Is Your Aadhaar Number Confidential?*

Earlier this week, an agency entrusted with enrolling individuals under the Aadhaar scheme inadvertently published Mahendra Singh Dhoni’s personal information online. When it was pointed out this amounted to a gross violation of privacy, the government released a statement confirming that such publication was illegal and that the agency had accordingly been blacklisted. Another post indicated that several databases containing individuals’ Aadhaar numbers can be obtained by a simple online search. Over the last few months, the government has made the Aadhaar number mandatory for a host of benefits, including essential schemes such as the mid-day meal scheme for school children. As Aadhaar increasingly becomes the gateway to accessing benefits, the lack of clarity about how the number can be used, displayed or stored deserves further attention.

Aadhaar was introduced in 2009 as a way to plug leakages in the welfare delivery mechanism. It proposed to do so by creating a secure authentication mechanism that is capable of accurately verifying the identity of beneficiaries. Under the regulations framed under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016 (‘Aadhaar Act’), this can be done in three ways –

  • Demographic authentication – requires some demographic information (such as name or address) along with one’s Aadhaar number
  • One Time Password authentication – authentication through a One Time Password, sent to an individual’s registered mobile number, coupled with one’s Aadhaar number
  • Biometric authentication – uses biometrics along with the Aadhaar number

However, besides authentication, the Aadhaar number, usually printed on a paper card and laminated, has gained wide currency as a regular identification card. It is popularly used as a proof of identity, and photocopies of it are readily submitted where identity proof is required for compliance with certain legal obligations (such as hotel reservations, use of a cyber-café etc.). The wide circulation of information printed on these cards – Aadhaar numbers as well as basic demographic information such as one’s name and address – makes it susceptible to misuse.

To illustrate, if an entity opted to authenticate its customers using the ‘demographic authentication’ model, the easy availability of such information would make it exceptionally easy to avail the service under a false identity. Even for authentication using biometrics, it has been repeatedly argued that fingerprints can easily be copied and re-created. This points to a need for more restricted use of the Aadhaar number, and stringent safeguards for its storage and sharing.

The legal framework does not specifically prohibit the use of Aadhaar as an identity document, but news reports indicate that the UIDAI does regard this as being problematic. In the weeks following demonetisation, the UIDAI, through its Twitter handle, had ‘advised’ people not to share their Aadhaar numbers printed on such cards. It further warned that if a photocopy was being submitted, it should be self-attested and the purpose for sharing should be clearly stated to avoid misuse. This form of advisory, without any formal action to tackle concerns regarding misuse of Aadhaar data, raises several concerns.

The Aadhaar (Sharing of Information) Regulations 2016 (Regulations) require that any individual or entity that collects the Aadhaar number must –

  • Not publish or publicly display it;
  • Ensure its security and confidentiality;
  • Ensure that numbers have been redacted before publishing any database that contains them;
  • Not transfer it in an unencrypted form, except when required for correction of errors or grievance redressal; and
  • Not hold such data for longer than is necessary to achieve the desired purpose.

However, a blog post that has been shared widely shows that organisations including government departments have been callous in how they store Aadhaar information. Under the Regulations, this constitutes a violation of Section 29 of the Aadhaar Act. Such a lapse in storing Aadhaar information is punishable with imprisonment for a term which may extend to three years or a fine that may extend to ten thousand rupees or both (in case of a company, the fine may extend to one lakh rupees). However, it remains to be seen if the UIDAI will initiate any action against these entities.

This highlights another weakness of Aadhaar’s legal framework – it does not allow individuals to approach the court for any instance of data mismanagement. The complaint can only be initiated at the behest of the UIDAI. As a result, individuals whose data has been made public can only hope that the UIDAI will take action against erring entities. A recent report highlights that the UIDAI has only initiated criminal complaints in three out of 1390 complaints received by it so far.

Besides this major lacuna, what qualifies as adequate security for storing Aadhaar numbers remains unknown, as the regulations do not prescribe any standard. They are therefore inadequate to ensure that the Aadhaar number remains confidential.

So is the Aadhaar number confidential? The law certainly seems to suggest so, but its wide use as an identity proof indicates otherwise. It is apparent that the Aadhaar is popularly used as an identity document, contrary to its original purpose as a means for authentication or verification of identity. Despite being in contradiction with the scheme of the regulations, there has been little effort on the UIDAI’s part to initiate any course correction. It has been pointed out that one reason for this could be that it will reduce the public acceptability of Aadhaar, and public perception may take a hit. But it is extremely short-sighted to sacrifice individuals’ security and privacy in order to maintain public perception.

