding the state of implementation of this plan. That said, an online emergency response system project by Telecommunications Consultants India Limited has been implemented in three cities to handle emergency situations and make the police more accessible.
The system works in the following manner: an individual dials '100' from anywhere in the city for police assistance and the call is answered. A form with pre-filled data fields such as caller number, name, address (name and address as per the database records) is displayed on the call taker’s screen while she or he continues to fill in the “type” of call, from information told by the caller, in the “description field”. Once the call taker validates and identifies the location from the map with selected landmarks, the case is passed on to the respective dispatcher. The dispatcher assigns a PCR van by selecting the proximity of “idle” vehicles, informs the PCR van on radio and sends the essential data to the PCR van through GPRS. Using Logical Communication, the application software identifies if the vehicle has taken up the task or not. If not, then the dispatcher sends the data again. Once the situation is attended to by the PCR van, the dispatcher fills in the relevant fields of the form to conclude the transaction.
Humanitarian and development programmes
Information technology in the form of internet, GIS, remote sensing, and satellite communication can be of immense help in tracking and planning disaster management. There have been efforts in the past in India to leverage technology during humanitarian disasters, such as using crowd sourcing to aggregate information on a single platform. Yet these instances were mostly limited to voluntary efforts from private citizens or institutions.
The only instances of the government using technology like this during major humanitarian disasters were noted in the 2014 floods in Jammu and Kashmir and the 2015 floods in Chennai. In the latter case, geospatial mapping was used to monitor the flood situation and disseminate information to various government agencies.
Social media
In 2014, it was reported that the New Delhi Police was in the process of establishing a centre to monitor social media content for law enforcement purposes. Apart from this, the Mumbai Police have already launched a Social Media Lab to keep an eye on issues being publicly discussed and to track matters relating to public order. The intent behind the Social Media Lab appears to be to assess changes in mass moods that could lead to gatherings and/or possible protests on a large scale. The police have publicly stated that the aim of the Social Media Lab is to keep a tab on the pulse of the people in order to scale up deployment requirements and undertake effective interventions. Although the monitoring of social media platforms for policing purposes raises questions about the permitted scope of state surveillance and citizens’ rights, such issues have not yet clearly been discussed and debated in the Indian justice system.
Media outlets report that the social media analytics centre of the Ministry of Information and Broadcasting scrutinizes posts on platforms like Twitter and Facebook and generates reports for the Prime Minister’s Office, the National Security Advisor’s Office and various intelligence bureaux, aside from ministries including Home Affairs, External Affairs and Defence. In February 2016, news reports indicated that the government was planning to increase the scope and work of the analytics wing to ensure 24/7 monitoring of social media. It appears that reactions on social media are categorised as positive, negative or neutral, which officials claim helps them in their decision-making tasks. Ministries can also commission special reports and analyses of large events like the Prime Minister’s foreign visits, actions against terror attacks or responses to policies that can impact internal security and external relations.