"Why the seven principles?"
The principles of the Indian Privacy Code, 2018 provide a summary aimed at furthering the understanding of a model, citizen law on data protection, surveillance and interception. Through the #SaveOurPrivacy Campaign we hope to invite endorsement of this effort to build a credible basis to this draft law through debate and discussion while committing ourselves to certain core values which we believe derive from a variety of constitutional and expert texts.
Please remember, the Indian Privacy Code, 2018 is a working draft that will become better in time to fully articulate the seven principles we have listed below.
"How were these principles created?"
The seven principles of the #SaveOurPrivacy campaign are built off rigour, debate and the best global practices adapted to India. We have referred to the Privacy (Protection) Bill, 2013 which was drafted over a series of roundtables and inputs conducted by the Centre for Internet and Society, Bangalore. This has been analysed within the framework of the influential report of the Justice A.P. Shah Committee of Experts and submissions by multiple lawyers to the Justice Srikrishna Committee of Experts.
Additionally the Indian Privacy Code, 2018 is a synthesis of Supreme Court judgments, including the landmark judgment in Justice K.S. Puttaswamy vs Union of India (2017) 10 SCC 1 and best practices from international texts such as the European Union’s General Data Protection Regulation. This includes the right to explanation on algorithmic decision making, reducing the power of black box systems etc.
"Can I comment on these principles?"
- Bengali (created on 27.06.2018. Contributors Aurinko).
- Hindi (created on 20.06.2018. Contributors Harsh Tikoo)
- Kannada (volunteers at work)
- Khasi (created on 20.06.2018. Contributors Kyrsoibor Pyrtuh)
- Marathi (created on 21.06.2018. Contributors Rajendra Kshirsagar, Shardul Manurkar, Siddharth Chapalgaonkar)
- Malayalam (volunteers at work)
- Tamil (edited on 27.06.2018. Contributors Saravanan Poongavanam and Srikanth Lakshmanan)
- Telugu (volunteers at work)
- Urdu (volunteers at work)
Individual rights are at the center of privacy and data protection
The individual and their rights are primary. The law on privacy must empower you by advancing your right to privacy. This includes your right to autonomy and dignity.
Protecting your right to privacy through a data protection law comes first. Protecting you promotes innovation in a sustainable way.
A data protection law must be based on privacy principles
User rights as identified by the report of the Justice A.P. Shah Committee of Experts are essential to a data protection law.
A data protection law should develop with advances in technology and global best practices. Hence, we need to be guided by the Supreme Court’s Right to Privacy decision and make reference to the European Union’s General Data Protection Regulation.
Any law must also give room for certain exceptions, but without clear wording sometimes exceptions swallow up the rule. We adopted a three part test in our drafting process in which any exceptions to these privacy principles should be: (a) worded clearly; (b) limited in purpose, necessary and proportionate to the aim; and (c) accompanied by sufficient procedural safeguards.
A strong Privacy Commission must be created to enforce the privacy principles
We need a strong body to ensure that the data protection rights are put into practice and enforced. For this we have proposed a strong and independent Privacy Commission. We have tried to provide a structure in the statute that works in principle and in practice.
This Privacy Commission has been provided wide powers of investigation, adjudication, rule-making and enforcement. The Commission should adopt an approach that builds accountability for the rights of users by having powers to impose penalties that are proportionate to the harm and build deterrence.
A major concern in many technology oriented legislations is that the law takes time to catch up. To make sure that the Privacy Code is not outdated soon we have proposed that the Privacy Commission can exercise rule making powers to give effect to the data protection principles under the regulation.
In order to ensure that these regulations serve the principles and protect you, all regulations should be formed by robust public consultation processes. This allows the Privacy Commission to be responsive to technological advances and ensures the fulfillment of the intent of the law.
The public, in instances of disputes or allegations of violation of privacy, should have the ability to make complaints to the Privacy Commission. The Privacy Commission must serve as the forum for the redressal of the general public’s grievances. Privacy Commissions should have the ability to investigate (independently through the office of a Director General), hold hearings and pass orders with directions and fines.
The doors of the courts should always be open to the public. While the Privacy Commission serves as the forum for redressal, the public should retain the remedies of approaching the civil courts (even in instances where harm is suffered by a group of people) and of filing police complaints directly.
The Government should respect user privacy
The government has the most amount of power and information on the people of India. It is imperative that the government, its arms, bodies and programmes be compliant with the privacy protection principles through a data protection law. We support the use of digital technologies for public benefit. However, they should not be privileged over fundamental rights.
The government is responsible for the delivery of many essential services to the public of India. These services must not be withheld from an individual, due to such individual not sharing data with the government. Withholding services on the pretext of requirement of collection of data effectively amounts to extortion of consent. Individuals cannot be forced to trade away their data and citizenship at the altar of being permitted to use government services and access legal entitlements on welfare.
To make sure this happens the Privacy Commission must have jurisdiction over the government, as it does over the private sector. The Privacy Commission should have overriding power and superintendence over all legal entities in matter of data protection and privacy.
A complete privacy code comes with surveillance reform
The Snowden revelations brought to public knowledge that our personal data is collected in an indiscriminate manner by governments. Any data protection law has to limit such mass or “dragnet” surveillance as it contravenes the principles of necessity, proportionality and purpose limitation.
Even when individual interception and surveillance is carried out this should be severely limited in substance and practice through procedural safeguards. To ensure their enforceability there should be an office for surveillance reform at the Privacy Commission and any orders for interception need to be made by a judicial determination in which a public advocate represents the interest of the person whose privacy will be interfered.
Evidence which is gathered illegally, such as telephone intercepts without valid tapping orders, are made inadmissible as evidence in legal proceedings. Further to ensure accountability all such orders need to be communicated to the person who was surveilled.
The right to information needs to be strengthened and protected
Individual rights are well served by the Right to Information Act which brings accountability to the functioning of government and public authorities. Hence, privacy protections which already exist under the Right to Information Act and are made subject to public interest, need to be preserved.
Information Commissioners should be exempted from interference or control by the Privacy Commissioner. Specific and express language should be used for providing such exemptions and maintaining the independence of Information Commissioners.
International protections and harmonisation to protect the open internet must be incorporated
The Indian Privacy Code, 2018 must have extraterritorial effect and apply to web services and platforms which are accessible in India and which gather personal data of Indians.
At the same time, care and caution should be taken to preserve the global character of the open internet which is beneficial to Indians as they can access information, knowledge and services from all over the world. Hence, any suggestions, such as blanket data localisation proposals, which would threaten and undermine the global open internet need to be resisted.
In the age of a global, open internet, our data protection framework must protect the data of our citizens globally and focus on interoperability.