Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations.


IV. Privacy issues

Awareness of privacy issues is on the rise among NGOs, academic institutions and media organizations in India. One of the most influential judgments by the Supreme Court of India on the issue of wiretapping was brought to it in 1997 as a Public Interest Litigation by the People's Union of Civil Liberties - an acclaimed NGO working on civil rights issues in India. In 2009, the Delhi High Court, in a major ruling, "read down" Section 377 of the Indian Penal Code which had been previously used to criminalize homosexuality in India. A major plank of the ruling was an affirmation of the citizen's right to privacy which the court upheld as fundamental. This case was also brought to the Delhi High Court as a PIL by an NGO called the Naz Foundation. NGOs have therefore played a pivotal role in shaping the right to privacy in India over the years. In addition, organizations like the Center for Internet and Society in Bangalore have played a part in raising awareness among government and the public about online privacy issues.

More recently (since November 2010) there has been renewed interest and public discussion about issues of communications privacy, owing to a major controversy called the "Radia tapes" expose. In mid-November 2010, two leading newspapers published wiretapped telephonic conversations between Nira Radia, a noted corporate lobbyist, and several influential Indians including the heads of several powerful media companies and multinational companies. The conversations had been tapped by the Income Tax Department in the course of their investigation into her finances, and are widely regarded as exposing a shameful nexus between business, media and politics in India. Ratan Tata, one of the industrialists whose conversation with Radia was published, has filed a case in the Delhi High Court seeking an injunction against the publication of these tapes on grounds of violation of his "right to privacy". This controversy has churned a debate on the conditions under which wiretapping may be lawfully conducted, and the uses to which such information may be put. Although not the first instance of this kind, the controversy provides an immediate and emotive fulcrum to anchor discussion concerning issues of privacy and transparency that our study aims to raise.

In 2010, India embarked on an ambitious scheme of issuing Unique Identity (UID) cards to over half a billion people by the year 2014. In terms of its scale, this scheme is unprecedented in the world; it aims to photograph 600 million Indians, 'scan 1.2 billion irises, collect six billion fingerprints and record 600 million addresses'1 before 2014. There has been spirited opposition from civil society to the scheme on grounds, among others, of the privacy concerns it raises, and a number of influential activists have been voicing their opposition in print and at consultations. Perhaps one of the most energetic campaigners against the scheme has been Usha Ramanathan, a senior independent law researcher and activist who has written extensively against the scheme, lobbied with Parliamentarians and spoken at numerous fora across the country.2 Her efforts have led to a greater appreciation of privacy among NGOs and activist groups in India. In addition, various widely-read blogs and discussion forums such as The Hoot and MediaNama have been instrumental in raising awareness of privacy in the context of the media.

In recent times, media organizations have also begun to pay greater attention to privacy concerns. The broadcast industry has set up a self-regulatory organization - the News Broadcasting Standards Authority (NBSA) - with a code of ethics which explicitly obliges channels not to intrude on "private lives, or personal affairs of individuals, unless there is a clearly established larger and identifiable public interest for such a broadcast". In March 2005, the NBSA imposed a 100,000 rupee fine on the news channel TV9 for airing an extremely incendiary and invasive programme titled "Gay Culture rampant in Hyderabad", which used phone numbers from a social networking site for gay men to "entrap" youth into admitting their sexual preferences on the air.3 In addition, the channel was required to display a public apology on prime time. This is a welcome sign that the broadcast industry is willing to back its ethical commitment to privacy with swift remedies.

Despite a growing awareness of privacy among academicians, this sensibility has not filtered upwards to the institutions they represent. In February 2010, in a much publicized case, a senior professor of Aligarh Muslim University - one of the oldest in the country - was suspended after students 'set up cameras to catch him having consensual sex with a rickshaw-puller in his campus home'.4 Many universities and schools in India have installed extensive CCTV camera networks on their premises. In January 2011, the Maharashtra Government passed a resolution requiring all universities in the state to install a biometric card system on their campus.5 In February 2011, fingerprint data was captured from over 11,000 aspirants writing an entrance exam for post-graduate medical admissions in the state of Karnataka.6 In September 2011, the West Bengal Government ordered all undergraduate college campuses in the state to install CCTV camera networks.7 It certainly appears as if administrative insensitivity to privacy in academic spaces has kept pace with the growing sensitivity among academics to the issue.

