Date post: | 08-Apr-2018 |
Category: |
Documents |
Upload: | bornautocrat |
View: | 218 times |
Download: | 0 times |
8/7/2019 data protection and privacy-india
http://slidepdf.com/reader/full/data-protection-and-privacy-india 1/17
Table of contents
1. Introduction--------------------------------------------------------------2 2. Data and data processing------------------------------------------------5 3. Data protection and the right to information-----------------------6
4. Conclusion-----------------------------------------------------------------16
8/7/2019 data protection and privacy-india
http://slidepdf.com/reader/full/data-protection-and-privacy-india 2/17
Page 1 of 17
CHAPTER 1: INTRODUCTION
¶Inform
ation·
as
aterm
h
as
been
derived
from
the
Latin
w ords
¶Form
ation·
and
¶Form
a·
w hich means giving shape to something and forming a pattern, respectively . Information
adds something new to our awareness and removes the v agueness of our ideas. Section 2(f)
of The R ight to Information Act, 2005 defines w hat information is. It provides that:
"information" means any material in any form, including records, documents, memos, e-
mails, opinions, advices, press releases, circulars, orders, log books, contracts, reports, papers,
samples, models, data material held in any electronic form and information relating to any
priv ate body w hich can be accessed by a public authority under any other law for the time
being in force;
This legislation was born out of the liberal interpretation given to Article 19( 1) ( a) of the
Constitution w hich guarantees the fundamental rights to free speech and expression. The
prerequisite for enjoying this right is know ledge and information. The absence of authentic
information on matters of public interest w ill only encourage w ild rumours and speculations
and avoidable alleg ations ag ainst individuals and institutions. Therefore, the R ight to
Information becomes a constitutional right, being an aspect of the right to free speech and
expression w hich includes the right to receive and collect information. This w ill also help the
citizens perform their fundamental duties as set out in Article 51A of the Constitution. A
fully informed citizen w ill certainly be better equipped for the performance of these duties.
Thus, access to information w ould assist citizens in fulfilling these oblig ations.
As no right can be absolute, the R ight to Information has to have its limitations. There w ill
always be areas of information that should remain protected in public and national interest.Moreover, this unrestricted right can have an adverse effect of an overload of demand on
administration. So the information has to be properly, clearly classified by an appropriate
authority .
8/7/2019 data protection and privacy-india
http://slidepdf.com/reader/full/data-protection-and-privacy-india 3/17
Page 2 of 17
The usual exemption permitting Government to w ithhold access to information is generally
in respect of the these matters: ( 1) International relations and national security; (2) Law
enforcement and prevention of crime; ( 3) Internal deliberations of the government; ( 4)
Information obtained in confidence from some source outside the Government; (5)
Information which, if disclosed, would violate the privacy of an individual; (6) Information, particularly
of an economic nature, w hen disclosed, w ould confer an unf air adv antage on some person
or subject or government; (7) Information w hich is covered by leg al/professional privilege,
like communication betw een a leg al advisor and his client and (8) Information about
scientific discoveries and inventions and improvements, essentially in the field of w eapons.1
The submitted project w ork deals w ith an area that can very w ell be associated w ith the right
to priv acy of a person. We do not have a separate law to obtain personal information related to the
requester himself. Right to Information Act is being used for both purposes, i.e. to obtain personal
information as well as non-personal information, which sometimes creates confusion. In USA, Priv acy Act
is used to obtain personal information and Freedom of Information ( FOI) Act is used for
obtaining other information. Similarly in UK , Data Protection Act is used to obtain personal
information and Freedom of Information Act is used for obtaining other information.
Separate Data Protection or Priv acy law is necessary to obtain personal information related
to the requester herself and at the same time to protect unnecessary disclosure to others. The
project deals w ith data protection and the leg al regime relating to it in the EU and India.
Data protection is nothing but maintaining the secrecy, integrity and authenticity of data relating to a person
or otherwise, which is very important in international transactions and also for the person himself. Bank
account details, passport and visa portfolios, balance sheet of a company, solvency status of
a person etc. are all details w hich need protection w hile processing or transfer in
transnational jurisdiction. There may be other numerous f acts and figures about entities that
require adequate protection and secrecy and therefore, a strong leg al regime protecting the
same is the need of the hour ow ing to the w hooping increase in transnational transactions.
The project tries to look into the status of law in EU and India and analyses the same to
bring out the positive and neg ative points.