__________________________________________________________________

*Builds on important disclosures made by @St_Hill in a post here.

Two Takes on the Right to be Forgotten

Last month saw important developments in the discourse around the right to be forgotten. Two high courts, Gujarat and Karnataka, delivered judgments on separate pleas to have particular judgments either removed from online repositories and search engine results or have personal information redacted from them. The Gujarat High Court dismissed the petition, holding that there was no legal basis to seek removal of a judgment from the Internet. On the other hand, the Karnataka High Court ordered the Court’s Registry to redact the aggrieved person’s name before releasing the order to any entity wanting to publish it. This post examines both judgments to understand the reasoning and legal basis for denying or accepting a claim based on the right to be forgotten.

Gujarat High Court

According to the facts reproduced in the order, the petitioner in this case had criminal charges filed against him for several offences, including murder, which ultimately resulted in an acquittal. At the appellate stage too, the petitioner’s acquittal was confirmed. The judgment was classified as ‘non reportable’ but nevertheless published on an online portal that reproduces judgments from all superior courts in India. It was also indexed by Google, making it easily accessible. Being distressed about this, the petitioner sought ‘permanent restrain of free public exhibition of the judgement…over the Internet’.

While dismissing the petition, the Court held that it was permissible for third parties to obtain copies of the judgment under the Gujarat High Court Rules 1993, provided their application was accompanied by an affidavit and stated reasons for requiring the judgment. Moreover, it held that publication on a website did not amount to a judgment being reported, as the classification of ‘reportable’ was only relevant from the point of view of law reports. In the Court’s opinion, there was no legal basis to order such removal and the presence of the judgment on the Internet did not violate the petitioner’s rights under Article 21 – from which the right to privacy emanates.

The Court’s dismissal of the argument that a non-reportable judgment is on an equal footing with a reportable judgment is problematic, but hardly surprising. In a 2008 decision, while describing the functions of a law reporter that was a party before it, the Supreme Court observed that “the [law report] publishes all reportable judgments along with non-reportable judgments of the Supreme Court of India”. The distinction between reportable and non-reportable judgments was not in issue, but it does call for some introspection on the legal basis and rationale for classification of judgments. In an article on the evolution of law reporting in India, the constitutional expert M.P. Jain explains that law reports were created as a response to Indian courts adopting the doctrine of precedent. This is the doctrine that binds lower courts to decisions of the higher courts. Precedent is created when a court lays down a new principle of law or changes or clarifies existing law. Consequently, the decision to make a ruling reportable (ideally) depends on whether it sets a precedent or not. Presumably then, there is a lesser public interest in having access to non-reportable judgments as compared to reportable ones.

While there is a clear distinction between publication in a law report and publication of the transcript of the judgment, the lack of a public interest element could have been taken into account by the High Court while deciding the petition. Moreover, it is unclear how reliance on the High Court Rules helped the Court decide against the petitioner. Third parties may be entitled to obtain a copy of a judgment, but the motivation behind a right to be forgotten is to only make information less accessible, when it is determined that there is no countervailing interest in its publication. At its root, the right is intended to enable citizens to exercise greater control over their personal information, allowing them to live without the fear that a single Google search could jeopardise their professional or personal prospects.

Karnataka High Court

Less than three weeks after the Gujarat High Court’s decision, the Karnataka High Court ordered its Registry to redact the name of the petitioner’s daughter from the cause title as well as the body of an order before handing out copies of it to any ‘service provider’. It accepted the petitioner’s contention that a name-wise search on a search engine might throw up the order, adversely affecting his daughter’s reputation and relationship with her husband. The Court clarified that the name need not be redacted from the order published on the Court’s official website.

Towards the end, it remarked that such an action was ‘in line with the trend in Western countries’ where the right to be forgotten exists as a rule in ‘sensitive cases involving women in general and highly sensitive cases involving rape or affecting the modesty and reputation of the person concerned’.

This statement is problematic. The right to be forgotten emanates from the right to privacy and data protection, which are both regarded as fundamental rights in Europe. Basing the right on ideas of honour and modesty [of women] creates some cause for concern. Further, an important distinction between this case and the one before the Gujarat High Court is that neither Google nor any website publishing court judgments was made a party to it. The claim was based on redaction of information from the source, rather than de-listing it from search engine results or deleting it from a website. This is interesting, because it allows us to think of the right to be forgotten as a comprehensive concept, instead of a singular right to de-list information from search engine results. It provides courts with a choice, allowing them to opt for the least restrictive means to secure an individual’s right to online privacy.