Medical Privacy and Health Management

There is no uniform statute specifically protecting the privacy of health information in India. However, doctors are required to maintain the confidentiality of their patients, and various regulations have been passed by the insurance regulator requiring a high level of confidentiality with respect to health insurance records.

In 2002, the Medical Council of India promulgated the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations that contain ethical injunctions backed by disciplinary action in cases of breaches. Several of the articles in these regulations relate to privacy:

-       Every physician is required to maintain medical records pertaining to indoor patients for a period of three years from the date of commencement of the treatment. Upon request by the patients, authorised agents or legal authorities involved these documents should be issued within a period of 72 hours.

-       Article 2.2 requires physicians to maintain confidences concerning individual or domestic life entrusted by patients to a physician. Defects in the disposition or character of patients observed during medical attendance should never be revealed unless their revelation is required by the laws of the State. The rule also requires the physician, controversially, to evaluate "whether his duty to society requires him to employ knowledge, obtained through confidence as a physician, to protect a healthy person against a communicable disease to which he is about to be exposed". In such an instance, the rules advise the physician to "act as he would wish another to act toward one of his own family in like circumstances."

-       Article 7.14 enjoins the registered medical practitioner not to disclose the secrets of a patient that have been learnt in the exercise of his / her profession except in a court of law under orders of the Presiding Judge; in circumstances where there is a serious and identified risk to a specific person and / or community; and notifiable diseases.

-       Article 7.17 forbids a medical practitioner from publishing photographs or case reports of patients without their permission, in any medical or other journal in a manner by which their identity could be made out. If the identity is not to be disclosed, however, the consent is not needed.

In one of the most important cases to have come up on the issue of privacy, a person sued a hospital for having disclosed his HIV status to his fiancée without his knowledge, resulting in their wedding being called off. In Mr. X vs Hospital Z, the Supreme Court held that the hospital was not guilty of a violation of privacy since the disclosure was made to protect the public interest. The Supreme Court, while affirming the duty of confidentiality owed to patients, ruled that the right to privacy was not absolute and was "subject to such action as may be lawfully taken for the prevention of crime or disorder or protection of health or morals or protection of rights and freedom of others."

Health Insurance Records

The Insurance Regulatory and Development Authority (IRDA) - the national regulator overseeing the insurance industry in India - has issued a number of guidelines which cumulatively promote privacy in the health insurance sector. Illustratively, guidelines have been issued regulating the use of telemarketing to solicit insurance business,8 third party administrators, outsourcing of functions and health insurance portability which each contain measures designed to promote customer confidentiality and privacy.

Third Party Administrators Regulations: In 2001, the IRDA (Third Party Administrators - Health Services) Regulations9 were issued, placing restrictions on "third party administrators" (TPAs) who provide "health services" under agreement with insurance companies. TPAs are typically companies which provide information services like back-end processing of claims, processing cashless cards etc. Such TPAs must obtain a license from the IRDA10 and must operate in accordance with a code of conduct that requires them, inter alia, to "refrain from trading on information and the records of its business" and "maintain the confidentiality of the data collected by it in the course of its agreement". Regulation 22 requires TPAs to "maintain proper records of all transactions carried out by it on behalf of an insurance company" and keep them "for a period of not less than three years". In maintaining the records, the TPAs are required to "follow strictly the professional confidentiality between the parties as required". However, this obligation "does not prevent the TPA from parting with the relevant information to any Court of Law/Tribunal, the Government, or the Authority in the case of any investigation carried out or proposed to be carried out by the Authority against the insurance company, TPA or any other person or for any other reason." If the TPA's license is revoked for any reason, then the "data collected by the TPA and all the books, records or documents, etc., relating to the business carried on by it with regard to an insurance company" is to be handed over to the insurance company by the TPA.

Data sharing

Sharing of Data Regulations: In 2010, in a somewhat ambivalent move, the IRDA issued regulations stipulating the conditions under which "referral companies" could sell their customer databases to insurance companies to enable them to solicit business. These regulations, the IRDA (Sharing of Database for Distribution of Insurance Products) Regulations 2010, prescribe rigorous qualifications for referral companies from whom insurance companies may lawfully purchase databases. All previous referral arrangements that do not conform with the regulations are required to be terminated. This introduces an element of conservatism into the manner in which insurance companies are permitted to source their clients. However, the regulations lay the foundation for wholesale transfers of databases from government and public sector bodies to insurance companies.

