India is one of the more challenging contexts for privacy protection. Despite strong constitutional safeguards and a large presence in the international outsourcing economy, there are continuing debates about the need for consumer protections or human rights protections because of 'cultural' issues. For instance, while there are mounting concerns about the abuse of personal information by malicious third parties, there are also claims that the Indian people accept privacy violations for 'commercial reasons'.1
Article 21 of the Constitution protects the life or personal liberty of persons. The Supreme Court has in cases over the past 40 years recognised and set out a right of privacy in this and other sections of the Constitution which protects individuals’ family life and guards against wiretapping and other intrusions into private life by government bodies. Recently, the courts have upheld the right to privacy as the protection of dignity in the case of homosexuality (banning homosexuality was a breach of dignity of the individual)2 and rape (as a violation of privacy and personal integrity).3 Prior to the recent decision on homosexuality, surveys showed strong support for the criminalisation of homosexuality (as high as 69%4) and the government argued that 'Western values' should not be copied by India.5 There were reports that the police were intentionally raiding clinics to victimise health workers who helped homosexuals.6
There is no comprehensive data protection act in India. There is increasing agreement that a data protection act would be useful, especially in promoting and protecting the large Indian outsourcing industry, which has come under criticism for security lapses. A Personal Data Protection Act was introduced in 2006 but has not yet been adopted. A recent review for the European Commission found overall that the existing regulatory system was inadequate for protection of EU personal data.
Industry has set up the Data Security Council of India to act as a watchdog on privacy issues. It promotes self-regulation based on international best practices, and consults regularly with international industry associations.
The Information Technology Act was adopted in 2000 to promote e-commerce. It includes provisions on digital signatures and penalties for illegal intrusions, viruses and other computer crimes, and requires the disclosure of encryption keys. There are new penalties for breaching confidentiality and privacy. The Information Technology (Amendment) Bill, 2006 proposed changes to the law including a general penalty for anyone who “intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent” (s. 49). It also provides for extremely broad powers of interception and decryption (s. 33).
The use of communications by terrorists continues to give rise to debates, including the limitation on encryption use, and discussions of emulating U.S. and UK surveillance plans at ISPs. The Supreme Court recently upheld a law that allowed for interception of telephone and other electronic communications media, despite a lower court striking it down stating that it violated the Central Telegraph Act.7 Meanwhile, there are reports that the judiciary is itself under surveillance.8
Cybercafés across India are increasingly being required by local authorities to keep details of their users’ identities and activities, including the use of biometrics. There are reports that police are visiting cybercafés daily to review the list of users.9
The Citizenship Act, 1955 was amended by the Citizenship (Amendment) Act, 2003 to allow for the compulsory registration of all citizens, the issuing of identity cards, and the creation of a National Register of Citizens operated by the Registrar General, in part to increase security.10 Multi-Purpose National Identity cards (MNIC) were first issued in pilot programs in 2007 and have been extended to 12 states as of March 2008. The cards include a National Identity Number (NIN) and biometrics. A government ministerial committee approved the creation of a unique ID number for each citizen in November 2008, and the programme to develop the numbering system began in June 2009.
Upon election, the new government repealed the controversial Prevention of Terrorism Act in 2004 which allowed for significant surveillance to be used with little oversight. Since the Mumbai attacks, however, there have been calls for new powers of surveillance and detention.
On consumer protection issues, the Supreme Court decided in August 2008 that unregistered telemarketing companies should be banned from making unsolicited calls.11 There is media coverage about links between unsolicited calls and poorly secured databases in companies.12 There are increasing reports of concerns about cyber-security particularly in the banking sector. In one study, over 80 banks were found to have inadequate security mechanisms to protect online account users.13 Yet reports also indicate that India is actually investing more in security than other countries, and investments are increasing at a greater rate than in Europe.14
Under the Telecom Unsolicited Commercial Communications Regulations 2007 issued by the Telecom Regulatory Authority of India, a Do-Not-Call List has been created so that individuals will not receive unwanted marketing calls.15 This includes SMS. There are reports that more than 18m people have signed up, resulting in 81,000 complaints;16 though this amounts to only 5% of the population, so there is some consideration of making it a stronger safeguard. There are increasing concerns about IT security, particularly for consumers facing attacks on mobile devices,17 malware, and social engineering.18 There are concerns about the lack of consumer education on privacy and security issues. A survey of wireless networks in Mumbai found that 36% were unprotected.19 Increasingly, guides are appearing in media outlets on how to guard against fraud20 and in particular how to avoid mobile banking fraud.21
The Credit Information Companies (Regulation) Act, 2005 requires that credit records agencies follow privacy principles when collecting or processing personal information for credit purposes.
There are limited protections in the Penal and Civil code relating to breach of confidence and fraud. The Consumer Protection Act, 1986 appears to have no specific protections.
The Right to Information Act was adopted in 2005. It gives individuals broad rights to demand information from central government and state bodies. It created a number of information commissions across the country to enforce it. The Central Information Commission in Delhi supports the adoption of a privacy law and could possibly become the enforcement agency for the law.22
Meanwhile, there are some remarkable privacy and human rights issues in India.