However, the lack of a clear legal basis to allow or deny such claims raises cause for concern. As is already apparent, different high courts are likely to take divergent views on the right to be forgotten in the absence of an overarching data protection framework that grants such rights and prescribes limits to them. In several cases, the right to be forgotten will trigger a corresponding right to freedom of expression and the right to know. The criteria to balance these important but competing claims should be in place for courts to be able to decide such requests in a just manner.

Supreme Court considers installation of CCTV units in courts – but will it regulate what happens next?

Earlier this month, the Supreme Court heard a petition seeking directions to ensure audio-visual recording of the proceedings in trial courts. The reasoning behind the request was that recording proceedings would enhance the fairness of trials. The Supreme Court decided to limit the question to whether CCTV (video only) cameras may be installed at various locations in the courts, in order to better serve security and administrative needs.

This is not the first time the Supreme Court has discussed the use of CCTV cameras for security and other purposes. However, there is also no comprehensive law that deals with the use of CCTV cameras and related security and privacy issues.

In the present case, the Court initially noted that multiple courts, including the courts in Gurgaon, have undertaken such efforts in the past. The Court then requested the additional solicitor general and a senior advocate present in the court as amicus to visit the courts in Gurgaon, and report on the matter within four weeks. It stated that once the report is received, it will consider directing installation of CCTV (video only) cameras at district courts in various states. It has also indicated that any recordings made by these CCTV cameras will not be available to the public, and will be retained for specified periods of time only.

The Court has considered the use of CCTV cameras in public places in previous cases. In Deputy Inspector General of Police and Anr. v. S. Samuthiram, a case regarding eve-teasing / sexual harassment, the Court took cognizance of such cases and the need for prevention mechanisms. Amongst other things, it directed all states and union territories to install CCTV cameras in public places. The CCTV cameras were to be positioned such that they act as a deterrent to potential offenders, and if an offence was committed, the offenders would be caught / identified.

In Dilip K. Basu v. State of West Bengal and Ors, the Court considered the request of the amicus, and directed state governments to: (a) take steps to install CCTV cameras in all the prisons in their respective states, within a period of one year from the date of the order (but not later than two years), and (b) consider installation of CCTV cameras in police stations in a phased manner depending upon the incidents of human rights violation reported in such stations.

State governments have also, in various instances, directed the installation of CCTV cameras in public places. In Tamil Nadu, the state government has directed that CCTV cameras must be installed in every public building. The cameras must be installed in accordance with the recommendations of the local police officers. Such recommendations may be made for purposes such as ensuring public order or controlling crimes and the reasons for the recommendation must be recorded in writing.

In Chandigarh, the local government released a set of draft rules meant to regulate mobile app-based transport aggregators (such as Uber and Ola). Among other things, these draft rules require that every taxi must install a CCTV unit to monitor activities inside the taxi in real time. The rules suggest that the video feed from the CCTV cameras should be linked to a control room established by the aggregator.

The above are some examples of courts and government bodies providing for installation and use of CCTV cameras and video recordings. There is a common trend among them – the orders and rules only deal with when and where the units are to be installed, and used. They do not, however, provide a procedural / regulatory mechanism to ensure proper, lawful use of such cameras and associated video recordings.

Maintenance of law and order, security, deterrence of criminal activity, and identification of offenders are all important issues, and appropriate means should be adopted to provide for the same. At the same time, there needs to be a balance between such means and individual rights, such as the right to privacy. These laws and orders largely deal with installation and use of CCTV cameras in public places, where some may argue that an individual does not have a reasonable expectation of privacy. However, reports suggest there is misuse of CCTV cameras, especially where installed in customer-heavy locations such as retail outlets.

Such misuse could be dealt with under some existing provisions of laws such as the Information Technology Act, 2000 – for example under the provision which criminalizes capturing of images or videos of an individual’s private parts, or the data protection rules. However, these laws are of limited applicability, and deal mostly with sensitive personal information, and images or videos of a private / sexual nature. We do not currently have a comprehensive law that deals with surveillance equipment and its use in public spaces. Although some states such as Tamil Nadu provide that CCTV cameras must be installed based on police recommendations, there is no general prohibition or restriction on their installation and use. Further, there are no specific restrictions on the collection, use, retention, or transfer of any video recordings, or information that is derived from such recordings. There is no mechanism put in place to deal with a situation where an individual’s data is shared without authorization.