1 http://www.rrtd.nic.in/RIGHT%20TO%20INFORMATION.html
8/7/2019 data protection and privacy-india
http://slidepdf.com/reader/full/data-protection-and-privacy-india 4/17
Page 3 of 17
Unlike the US and EU there is no specific enactment on Data Protection in India. How ever,
the Indian government is under increasing pressure from business process outsourcing
operations and call centers in India that handle large volumes of data from the U.S. and
Europe to pass a Data Protection Law. The Ministry of Information Technology and
National Association of Software and Service Companies ( NASSCOM) are in the process of
drafting legislation to amend the country·s existing Information Technology Act of 2000,
w ith the intention of bringing the data protection regime up to the standard required by the
US and the EU.
The grow th of the computer industry in the last tw o decades has been amazing . Along w ith
this grow th, accompanied an increase in the quantity and av ailability of data stored by priv ate companies and the Government almost in all the countries of the w orld including India. The
ease w ith w hich information is transmitted and stored has created an information market in
w hich personal data is bought and sold to v arious groups. The key to the information age is
the sw ift transfer and storage of digital data. For marketeers and corporations some of the
most important data traded involves information about our personal histories. W hether it be
buying habits, driving records, medical records or credit reports, this information is a hugely
v aluable commodity . As these companies go from source to source, collecting as much
pertinent personal information as possible, citizen·s priv acy is being slow ly eroded.
There must, therefore, certainly be a point w here society draw s the line and declares certain
pieces of information off the market. There is no doubt that w e cannot protect all data, bit
by bit, byte by byte, but something must be done. Much of this problem arises from the f act
that there is little or no leg al protection of personal data and the R ight to Information Act is
not sufficient to protect such priv ate and personal data w hich is w hy the government is
considering the passing of a data protection law w hich w ill fulfil such objective.
CHAPTER 2: DATA and DATA PROCESSING
8/7/2019 data protection and privacy-india
http://slidepdf.com/reader/full/data-protection-and-privacy-india 5/17
Page 4 of 17
Data in everyday language is a synonym for information. In the exact sciences there is a clear
distinction betw een data and information, w here data is a measurement that may be
disorg anized and w hen the data becomes org anized it becomes information. Data may relate
to reality, or to fiction. Data about reality consists of propositions2. A large class of
practically important propositions are measurements or observ ations of a v ariable. Such
propositions may comprise numbers, w ords or images3.
According to Article 2(a) of the Directive 95/46/EC of the European Parliament and
of the Council of 24 October 1995 on the protection of individuals with regard to the
processing of personal data and on the free movement of such data, ¶personal data·
shall mean any information relating to an identified or identifiable natural person ( ¶data
subject·); an identifiable person is one w ho can be identified, directly or indirectly, in particular by reference to an identification number or to one or more f actors specific to his
physical, physiological, mental, economic, cultural or social identity .
Today, possibly the largest amount of recorded personal information is in the form of
government records. From birth to death, the Government keeps track of all the major
events in our lives. R ecords are kept for driver·s licences, marriage licences, property
ow nership, criminal activities, tax information, voter registration, and much more. Some of
this information is confidential but most of it is stored in the form of public records and
´public recordsµ are just that public.4 Therefore there is a strong need for a law w hich
governs those information w hich is personal to an individual.
CHAPTER 3: DATA PROTECTION and The RIGHT TO INFORMATION
2
In common philosophical language, a proposition is the content of an assertion, that is, it is true-or-falseand defined by the meaning of a particular piece of language. The proposition is independent of the
medium of communication.3
http://en.wikipedia.org/wiki/Data#Meaning_of_data.2C_information_and_knowledge4 Faizan Mustafa, Privacy Issues in Data Protection : National and International Laws, (2004) PL WebJour
16
8/7/2019 data protection and privacy-india
http://slidepdf.com/reader/full/data-protection-and-privacy-india 6/17
Page 5 of 17
W e live in a w orld of international data transmissions. Digitalization of information,
combined w ith continuous and dazzling technological developments, has increased the flow
and application of data. Information sharing now takes place on an international scale and
involves a tremendous amount of data referring to individuals5. Among the critical
regulatory challenges raised by such international information flow s is how to protect
individual privacy. In Europe, w here this issue receives the most concerted attention in
the w orld, the response is found in ´data protection law.µ This term refers to the leg al
structures that attempt to regulate know ledge and concealment of an individual·s personal
information6.
