Towards a Data Protection Framework (CCG Privacy Law Series)

Smitha and I are writing a series of papers on a data protection law for India, based on our research. We hope that our discussion of the options before us and their relative merits and demerits will help others engage with these difficult questions in a nuanced manner.

The first paper sets out the context for the data protection law. It discusses the reasons and purpose for regulation and what specifically will be regulated. It also discusses who will be regulated, since this is important while considering the regulatory strategies to use while implementing the data protection principles. It is available here.


CCG on the Privacy Judgment

Written by the Civil Liberties team at CCG

A 9 judge bench of the Supreme Court of India passed a landmark judgment two weeks ago, which unanimously recognized the right to privacy as a fundamental right under the Constitution of India. The Court found the right to privacy to be a part of the freedoms guaranteed across fundamental rights, and an intrinsic aspect of dignity, autonomy and liberty.

In 2012, a petition was filed before the Supreme Court by Justice K. S. Puttaswamy (Retd.), challenging the validity of Aadhaar. During the course of the hearings, the Attorney General argued that the Supreme Court in M.P. Sharma v. Satish Chandra (1954) and Kharak Singh v. State of U.P. (1962) had found that there was no fundamental right to privacy in India, because of which its position in the Indian Constitution was debatable. As a consequence, the Court in its order on August 11, 2015 referred the question to a Constitution bench of the Supreme Court. Last month, the Constitution bench decided to refer the matter to a 9 judge bench, in view of M.P. Sharma and Kharak Singh being decided by an 8 judge bench, and a 6 judge bench respectively. A timeline of events, from the filing of the petition, to the constitution of the 9 judge bench, may be found here.

During the proceedings, the petitioners broadly argued that M.P. Sharma and Kharak Singh were no longer good law; that privacy was an essential component of liberty, dignity and other core aspects of the Constitution; and that the fundamental right to privacy could be located in a combined reading of the rights under Part III of the Constitution. Further, they argued that India’s international obligations presented an imperative to recognize the right. The respondents argued, among other things, that privacy was a vague concept, of which only certain aspects could be elevated to the status of a fundamental right, if at all. They argued that the right could be protected through the common law, or by statute, and did not need the protection of a fundamental right. Further, they argued that the right to life, and the concomitant duty of the state to provide welfare, must trump privacy. An index of our posts reporting the arguments is also available below.

The petition and reference posed some critical questions for the Court. The Court had to evaluate whether privacy, as argued, was just an alien, elitist construct unsuitable to India, or a necessary protection in a digital age. It was further tasked with defining its safeguards and contours in a way that would not invalidate the right. Chinmayi Arun’s piece specifically addresses these concerns here.

Fortunately, the Supreme Court also has an illustrious history of recognizing and upholding the right to privacy. The Centre for Communication Governance recently published an infographic, illustrating the Court’s jurisprudence on the right to privacy across 63 years.

The Court eventually decided on an expansive articulation of the fundamental right to privacy. However, the judgment raises a few crucial implications. We at the Centre for Communication Governance have presented our analysis of the judgment in various news media publications. Chinmayi Arun, our Research Director, has presented her views on the judgment as part of a panel of experts here, and in an interview, here. She also argues that the Court seems to have left significant leeway, presumably for intrusion by the state. Smitha presents a detailed assessment of the implications of the right to privacy here. The judgment has also been lauded for its critique of Suresh Kumar Koushal v. NAZ Foundation, which recriminalized consensual same-sex intercourse. As Arpita writes here, a strong formulation of the right to privacy, with its close connection to bodily integrity, can forge a more progressive expression of the rights of women and sexual minorities.

While the judgment is a step forward, its effect and implementation are yet to be seen. Recently, in the ongoing matter of Karmanya Singh v. Union of India (WhatsApp data sharing case), the Puttaswamy judgment was visited. Following from the judgment, the petitioners argued that the state should protect an individual’s right to privacy even when it is being infringed by a non-state actor.

 Reports of arguments made before the Supreme Court:

Digitisation of Health / Medical Records: Is the law keeping up?

By Smitha Krishna Prasad

Medical and health records are increasingly digitised, and ease of access is considered one of the key benefits of this trend. However, patient privacy and security of such records are important concerns that need to be addressed both under the existing legal framework, and in terms of development of new laws.

Earlier this month, news reports suggested that private medical records of over 35000 patients had been made publicly available through the website of a diagnostic laboratory based in Mumbai. Reports indicate that the website of the lab was hacked. However, other reports specify that the lab has disclaimed liability, stating that any requirement for confidentiality is limited in applicability to doctors only. Further, the lab suggested that since they were shortly to be moving to a different system, there was no urgency in remedying the security flaws.

While the above seems to be an internal security issue on the part of the lab, we have seen that health records are a favourite for hackers, across the world. These records are then either held for ransom or sold by such hackers.

