Data protection and privacy - India
Table of contents
1. Introduction
2. Data and data processing
3. Data protection and the right to information
4. Conclusion
samples, models, data material held in any electronic form and information relating to any
private body which can be accessed by a public authority under any other law for the time
being in force;
This legislation was born out of the liberal interpretation given to Article 19(1)(a) of the
Constitution which guarantees the fundamental rights to free speech and expression. The
prerequisite for enjoying this right is knowledge and information. The absence of authentic
information on matters of public interest will only encourage wild rumours and speculations
and avoidable allegations against individuals and institutions. Therefore, the Right to
Information becomes a constitutional right, being an aspect of the right to free speech and
expression which includes the right to receive and collect information. This will also help the
citizens perform their fundamental duties as set out in Article 51A of the Constitution. A
fully informed citizen will certainly be better equipped for the performance of these duties.
Thus, access to information would assist citizens in fulfilling these obligations.
As no right can be absolute, the Right to Information has to have its limitations. There will
always be areas of information that should remain protected in public and national interest.
Moreover, this unrestricted right can have an adverse effect of an overload of demand on
administration. So the information has to be properly, clearly classified by an appropriate
Unlike the US and EU there is no specific enactment on Data Protection in India. However,
the Indian government is under increasing pressure from business process outsourcing
operations and call centers in India that handle large volumes of data from the U.S. and
Europe to pass a Data Protection Law. The Ministry of Information Technology and
National Association of Software and Service Companies (NASSCOM) are in the process of
drafting legislation to amend the country's existing Information Technology Act of 2000,
with the intention of bringing the data protection regime up to the standard required by the
US and the EU.
The growth of the computer industry in the last two decades has been amazing. This growth
has been accompanied by an increase in the quantity and availability of data stored by private
companies and the Government in almost all the countries of the world, including India. The
ease with which information is transmitted and stored has created an information market in
which personal data is bought and sold to various groups. The key to the information age is
the swift transfer and storage of digital data. For marketeers and corporations some of the
most important data traded involves information about our personal histories. Whether it be
buying habits, driving records, medical records or credit reports, this information is a hugely
valuable commodity. As these companies go from source to source, collecting as much
pertinent personal information as possible, citizens' privacy is being slowly eroded.
There must, therefore, certainly be a point where society draws the line and declares certain
pieces of information off the market. There is no doubt that we cannot protect all data, bit
by bit, byte by byte, but something must be done. Much of this problem arises from the fact
that there is little or no legal protection of personal data and the Right to Information Act is
not sufficient to protect such private and personal data, which is why the government is
considering the passing of a data protection law which will fulfil such objective.
Data in everyday language is a synonym for information. In the exact sciences there is a clear
distinction between data and information, where data is a measurement that may be
disorganized and when the data becomes organized it becomes information. Data may relate
to reality, or to fiction. Data about reality consists of propositions[2]. A large class of
practically important propositions are measurements or observations of a variable. Such
propositions may comprise numbers, words or images[3].
According to Article 2(a) of the Directive 95/46/EC of the European Parliament and
of the Council of 24 October 1995 on the protection of individuals with regard to the
processing of personal data and on the free movement of such data, 'personal data'
shall mean any information relating to an identified or identifiable natural person ('data
subject'); an identifiable person is one who can be identified, directly or indirectly, in
particular by reference to an identification number or to one or more factors specific to his
physical, physiological, mental, economic, cultural or social identity.
Today, possibly the largest amount of recorded personal information is in the form of
government records. From birth to death, the Government keeps track of all the major
events in our lives. Records are kept for driver's licences, marriage licences, property
ownership, criminal activities, tax information, voter registration, and much more. Some of
this information is confidential but most of it is stored in the form of public records, and
"public records" are just that: public.[4] Therefore there is a strong need for a law which
governs information which is personal to an individual.
[2] In common philosophical language, a proposition is the content of an assertion, that is, it is
true-or-false and defined by the meaning of a particular piece of language. The proposition is
independent of the medium of communication.