Certain authorities within the country appear to have recognized this gap, and taken some steps towards addressing these issues. In Maharashtra, the local municipal corporation in Navi Mumbai has implemented a CCTV surveillance system to help the local police maintain law and order. The corporation has issued a ‘voluntary code of conduct’ in relation to all surveillance camera systems in public and private places. This document attempts to “provide a framework to all the stakeholders so that there is proportionality and transparency in their use of surveillance”. Among other things, it provides that (i) the use of a surveillance system must always be for a legitimate and specified purpose; (ii) establishments must be transparent about the use of CCTV cameras on their premises; and (iii) access to the video feed will be limited and subject to clearly defined rules on persons who can gain access and purposes for which access may be gained.

Even a limited framework such as this goes a long way towards ensuring transparency and protection of individual rights and freedoms. Perhaps the Supreme Court will provide more nuanced directions, not only on the installation of CCTV cameras, but also on the use of associated video recordings when the matter is next brought up.

Delhi HC hears the Right to be Forgotten Case

The pending right to be forgotten petition came up for hearing before the Delhi High Court today. The case seeks the deletion of a court order, which has been reproduced on the website Indiankanoon.com, on the ground that it violates the petitioners’ right to privacy and reputation. This post looks at some of the contentions raised before the Court today and its response to them. However, these are mere observations and the Court is yet to take a final decision regarding the petitioner’s prayer(s).

During the course of today’s hearing, the presiding judge observed that all orders of the court constitute public records and cannot be deleted. In any case, it was pointed out that judicial decisions are normally reported and accessible on the National Judicial Data Grid and their removal from a particular website would not serve the desired purpose. Moreover, the court thought that even if the petitioner’s relief was granted, removal of content from the Internet was a technical impossibility.

The Court however did acknowledge that certain information could be redacted from judicial orders in some cases. This is routinely done in cases related to rape or other sexual offences owing to the presence of a clear legal basis for such redaction. In the present case however, the Court appeared unconvinced that a similar legal basis existed for redacting information. The petitioner’s counsel contended that personal information might become obsolete or irrelevant in certain cases, reflecting only half-truths and causing prejudice to an individual’s reputation and privacy. However, the Court observed that orders of a court could not become obsolete, and the balance if any would always tilt towards the public interest in transparency.

On several occasions, the petitioner’s counsel made a reference to the European Court of Justice’s decision in Google Spain, which is commonly credited with creating the right to be forgotten in Europe. However, the Google Spain ruling created a distinction between deleting information from its source and merely delisting it from search engine results. Further, the delisting is limited to results displayed for searches performed for a particular name, ensuring that the information continues to be indexed and displayed if Internet users perform a generic search. However, no distinction was made between delisting and erasure during the course of arguments in the present case.

As an alternate prayer, it was argued for the petitioner that his name be anonymised from the court order in question. Here again, the Court felt that there was no legal basis for anonymisation in the present case. In the Court’s opinion, the information in the order was not prejudicial to the petitioner, per se. The fact that information about a family dispute was accessible to the public at large was not seen as particularly damaging.

The Indian legal framework lacks a coherent policy for anonymisation of names in judicial decisions. Under the Indian Penal Code, publishing names of victims of certain offences is prohibited. Realising that the provision did not bar courts from publishing the names of the victim, the Supreme Court held that names should be anonymised from judgments too, keeping the object of the law in mind. However, research indicates that names continue to be published by courts in a substantial number of cases. A few other laws also provide a legal basis for anonymisation, but these are limited to cases such as minor victims of sexual offences or juvenile offenders. On a few occasions, courts have used their inherent powers to order anonymisation of party names in family cases – making the decision dependent on the discretion of a judge, rather than a result of a larger policy objective. Increasing digitization of court records and easy availability of judgments on the Internet have new implications for online privacy. Transparency of the judicial process is crucial, but in the absence of any larger public interest, anonymisation may be warranted in a wider range of cases than is currently permitted.

As a concept, some form of the right to be forgotten may be essential in today’s age. However, its successful implementation is entirely dependent on clear legal principles that strike a balance between competing rights. In the absence of a comprehensive data protection legislation, this is difficult. However, besides the question of a right to be forgotten, this petition presents an interesting opportunity for the Court to analyse and perhaps frame guidelines where anonymisation may be adequate to protect privacy, without delisting or deleting any content.

Digitisation of Health / Medical Records: Is the law keeping up?

By Smitha Krishna Prasad

Medical and health records are increasingly digitised, and ease of access is considered one of the key benefits of this trend. However, patient privacy and security of such records are important concerns that need to be addressed both under the existing legal framework, and in terms of development of new laws.