The regulations place welcome restrictions on the kinds of entities that may be allowed to transfer their databases to insurance companies. Such "referral companies" must, for instance, a) seek and obtain approval from the IRDA, b) meet rigorous financial norms to qualify, c) not be a company engaged in the business of "acquisition and sale of data", d) nor provide retail banking services or be linked in any way to the insurance business, and e) must not have an existing referral agreement with any other insurer. They must not earn more than 10% of their total income from the referral business. In addition, the regulations require the referral company not to be bound "by any confidentiality agreement in the matter of sharing the personal and financial databases of its customers." Referral companies are barred from providing details of their customers without their prior consent, and are forbidden from providing "details of any person/firm/company with whom they have not had any recorded business transaction". All agreements between insurers and referral companies must be submitted to the IRDA for approval. These measures are welcome since they provide a degree of government oversight into the manner in which insurance companies source their information. By placing restrictions on the kinds of entities who may supply databases to insurance companies, the IRDA has forestalled the sourcing of personal information for the insurance business from becoming an industry.

The less savory aspect of this regulation is that it seems to legalize and encourage the trade of databases of personal information from the government, which meets all the qualifications of a referral company, to insurance companies. In a report published in a prominent newspaper,11 a senior IRDA official reportedly said that "both state and central agencies have huge databases, not only in the urban and semi-urban areas but also in rural India. For example, it will be a coup if a health insurer can tie up with a government agency, such as a state hospital." The same article quotes the MD of a private insurance company as saying that, "Organisations such as BSNL, MTNL and even Railways have a huge customer base. So far, we've not entered into agreement with any such agency but we may explore this opportunity".12

Outsourcing Regulations: In February 2011, the IRDA issued guidelines permitting insurance companies to outsource their non-core functions including a range of data entry, telemarketing, receiving complaints and other functions.13 The guidelines require the insurer to "take appropriate steps to require that third party service providers protect confidential information of both the Insurer and its clients from intentional or inadvertent disclosure to unauthorized persons".14

Health Insurance Portability Regulations: In February 2011, with a view to promoting competition in health insurance services, the IRDA issued a circular on Health Insurance portability. The guidelines direct all health insurers "that the entire database including the claim details of the policies, where the policyholders has opted for portability, shall be shared with their counterparts, if requested by the counterpart within seven working days of such request by the counterpart".15 Pursuant to these guidelines, in June 2011, the IRDA issued a press release announcing the setting up, by October 2011, of a database to facilitate health insurance portability between different companies.16 In September 2011, comprehensive guidelines were issued on health insurance portability according to which insurance companies would be provided a web-based facility created by the Authority to input all relevant details on health insurance policies issued by them to individuals who wish to move to another company. These details would then be accessible by the new insurer. As of writing, however, this web-based interface has not yet been launched.

The National Health Insurance Scheme

The Rashtriya Swasthya Bima Yojna (RSBY) was launched in 2008 by the Ministry of Labour and Employment, Government of India to provide health insurance coverage for Below Poverty Line (BPL) families. The objective of RSBY is to provide protection to BPL households from financial liabilities arising out of health shocks that involve hospitalization. Beneficiaries under RSBY are entitled to hospitalization coverage up to Rs. 30,000 for most of the diseases that require hospitalization. The scheme aims to enroll up to 300 million Indians by 2012.17

One of the hallmarks of the scheme is its heavy reliance on smart cards to ensure delivery of services. The website of the scheme claims that currently, as many as 25 million smart cards have been issued to beneficiaries. Under the scheme, each state selects an insurance company to fulfill the mandate of the scheme within the territory of the state. The insurance company in turn enters into agreements with hospitals, which will be the sites of service delivery. The state supplies the insurance company with a full list of BPL households enumerated according to the previous census.18 It is the insurance company that is responsible for enrolling beneficiaries by obtaining their biometric data (fingerprints and photographs) and issuing them a smart card. Currently, the various insurance companies in each state have their own software and databases. According to one account, "a central server has been established wherein participating insurers (or TPAs on behalf of insurer) push/upload data in batches. Original bio-metric data containing finger prints, photographs etc., is submitted in CD/hard disk separately".19 However, owing to inconsistencies in storage formats between insurers, a Central Data Management Agency is envisaged which would consolidate the data held by the various insurers and be "a comprehensive, uniform system" to operate the scheme.20 Once installed, this CDMA would have the potential to become a National Health Record system.