[3] http://en.wikipedia.org/wiki/Data#Meaning_of_data.2C_information_and_knowledge
[4] Faizan Mustafa, Privacy Issues in Data Protection: National and International Laws, (2004) PL WebJour
CHAPTER 3: DATA PROTECTION AND THE RIGHT TO INFORMATION
We live in a world of international data transmissions. Digitalization of information,
combined with continuous and dazzling technological developments, has increased the flow
and application of data. Information sharing now takes place on an international scale and
involves a tremendous amount of data referring to individuals[5]. Among the critical
regulatory challenges raised by such international information flows is how to protect
individual privacy. In Europe, where this issue receives the most concerted attention in
the world, the response is found in "data protection law." This term refers to the legal
structures that attempt to regulate knowledge and concealment of an individual's personal
information[6].
Also, the growth of e-commerce requires consumer confidence, and privacy is a key
requirement in building online consumer confidence. An increasing number of consumers
are concerned with how their personal information is used in the electronic marketplace, and
many consumers would rather forgo web-provided information and products than provide a
website their personal information without knowing that site's information practices[7].
According to the results of a Business Week survey released in 1998, consumers not
currently using the Internet ranked concerns about personal information and
communication privacy as the foremost reason they have stayed off the Internet[8]. These
findings suggest that effective and meaningful consumer privacy protections need to be
implemented if the electronic marketplace is to grow significantly. Otherwise, consumers will
remain wary of engaging in electronic commerce, and this new marketplace will fail to reach
its full potential.
[5] Reinhard Ellger, Der Datenschutz im grenzüberschreitenden Datenverkehr, 108-29 (1990). Ellger finds
that the most intensive transborder data flows occur in the following areas: (1) personnel departments;
(2) banks, insurance companies, credit card companies, and credit bureaus; (3) direct marketing; (4) airlines,
travel agencies, and other businesses involved in tourism; (5) companies that seek to deliver goods to or
otherwise trade with international customers; and (6) within the public sector: police, customs, tax
departments, and public pension agencies.
[6] Paul M. Schwartz, EUROPEAN DATA PROTECTION LAW AND RESTRICTIONS ON
INTERNATIONAL DATA FLOWS, 80 Iowa L. Rev. 471, cited from www.westlaw.com
[7] Louis Harris and Associates, Inc. and Dr. Alan F. Westin, Commerce, Communications, and Privacy
Online, A National Survey of Computer Users, 20-21 (1997).
[8] Business Week/Harris Poll: Online Insecurity, BUSINESS WEEK, Mar. 16, 1998, at 102.
DATA PROTECTION AND THE EUROPEAN UNION
On July 25, 1995, the European Union's Council of Ministers ("E.U. Council") formally
adopted the Directive 95/46/EC of the European Parliament and of the Council on the
protection of individuals with regard to the processing of personal data and on the free
movement of such data. When enacted in 1995, the Directive was widely considered the
"most important international development in data protection in the last decade." Its
comprehensive public policy approach is based upon "the premise that privacy is a human
right and data protection is an essential means to protect that right through a coherent and
enforceable legal regime."[9]
Generally, the Directive has two overall objectives: (1) the protection of information privacy
by Member States of the European Union; and (2) the prevention of restrictions on the free
flow of personal information among E.U. Member States, for reasons of privacy
protection.[10] In order to realize these two objectives, the Directive comprises a mixture of
obligations for data processors[11] that control personal data processing[12], together with the
enforcement of individuals' rights for those who are the subject of data processing. These
are reflected in a set of information privacy principles set out in Chapter II (General Rules
on the Lawfulness of the Processing of Personal Data) of the Directive.
These principles cover four general areas of concern: (1) data quality, (2) legitimate
processing, (3) rights of data subject and (4) security of data. The first principle, data quality,
has five specific requirements:
(1) Fairness/Lawfulness: Personal data must be "processed fairly and lawfully;"[13]
[9] Graham Pearce & Nicholas Platten, Orchestrating Transatlantic Approaches to Personal Data
Protection: A European Perspective, 22 FORDHAM INT'L L. J. 2024, 2026 (1999).
[10] Article 1(2)
[11] 'processor' shall mean a natural or legal person, public authority, agency or any other body which
processes personal data on behalf of the controller; 'controller' shall mean the natural or legal person,
public authority, agency or any other body which alone or jointly with others determines the purposes
and means of the processing of personal data; where the purposes and means of processing are
determined by national or Community laws or regulations, the controller or the specific criteria for his
nomination may be designated by national or Community law.