Also, the grow th of e-commerce requires consumer confidence, and priv acy is a key
requirement in building online consumer confidence. An increasing number of consumers
are concerned w ith how their personal information is used in the electronic marketplace, and
many consumers w ould rather forgo w eb-provided information and products than provide a
w ebsite their personal information w ithout know ing that site·s information practices7.
According to the results of a Business W eek survey released in 1998, consumers not
currently using the Internet ranked concerns about personal information and
communication priv acy as the foremost reason they have stayed off the Internet8. These
findings suggest that effective and meaningful consumer priv acy protections need to be
implemented if the electronic marketplace is to grow significantly . Otherw ise, consumers w ill
remain wary of eng aging in electronic commerce, and this new marketplace w ill f ail to reach
its full potential.
DATA PROTECTION and THE EUROPEAN UNION
5
Reinhard Ellger, Der Datenschutz im grenzüberschreitenden Datenverkehr , 108-29 (1990). Ellger finds
that the most intensive transborder data flows occur in the following areas: (1) personnel departments; (2)banks, insurance companies, credit card companies, and credit bureaus; (3) direct marketing; (4) airlines,
travel agencies, and other business involved in tourism; (5) companies that seek to deliver goods to or
otherwise trade with international customers; and (6) within the public sector: police, customs, tax
departments, and public pension agencies6
Paul M. Schwartz, EUROPEAN DATA PROTECTION LAW AND RESTRICTIONS ON
INTERNATIONAL DATA FLOWS , 80 Iowa L. Rev. 471, cited from www.westlaw.com 7
Louis Harris and Associates, Inc. and Dr. Alan F. Westin, Commerce, Communications, and PrivacyOnline, A National Survey of Computer Users, 20-21 (1997).
8 Business Week/Harris Poll: Online Insecurity, BUSINESS WEEK, Mar. 16, 1998, at 102.
8/7/2019 data protection and privacy-india
http://slidepdf.com/reader/full/data-protection-and-privacy-india 7/17
Page 6 of 17
On July 25, 1995, the European Union·s Council of Ministers ( ́E.U. Councilµ) formally
adopted the Directive 95/46/EC of the European Parliament and of the Council on the
protection of individuals w ith reg ard to the processing of personal data and on the free
movement of such data. W hen enacted in 1995, the Directive was w idely considered the
´most important international development in data protection in the last decade.µ Its
comprehensive public policy approach is based upon ´the premise that priv acy is a human
right and data protection is an essential means to protect that right through a coherent and
enforceable leg al regime.µ9
Generally, the Directive has tw o overall objectives: ( 1) the protection of information priv acy
by Member States of the European Union; and (2) the prevention of restrictions on the free
flow of personal information among E.U. Member States, for reasons of priv acy protection.10 In order to realize these tw o objectives, the Directive comprises a mixture of
oblig ations for data processors11 that control personal data processing 12, together w ith the
enforcement of individuals· rights for those w ho are the subject of data processing . These
are reflected in a set of information priv acy principles set out in Chapter II ( General R ules
on the Law fulness of the Processing of Personal Data) of the Directive.