The healthcare industry as a whole is seen as one of the least secure industries globally. At the same time, medical and health records of individuals are increasingly being digitised. Individuals and institutions in the healthcare industry are digitising records within their organisations to improve ease of access. The Ministry of Health and Family Welfare, Government of India, is in the process of setting up an Integrated Health Information Platform, and has issued Electronic Health Record Standards (EHR Standards). The EHR Standards are meant to provide for creation and maintenance of health records in a standardised manner that would allow for interoperability across platforms and institutions across the country. There are many pros and cons to undertaking such a digitisation effort – however, this post is limited to examining the legal framework surrounding such digitisation and the protection of privacy of patients.

Current Legal Framework in India

Today, India does not have a comprehensive privacy law, or an industry specific privacy regulation that focuses on the healthcare / medical industry. We do have the Information Technology Act, 2000 (“IT Act”), and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“IT Rules”), as well as the Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002 (“MCI Code of Ethics”).

The MCI’s Code of Ethics provides that physicians must maintain medical records pertaining to patients for a period of 3 years from commencement of treatment. Further, physicians must also make such records available to patients, authorised attendants and legal authorities upon request. Physicians are also required to make efforts to computerise such records. While there is no specific provision on maintenance of privacy and security of these medical records, the MCI Code of Ethics does provide that confidences entrusted by patients to physicians must not be revealed, unless required by law or in public interest. However, the MCI Code of Ethics is applicable to physicians i.e. doctors with MBBS or equivalent qualifications only.

On the other hand, the IT Act and the IT Rules are wider in application. They deal specifically with electronic records and require any person dealing with certain defined types of sensitive information, including medical records, to undertake data protection and security measures.

Any violation of the MCI Code of Ethics calls for disciplinary action against the concerned physician, which could include removal of the physician’s name from the register of qualified physicians. The IT Act, however, does not provide for any direct action or penalty in the case of non-compliance with the IT Rules, and relies on the person affected by the non-compliance to take action.

In addition to the MCI Code of Ethics and the IT Act, there are a few other laws such as the Medical Termination of Pregnancy Act, 1971 which provide for maintenance of confidentiality of patient information. However, these are largely specific to certain circumstances and are not comprehensive.

Potential Developments

In the absence of a comprehensive privacy and data protection law in India, some regulators have taken to establishing basic rules to protect consumers and individuals in their respective industries. For instance, the RBI places certain restrictions on the circumstances in which customer information can be shared by banks. Insurance and telecom companies are restricted from transferring certain customer information outside India.

Given the highly sensitive nature of medical / health related information, and recent trends of commoditisation of such information in the black market, such laws are much needed in the healthcare industry.

The EHR Standards do deal with certain aspects of privacy of patients and security of healthcare records. They prescribe several international standards to be adhered to by members of the healthcare industry while dealing with electronic health records. However, they appear to default back to the IT Act as the legislation that would govern the implementation of any data protection measures in relation to such records.

The Human Immunodeficiency Virus and Acquired Immune Deficiency Syndrome (Prevention and Control) Bill, 2014 also provides certain safeguards to ensure the privacy of patients, specifically in relation to their HIV status. Some concerns regarding the provisions of this bill have previously been discussed here. However, this proposed bill is again limited in scope, and does not apply across the medical industry.

Reports suggest that recognising the need for a more comprehensive law, the Central Government has taken up the initiative of drafting a healthcare industry specific privacy and data protection law.

Given that this law would be drafted from scratch, we suggest that it should be (a) holistic i.e. be applicable across the entire healthcare / medical industry, and not specifically to doctors / hospitals, and (b) technology agnostic, addressing medical / health information in any format, digitised or not.

The law should also take into account the internationally recognised privacy / fair information principles. These principles provide, among other things, for (a) collection of data by lawful means, and only when required, (b) use of data for the purpose it is collected only, (c) adequate security measures to be undertaken to protect data, and (d) accountability and openness about policies in place for use and protection of data.

Further, to the extent that it provides for the digitisation of records, and implementation of EHR Standards, it should be ensured that the principles of ‘privacy by design’ are used. The concept of privacy by design stipulates that privacy and data protection measures must be built into any system as a default, taking a preventative approach to data protection rather than a remedial approach.

Another important concern is enforcement – our current laws, such as the IT Act, do not provide for proactive enforcement in case of failure to protect privacy / data of individuals, and leave it up to the affected individuals to act. Ideally, a dedicated regulator with the ability to investigate and direct action against defaulters is required. Perhaps the role of the National e-Health Authority proposed by the Government could be expanded to deal with privacy and security of all health records and information.

While the idea of implementing a health privacy and data protection law is a welcome move, it remains to be seen how far this proposed legislation will go towards fully protecting patients’ rights.