Public Health

Under the Epidemic Diseases Act 1897, if a State Government is satisfied that the state is "visited by, or threatened with, an outbreak of any dangerous epidemic disease" then it may take measures to check the outbreak. Such measures may include "inspection of persons travelling by railway or otherwise, and the segregation, in hospital, temporary accommodation or otherwise, of persons suspected by the inspecting officer of being infected with any such disease." In 2009, the Act was invoked in the state of Maharashtra to combat Swine Flu. Rules were promulgated requiring anyone with swine flu symptoms to go to designated government hospitals and providing that those severely affected would be quarantined. The rules allowed local councils to check students for signs of swine flu in schools.21

Data Sharing and Open Government

There are no laws forbidding data sharing either amongst government departments or between the government on the one hand and private agencies on the other. In some cases, for instance, in insurance, regulations affirmatively provide for the organized sharing of databases between the government and insurance companies (see above). In other cases, such as e-passports and driving licenses, the government has entered into contracts with private companies to deliver electronic services which involve transactions on vast amounts of personal information.

As noted above, over the past decade the state has been entering into contracts with private companies to provide electronic services and back-end processing which typically involves extensive sharing of personal information about citizens between the government and these private companies. Regardless of the existence of any articulated policy thrust towards data sharing, the Indian state has been in the practice of data sharing for at least a decade.

Alongside its many practices of data sharing, the Indian state has also issued several policy documents that expressly or impliedly encourage data sharing. Typically these are contained as injunctions in 'Information Technology' or 'E-Governance policies' issued periodically by the Central or State Governments.

National E-Governance Plan

In May 2006, the Indian government approved the National E-Governance Plan (NeGP), which was conceptualized as a holistic approach towards making government services available to people in their localities through CSCs while meeting goals of efficiency, transparency, reliability, and affordability. The plan includes proposals for "streamlining, aligning, optimizing and automating all internal processes across government boundaries"; with respect to courts, "online availability of judgments and cause list, e-filing of cases and notifications through e-mails"; and a portal providing "one-stop access to government services." The NeGP also lays the groundwork for statewide area networks and data centers, and calls for research into "e-Government Enterprise Architecture Frameworks, Information Security, Data and Metadata Standards," among other areas. Most importantly, the plan calls for "establishing 100,000 broadband Internet enabled Common Service Centers (CSCs) in rural areas of the country."22

National Knowledge Commission recommendations23

In June 2005, Prime Minister Manmohan Singh constituted the National Knowledge Commission (NKC), an advisory body to the Office of the Prime Minister, with the mandate to recommend policy reforms in the areas of "access to knowledge, creation and preservation of knowledge systems, [and] dissemination of knowledge and better knowledge services." The NKC was given a period of three years to conduct research and develop recommendations, which it issued in a series of reports now compiled in the "National Knowledge Commission Final Report 2006-2009." In its Final Report, the NKC made two recommendations particularly relevant to implementing open government data in India. First, the NKC "recommended the establishment of a high-end National Knowledge Network connecting all ... knowledge institutions in various fields and at various locations throughout the country, through an electronic digital broadband network with gigabit capacity".

Second, and more relevant to considerations for open government data specifically, the NKC proposed that the government create a series of "national web based portals on certain key sectors such as Water, Energy, Environment, Teachers, Biodiversity, Health, Agriculture, Employment, Citizens Rights etc. [serving] as a single window for information on the given sector for all stakeholders and ... managed by a consortium consisting of representatives from a wide range of stakeholders". The NKC recommended that "[a]ll government departments should easily make available data sets they have, in a digital format to the portal consortium." It is unclear to what extent this recommendation has been followed. The NKC recognized that "data that is traditionally collected and managed separately, unrelated to each other, should now be seen together." But it indicated that "[t]here are no platforms or mechanisms currently in place to allow this to be done easily" and recommended also the development of clear guidelines for appropriate data formats as well as the regular updating of hosted data.

