The Constitution of 1950 does
not expressly recognize the right to privacy. However, the Supreme Court first recognized in 1964 that there is a
right of privacy implicit in the Constitution under Article 21 of the
Constitution, which states, "No person shall be deprived of his life or
personal liberty except according to procedure established by law."
There is no general data
protection law in India. In June 2000 the National Association of Software and
Service Companies (NASSCOM) urged the government to pass a data protection law
to ensure the privacy of information supplied over computer networks and to
meet European data protection standards. The National Task Force on IT and Software Development had
submitted an "IT Action Plan" to Prime Minister Vajpayee in July 1998
calling for the creation of a "National Policy on Information Security,
Privacy and Data Protection Act for handling of computerized data." It
examined the United Kingdom Data Protection Act as a model and recommended several
cyber laws including ones on privacy and encryption. No legislative measures, however, have been considered to date.
In May of 2000, the government
passed the Information Technology Act, a set of laws intended to provide a
comprehensive regulatory environment for electronic commerce. The Act also addresses computer crime, hacking, damage to computer
source code, breach of confidentiality and viewing of pornography. Chapter X of
the Act creates a Cyber Appellate Tribunal to oversee adjudication of
cybercrimes such as damage to computer systems (Section 43) and breach of
confidentiality (Section 72). After widespread public outcry, sections
requiring cyber-cafés to create detailed records about their customers'
browsing habits were dropped. The legislation gives broad discretion to law
enforcement authorities through several provisions. Section 69 allows for
interception of any information transmitted through a computer resource and
requires that users disclose encryption keys or face a jail sentence up to
seven years. Section 80 allows deputy superintendents of police to conduct
searches and seize suspects in public spaces without a warrant. This section in
particular appears to be targeted at cyber-cafe users where an estimated
seventy-five percent of Indian Internet users access the web. Section 69 gives tremendous powers to the Controller of Certifying
Authorities (CCA) to direct interception of any information transmitted through
any computer resource. This direction is only to be given if the CCA is
satisfied that it is necessary or expedient so to do in the interests of the
following: the sovereignty or integrity of India, the security of the state,
friendly relations with foreign states, public order, or for preventing
incitement to the commission of any cognizable offence. Section 44 imposes stiff penalties on anyone who fails to provide
requested information to authorities, and Section 67 imposes strict penalties
for involvement in the electronic publishing of materials deemed obscene by the
government. Chapter III of the Act gives electronic records and digital
signatures legal recognition, and Chapter VI authorizes the Government to
appoint a CCA, who will license certifying authorities before they can operate
in India and will act as the repository of all Digital Signature Certificates
issued under the Act.
Following the enactment of the
IT Act the Ministry of Information Technology adopted the Information
Technology (Certifying Authorities) Rules in October 2000 to regulate the
application of digital signatures and to provide guidelines for Certifying
Authorities. The Digital Signature regime in India became operational in
February 2002. The CCA has also appointed numerous licensed Certifying
Authorities including Safe Script,
National Informatics Centre, the Institute of Development and Research in
Banking Technology, and Tata Consultancy Services.
There is also a right of
personal privacy in Indian law. Unlawful attacks on the honor and reputation of
a person can invite an action in tort and/or criminal law. The Public Financial Institutions Act of 1993 codifies India's
tradition of maintaining confidentiality in bank transactions.
In March 2000 the Central Bureau
of Investigation set up the Cyber Crime Investigation Cell (CCIC) to investigate
offences under the IT Act and other high-tech crimes. The CCIC has jurisdiction over all of India and is a member of the
Interpol Working Party on Information Technology Crime for South East Asia and
Australia. Similar cells have been set up at the state and city level, for
example in the state of Karnataka and the city of Mumbai. In June 2002 the
central government authorized the National Police Academy in Hyderabad to
prepare a handbook on procedures to handle digital evidence in the case of computer
and Internet-related crimes. The government is also considering establishing an Electronic
Research and Development Centre of India to develop new cyber-forensic tools.
India's Intelligence Bureau is reported to have developed an e-mail interception
tool similar to the Federal Bureau of Investigation's Carnivore system, which
it claims to use in anti-terrorist investigations. In April 2002, India and the United States launched a
cyber-security forum to collaborate on responding to cyber security threats.