These principles cover four general areas of concern: ( 1) data quality, (2) legitimate
processing, ( 3) rights of data subject and ( 4) security of data. The first principle, data quality,
has five specific requirements:
( 1) Fairness/Law fulness: Personal data must be ´processed f airly and law fully;µ13
9 Graham Pearce & Nicholas Platten, Orchestrating Transatlantic Approaches to Personal Data
Protection: A European Perspective, 22 FORDHAM INT¶L L. J. 2024, 2026 (1999).10 Article 1(2)11 µprocessor¶ shall mean a natural or legal person, public authority, agency or any other body which
processes personal data on behalf of the controller; µcontroller¶ shall mean the natural or legal person,public authority, agency or any other body which alone or jointly with others determines the purposes
and means of the processing of personal data; where the purposes and means of processing are
determined by national or Community laws or regulations, the controller or the specific criteria for his
nomination may be designated by national or Community law.12 µprocessing of personal data¶ (µprocessing¶) shall mean any operation or set of operations which is
performed upon personal data, whether or not by automatic means, such as collection, recording,
organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
13 Art. 6(1)(a)
8/7/2019 data protection and privacy-india
http://slidepdf.com/reader/full/data-protection-and-privacy-india 8/17
Page 7 of 17
(2) Purpose Limitation: Personal data must be ´collected for specified, explicit and legitimate
purposes and not further processed in a way incompatible w ith those purposes;µ 14
( 3) R elev ance: Personal data must be ´adequate, relev ant and not excessive in relation to the
purposes for w hich they are collected and/or for w hich they are further processed;µ15
( 4) Accuracy: Personal data must be ´accurate and, w here necessary, kept up to date; every
reasonable step must be taken to ensure that data w hich are inaccurate or incomplete,
having reg ard to the purposes for w hich they are collected or for w hich they are further
processed, are erased or rectified;µ16 and
(5) Timeliness: Personal data must be ´kept in a form w hich permits identification of data
subjects for no longer than is necessary for the purposes for w hich the data w ere
collected or for w hich they are further processed.µ17
The second principle, concerning the legitimate processing of personal data, has six
requirements:
( 1) Consent: Personal data may be processed only if ́the data subject has given his consent
unambiguouslyµ; or
(2) Contract: Personal data may be processed only if ́processing is necessary for the
performance of a contract to w hich the data subject is party or in order to take steps at
the request of the data subject entering the contract;µ or
( 3) Leg al Oblig ation: Personal data may be processed if ́processing is necessary for
compliance w ith a leg al oblig ation to w hich the controller is subject;µ or
( 4) V ital Interest: Personal data may be processed if ́processing is necessary in order to
protect the vital interest of the data subject;µ or
(5) Public Interest/Official Authority: Personal data may be processed if ́processing is
necessary for the performance of a task carried out in the public interest or in the
exercise of official authority vested in the controller or in the third party to w hom the data are disclosed;µ or
14
Art. 6(1)(b)15
Art. 6(1)(c)16 Art. 6(1)(d)17 Art. 6(1)(e)
8/7/2019 data protection and privacy-india
http://slidepdf.com/reader/full/data-protection-and-privacy-india 9/17
Page 8 of 17
(6) Legitimate Interest: Personal data may be processed if processing is ´necessary for the
purposes of legitimate interests pursued by the controller or by the third party or parties
to w hom the data are disclosed, except w here such interests are overridden by the
interests or fundamental rights and freedoms of the data subject w hich require
protection under Article 1( 1).µ18
The third principle pertains to rights of the data subject, the person w hose personal data is
collected and transmitted. This principle secures three rights:
( 1) R ight of Access: Every data subject has the right to obtain from the controller
´confirmation as to w hether or not data relating to him are processed and information at
least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to w hom the data are disclosed;µ
(2) R ight to Correct/Block Information: Every data subject has the right to obtain from the
controller ´the rectification, erasure, or blocking of data, the processing of w hich does
not comply w ith the provisions of this Directive, in particular because of the incomplete
or inaccurate nature of the data;µ19
( 3) R ight to Object: Every data subject has the right ´to object at any time on compelling
legitimate grounds relating to his particular situation to the processing of data relating to
him.µ20
The final principle concerns the security of the collected or transmitted personal data. The
Directive requires Member States to ´implement appropriate technical and org anizational
measures to protect personal data ag ainst accidental or unlaw ful destruction or accidental
loss and ag ainst unauthorized alteration, disclosure or access.µ21
The Directive specifies v arious mechanisms that aid in the implementation of these priv acy principles. It requires that each Member State enact legislation to fully address and
implement the Directive·s four information priv acy principles. Further, each E.U. Member
18
Art. 7(a) ± 7(f)19
Art. 12(1) ± (2)20 Art. 14(a)21 Art. 17(1)
8/7/2019 data protection and privacy-india
http://slidepdf.com/reader/full/data-protection-and-privacy-india 10/17
Page 9 of 17
State must establish one or more public authorities to oversee and enforce priv acy
protections. The Directive also grants individual rights of enforcement. The Directive
requires that individuals be granted the right to seek a judicial remedy for any breach of a
Member State·s national law reg arding information priv acy, as w ell as a right to recover
compensatory damages. 22
The results of a research conducted by the Commission shed some light on some of the
more interesting considerations that help to g auge public perception, and the efficacy of the
Directive in making an impact on the personal data markets. For example, the Commission
found that despite the Directive·s requirement of apparently high standards of data priv acy,
44% of survey respondents considered the standards as a minimum protection of their
personal data rights. Somew hat paradoxically, 81% of respondents also considered the level of awareness of individuals reg arding data protection rights to be insufficient, bad, or very
bad. The same investig ation also revealed that although there was a general acceptance
among businesses of the need for data protection rights, there seemed to be a general apathy
towards fulfilling the oblig ations towards individuals w hen such data protection rights w ere
exercised.