Public Information Infrastructure24

In 2009, Prime Minister Manmohan Singh appointed Sam Pitroda to the cabinet-level position of Adviser to the Prime Minister for Public Information Infrastructure and Innovations, tasked with developing a unified policy for information standards and practices incorporating both intra-government affairs and citizens' services.

In June 2010, Mr. Pitroda's office uploaded online a slide presentation on 'Strengthening Democracy and Governance: Public Information Infrastructure.' The presentation provides a basic overview of his proposal for a robust information system implicating all levels of government but focusing access and delivery on the level of the panchayat, or village assembly, which it specifies as the nodal point for citizen services.

Included in the scheme is a national repository of information on people, including citizenship, resident, and household data; places, including villages, towns, streets, schools, hospitals, government offices, factories, officers, residences, stations, mines, minerals, dams, plants, rivers, parks, forests, farms, etc.; and programs and other government offices, such as the National Rural Employment Guarantee Scheme, the Public Distribution System, girl child benefit schemes, pensions, the judiciary, police and prisons, treasuries, land records, universalization of elementary education, and the National Rural Health mission, among others.

Applications hosted on the PII will include a shared Geographic Information System (GIS) for the Survey of India; the National Disaster Management program; the Urban Ministry; the Departments of Space, Security, Environment, Health, and Rural Development; the Planning Commission; as well as private enterprises. Data from these entities will be publicly available on a single portal accessible by a variety of clients, including PCs and mobile phones. The portal will also incorporate applications, communities, mash-ups, and allow for a variety of analyses on data including survey, remote sensing data, census, education, and health data, as well as forest, land use and groundwater data.

National Data Sharing and Accessibility Plan (NDSAP)

The National Data Sharing and Accessibility Policy (NDSAP), released in draft form in May 2011 under the Department of Science and Technology, aims to set up a framework that would create a DATA.GOV.IN portal to release all non-classified data that is publicly held by various government departments.

Once finalized, under the policy, each department will have to provide a list of unshareable items that will be determined using the provisions in the RTI Act and a hypothetical Privacy Act. Then all other data sets will be considered safe to be opened to the public.

Metadata would also be provided which would allow people to know what data is available. A three-pronged classification system would be created to deal with different types of data: Open Access, Registered Access, and Restricted. A data warehouse will be set up to house current and historical data so that this information is in one place.25

The policy defines sensitive personal information as including information collected, received, stored, transmitted or processed by body corporate or intermediary or any person, consisting of

-       any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

-       information related to financial information such as Bank account/credit card/debit card/other payment instrument details of the users

-       physiological and mental health condition

-       Medical records and history

-       Biometric information

-       information received by body corporate for processing, stored or processed under lawful contract or otherwise

It is still unclear what the future of this policy is. In June 2011, the government announced the imminent inauguration of a national government data portal. According to a newspaper account, "All public data - from that on glacier meltdowns to monsoon charts to benami land - will be freely available at the click of a mouse with the launch of a national data portal next month."26 As of this writing, however, the NDSAP has not been approved by the Cabinet and no such portal is in existence.

Financial Privacy

Various laws require banks in India to maintain secrecy in relation to their client data.

Customary/Statutory Banking Law

Both in banking customs27 as well as statutes, there is a standardized, recognized obligation of secrecy. The wording in the following section is reproduced identically in many banking related acts including: SBI Act, 1955 - Section 44, SBI (Acquisition and Transfer of Undertakings) 1980 - Section 13, Credit Information Companies Act 2005 - Section 29, and The Public Financial Institutions Act, 1983 - Section 3. The section is applicable to the respective bank as a whole and its directors, local boards, auditors, advisers, officers or other employees of the bank, and creditors are required in addition to affirm an oath of secrecy as provided:

Section 44. Obligation as to fidelity and secrecy.

(1) The State Bank shall observe, except as otherwise required by law, the practices and usages customary among bankers, and, in particular, it shall not divulge any information relating to or to the affairs of its constituents except in circumstances in which it is, in accordance with the law or practice and usage customary among bankers, necessary or appropriate for the State Bank to divulge such information.

(2) Every director, member of a Local Board or of a Local Committee, auditor, adviser, officer or other employee of the State Bank shall, before entering upon his duties, make a declaration of fidelity and secrecy as in the form set out in the Second Schedule.