CCG analyses on the Criminal Defamation ruling

Written by Nakul Nayak

Since the Supreme Court’s May 13th ruling on the constitutionality of criminal defamation laws in India, CCG has come out with two op-eds on the shortcomings of the judgment.

  1. In today’s Indian Express, Chinmayi Arun (Executive Director of CCG) raises important questions surrounding the implications of the judgment. Specifically, Chinmayi points out the glaring dissonance in the Central Government arguing for a right to reputation in the domain of defamation and simultaneously arguing against the fundamental right to privacy in the Aadhar hearings. Chinmayi also goes on to criticise the Supreme Court’s inadequate recognition of the powerful parties that use criminal defamation laws and their disparate impact on ordinary citizens. Her op-ed can be found here.
  2. A few days back, I wrote an opinion piece in Livemint arguing that criminal defamation laws can and have been used by state officials to obfuscate public inquiry. This affects the truth-seeking endeavour of free speech, apart from the fact that India necessitates a “public good” value to truthful statements to qualify as a defence. I also argue that section 199 of the CrPC, which enlists the procedure to be followed in any criminal defamation prosecution, envisages an additional avenue for silencing criticism of official conduct by allowing a public prosecutor to file a complaint even when the particular state servant may not have felt aggrieved. My op-ed can be found here.
  3. Post Script [May 27, 2016]: Anna Liz Thomas, a student at NALSAR University and an intern with CCG, has written an interesting piece analysing the arguments of the petitioners that were never countered or even addressed by the Supreme Court. Anna proceeds to look at the effect of these arguments and this, apart from making for a compelling read, makes one wonder whether the rebuttal of these arguments would have made the judgment a more informed and nuanced one. Anna’s post can be found here.

List of Petitions Tagged in the Aadhaar Matter

By Sarvjeet Singh & Joshita Pai

The Supreme Court has referred the issues of Aadhar and the larger issue of the right to privacy to a constitutional bench.

The Centre for Communication Governance at National Law University, Delhi has been tracking the case and is collecting various documents relating to it.

The details of various petitions and other information regarding the cases are available below. (The table is not exhaustive as we are still collecting information.)

If you have any information or copy of petitions or submissions please mail them to or

| S. No. | Number & Title of the Case | Advocate on Record | Senior Advocate |
|---|---|---|---|
| 1. | WP (C) No. 494/2012, Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. | Mr. Anish Kumar Gupta | Mr. Soli Sorabjee |
| 2. | Transfer Case (Civil) No. 151/2013, S. Raju v. The Deptt. of Finance Reps. by Secy & Ors. | Mrs. Geetha Kovilan | |
| 3. | TP (C) No. 152/2013, Vickram Crishna & Ors. v. UIDAI & Ors. | Mr. Rahul Narayan | Ms. Meenakshi Arora |
| 4. | WP (C) No. 829/2013, S.G Vombatkere & Anr. v. UOI & Ors. | M/s. K.J. John & Co. | Mr. Shyam Divan |
| 5. | WP (C) No. 833/2013, Aruna Roy & Anr. v. UOI & Ors. | M/s. Meharia & Company | Mr. P.S. Narsimha (recused after being appointed an ASG) |
| 6. | WP (C) No. 932/2013, Nagrik Chetna Manch v. UOI & Ors. | Dr. Abhishek Atrey, Adv. | Mr. Jayant Bhushan |
| 7. | TP (C) No. 312/2014, Indian Oil Corp. Ltd & Ors. v. Ashok Kumar Paikaray & Ors. | M/s. Meharia & Company | |
| 8. | TP (C) No. 313/2014, Indian Oil Corp. Ltd & Ors. v. All Orissa Consumer Protection Council & Ors. | M/s. Meharia & Company | |
| 9. | WP (C) No. 37/2015, Mathew Thomas v UOI & Ors. | Ms. Aishwarya Bhati | Mr. Gopal Subramanium |
| 10. | WP (C) No. 220/2015, S.G. Vombatkere & Anr. v. UOI & Ors. | M/s. K. J. John & Co. | |
| 11. | TP (C) No. 921/2015, UOI & Anr. v. Sri. V. Viswanadham & Ors. | Mr. D. S. Mahra | Mr. A.K. Sanghi |

Supreme Court refers clarifications on Aadhar to the larger bench

Written By Joshita Pai

The Supreme Court has rejected the plea of the Union Government and several other public organisations to stay the interim order passed on the 11th of August, 2015 in the Aadhar matter. The Court has declined the request for making Aadhar mandatory except for availing LPG and PDS services. It has referred all applications seeking clarification or revocation of the order to a larger bench of the Supreme Court, which would also be presiding on the issue of privacy.

The larger bench is yet to be constituted; however, the lawyer for the petitioner has asked the Chief Justice to constitute the bench at the earliest, and the Chief Justice has asked the petitioners to present their case in court tomorrow.