Earlier this month, news reports suggested that private medical records of over 35000 patients had been made publicly available through the website of a diagnostic laboratory based in Mumbai. Reports indicate that the website of the lab was hacked. However, other reports specify that the lab has disclaimed liability, stating that any requirement for confidentiality is limited in applicability to doctors only. Further, the lab suggested that since they were shortly to be moving to a different system, there was no urgency in remedying the security flaws.

While the above seems to be an internal security issue on the part of the lab, we have seen that health records are a favourite for hackers, across the world. These records are then either held for ransom or sold by such hackers.

The healthcare industry as a whole is seen as one of the least secure industries globally. At the same time, medical and health records of individuals are increasingly being digitised. Individuals and institutions in the healthcare industry are digitising records within their organisations to improve ease of access. The Ministry of Health and Family Welfare, Government of India, is in the process of setting up an Integrated Health Information Platform, and has issued Electronic Health Record Standards (EHR Standards). The EHR Standards are meant to provide for creation and maintenance of health records in a standardised manner that would allow for interoperability across platforms and institutions across the country. There are many pros and cons to undertaking such a digitisation effort – however, this post is limited to examining the legal framework surrounding such digitisation and the protection of privacy of patients.

Current Legal Framework in India

Today, India does not have a comprehensive privacy law, or an industry specific privacy regulation that focuses on the healthcare / medical industry. We do have the Information Technology Act, 2000 (“IT Act”), and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“IT Rules”), as well as the Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002 (“MCI Code of Ethics”).

The MCI’s Code of Ethics provides that physicians must maintain medical records pertaining to patients for a period of 3 years from commencement of treatment. Further, physicians must also make such records available to patients, authorised attendants and legal authorities upon request. Physicians are also required to make efforts to computerise such records. While there is no specific provision on maintenance of privacy and security of these medical records, the MCI Code of Ethics does provide that confidences entrusted by patients to physicians must not be revealed, unless required by law or in public interest. However, the MCI Code of Ethics is applicable to physicians i.e. doctors with MBBS or equivalent qualifications only.

On the other hand, the IT Act and the IT Rules are wider in application. They deal specifically with electronic records and require any person dealing with certain defined types of sensitive information, including medical records, to undertake data protection and security measures.

Any violation of the MCI Code of Ethics calls for disciplinary action against the concerned physician which could include removal of the physician’s name from the register of qualified physicians. The IT Act however, does not provide for any direct action or penalty in the case of non-compliance with the IT Rules, and relies on the person affected by the non-compliance to take action.

In addition to the MCI Code of Ethics and the IT Act, there are a few other laws such as the Medical Termination of Pregnancy Act, 1971 which provide for maintenance of confidentiality of patient information. However, these are largely specific to certain circumstances and are not comprehensive.

Potential Developments

In the absence of a comprehensive privacy and data protection law in India, some regulators have taken to establishing basic rules to protect consumers and individuals in their respective industries. For instance, the RBI places certain restrictions on the circumstances in which customer information can be shared by banks. Insurance and telecom companies are restricted from transferring certain customer information outside India.

Given the highly sensitive nature of medical / health related information, and recent trends of commoditisation of such information in the black market, such laws are much needed in the healthcare industry.

The EHR Standards do deal with certain aspects of privacy of patients and security of healthcare records. They prescribe several international standards to be adhered to by members of the healthcare industry while dealing with electronic health records. However, they appear to default back to the IT Act as the legislation that would govern the implementation of any data protection measures in relation to such records.

The Human Immunodeficiency Virus and Acquired Immune Deficiency Syndrome (Prevention and Control) Bill, 2014 also provides certain safeguards to ensure the privacy of patients, specifically in relation to their HIV status. Some concerns regarding the provisions of this bill have previously been discussed here. However, this proposed bill is again limited in scope, and does not apply across the medical industry.

Reports suggest that recognising the need for a more comprehensive law, the Central Government has taken up the initiative of drafting a healthcare industry specific privacy and data protection law.

Given that this law would be drafted from scratch, we suggest that it should be (a) holistic i.e. be applicable across the entire healthcare / medical industry, and not specifically to doctors / hospitals, and (b) technology agnostic, addressing medical / health information in any format, digitised or not.

The law should also take into account the internationally recognised privacy / fair information principles. These principles provide, among other things, for (a) collection of data by lawful means, and only when required (b) use of data for the purpose it is collected only, (c) adequate security measures to be undertaken to protect data, and (d) accountability and openness about policies in place for use and protection of data.

Further, to the extent that it provides for the digitisation of records, and implementation of EHR Standards, it should be ensured that the principles of ‘privacy by design’ are used. The concept of privacy by design stipulates that privacy and data protection measures must be built into any system as a default, taking a preventative approach to data protection rather than a remedial approach.