The most publicized, contentious, and onerous ( at least from a non-EU nation perspective)
provisions contained in the Directive are those that relate to the transfer of personal data to
so-called ´third countries.µ In essence, the Directive blocks all international transfers of data
to countries outside of the EU, w here the ´third country does not ensure an ¶adequate level
of protection·.µ23 Findings of adequacy are made by the Commission, in consultation w ith
the W orking Party established under article 29 of the Directive. Member States have an
oblig ation to inform the Commission of countries that do not enshrine such adequate
protection24.
22 Art. 2323 Art. 2524 Seth P. Hobby, THE EU DATA PROTECTION DIRECTIVE: IMPLEMENTING A WORLDWIDE
DATA PROTECTION REGIME AND HOW THE U.S. POSITION HAS PROGRESSED, 1 Int¶l L. &
Mgmt. Rev. 155, cited from www.westlaw.com
8/7/2019 data protection and privacy-india
http://slidepdf.com/reader/full/data-protection-and-privacy-india 11/17
Page 10 of 17
DATA PROTECTION IN INDIA
India does not currently have a specific data protection law. Data protection and priv acy are
given scattered and rather sparse coverage by existing law s. The existing data protection
law s, are scattered in law s pertaining to information technology, intellectual property, crimes,
and contractual relations. Under increasing pressure from BPO operations and call centers in
India that handle large volumes of data from the United States and Europe, the Indian
government is contemplating the passage of a comprehensive law protecting data.
Until such time as India enacts adequate data protection law s, the current law s in India are
the only protection offered for data priv acy violations. Unlike the Directive, w hich imposes
liability on each participant w ithin the chain of command w ho f ailed to protect the sanctity
of the data, India·s existing law s only prosecute those individuals w ho directly violate law s
related to computer systems or copyright. Entities are exempt for breaches of data priv acy,
unless such a violation was made know ingly . Unlike the Directive, w hich protects data
breaches by limiting its collection and use, the Indian law s do not specify conditions under
w hich data can be collected and used.
An analysis of the existing Indian laws is placed below : 1. IT Act of 2000
Section 43( b) of the IT Act of 2000, affords cursory safeguards ag ainst breaches in data
protection. The scope of Section 43( b) is limited to the unauthorized dow nloading, copying
or extraction of data from a computer system: essentially unauthorized access and theft of
data from computer systems. Section 43( b) is limited in scope, and f ails to meet the breadth
and depth of protection that the E.U. Directive mandates. The law creates personal liability
for illeg al or unauthorized acts, w hile making little effort to ensure that internet service
providers or netw ork service providers, as w ell as entities handling data, be responsible for
its safe distribution or processing . Furthermore, the liability of entities is diluted in Section
79 of the Act, w hich inserts ¶know ledge· and ¶best efforts· qualifiers prior to assessing
penalties.
8/7/2019 data protection and privacy-india
http://slidepdf.com/reader/full/data-protection-and-privacy-india 12/17
Page 11 of 17
W ith reg ard to damages av ailable in the event of a breach of data priv acy, Section 43( b) is
deficient in that the maximum penalty for this breach is monetary compensation in the paltry
amount of approximately $220,000. The maximum monetary damages av ailable for a breach,
w hich can potentially be w orth several times more, is clearly inadequate in a transnational
context. The more limited crimes of computer hacking and tampering are considered
criminal offenses under the IT Act of 2000: Section 65 offers protection ag ainst intentional
or know ing destruction, alteration, or concealment of computer source code. Section 66,
w hile offering no clear language that protects personal data, offers limited protection w hen
personal data is destroyed, deleted or altered. Both Sections 65 and 66 are punishable w ith
criminal penalties including jail time of up to 3 years .In addition to the protections discussed
above, Section 72 of the IT Act of 2000 offers some protection for breaches of
confidentiality and priv acy . Non-consensual disclosure of confidential information is punishable by imprisonment for up to 2 years.
In contrast to the IT Act of 2000, the E.U. Directive envisions much broader violations
associated w ith breach of data security than does the limited sphere of the IT Act of 2000.