[12] 'processing of personal data' ('processing') shall mean any operation or set of operations which is
performed upon personal data, whether or not by automatic means, such as collection, recording,
organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
(6) Legitimate Interest: Personal data may be processed if processing is "necessary for the
purposes of legitimate interests pursued by the controller or by the third party or parties
to whom the data are disclosed, except where such interests are overridden by the
interests or fundamental rights and freedoms of the data subject which require
protection under Article 1(1)."[18]
The third principle pertains to rights of the data subject, the person whose personal data is
collected and transmitted. This principle secures three rights:
(1) Right of Access: Every data subject has the right to obtain from the controller
"confirmation as to whether or not data relating to him are processed and information at
least as to the purposes of the processing, the categories of data concerned, and the
recipients or categories of recipients to whom the data are disclosed;"
(2) Right to Correct/Block Information: Every data subject has the right to obtain from the
controller "the rectification, erasure, or blocking of data, the processing of which does
not comply with the provisions of this Directive, in particular because of the incomplete
or inaccurate nature of the data;"[19]
(3) Right to Object: Every data subject has the right "to object at any time on compelling
legitimate grounds relating to his particular situation to the processing of data relating to
him."[20]
The final principle concerns the security of the collected or transmitted personal data. The
Directive requires Member States to "implement appropriate technical and organizational
measures to protect personal data against accidental or unlawful destruction or accidental
loss and against unauthorized alteration, disclosure or access."[21]
The Directive specifies various mechanisms that aid in the implementation of these privacy
principles. It requires that each Member State enact legislation to fully address and
implement the Directive's four information privacy principles. Further, each E.U. Member
State must establish one or more public authorities to oversee and enforce privacy
protections. The Directive also grants individual rights of enforcement. The Directive
requires that individuals be granted the right to seek a judicial remedy for any breach of a
Member State's national law regarding information privacy, as well as a right to recover
compensatory damages.[22]
The results of research conducted by the Commission shed some light on some of the
more interesting considerations that help to gauge public perception, and the efficacy of the
Directive in making an impact on the personal data markets. For example, the Commission
found that despite the Directive's requirement of apparently high standards of data privacy,
44% of survey respondents considered the standards as a minimum protection of their
personal data rights. Somewhat paradoxically, 81% of respondents also considered the level
of awareness of individuals regarding data protection rights to be insufficient, bad, or very
bad. The same investigation also revealed that although there was a general acceptance
among businesses of the need for data protection rights, there seemed to be a general apathy
towards fulfilling the obligations towards individuals when such data protection rights were
exercised.
The most publicized, contentious, and onerous (at least from a non-EU nation perspective)
provisions contained in the Directive are those that relate to the transfer of personal data to
so-called "third countries." In essence, the Directive blocks all international transfers of data
to countries outside of the EU, where the "third country does not ensure an 'adequate level
of protection'."[23] Findings of adequacy are made by the Commission, in consultation with
the Working Party established under article 29 of the Directive. Member States have an
obligation to inform the Commission of countries that do not enshrine such adequate
protection[24].
[22] Art. 23
[23] Art. 25
[24] Seth P. Hobby, THE EU DATA PROTECTION DIRECTIVE: IMPLEMENTING A WORLDWIDE
DATA PROTECTION REGIME AND HOW THE U.S. POSITION HAS PROGRESSED, 1 Int'l L. &
With regard to damages available in the event of a breach of data privacy, Section 43(b) is
deficient in that the maximum penalty for this breach is monetary compensation in the paltry
amount of approximately $220,000. The maximum monetary damages available for a breach,
which can potentially be worth several times more, is clearly inadequate in a transnational
context. The more limited crimes of computer hacking and tampering are considered
criminal offenses under the IT Act of 2000: Section 65 offers protection against intentional
or knowing destruction, alteration, or concealment of computer source code. Section 66,
while offering no clear language that protects personal data, offers limited protection when
personal data is destroyed, deleted or altered. Both Sections 65 and 66 are punishable with
criminal penalties including jail time of up to 3 years. In addition to the protections discussed
above, Section 72 of the IT Act of 2000 offers some protection for breaches of
confidentiality and privacy. Non-consensual disclosure of confidential information is
punishable by imprisonment for up to 2 years.