Many schemes, such as digilocker, which will serve as an e-locker for official documents, and the Online Registration System, an e-health-centric initiative by Deity, require one to enter their Aadhar number for access; there has been a blatant disregard of the limited purpose prescribed by the order. The Court, earlier in the month, asked the Centre to strictly comply with the order and reminded it that the mandatory nature of Aadhar is applicable only to LPG and PDS schemes.

The reservation of a clarification and a stay on the application of Aadhar is certainly going to speed up the setting up of a constitutional bench. The execution and continuation of several projects and social schemes now hinge on the decision of the Court. The Constitutional bench is now entrusted with deciding on the scope and utility of Aadhar, over and above determining the existence of privacy as a fundamental right.

Aadhar case: Ready Reckoner

By Shrutanjaya Bhardwaj

| Date | Summary | Links |
|---|---|---|
| 23 September 2013 | The Supreme Court issued an interim order saying that Aadhaar card is not mandatory. It observed that: “No person should suffer for not getting the Aadhaar card in spite of the fact that some authority had issued a circular making it mandatory and when any person applies to get the Aadhaar card voluntarily, it may be checked whether that person is entitled for it under the law and it should not be given to any illegal immigrant.” | Outlook India, Zee News |
| 8 October 2013 | The Court rejected the Centre’s plea to revise its earlier order and make Aadhaar cards mandatory for social welfare schemes heavily subsidized by the government. | NDTV |
| 26 November 2013 | The Court passed an order impleading all states and UTs in the case. | Order |
| 24 March 2014 | The Supreme Court reiterated the above: “If there are any instructions that Aadhaar is mandatory, it should be withdrawn immediately.” The Court also restrained the UIDAI from transferring any biometric data to any agency without the consent of the person. In doing so, it reversed the order of the P&H High Court. [Different case: The High Court order was aimed at helping investigations into a 14-month-old rape case in Goa.] | Dailymail, Hindu, Indian Express, Livemint |
| 3 February 2015 | The Court asked the Narendra Modi government to clear its stand on whether it intends to continue with the UPA government’s plan to allow Aadhar as proof of identity for direct transfer of cash for social welfare schemes. The bench, headed by Chief Justice HL Dattu, sought the clarification from Solicitor General Ranjit Kumar: “We have read it in the newspapers that there is some rethinking on the scheme. You have to tell us by Friday next,” the bench said. | Financial Express |
| 13 February 2015 | Solicitor General Ranjit Kumar cleared the Government’s stand, saying that the Government will go ahead with the UID project. | Deccan Herald |
| 13 February 2015 | RBI was impleaded as a party, since the petitioner had claimed that the central bank was asking for the Aadhaar number to open bank accounts and know-your-customer documents. | Livemint |
| 16 March 2015 | The Solicitor General admitted and the Court took note of the fact that the Aadhaar number was being asked for by governmental agencies for anyone to be able to avail their services. Relevant extracts from Order: “In the meanwhile, it is brought to our notice that in certain quarters, Aadhar identification is being insisted upon by the various authorities, we do not propose to go into the specific instances. Since Union of India is represented by learned Solicitor General and all the States are represented through their respective counsel, we expect that both the Union of India and States and all their functionaries should adhere to the Order passed by this Court on 23rd September, 2013.” | Hindu, DNA, Business Standard |
| 16 July 2015 | The Centre urged the Court to vacate its two-year old stay on mandatory Aadhaar cards, citing the “tremendous success” of the Aadhaar project. | Telegraph India |
| 21 July 2015 | Attorney General Mukul Rohtagi told the Court that the matter needed to be transferred to a Constitution Bench, since important questions were being raised. | Livemint |
| 22 July 2015 | Attorney General Mukul Rohtagi told the Court that there is no fundamental right to privacy in India, as per an eight-judge bench decision of 1954. | Indian Express |
| 22 July 2015 | The Court said it was inclined to refer the matter to a higher bench. | Newsgram |
| 22 July 2015 | Matter part heard in Court – Mukul Rohtagi, K.K. Venugopal finished submissions and Shyam Divan started – listed for 23 July. | |
| 23 July 2015 | Matter part heard in Court – Shyam Divan argued for the first half of the day, and Gopal Subramaniam argued for the second half – listed for 28 July. | |
| 28 July 2015 | Matter part heard in Court, listed for 29 July | |
| 29 July 2015 | Matter part heard in Court, listed for 30 July | |
| 30 July 2015 | Centre opposed plea seeking initiation of contempt proceedings in Court | Zee News |
| 30 July 2015 | Matter part heard in Court, listed for 4 August | |
| 6 August 2015 | Order reserved – on whether the matter must be referred to a higher, Constitution bench or not – to be given out on Tuesday, 11 August | Indian Express, Economic Times |

(Shrutanjaya is an intern at CCG & a fourth year student at National Law University, Delhi)