Tag: India
17. June 2022
At present, there is no comprehensive data protection law in India. The relevant provisions are governed by several laws, regulations and court decisions, including the Information Technology Act 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011.
Following the inclusion of privacy as a fundamental right in Article 21 of the Indian Constitution on August 24th, 2017, a Personal Data Protection Bill (PDPB) was formulated and introduced in the Lower House of the Parliament on December 11th, 2019. The PDPB was intended to constitute the first comprehensive data protection law in India.
The PDPB was pending consideration of the Parliament for a long time. On November 22nd, 2021, the Indian Joint Parliamentary Committee (JPC) responsible for reviewing the PDPB issued its report on the proposed law. Back then, the Indian Parliament was expected to table JPC’s final report and consider the bill on December 21st, 2021, ahead of the end of its legislative session on December 23rd, 2021. Once passed by both houses of the Parliament and approved by the president, the PDPB was then to be enacted as legislation.
However, as it has recently become known, new regulations may soon be introduced to replace the proposed PDPB, which was scrapped in favor of a total overhaul after data localization and data mirroring requirements raised concerns among business stakeholders. In addition, the Indian Government is expected to commence work on a new law to replace the Information Technology Act 2000, which would entail new guidelines for data governance and cybersecurity as part of a ‘Digital India Act’.
This would be a major, and long overdue, step towards a modern data protection law that takes into account both economic interests and individual rights, as well as integrates into the progressive legal development worldwide.
10. December 2021
To this date, there is no comprehensive law on the protection of personal data in India. The need for such a law was already expressed in 2017, when the Constitutional Bench of the Supreme Court of India confirmed that privacy is a fundamental right enshrined in Article 21 of the Constitution. This led to the creation of an extensive Personal Data Protection Bill 2019 (PDPB), which we have already reported on several times. It is currently pending consideration of the Indian Parliament.
The PDPB aims to ensure the protection of personal data of individuals and to establish a data protection authority for this purpose. To review and, if necessary, amend the PDPB, a Joint Parliamentary Committee (JPC) has been formed on the demand of opposition members. On November 22nd, 2021, the JPC issued its report on the proposed law, which is meant to be the basis for further discussions in the Parliament.
Initially, it was expected to present the report together with the PDPB at the start of the Winter Session of the Parliament, which began on November 29th, 2021. However, most recently it has become known that the JCA was granted a last (so far the sixth) extension of time to submit its report to resolve disagreements among committee members. As a result, the Parliament is likely to table the final report and subsequently consider the proposed law along with possible clarifications on December 21st, 2021, ahead of the end of its current legislative session on December 23rd, 2021. Once passed by both houses of the Parliament and approved by the President, the PDPB is then to be enacted as legislation.
14. February 2020
The Indian Government released a Request for Proposal to bidder companies to procure a national Automated Facial Recognition System (AFRS). AFRS companies had time to submit their proposals until the end of January 2020. The plans for an AFRS in India are a new political development amidst the intention to pass the first national Data Protection Bill in Parliament.
The new system is supposed to integrate image databases of public authorities centrally as well as incorporate photographs from newspapers, raids, mugshots and sketches. The recordings from surveillance cameras, public or private video feeds shall then be compared to the centralised databases and help identify criminals, missing persons and dead bodies.
Human rights and privacy groups are pointing to various risks that may come with implementing nationwide AFRS in India, including violations of privacy, arbitrariness, mis-identifications, discriminatory profiling, a lack of technical safeguards, and even creating an Orwellian 1984 dystopia through mass surveillance.
However, many people in India are receiving the news about the plans of the Government with acceptance and approval. They hope that the AFRS will lead to better law enforcement and more security in their everyday lives, as India has a comparably high crime rate and only 144 police officers for every 100.000 citizens, compared to 318 per 100.000 citizens in the EU.
12. December 2019
The new update of the Indian Personal Data Protection Bill is part of India’s broader efforts to tightly control the flow of personal data.
The bill’s latest version enpowers the government to ask companies to provide anonymized personal data, as well as other non-personal data in order to help to deliver governmental services and privacy policies. The draft defines “personal data” as information that can help to identify a person and also has characteristics, traits and any other features of a person’s identity. “Sensitive personal data” also includes financial and biometric data. According to the draft, such “sensitive” data can be transferred outside India for processing, but must be stored locally.
Furthermore, social media platforms will be required to offer a mechanism for users to prove their identities and display a verification sign publicly. Such requirements would raise a host of technical issues for companies such as Facebook and WhatsApp.
As a result, the new bill could affect the way companies process, store and transfer Indian consumers’ data. Therefore, it could cause some difficulties for top technology companies.
4. August 2017
The Indian Supreme Court has to decide if the “right to privacy” should be considered a fundamental human right.
According to the Wire, a bench of nine justices was set up after several petitions that challenged the constitutional validity of India’s Aadhaar scheme, with some petitioners claiming that the biometric authentication system is a violation of the privacy of Indians. The bench examined over the last two weeks the nature of privacy as a right in context of two earlier judgements. Back in 1954 and 1962 these judgements came to the conclusion that the right to privacy was not a fundamental right. Legal experts expect the judgement in the last week of August.
Times of India reports that the Supreme Court outlined a three-tier graded approach to examine the question whether privacy can be considered as a fundamental right. The Bench therefore configures privacy into three zones. As stated by a justice of the Bench, the first zone could be the most intimate zone concerning for example marriage or sexuality. The state should only intrude this zone under “extraordinary circumstances provided it met stringent norms”.
The second zone would be the private zone. This zone could involve personal data like the use of credit card or the income tax declaration. In this zone, “sharing of personal data by an individual will be used only for the purpose for which it is shared by an individual”, it is further said.
The third zone would be the public zone. This zone should require only minimal regulation. However, that should not mean that the individual would lose the right of privacy, but “retain his privacy to body and mind”.