Another important concern is enforcement – our current laws, such as the IT Act, do not provide for proactive enforcement in case of failure to protect privacy / data of individuals, and leave it up to the affected individuals to act. Ideally, a dedicated regulator with the ability to investigate and direct action against defaulters is required. Perhaps the role of the National e-Health Authority proposed by the Government could be expanded to deal with privacy and security of all health records and information.

While the idea of implementing a health privacy and data protection law is a welcome move, it remains to be seen how far this proposed legislation will go towards fully protecting patients’ rights.

Privacy Concerns Under the HIV Bill 2014

The Human Immunodeficiency Virus and Acquired Immune Deficiency Syndrome (Prevention and Control) Bill, 2014 (the HIV Bill) is likely to be tabled in the Rajya Sabha in the current winter session. The HIV Bill is aimed at preventing and controlling the spread of Human Immunodeficiency Virus (HIV) and Acquired Immune Deficiency Syndrome (AIDS) and protecting the human rights of those affected by HIV and AIDS.

Important human rights considerations under the HIV Bill include prohibiting discrimination against HIV+ persons and also addressing the causes from which such discrimination stems. Lack of safeguards for sensitive medical information such as a person’s HIV status and the subsequent use of this information for other purposes enhance the scope for discrimination. In an attempt to address this, the Bill imposes several obligations on central and state governments, healthcare providers and establishments (such as organisations, cooperative societies etc.). This post examines the provisions relating to three critical aspects of the HIV Bill – informed consent, disclosure of information and clauses related to confidentiality.

INFORMED CONSENT

Clause 2(n) defines “informed consent” under the HIV Bill. There are two elements to this definition. The first element stipulates that consent must be without any coercion, undue influence, fraud, mistake or misrepresentation. The second element requires that consent must be obtained after being informed of the risks, benefits and alternatives to the proposed intervention and in a language or manner that can be understood by the individual giving consent.

Clause 5 of the HIV Bill mandates that informed consent must be sought before subjecting any person to an HIV test, or if an HIV+ person or persons residing with her are subjected to any medical treatment, intervention or research. If the person in question is incapable of giving consent, it is to be sought from her representative.

Further, this clause stipulates that informed consent includes counselling both before and after such a test is conducted.

Clause 6 of the HIV Bill lays down four exceptions where medical interventions can be carried out without obtaining such consent. The first exception pertains to a court order that may require a person to undergo an HIV test if the court feels that this information is necessary to determine the issues before it.

The second exception allows the procuring, processing, distribution or use of a human body or parts (such as tissues, blood, semen or other bodily fluids) for medical research or therapy. This exception is extremely broad in its scope. The Bill does not define either ‘medical research’ or ‘therapy’. It is difficult to ascertain the exact purpose for this exemption based on the text of the Bill alone. Furthermore, it is unclear why an exception should be made for medical research at all. For example, South Africa’s ‘National HIV Counselling and Testing Policy Guidelines’ require informed consent to be in writing in the context of research and clinical trials. This exception also states that if the person undergoing the test requests its result prior to donation, she would only be entitled to it after having undergone post-test counseling.

The third exception deals with HIV tests for epidemiological or surveillance purposes where the test is anonymous and not for the purpose of determining a person’s HIV status. However, the subjects of these tests are required to be informed of the purposes of such a study. Again, despite the fact that the test is anonymous, it is unclear why the obligation to seek informed consent has been done away with. Participation in any study must be voluntary and based on an informed decision.

The final exception allows an HIV test to be conducted for screening purposes in licensed blood banks.

DISCLOSURE OF HIV STATUS

Clause 8 provides that no person can be compelled to disclose their own HIV status unless required to do so ‘by an order’ which states that the disclosure is necessary in the interest of justice or for the determination of issues before it. This clause fails to mention that the order must be by a competent court. The Parliamentary Standing Committee Report on this Bill had recommended this addition citing ambiguity in the existing provision. However, the HIV Bill has not been amended to reflect this recommendation.

The HIV Bill states that any person who has information about another’s HIV status or any other private information, which was either imparted in confidence or in a fiduciary relationship, cannot disclose or be compelled to disclose such information except with the informed consent of that person. This clause requires the consent to be recorded in writing.

However, the Bill envisages six situations where such disclosure may be made without seeking informed consent.

The first exception deals with disclosure made to another healthcare provider who is involved in the treatment or counseling of that person, provided that the disclosure is necessary for the treatment.