In Shankarlal Agarwalla v. State Bank of India, AIR 1987 Cal 29, the Calcutta High Court observed that among the duties of the banker towards the customer was the duty of secrecy. Such duty is a legal one arising out of the contract and not merely a moral one. Breach of it could, therefore, give a claim for nominal damages or for substantial damages if injury resulted from the breach. It was, however, not an absolute duty, but a qualified one subject to certain exceptions, including a) the duty to obey an order under the Bankers' Books Evidence Act; b) cases where a higher duty than the private duty is involved, as where danger to the State or public duty may supersede the duty of the agent to his principal; c) the issuance by a bank of a writ claiming payment of an overdraft, stating on the face the amount of overdraft; and d) the familiar case where the customer authorises a reference to his banker.

The recent Payment and Settlement Systems Act 2007 imposes privacy obligations on those who manage online payment and settlement systems such as RTGS/NEFT etc. Section 22 of the Act enjoins 'system providers' not to disclose the existence or contents of any document or part of any information given to him by a system participant, except where disclosure is a) required under the provisions of the Act; b) made with the express or implied consent of the system participant concerned; c) in obedience to the orders passed by a court of competent jurisdiction; or d) in obedience of a statutory authority in exercise of the powers conferred by a statute.

Reserve Bank of India regulations

The Reserve Bank of India (RBI) has periodically issued guidelines, regulations and circulars that require banks to maintain the confidentiality and privacy of customers.

The Master Circular on Credit Card Operations of banks issued by the RBI in July 2010 contains an elaborate set of provisions on "Right to Privacy" and "Customer Confidentiality" under a section titled "Protection of Customer Rights". The provisions, inter alia, forbid the banks from making unsolicited calls, delivering unsolicited credit cards and from disclosing customer information to any third party without specific consent.

Similarly, the Master Circular on Customer Service in Banks issued in 2009 contains a detailed clause on Customer Confidentiality Obligations. The clause reaffirms the customary banking obligation of secrecy and extends it by forbidding the usage of customer information for "cross-selling purposes". It imposes a restriction on data collection by requiring Banks to "ensure that information sought from the customer is relevant to the perceived risk, is not intrusive, and is in conformity with the guidelines issued in this regard".

In 2006, the Reserve Bank of India, along with several banks of the Indian Banks Association (IBA), established a body called the Banking Codes and Standards Board of India (BCSBI) to evolve a set of voluntary norms which banks would enforce on their own. A number of guidelines and notices have been produced by the BCSBI including the 'Code of Bank's Commitment to Customers' which most banks in India adhere to. Enforcement is through a series of internal grievance redress mechanisms within each bank, including a designated 'Code Compliance Officer' and an Ombudsman.

While these guidelines do provide differing and useful degrees of security and privacy, the lack of legislative oversight and enforcement allows the standards to be applied per-institution and per-contract, and enforcement is not guaranteed through parliamentary sanctions.

Data protection in the financial sector

Banks are governed by the Information Technology Act 2000 as amended in 2008. The latter amendments contain provisions that enjoin, inter alia, banks to adopt reasonable security practices with respect to their databases. Customers of banks can, under the IT Act, obtain compensatory relief for losses arising out of data leakages as well as unauthorized disclosure of information by the banks for gain.

Under the Income Tax Act, tax authorities are permitted to obtain information from a range of agencies such as banks, mutual funds and credit card companies "if they need it for any inquiry or proceedings". "For instance, banks can be asked to provide details of their customers with cash deposits of over Rs 1 lakh. Credit card companies can be directed to furnish details about anyone who holds a card, irrespective of the value of purchases. Mutual funds have to give names and addresses of those who invest over Rs 1 lakh, when called for."28

In February 2011, the Securities and Exchange Board of India (SEBI), in collaboration with the Ministry of Corporate Affairs and the Reserve Bank of India (RBI), proposed a format known as eXtensible Business Reporting Language (XBRL) to be used by companies to report their financial details. Although not immediately applicable, the format is expected to enhance corporate surveillance by providing for cross-validation of data by different government departments.29

Consumer Privacy

Broadly, there are four potential avenues for the protection of consumer privacy in India. First, individual organizations may voluntarily commit to protect the information of their clients through Privacy Policies. These become a component of the contractual commitments between the service providers and customers and are enforced through ordinary civil litigation.