As described previously, the E.U. Directive provides for protections in the entire chain of
control of data and creates systems of security and associated penalties w ithin the v arious
stages of data processing . For instance, the Directive prescribes limits to the collection of
personal data, requiring that a purpose for the data collection be articulated. The Directive also requires that data must be obtained by law ful and f air means and, w here appropriate,
w ith the know ledge or consent of the data subject; personal data should be relev ant to the
purposes for w hich they are to be used, and, to the extent necessary for those purposes,
should be accurate, complete and kept up-to-date. A reformation of the IT Act of 2000
should encompass the principles contained in the Directive related to limitation of data
collection, data quality, specified purpose, use limitation, security safeguards, individual
participation and accountability 25.
2. Indian Criminal Laws
25 Vinita Bali, DATA PRIVACY, DATA PIRACY: CAN INDIA PROVIDE ADEQUATE PROTECTION
FOR ELECTRONICALLY TRANSFERRED DATA?, 21 Temp. Int¶l & Comp. L.J. 103, cited from
www.westlaw.com
8/7/2019 data protection and privacy-india
http://slidepdf.com/reader/full/data-protection-and-privacy-india 13/17
Page 12 of 17
The Indian criminal law s do not specifically address breaches of data priv acy . Under the
existing Indian Penal Code, liability for such breaches must be inferred from tangentially
related crimes. For instance, Section 403 of the Indian Penal Code imposes criminal penalty
for dishonest misappropriation or conversion of ́mov able propertyµ for one·s ow n use.
Mov able property has been defined as property w hich is not attached to anything, and not
land. Although no jurisprudence has developed on this interpretation, arguably, mov able
property encompasses computer-relayed data and intellectual property . W rongful
misappropriation of data, or conversion for one·s ow n use may, under this interpretation, be
punishable as a crime in India.
In addition, Indian Penal Code Section 405 provides criminal penalties for criminal breach
of trust. W hoever, being in any manner entrusted w ith property, or w ith any dominion over
property, dishonestly misappropriates or converts to his ow n use that property, or
dishonestly uses or disposes of that property in violation of any direction of law prescribing
the mode in w hich such trust is to be discharged, or of any leg al contract, express or implied,
w hich he has made touching the discharge of such trust, or w illfully suffers any other person
so to do, commits ¶criminal breach of trust.· Section 420 of the Indian Penal Code may also
offer some protection for f ailure to adequately protect data. Section 420 pertains to
dishonest delivery of property to a third person.
The absence of specific provisions relating to data protection is clearly visible in the Indian
Criminal Law regime.
3. Intellectual Property Law Protection
Computer software (including computer programs, databases, computer files, preparatory
design material and associated printed documentation, such as users· manuals) have
copyright protection under Indian law s. Computer programs per se are not patentable, being
patentable only in combination w ith hardware. Thus in India, by past practice and under current law s, copyright is the preferred mode of protection for computer software. The
Indian Copyright Act prescribes mandatory punishment for piracy of copyrighted matter
commensurate w ith the gravity of the offense. Section 63B of the Indian Copyright Act
provides that any person w ho know ingly makes use on a computer of an infringing copy of
computer program can be punishable for a maximum of three years in prison.
8/7/2019 data protection and privacy-india
http://slidepdf.com/reader/full/data-protection-and-privacy-india 14/17
Page 13 of 17
4. Contractual Relations
Priv ate contractual terms have been used as a means for filling the g ap left by the IT Act of
2000 and other law s in India. Until a tighter data protection leg al regime is in place, the U.S.
and other countries outsourcing to India are relying upon contractual oblig ations to impose
oblig ations for protecting and preserving data. There is grow ing recognition w ithin the out-
sourcing industry that contractual oblig ations do not provide the most efficient or effective
recourse. In the event of a breach of the security of data, getting effective remedy under the
contractual oblig ations is time consuming and often insufficient26.
