This paper evaluates the discrete components of the National Digital Health Blueprint, proposed by the Ministry of Health and Family Welfare under Government of India, in protecting privacy of individuals while allowing for sharing of health data. The authors look at Daniel Solove's taxonomy of privacy and evaluate the various features of the blueprint to see how it fares on protecting the specific types of privacies. The paper ends with a few recommendations on how the mechanisms can be improved by changing/adding a few technical and institutional components proposed in the blueprint.

This paper analyses India’s proposed data protection framework vis-à-vis Europe’s GDPR, in light of the latter’s impact assessment report. It analyses how adept India’s framework is with respect to its unique institutional requirements, and how it is necessary to assess the economic impact of such a framework carefully – arguing that GDPR-style data protection could have a disparate impact on certain sectors in India. This paper is important to understand the differences between Indian and European data privacy needs and how India’s law can fill such gaps.

This paper presents a critical analysis of the Personal Data Protection Bill, 2019 and argues that the proposed framework is ineffective in protecting the right to privacy, and will likely decrease business efficiency while empowering the government with overly wide powers to circumvent data protection principles. It argues that the Bill fails to represent the evolved conception of privacy in India post Puttaswamy, and does not holistically account for the needs of the digital economy. It presents three primary issues – first, that a consent based framework is often counterproductive in protecting user data and that strengthening the same is not the effective way forward [refer to the NIPFP Paper above]; second that its preventive framework imposes a disproportionate impact on small and private businesses with respect to compliance costs; and third that the Data Protection Authority has vast supervisory powers, which will most likely be over-ambitious from a implementation point of view and has potential for allowing unreasonable state access. The paper further critiques the lack of safeguards in checking unlawful government access of data as envisaged in Puttaswamy, in light of S. 35 of the PDP Bill, 2019.

This webpage collates information on the deployment of facial recognition technology in India.

The paper argues that any future data sharing law must amply justify the involved ‘common good’ to resist any challenge to it. The law should undertake a legitimate reallocation exercise so that data can be made available to all, reclaiming its public good nature. Further, the specific models of Business-to-Government data sharing being mulled over in various places have been identified. The paper also touches upon provisions of other constitutions, which have a focus on economic objectives, in terms of justifying data sharing laws in the future. The paper concludes by affirming constitutional tenability of such laws to be framed in the future, in India and elsewhere.

The author argues that there is no anchoring legislation from which the power to mandatorily impose the app can be sourced, and in any case, the imposition is a disproportionate restriction on the right to privacy. 

The report delves into communications surveillance in India and takes an in-depth look at various aspects of India's surveillance machinery, including enabling provisions of law, service provider obligations, and known mechanisms. It examines compliance of India's legal provisions on surveillance with the International Principles on the Application of Human Rights to Communications Surveillance that were formulated after a global consultation with civil society groups, industry, and international experts in communications surveillance law, policy, and technology.

The book discusses three key ideas: (i) the conception of privacy and privacy law, as one which is constantly shaped by technological changes; (ii) the critique of the Indian privacy policy, as one shaped by the Indian bureaucracy; and (iii) the need to transcend ‘consent’ as the core idea of privacy and the exploration of new principles.

‘Dissent on Aadhaar’ argues that Aadhaar was never really about welfare. The essays in this book explain how the project opens the doors to immense opportunities for government surveillance and commercial data-mining. Focusing on Aadhaar, but drawing lessons from ID projects from other parts of the world also, this book alerts readers to the dangers lurking in such expansive digital ID projects.

The paper critically examines the data localisation policy in India and its impact on India’s trade agreements. It argues for the adoption of a dynamic data localisation policy for specific sectors and issues, which is implemented through the least intrusive mechanism. It suggests that such a policy should replace the data-mirroring requirement in the PDP Bill.

This paper discusses the efficacy of consent and notice, which form the basis for most privacy policies. The empirical research concludes that in India, consent and notice can only achieve the desired goal of giving people control over their data if they are drafted in a more comprehensive and user-friendly manner.