Wiretapping is regulated under
the Telegraph Act of 1885. There have been numerous phone tap scandals in
India, resulting in a 1996 decision by the Supreme Court that wiretaps are a
"serious invasion of an individual's privacy." The Supreme Court recognized the fact that the right of privacy is
an integral part of the fundamental right to life enshrined under Article 21 of
the Constitution. However, the right is only available and enforceable against
the state and not against action by private entities. The Court also laid out
guidelines for wiretapping by the government. The guidelines define who can tap
phones and under what circumstances. Only the Union Home Secretary, or his
counterpart in the states, can issue an order for a tap. The government is also
required to show that the information sought cannot be obtained through any
other means. The Court mandated the development of a high-level committee to
review the legality of each wiretap. Tapped phone calls are not accepted as
primary evidence in Indian courts. However, as is the case with most laws in
India, there continues to be a gap between the law and its enforcement.
According to prominent NGOs, the mail of many NGOs in Delhi and in strife-torn
areas continues to be subjected to interception and censorship.
In March 2002 the Indian
Parliament, in a rare joint session, passed the Prevention Of Terrorism Act
(POTA) over the objections of several Opposition parties and in the face of
considerable public criticism. The National Human Rights Commission, an
independent government entity, criticized the measure finding that the existing
laws were sufficient to combat terrorism. The law codifies the Prevention of Terrorism Ordinance that in turn
builds on the repealed Terrorists And Disruptive Activities (Prevention) Act
(TADA). It gives law enforcement sweeping powers to arrest suspected
terrorists, intercept communications, and curtail free expression. Critics
argue that the experience of TADA and POTA shows that the power was often
misused for political ends by authorities and that POTA does little to curb
those excesses. Chapter V of POTA deals with the interception of electronic
communications, which also creates an audit mechanism that includes some
provision for judicial review and parliamentary oversight; however, it remains
to be seen how effective such mechanisms will be in practice. In certain high-risk states such as Jammu and Kashmir, search
warrants are not required and the government from time to time bans the use of
cellular telephones, long distance phones, and cyber-cafés. India's Enforcement Directorate, which investigates foreign
exchange and currency violations, searches, interrogates and arrests business
professionals, often without a warrant.
On December 13, 2001, five heavily
armed intruders and gunmen attacked the Indian Parliament. A case was duly
registered, investigated and prosecuted under the provisions of POTA after it
was enacted. The trial court judge convicted the accused persons. On appeal,
the New Delhi High Court held that intercepted telephone conversations of the
three persons charged under POTA for plotting the attack on the Parliament were
not admissible evidence, although the High Court had previously held that
telephone conversations could qualify as admissible evidence under the Indian
Evidence Act, the Indian Telegraph Act and the Indian Penal Code, and that it
was open for the trial court to consider the intercepts under these laws while
deciding the case. The Central Bureau of Investigation appealed against the
High Court order and on September 5, 2003 the Supreme Court set the Delhi High
Court judgment aside, allowed the appeal and decided that intercepted
communications between the accused in the House of Parliament are admissible.
A prominent expose of government
corruption by the web portal Tehelka sparked a growing debate on the
appropriate balance between the press and personal privacy. Telehka's
investigative journalists covertly filmed high-level officials accepting bribes
and army officers groping call girls as part of their expose on how official
corruption operates in India. While some critics admit that the journalists did shed much needed
light on a murky subject, they argue that there should be some restrictions on
the press' behavior. India authorizes the use of illegally obtained evidence that would therefore allow journalists to present
such evidence in court. Similar questions arose in relation to the transcripts
of tapped phone calls released to the press in a match fixing scandal surrounding
the national sport of cricket in April 2000.
The Government of India has
initiated steps for enacting a law on Convergence. The proposed Communications
Convergence Bill 2001 was tabled in both Houses of Parliament in the second
half of 2001. The Parliament referred it to the Standing Committee on
Information Technology that gave detailed recommendations at the end of 2002
and forwarded them to the government. The government is likely to make changes
to the Bill in line with some of the Committee's recommendations, and to submit
it to the Parliament. The bill aims to create a "super regulator,"
the Communications Commission for India, to oversee voice and data (including
telecom, broadcasting, and Internet) communications. Chapter XIV of the Bill covers the interception of communications
and penalties for unlawful interception. Section 63 has been criticized by
business groups for placing a significant burden on service providers to
provide the government information about their customers, and allow law
enforcement to intercept any communication under a very low standard.
