Privacy Concerns in Indian IT law
The 18th annual Computers, Freedom and Privacy (CFP) Conference was held
in the United States between May 20th and 23rd and focused on Technology
Policy Issues.
Policies ranging from spyware and national security, to ISP filtering and
patent reform, e-voting to electronic medical records, and more was
addressed by expert panels of technologists, policymakers, business
leaders, and advocates.
It is
reported that during the conference a discussion arose on the Indian
Information Technology Act 2000 (ITA 2000) and the polices for protection
of Privacy in India. The immediate provocation for the discussion was the demand
made by the Indian Government on Black Berry managers (Research in
Motion-RIM, a Canadian Company) for providing
access to the decryption of the data under transmission. According to the
earlier indications, Indian Government has demanded that the servers of
Black Berry should be in India and it should have an access for
decryption of data.
Status of Privacy Law in India
In India, there is no specific law for privacy protection. We
derive privacy protection right from Article 21 of the Constitution which
provides the right to any citizen for "Civil Liberty". It states that "No
person shall be deprived of life or personal liberty except according to
procedure established by law". The Supreme Court has interpreted this
article as to provide a right to privacy to the citizens.
But some legal experts feel that this provision only provides a right
against the Government and is not a general provision that can be
considered as providing "Privacy Protection". Hence they are demanding
for a "Data Protection" legislation either as a part of ITA 2000 or
otherwise.
Under ITA 2000, Section 69 provides a right to intercept electronic
information and order decryption in national interest. This right is
given to the "Controller of Certifying Authorities" (In the proposed
amendments, CERT is designated as the authority for this purpose) who has
to record his reasons in writing. Failure to comply can result in
imprisonment up to 7 years. Liability for Financial compensation is also
provided under Section 44 for non compliance.
This section came in for specific criticism in the CFP 2008. Even Section
80 of the Act which provides powers to the Police for search and arrest
without warrant also seems to have come in for critical remarks at the
CFP.
However, it is necessary to recognize that India does have some
provisions of Cyber Crime law which is also available for privacy
protection. For example, under Section 66 of ITA 2000, "Diminution in
value of information residing inside a computer resource" is punishable
with imprisonment upto 3 years. Here, "Diminishing the value" is to be
implied when "Sensitive Private Data" is compromised. Similarly
provisions of Section 43 of the Act can be claimed by a victim to seek
compensation for unauthorized access of his private data.
These provisions can be used both against private persons as well as the
Government agencies subject to the limitations imposed by the operation
of Section 69. Note that there is accountability for the Controller since
he has to record his reasons in writing before using his powers under
this section. Also the provisions of Section 80 also has certain
limitations built in since it does not provide any powers to the Police
in a "Private" place.
These provisions which can be interpreted as safeguarding the privacy
protection rights are however not widely recognized for their "Privacy
Protection Potential" and hence has escaped the attention of the CFP.
Action Required
What is required now is to ensure that these legal provisions are applied
properly and not misapplied as in the case of a techie in Bangalore who
was arrested by Pune Police for a defamatory remark alleged to have been
posted on a social networking site. (In this case the Police also
arrested a wrong person due to a wrong interpretation of IP address by
the ISP). There has been other instances of Police mis-interpreting law
to book cases under section 67 of ITA 2000 calling certain documents
"Obscene" when it was not in fact so. There has been one such case in
Bangalore where a techie is being harassed for over 6 years by what
appears to be a false accusation.
At the same time genuine complaints of "Privacy Invasion" or "Data
Misuse" or often turned away as not falling under ITA 2000.
These are and should be the concerns of the Privacy Protection Brigade in
India. It is not the law to be blamed but the slack implementation.
Hence, if there are people in India who want to work in the sphere of
improving the privacy rights of individuals, they should set up
programmes to ensure that the "Complaint Registration mechanism" and "Pre
Trial investigation process" of the Police is brought under suitable
disclosure and monitoring norms.
One such suggestion is an overhauling of the "Complaint Registration
Mechanism" at the Police Stations aimed at "Transparency" and
"Accountability".
To start with, there should be an online complaint lodging
mechanism which should create a public database of complaints lodged at
Police Stations (Whether registered or not), the reasons for non
registration if any, and a status report (Without affecting the
confidential nature of investigations).
One fear of such disclosures is the possibility of nuisance complaints
and tarnishing of image of honest persons. These were the same reasons
under which the efforts of the Chief Vigilance Commissioner of India to
place names of allegedly corrupt persons on a website was opposed a few
years back.
The fear is of course genuine. However if along with every complaint, the
defense statement is also displayed on the web, the negative effect can
be reduced. Further, any irresponsible complaint can be made a subject
matter of a defamation liability or an automatic fine. Further, a
remark about the past "Failed Complaints History" of the complainant may
also be provided on the web itself so that readers can themselves
evaluate if the complaint is genuine or not before a final verdict comes
up.
I suggest therefore that contrary to the indications provided at CFP
2008, what we need in India for Privacy Protection is not to attack
the law but to bring about a change in the process of law implementation.
Can we hope for some reformations voluntarily from the Police at least in
some progressive state in India?
Naavi
June 8, 2008