This Working Paper attempts to present a detailed draft data protection framework for regulating the FinTech Industry. It explains the gap in existing laws, i.e. S. 43A of the IT Act and the SPDI Rules, with respect to specific security standards and protocols to ensure data privacy in financial transactions. The Paper proposes for its rules to be implemented as a measure for Fintech Entities to absolve themselves of any liability against claims of negligence under s. 43A of the IT Act. It contains standards of confidentiality, establishment of codes of best practice within fintech associations, duty to notify the Indian Computer Emergency Response Team as well as relevant users of any data breach and ensuring information security through risk assessment, encryption, incident management, cyber security planning and training, etc.

This working paper intends to inform public policy formation in India across various stakeholders, specifically government authorities, technologists, public health practitioners and digital rights groups. The paper undertakes a comparative review of international literature as well as a substantive analysis of the use and publication of health data, specific development of surveillance technologies around location tracking and finally the deployment of contact tracing through handheld device applications.

The widespread adoption of facial recognition technologies by the public and private sectors, without any meaningful debate or regulation, raises a number of concerns. These concerns revolve around issues of transparency, privacy and civil liberties, accuracy and effectiveness, and evidence of biased outcomes. This paper outlines the various contexts in which the use of this technology is being discussed in India and the challenges that it presents on account of the lack of an informed policy debate and appropriate legal and procedural safeguards. It focuses, in particular, on the proposed National Automated Facial Recognition System and the many ways in which it falls short of satisfying the tests laid down by the Supreme Court in the Puttaswamy right to privacy case.

This Report presents a comprehensive overview of the operation of Big Tech in India, and highlights the primary ways in which such companies impact our society – (a) exercise of market power, (b) shaping thoughts through their role as key information gateways, (c) personalisation at the cost of individual privacy and autonomy and (d) influence on national sovereignty, democracy and accountability. From the perspective of privacy and data protection, the Report argues that it is important to supplement the current consent based data protection model with accountability model, which holds individuals accountable for what they do with the data they collect consensually and any direct consequences thereof. It further proposes a tentative data stewardship model, under which data stewards will exercise more minute control over how data is to be used, thereby allowing the individuals they represent to have greater, albeit indirect, control over their information. Finally, it presents a case for privacy respecting business models that requires Big Tech deviate from the current privacy intrusive forms of advertising, for example switching to contextual or geographic advertising.

This paper presents an ethnographic study of Delhi Police’s data collection practices in context of the smart policing tool known as Crime Mapping, Analytics and Predictive System (CMAPS). 

This working paper evaluates Indian legislations and policies against privacy principles it sets out. It is helpful in understanding the need for a privacy law, highlighted prior to Puttaswamy and the Srikrishna Committee Report.

This article discusses the urgent need for a strong privacy law in India. It traces the right to privacy under Article 21 of the Constitution and the case law relating to the same. Specifically, it addresses how people may be vulnerable to breaches of privacy due to the mass collection of data for public schemes such as the Unique Identification system devised by the government of India.

This article argues that there is a need for a better definition of the rights and duties of the Press. 

This article traces the jurisprudence relating to the right to privacy in India. It refers extensively to the position of laws in the United States and discusses the opinions of relevant thinkers. It attempts to define the criteria along which the right to privacy must be defined in India.

There have been disturbing press reports and articles on the Information Technology (Amendment) Act, 2008. These accounts broadly wallow about the increase in the police powers of the state. They contend that the amendment grants legal sanction to online surveillance inexorably whittling down internet privacy. This article seeks to examine this prevalent notion. It discovers that legal provisions for online surveillance, monitoring and identification of data have been inserted in a narrow and defined class of circumstances governed by tenuous procedures. At first glance it may seem that these procedures and safeguards by themselves increase the right to privacy. However, on a deeper study it is revealed that they are found wanting due to the nature of internet communications. The article takes a comprehensive look at the state of online privacy in India arising out of the Information Technology Act, 2000.

