Explanation

India has established privacy regime through a patchwork of legislations and regulations, unlike the European countries that have horizontal privacy laws. The Information Technology Act - IT Act 2000 – was amended in 2008 to regulate privacy aspects and to provide assurance to customers that their privacy is protected through the use of ‘reasonable security practices’. It achieved its purpose to some extent, but it does not satisfy all the requirements and expectations of a comprehensive privacy law. To address this, the Indian government is working on a comprehensive Privacy Protection Bill, which is likely to be based on Justice AP Shah Report, to which DSCI and NASSCOM have contributed as members.

Explanation

The earliest formal articulation of Privacy Principles was the formulation of the Code of Fair Information Practices (also known as Code of Fair Information Principles or FIPS) in the US in 1974. These are also sometimes referred to as Fair Information Privacy Principles or FIPPs as well. Initially, five principles were laid down which evolved to eight by 1977. These were developed by a US government advisory committee under the Department of Health, Education and Welfare (HEW) and subsequently augmented by a Privacy Protection Study Commission (PPSC). FIPs were developed and evolved in response to the growing use of automated data systems containing information about individuals - maintained by both public and private sector organizations In parallel, there was action in Europe as well. In the 1970s, European nations began to enact privacy laws beginning with Sweden, Germany and then France. By 1980, the Council of Europe adopted a Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. The Convention was the first legally binding international treaty on data protection. The Organization for Economic Cooperation and Development (OECD) proposed similar privacy guidelines around the same time as the Council of Europe’s original 1980 effort. A group of government experts developed the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The OECD adopted the recommendation, which became applicable on 23 September, 1980. Informally, these are known as the OECD Guidelines. OECD principles formed the basis of many national data protection legislations and model codes amongst the OECD countries. The OECD guidelines were endorsed by the US Federal Trade Commission (FTC) subsequently. They have gone on to become one of the most widely adopted guidelines in the privacy domain.

Explanation

Page No 36 of PBok At a high level, Privacy Principles can be grouped into the following two categories: Principles that advocate user engagement: Principles such as Notice, Consent, Collection Limitation, Access & Correction etc. are user centric principles and involve user transactions. Principles that are aligned to organizational context: Principles such as Purpose Limitation, Accountability, Disclosure, Security/Safeguard etc. talk about the norms and organizational measures for ensuring privacy protection by the organization.