The IT Act, even after its 2008 amendment and the introduction of Section 43A, contained scant provisions relating to privacy. To address this legislative gap, several proposed versions of specific data protection and privacy Bills have been drafted by different bodies in recent years, but no legislation relating to this contentious subject has yet been approved by the Ministry of Law and Justice. An examination of recent draft Bills suggests the likely direction future privacy legislation will take in India.
The 2011 draft – which was itself the third working draft of the Right to Privacy Bill – was drafted by the Department of Personnel and Training (DoPT) to create a statutory right to privacy in India and to ‘regulate the collection, maintenance, use and dissemination’ of personal information. Although unofficial copies became available in April 2011, this draft was never officially made public. A further draft was leaked in September 2011.
In early 2012, the government established a committee of privacy experts chaired by Justice AP Shah to recommend a framework for privacy legislation. The resulting Report of the Group of Experts on Privacy compared international privacy regulations from the EU, APEC, US, Canada and Australia with OECD privacy principles and analysed existing Indian legislation from a privacy perspective to determine existing, missing and conflicting privacy provisions. The Shah Committee’s report recommended a regulatory framework overseen by a Privacy Commissioner, supplemented by a system of self-regulation and co-regulation by organisations.
In 2013, recognising that Indian privacy legislation needed impetus from industry, the Centre for Internet & Society (CIS), a non-profit research organisation that works on privacy issues, released an updated third draft, the Privacy (Protection) Bill 2013. The CIS describes its draft Bill as a ‘citizen’s version of privacy legislation for India’. There then followed a series of round-table consultation discussions across the country, held in partnership with the Federation of Indian Chambers of Commerce and Industry, and the Data Security Council of India. In February 2014, the CIS called for comments on the draft Bill. The government’s 2014 draft Bill was leaked shortly afterwards.
The 2014 draft extends the right to privacy to all residents of India rather than just its citizens, and recognises the right to privacy as part of Article 21 of the Indian Constitution. It defines a number of new terms as well as nine specific privacy principles: notice, choice and consent, collection limitation, purposes limitation, access and correction, disclosure of information, security, openness, and accountability. Penalties for privacy violations are substantially increased. Intelligence agencies and law enforcement agencies are exempted from the Bill’s scope, a point that is likely to fuel dispute still further. It seems entirely likely that the drafting process will therefore continue for some time.
How ISO27001 can help you comply with Indian information security legislation
Written by cyber security expert Alan Calder, this free guide details how to leverage ISO27001 as a single framework for creating a cyber secure enterprise while supporting adherence to the IT (Amendment) Act 2008 and many other information security laws.
Why IT Governance?
IT Governance has created ISO 27001 packaged solutions to give Indian organisations online access to world-class expertise. Each fixed-price solution is a combination of products and services that will enable you to implement ISO 27001 at a speed and budget appropriate to your individual needs.
We will update this page as soon as we have new information.