This article analyses the constitutional jurisprudence relating to the right to privacy. Particularly, it addresses the exceptions to the application of the right to privacy as discussed by Justice B.P. Jeevan Reddy in the case R. Rajagopal v. State of Tamil Nadu.

This article discusses the increasing need for a privacy regime in India, in light of the growing business process outsourcing industry and the accumulation of large amounts of personal information. The authors have conducted a survey and conclude that there is a serious lack of awareness with respect to the right to privacy.

Electronic media, as compared to print media, has an added advantage as visuals have greater impact and ramification. They directly and immediately influence the minds of the viewers.

With the growth in the number of News Channels and the increasing practice of showing “breaking news”, the electronic media has come to play a major role in stirring public opinion and conscience as well. It is this potency to reach the public that enjoins on all the channels to understand and realise the heavy responsibility that is thrust on them. They should ensure that there is no case of misuse of the freedom. Keeping in mind the role a responsible media can play in disseminating information and creating awareness among masses without crossing the limits that a civilised society would expect, the electronic media should define its role. Freedom of the media is indeed an integral part of the freedom of speech and expression; and an essential requisite of a democratic set up. The Indian Constitution has guaranteed this freedom by way of a Fundamental Right. The media, which is obligated to respect the rights of individuals, is also expected to work within the framework of legal principles and provisions so that the right to privacy of an individual is not unnecessarily infringed at any cost whatsoever.

An expert group chaired by retired Justice A.P. Shah was created by the Planning Commission to set out principles for an Indian privacy law. In its report in October 2012, it concluded that the two laws were inconsistent on the “permitted grounds for surveillance, the type of interception that is permitted to be undertaken (monitoring, tracking, intercepting etc.), the type and granularity of information that can be intercepted, the degree of assistance that authorized agencies can demand from service providers, and the destruction and retention requirements of intercepted material.” These differences, it concluded, “have created an unclear regulatory regime that is non-transparent, prone to misuse, and that does not provide remedy for aggrieved individuals.”

Specifically, the Report highlighted nine National Privacy Principles that must be incorporated into a privacy legislation in India. These principles are:

Prior Notice: Notice to be given by data collector to the individual concerned during data collection, data breaches, when access is granted to third parties, or when there is a change in the data collector’s policy.

Choice and Consent: Individuals must be given opt in/opt out choice with respect to collection of data. The individual must also be given the option to withdraw consent for collection of information at any point of time. When provision of information is mandated by law, it should be in compliance with all other National Privacy Principles

Collection Limitation: A data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection

Purpose Limitation: A data controller shall collect, process, disclose, make available, or otherwise use personal information only for the purposes as stated in the notice after taking consent of individuals.

Access and Correction: Individuals shall have access to personal information about them held by a data controller; shall be able to seek correction, amendments, or deletion such information where it is inaccurate; be able to confirm that a data controller holds or is processing information about them; be able to obtain from the data controller a copy of the personal data.

Disclosure of Information: A data controller shall not disclose personal information to third parties, except after providing notice and seeking informed consent from the individual for such disclosure

Security: A data controller shall secure personal information that they have either collected or have in their custody, by reasonable security safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, de-anonymization, unauthorized disclosure [either accidental or incidental] or other reasonably foreseeable risks.

Openness: A data controller shall take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data they collect, in order to ensure compliance with the privacy principles, information regarding which shall be made in an intelligible form, using clear and plain language, available to all individuals.

Accountability: A data controller shall be accountable for complying with measures which give effect to the privacy principles.

In her research, Sonal Makhija, a Bangalore-based lawyer, tries to delineate the emerging privacy concerns in India and the existing media norms and guidelines on the right to privacy. The research examines the existing media norms (governed by Press Council of India, the Cable Television Networks (Regulation) Act, 1995 and the Code of Ethics drafted by the News Broadcasting Standard Authority), the constitutional protection guaranteed to an individual’s right to privacy upheld by the courts, and the reasons the State employs to justify the invasion of privacy. The paper further records, both domestic and international, inclusions and exceptions with respect to the infringement of privacy.