Second, certain professions and industries have codes of privacy that they must statutorily abide by. This is true of the medical and legal professions in India, and of the entire banking and telecom industries. Rigorous privacy norms are set for each of these industries by their respective apex governing bodies. Penalties for breach include withdrawal of recognition from the professional association and monetary penalties.

Third, consumer privacy may be enforced by the specialized Consumer Dispute Tribunals under the Consumer Protection Act.

Finally, the newly amended Information Technology Act imposes an obligation on anyone controlling data to indemnify against losses caused by the leakage/improper use of that data. This has already been discussed in preceding sections of this report.

Privacy Policies

Several Indian companies have publicly stated privacy policies that they display on their websites. To an extent, these privacy policies have been given additional legal sanction by the Intermediary Due Diligence Rules notified under the Information Technology Act, which require all data collectors to formulate and advertise such privacy policies. Redress for violation of these privacy policies may be obtained following the procedure under the IT Act or through civil courts.

Professional/Industrial Regulations

Advocates: Rules of Professional Conduct have been framed under the Advocates Act and establish a code of conduct to be followed by lawyers in order to protect the confidence, information, and data of a client. It is important to note that the obligation of confidentiality continues even after the client relationship is terminated. The Evidence Act further buttresses the confidentiality of clients by making information passed between lawyer and client subject to a special privilege.

Complaints of professional misconduct against advocates are referred to a Disciplinary Committee constituted under Section 36B of the Advocates Act, 1961 which is empowered to impose a range of sanctions from censure to suspension to striking the advocate off the rolls of the bar council.

Medical practitioners: Similarly, in 2002, the Medical Council of India notified the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations which contain ethical injunctions backed by disciplinary action in cases of breaches. Several of these relate to privacy and have been discussed previously in this report in the context of medical privacy (see above).

Banking and Telecom industries: These industries each have regulatory authorities that have periodically issued guidelines seeking to protect the privacy of customers. Thus, for instance, RBI's Customer Service statement obliges bankers to maintain secrecy, and not to divulge any information to third parties. Likewise, the TRAI has issued regulations on unsolicited commercial communications and has initiated steps to monitor confidentiality measures taken by telecom operators.

Consumer Protection Act 1986

The Consumer Protection Act, which was enacted with the objective of providing better protection of the interests of the consumer, has emerged as a major source of relief to those who have suffered violations of their privacy. According to the Consumer Protection Act 1986, a consumer is a broad label for any person who buys any goods or services for consideration with the intent of using them for a non-commercial purpose. The Act creates a three-tiered adjudicatory apparatus for the determination of consumer disputes, with the District Consumer Disputes Redressal Forum at the bottom, the State Consumer Disputes Redressal Commission occupying the intermediate tier and the National Consumer Disputes Redressal Commission at the apex. These Commissions have all the powers of a civil court to determine the issues before them. Complaints can be filed by consumers against traders or service providers for unfair trade practices,30 defective goods, deficiency in services, overcharging by a trader or service provider, and hazardous goods. Although the issue of violation of privacy has not arisen pointedly in too many consumer complaints, there are a few instances that stand out.

In Rajinder Nagar Post Office vs. Sh Ashok Kriplani,31 a post-master was accused of not delivering a registered letter, opening it, and then returning it in a torn condition. It was determined that the tearing of the letter without delivery to the addressee was a grave "deficiency in service" on the part of the appellant. It was ruled that the right to privacy of the respondent was infringed upon by the postman. Under the Consumer Protection Act 1986, compensation of Rs. 1000 was awarded for the mental agony, harassment, and loss arising from the charge of deficiency in service.

In January 2007, the Delhi State Consumer Disputes Redressal Commission imposed a fine of Rs. 75 lakh on a group of defendants including Airtel, ICICI and the American Express Bank for making unsolicited calls, messages and telemarketing.32 The Commission held that these were "unfair trade practices" under the Consumer Disputes Act, and also declared that every consumer annoyed by unsolicited telemarketing calls and text messages was to be compensated by a minimum of Rs 25,000.33 Although this decision was overruled on appeal by the Delhi High Court in 2010, it confirms a trend of Consumer Dispute Redressal Commissions willing to take up cudgels on behalf of consumers for violations of their privacy.34