The Minister of State for Communications & Information Technology Shri Sachin Pilot, informed Rajya Sabha today that Section 43A of the amended Information Technology Act, 2000 establishes a legal framework for data privacy protection in India. It mandates ‘body corporates’ to implement ‘reasonable security practices’ for protecting ‘sensitive personal information of individuals. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) rules, 2011 notified on 11.4.2011 under section 43A of the Act explicitly define ‘reasonable security practices’ and ‘sensitive personal information’. The rules mandates that body corporate must provide policy for privacy and disclosure of information, so that user is well aware of the type of personal data collected, purpose of collection and usage of such information. The rules also specify mode of collection of information, disclosure of information, transfer of information and reasonable security practices and procedures. All body corporate in India are required to comply with the provisions of the rules.
The Information Technology Act, 2000 and the rules prescribe therein requires the body corporate to publish the privacy policy. Google has published a Privacy Policy on their website.
Any change in the privacy policy is not within the purview of amended Information Technology Act, 2000.
Section 43A of the Act and the Rules notified therein reflect global principles of privacy and are similar to EU Data Protection Directive and provide means for effective implementation by establishing procedural / enforcement mechanisms such as requirement of yearly audit of by the Government approved independent auditor.
Certain media reports have appeared on changes in Google’s privacy policy. France’s independent privacy watchdog, the CNIL (nationale de I’informatique et des libertes) stated that the changes made do not comply with European law. Another report states that European Union (EU) feels the new privacy policy makes it impossible to understand which purposes, personal data, recipients or access rights are relevant to the use of a specific service. It may be mentioned that Privacy is a fundamental right in Europe.
Rectification of conflict between Google, an US Company and European Directive on Data Protection is not within the purview of Government of India.
The new Google Privacy Policy provides information to the end users as to how their personal information is collected, for which it is collected, processed and secure. The end users, however, need to fully understand the privacy policy of Google, the consequences of sharing their personal information and their privacy rights before they start using online services.