In contrast to the IT Act of 2000, the E.U. Directive envisions much broader violations
associated with breach of data security than does the limited sphere of the IT Act of 2000.
As described previously, the E.U. Directive provides for protections in the entire chain of
control of data and creates systems of security and associated penalties within the various
stages of data processing. For instance, the Directive prescribes limits to the collection of
personal data, requiring that a purpose for the data collection be articulated. The Directive
also requires that data must be obtained by lawful and fair means and, where appropriate,
with the knowledge or consent of the data subject; personal data should be relevant to the
purposes for which they are to be used, and, to the extent necessary for those purposes,
should be accurate, complete and kept up-to-date. A reformation of the IT Act of 2000
should encompass the principles contained in the Directive related to limitation of data
collection, data quality, specified purpose, use limitation, security safeguards, individual
participation and accountability[25].
[25] Vinita Bali, DATA PRIVACY, DATA PIRACY: CAN INDIA PROVIDE ADEQUATE PROTECTION
FOR ELECTRONICALLY TRANSFERRED DATA?, 21 Temp. Int'l & Comp. L.J. 103, cited from
2. Indian Criminal Laws
design material and associated printed documentation, such as users' manuals) have
copyright protection under Indian laws. Computer programs per se are not patentable, being
patentable only in combination with hardware. Thus in India, by past practice and under
current laws, copyright is the preferred mode of protection for computer software. The
Indian Copyright Act prescribes mandatory punishment for piracy of copyrighted matter
commensurate with the gravity of the offense. Section 63B of the Indian Copyright Act
provides that any person who knowingly makes use on a computer of an infringing copy of
a computer program is punishable with a maximum of three years in prison.
Private contractual terms have been used as a means for filling the gap left by the IT Act of
2000 and other laws in India. Until a tighter data protection legal regime is in place, the U.S.
and other countries outsourcing to India are relying upon contractual obligations to impose
obligations for protecting and preserving data. There is growing recognition within the
outsourcing industry that contractual obligations do not provide the most efficient or effective
recourse. In the event of a breach of the security of data, getting effective remedy under the
contractual obligations is time consuming and often insufficient[26].
Overall, few incidents of misuse of data by employees of Indian business service providers
have arisen to date. However, the few that have occurred have set off alarms for both
American and Indian companies. For example, in June 2005, American business
outsourcers and their Indian counterparts were extremely concerned when Interpol was
asked to investigate allegations that a 24-year-old worker at Infinity e-Search, a web
marketing company in New Delhi, had sold information that he obtained from call center
workers at a BPO company. An undercover British reporter from a London tabloid
newspaper, The Sun, claimed that the Infinity e-Search employee sold him Barclays Bank
account details for 1,000 U.K. customers. The account holders' secret passwords, addresses,
phone numbers, and passport details were allegedly sold for 350,000 rupees (INR 350,000),
which is the equivalent of around U.S. $8,000. This situation points out the flaws in having
sensitive information in the hands of offshore employees in a developing country where the
temptation may be great to make vast amounts of money in local currency by selling
information to unscrupulous buyers, particularly when the exchange rate makes the
purchase cost in the western country relatively minimal.[27]
[26] Ibid.
[27] Deborah Roach Gaut, OFFSHORE OUTSOURCING TO INDIA BY U.S. AND E.U. COMPANIES:
LEGAL AND CROSS-CULTURAL ISSUES THAT AFFECT DATA PRIVACY REGULATION IN
BUSINESS, 6 U.C. Davis Bus. L.J. 13, cited from www.westlaw.com
In conclusion, it can be said that in India, the existing legal regime in relation to data
protection is not strong and consolidated. We do not have a separate law to obtain personal
information related to the requester himself. The Right to Information Act is being used for both
purposes, i.e. to obtain personal information as well as non-personal information, which
sometimes creates confusion and creates issues relating to the privacy of the individuals. The
regime in the EU is much wider and more specific as compared to India. Specific laws in relation to
data protection are the need of the hour in the Indian legal system. The provisions that are