In February 2003, India
convicted its first cyber-criminal when a Delhi High Court sentenced Arif Azim
on the charges of online cheating. In the said case, Arif Azim, while working
for a call centre near Delhi stole credit card information that belonged to an
American citizen and used it to order a color television and a cordless phone.
This case has highlighted the security and privacy risks for companies to
outsource some of their processing operations in India where there is a lack of
a clear privacy legal framework.
The Indian government is
currently considering the idea of enacting a detailed law on data protection
under the initiative of the Ministry of Communication and Information
Technology.
With the boom in the Information
Technology Sector and the increasing protests against off-shoring to India,
both in the US and the UK, BPO companies in India have stepped up security
measures for protection of their data, thereby somewhat contributing to protect
privacy.
As India has increasingly become
a base for outsourcing operations, in 2004 there have been discussions in
government circles that amendments to the Information Technology Act would have
to be introduced to ensure protection of data and preservation of privacy.
The NAASCOM, India's premier
software body, has pushed for some time for a privacy law that has been stalled
within political circles. However, it is more likely that the law is coming
close to being enacted after NAASCOM made certain suggestions to the
government.
The draconian Maharashtra Control of Organised Crime Act
(MCOCA) was reportedly repealed. However, police officials felt that its
provisions were justified. MCOCA's repeal has been the main demand of human
rights activists. One of the biggest drawbacks of the Act was that it made it
difficult to get bail. Another drawback, as has been discussed by the legal
community, was that Sections 14 to 17 are provisions dealing with authorizing
the interception of wire, electronic and telephonic communications. However,
nowhere is it specified that permission from a competent authority is required
before an individual's privacy is invaded.
On June 14, 2004, the Reserve Bank of India
submitted for public comments a report of the Working Group on Financial
Conglomerates. The group suggested criteria for identifying
financial conglomerates, establishing a monitoring system for capturing
intra-group transactions and exposures amongst conglomerates, as well as
mechanisms for inter-regulatory exchange of information with respect to
conglomerates. The group also proposed that a "designated entity" be
established within each group/conglomerate and be first identified within each
of them. The entity is to be assigned the responsibility of providing data,
with respect to all financial subsidiaries/associates constituting the
conglomerate, to its regulator, which would be the Principal Regulator for the
entire conglomerate. Therefore a Principal Regulator is to be established for
each conglomerate. The group suggested that the designated entity would have to
submit periodic reports to the principal regulator and that a complete database
of all information received from all conglomerates was to be maintained at the nodal
cell further RBI to address issues arising out of data dis-aggregation. Each
designated entity may also submit the information to RBI. Modalities of
electronic data submission and database issues are to be developed later on.
The responsibility of collating data from all other group entities and
submitting the same to their principal regulator therefore lies with the
designated entity. The Principal Regulator would notify the name of the
designated entity.
Known as the world's largest
democracy, voting in India is open to those 18 years or older, but is not mandatory. In May
2004, over 670 million registered voters, voting at nearly 800,000 polling
locations over several phases spanning weeks, completed their first all-direct
recording electronic (DRE) -voting-technology election. There are 11 completely
different scripts, alphabet systems, used throughout the Nation of India and
the government recognizes 18 official languages. The Indian Census has
identified over 200 different dialects, which had to be accommodated by the
voting system. The technology afforded more privacy for language minorities
throughout the country. This achievement did not come without complications
with over 40 deaths reported as a result of election violence. There were also reports
of hired partisans taking control of some polling locations and employing the
skills of computer science and engineering graduates to manipulate the
technology at those sites. The problems identified with this election period
were greatly minimized by the efforts of civil society groups who, with the
assistance of government officials, were successful in getting public
candidates to file disclosure affidavits, correcting voter registration lists,
educating voters, and better enforcing election ethics laws.
India has
made strides in the direction of protecting privacy, albeit at a slow pace.
With the BPO boom and other promising economic trends, it is logical to expect
that India would soon be looking at coming up with further legal provisions
aimed at preservation of privacy.