- In July 2008, the full Electoral Rolls for Delhi were discovered online.
- Under the All India Services (Performance Appraisal Report) Rules, 2007, female civil servants are being asked to provide sensitive personal information such as their “detailed menstrual history”.
- There are discussions regarding mandatory pre-marital tests for HIV.23
- There are emergent concerns about damage to reputation and abuse by the media, particularly of celebrities,24 as well as concerns about spying by individuals, e.g. the use of camera phones.25 The Supreme Court Chief Justice publicly stated that journalism must not encroach upon people's right to privacy, particularly during investigations, which could adversely affect their right to a fair trial.26
- There is increased discussion of the use of information technology for healthcare, but we have not been able to identify any discussions on privacy and security issues.27
- Google was sued in India by an Indian company demanding that it reveal the name of a blogger who they claim is defaming them.28
- India is one of the only countries that continues to use narcotics to forcibly extract information from suspects.29 It is also the only country using brain mapping techniques using 'Brain Electrical Oscillations Signature' in court cases, resulting in one case where a woman was found guilty of murdering her former fiance.30
- Police have been accused of manipulating media coverage against suspects, by airing allegations even as the investigations were on-going, and have been accused of 'encroaching on the right to privacy'.31
Finally, there is much discussion on the 'culture of privacy' in India, where many commentators argue that Indians do not hold privacy as dearly as other countries and cultures. Some commentators, however, have noted that their culture of privacy is in transformation, and there appears to be a new society emerging where there is an expectation of privacy.32
- 1. 'Use of e-mails for cyber-crimes and terrorism', Merinews, July 30, 2008.
- 2. Nas Foundation vs. Government of NCT of Delhi, WP(C) No.7455/2001, Decided July 2, 2009 in the High Court of New Delhi.
- 3. 'Minor Contradictions in Rape Victims' Testimony may be ignored, Indian Supreme Court says', Medindia.net, July 19, 2008.
- 4. 'Do you think gay people should be imprisoned?', The Times of India, October 10, 2008.
- 5. 'No gay sex, please, government tells court', SindhToday.net, October 1, 2008.
- 6. 'Push to legalize homosexuality in India', Siddharth Srivastava, Asia Sentinel, September 19, 2008.
- 7. 'Caution needed', Daily News and Analysis India, September 2, 2008.
- 8. 'Judges feel bugged', Saurabh Malik, Tribune News Service, August 31, 2008.
- 9. 'Crime cafe', The Telegraph, August 11, 2008.
- 10. 'India plans UID number to strengthen security', Iftikhar Gilani, Pakistan Daily Times, November 11, 2008.
- 11. 'Disconnect unregistered telemarketing companies: Supreme Court tells Centre', J. Venkatesan, The Hindu, August 1, 2008.
- 12. 'Keep it private', Times of India, August 5, 2008.
- 13. 'Cybercrime police face loopholes in the system', Subhankar Kundu, IT Examiner, November 7, 2008.
- 14. 'PwC Security Study: India Improves, Europe Lags, Many Miss Basics', Erik Sherman, BNET, October 16, 2008.
- 15. 'Adieu Pesky Calls', Atul Cowshish, Asian Tribune, August 6, 2008.
- 16. 'Only 5% of telephone users register with NDNC', Business Standard, October 11, 2008.
- 17. 'Be alert, be safe', Nikita Upadhyay, Express Computer, July 28, 2008.
- 18. 'The year of social engineering', Express Computer, July 28, 2008.
- 19. 'Deloitte releases Mumbai Wireless Security Survey', MoneyControl.com, October 10, 2008.
- 20. e.g. 'Guard against ID thieves', Jagan Nathan Vaman, Business Line, September 29, 2008, and 'Prevent online frauds', Preeti Kulkarni, The Economic Times, September 25, 2008.
- 21. e.g. 'How to avoid mobile banking fraud', India Times, September 21, 2008.
- 22. 'Privacy in a transparent world', Prabodh Saxena, The Economic Times, July 28, 2008.
- 23. 'India: Should Pre-Marital HIV Testing be Mandatory', Juhie Bhatia, GlobalVoices, July 19, 2008.
- 24. 'Driven by sensationalism', Indira Jaisingh, The Hindu, August 3, 2008.
- 25. 'Panel to study possible limits on camera phone use', Niranjan Bharati and Jojie Thomas Philip, The Economic Times, August 23, 2008.
- 26. 'Journalism must not encroach upon right to privacy: Chief Justice of India', The Hindu, October 19, 2008.
- 27. 'IT 'Clicks' Healthcare', Sonal Shukla and Priti Pathak, Express Healthcare, September 2008.
- 28. 'Google sued in India for its Blogger service', Techwhack.com, August 15, 2008.
- 29. 'Narco test: Shunned around the world, but not in India', Rakesh Bhatnagar, Daily News and Analysis India, November 10, 2008.
- 30. 'India's use of brain scans in courts dismays critics', Anand Giridharadas, International Herald Tribune, September 15, 2008.
- 31. 'Cops manipulating media coverage against suspects', Manor Mitta, The Times of India, October 27, 2008.
- 32. 'No trespassing', Ankit Ajmera, Daily News and Analysis India, October 12, 2008.