The second exception allows disclosure pursuant to an order of a court when the information is necessary in the interest of justice or for determination of any issue before it. Seeing that this exception permits disclosure specifically pursuant to a court order, there is no reasonable explanation for the vague drafting of the first part of Clause 8.

The third exception permits disclosure in suits or legal proceedings when such information is necessary for filing the proceedings or instructing one’s lawyers.

The fourth exception allows a physician or a counsellor to disclose the HIV+ status of a person to his or her partner if they reasonably believe that the partner is at significant risk of HIV transmission. However, Clause 9 stipulates safeguards for this. Such disclosure is only permissible if the HIV+ person has been counseled to inform their partner and the physician or counsellor is satisfied that this is not likely to happen. They are under an additional obligation to inform the HIV+ person of their intention to disclose this information to their partner. This information can only be disclosed in person and after the partner has been counselled.

Clause 9 further provides that if the HIV+ person is a woman who is at the risk of being abandoned or abused (physically or mentally) as a result of such disclosure, the counsellor or physician has an obligation to not inform her partner. This clause also absolves the physician or counsellor from any civil or criminal liability arising out of disclosure or non-disclosure under this clause.

The fifth exception allows disclosure of statistical or other information where it is reasonably clear that it cannot lead to that person’s identification. The last exception permits disclosure to officers of the central and state governments or the State AIDS Control Society for the purposes of monitoring, evaluation or supervision. This exception is also couched in extremely broad and vague terms. Ideally, the law must explicitly mention the specific Authority or officers who may have access to this information.

OBLIGATIONS OF ESTABLISHMENTS

Clause 11 of the HIV Bill requires every establishment (body corporate, co-operative society, organisations etc.) to adopt data protection measures to store HIV related information of persons. These measures will be framed by way of guidelines by the government, including mechanisms for accountability and liability.

SPECIAL PROCEDURE IN COURT

The HIV Bill also incorporates procedures to ensure confidentiality during judicial processes. It allows the court to pass an order to – a) suppress the identity of a person by using a pseudonym; b) hold the proceedings in camera; or c) restrain any publication that would disclose the identity of such person, if an application is made to this effect.

PENALTIES

It is pertinent to note that the HIV Bill makes no mention of any penalty for a breach of obligations under Clause 5 (pertaining to informed consent) and Clause 8 (pertaining to disclosure of information).

The Bill also mandates every state government to create an Ombudsperson to hear complaints, but almost all aspects pertaining to the Ombudsperson’s qualifications, functions and jurisdiction have been left to delegated legislation by the relevant state. Further, Clause 24 stipulates that the Ombudsperson can inquire into violations ‘in relation to healthcare services by any person…’. While this might include violations related to informed consent, it remains unclear if the scope of the Ombudsperson’s powers will include complaints related to unlawful disclosure of information.

The Bill must be welcomed for introducing procedural safeguards in medical interventions related to HIV+ persons. However, many of the provisions, including exceptions, suffer from overbreadth and vagueness. Furthermore, the absence of any penalty for breach of provisions relating to informed consent and disclosure of information almost renders these safeguards futile.

“The Right to be Forgotten”: Balancing Personal Privacy with the Public’s right to access Information

Evolution of the right and Global framework

In the Internet age, when access to information is quick and easy, procuring personal information or past records about an individual is no longer a herculean task. The relevance of such information or the duration for which such data should be available for public access has hitherto not been debated.

There is a growing global debate on a new right called “the right to be forgotten” or “the right of erasure”. This right allows people to request the removal of their personal information/data online after a period of time or if such information/data is no longer relevant. The origin of this right can be traced back to the French jurisprudence on the ‘right to oblivion’ or droit à l’oubli. The rationale behind this right was to allow criminal offenders who have already served their sentence to object to the publication of information regarding their crime and conviction. This was done to ease their process of social integration.

It was along these lines that the 1995 EU Data Protection Directive acknowledged the right to be forgotten. Under the Directive, it was stipulated that the member states should give people the guaranteed right to obtain from the ‘controller’ the rectification, erasure or blocking of data relating to them, the processing of which does not comply with the provisions of the Directive. The term ‘controller’ here refers to a natural or legal person, public authority, agency or any other body which alone or jointly determines the purposes and means of processing personal data.

In May 2014, the Court of Justice of the European Union (‘Court’) recognized the right to be forgotten as a part of the fundamental right to privacy in the Google case. The plaintiff, in this case, had requested the delinking of search results appearing on Google and the deletion of newspaper articles appearing online with respect to bankruptcy proceedings against him. The Court held that individuals have a right to request search engines to delink information which causes prejudice to them. However, the Court was careful to state that this right is not absolute and can be applied only when the data becomes ‘inadequate, irrelevant, excessive, not kept up to date, or kept for longer than necessary’ with respect to the purpose for which it was collected or processed. Accordingly, the Court directed Google to delink the search results in the instant case. It was further held that the publication of accurate data may be lawful at a given point in time, but in due course, it might become inconsistent with the law.

While the judgment in the Google case is a step in the right direction, it leaves much to be desired. The Court did not set out any guidelines or parameters to filter out information as ‘inadequate’ or ‘irrelevant’ or ‘excessive’. It has thrust the onerous task of balancing the right to privacy of an individual and the public’s right to access information on private search engines like Google. This raises critical questions regarding the suitability of private entities taking decisions which are of constitutional import. Pursuant to this judgment, the EU adopted the Data Protection Reforms, which include the right to be forgotten as an essential right under Article 17 of the Data Protection Regulations. This lays down the conditions for application of the right to be forgotten, and requires entities processing personal data to inform third parties regarding requests for erasure of links to any personal data. A detailed discussion of these regulations and their impact on India can be found here.

Challenges in enforcement

There are many legal and technical challenges in the enforcement of the right to be forgotten. The success rate of governments across the world in banning or removing pornographic websites or torrent sites from the Internet has not been great, since there are various ways of circumventing such bans. Further, the blocking or delinking of URLs by search engines does not guarantee that such information has been blocked or deleted from the Internet. There is also no way to ensure that such information is not uploaded again.

To enforce the ruling of the case discussed above, Google has created a mechanism through which an individual can make a request for the taking down or delinking of a specific search result bearing that individual’s name. Google evaluates such requests on various parameters, such as whether these results are an infringement of the individual’s right to privacy or whether such information is of public interest. In case of the former, the individual’s right to be forgotten trumps the public’s right to access information. However, if the information is of public interest, the right to information of the public prevails over privacy rights. This squarely makes Google the decision maker on the relevance and adequacy of data, and on whether it needs to be available online for public access.

With the growing recognition of the right to be forgotten, the number of requests that search engines receive for taking down or delinking is only likely to increase, making it extremely difficult and cumbersome to scrutinize such requests manually. According to Google’s Transparency Report, as on 9th October, 2016, Google had received 565,412 requests for the removal of URLs. The Report further states that it has already evaluated 1,717,714 URLs since May, 2014. The Report shows that Google has removed 43.2% of the URLs from the requests received. With a substantial increase in the number of requests, search engines may even consider using algorithms to deal with such requests instead of manually evaluating the privacy rights vis-à-vis public interest.

Further, search engines are also likely to err on the side of caution and accept such requests rather than face expensive legal challenges across jurisdictions for non-compliance. This right may be misused by individuals, as it will lead to artificial alteration of the content available online, which may result in the delinking of pertinent information.

Recent developments in India

The data protection regime and data privacy laws of India are not comprehensive and dynamic enough to respond to technological advances in the modes of collection, transfer and use of personal information. The Information Technology Act, 2000 and the rules framed under the Act make up the primary legal framework that governs this subject. The Delhi High Court is currently hearing a matter (Laksh Vir Singh Yadav vs. Union of India, WP(C) 1021/2016) where the petitioner has requested the removal of a judgment involving his mother and wife from an online case database. The petitioner claims that the appearance of his name in the judgment is causing prejudice to him and affecting his employment opportunities. It will be interesting to see the outcome of this case and how the larger debate of the right to privacy of an individual versus the right of the public to access information unfolds in this case.

It is pertinent to note that the Delhi High Court is dealing with the request for removal of a court order which is a public document. This request is unusual and distinct from a request for delinking of search results appearing in search engines like Google since such delinking does not result in the removal of the information itself. Allowing the removal of such judgments from online case databases could result in the expunging of public records. Furthermore, the removal of judgments from online public databases will obstruct public access to case materials shedding light on critical questions of law.

While implementing the right to be forgotten, a very fine balance has to be struck between the right to freedom of speech and expression, public interest and personal privacy. To balance these conflicting rights, the judiciary may consider implementing a system where personal information of the litigants, such as names and addresses, is redacted from reportable judgments/orders, especially in personal disputes. The courts have, in the past, refrained from divulging the identities of parties in order to respect their privacy in many rape or medico-legal cases.

With many unanswered questions surrounding this right, India requires a comprehensive data protection regime to regulate the entities collecting and processing personal data and to define the terms of use, storage and deletion of such personal data. This will ensure that such entities are obliged to take due care of the personal data in their possession and will also provide a framework for dealing with requests for removal or erasure of such personal data.