Overall, few incidents of misuse of data by employees of Indian business service providers
have arisen to date. How ever, the few that have occurred have set off alarms for both
American and Indian companies. For example, in June 2005, American business
outsourcers and their Indian counterparts w ere extremely concerned w hen Interpol was
asked to investig ate alleg ations that a 24 ² year - old w orker at Infinity e-Search, a w eb
marketing company in New Delhi, had sold information that he obtained from call center
w orkers at a BPO company . An undercover British reporter from a London tabloid
new spaper, The Sun, claimed that the Infinity e-Search employee sold him Barclay Bank
account details for 1,000 U.K. customers. The account holders· secret passw ords, addresses,
phone numbers, and passport details w ere allegedly sold for 350,000 rupees (INR 350,000), w hich is the equiv alent of around U.S. $8,000. This situation points out the flaw s in having
sensitive information in the hands of offshore employees in a developing country w here the
temptation may be great to make v ast amounts of money in local currency by selling
information to unscrupulous buyers, particularly w hen the exchange rate makes the
purchase cost in the w estern country relatively minimal.27
26 Ibid .27 Deborah Roach Gaut, OFFSHORE OUTSOURCING TO INDIA BY U.S. AND E.U. COMPANIES:
LEGAL AND CROSS - CULTURAL ISSUES THAT AFFECT DATA PRIVACY REGULATION IN
BUSINESS , 6 U.C. Davis Bus. L.J. 13, cited from www.westlaw.com
8/7/2019 data protection and privacy-india
http://slidepdf.com/reader/full/data-protection-and-privacy-india 15/17
Page 14 of 17
CHAPTER 4: CONCLUSION
In conclusion, it can be said that in India, the existing leg al regime in relation to data
protection is not strong and consolidated. W e do not have a separate law to obtain personal information related to the requester himself . R ight to Information Act is being used for both
purposes, i.e. to obtain personal information as w ell as non-personal information, w hich
sometimes creates confusion and creates issues relating to the priv acy of the individuals. The
regime in EU is much w ide and specific as compared to India. Specific law s in relation to
data protection are the need of the hour in the Indian leg al system. The provisions that are
8/7/2019 data protection and privacy-india
http://slidepdf.com/reader/full/data-protection-and-privacy-india 16/17
Page 15 of 17
currently present are insufficient to match up the standards of secrecy and protection that
the other jurisdictions are contemplating and demanding in the present scenario. For e.g . in
the EU, the standards set up by the directive w ith respect to data protection take into
consideration the purposes for w hich data is required to be processed and transferred, the
time limit for w hich data w ould be legitimately required, consent of the data subject for data
processing and his right to object to such processing etc. These are provisions that can to a
good extent ensure data protection. The Indian leg al regime should be modified to include
the above aspects so as to match up w ith the international demands of data protection. If it
is not done, international transactions including data transfer and processing w ould be
difficult to be executed in coming times ow ing to the high data protection standards
demanded by the EU, US and other developed countries.
Also, it can be concluded that Article 25 of the EU directive that blocks all international
transfers of data to countries outside of the EU, w here the ´third country does not ensure an
¶adequate level of protection· is a very onerous conditions both for the EU members and the
developing countries. This is particularly so because the determination w hether a particular
third country has adequate safeguards for data protection or not is to rest w ith the
Commission. Therefore, even w hen a third country has decent level of safeguards, it may not
be able to transact data w ith an EU member, if the Commission is not subjectively satisfied
about the adequacy . This can prove to be am impediment w ith respect to processing and
transfer of data across nations involving EU members.
BIBLIOGRAPHY AND REFERNCES
Websites
y http://righttoinformation.gov .in/
y http://www.rrtd.nic.in
y http://en.w ikipedia.org/
y http://www.w estlaw.com
8/7/2019 data protection and privacy-india
http://slidepdf.com/reader/full/data-protection-and-privacy-india 17/17
Page 16 of 17
y www.google.co.in
y www.jstor.org
Articles
y Faizan Mustaf a, Priv acy Issues in Data Protection : National and International Law s,
(2004) PL W ebJour 16
y Paul M. Schwartz, EUROPEAN DATA PROTECTION LAW AND
RESTR ICTIONS ON INTERNATIONAL DATA FLOWS, 80 Iowa L. R ev . 471,
cited from www.w estlaw.com
y Louis Harris and Associates, Inc. and Dr. Alan F. W estin, Commerce,
Communications, and Priv acy Online, A National Survey of Computer Users, 20-21
( 1997).
y Graham Pearce & Nicholas Platten, Orchestrating Transatlantic Approaches to
Personal Data Protection: A European Perspective, 22 FORDHAM INT·L L. J.
2024, 2026 ( 1999).
y Seth P. Hobby, THE EU DATA PROTECTION DIRECTIVE:
IMPLEMENTING A WORLDW IDE DATA PROTECTION REGIME AND
HOW THE U.S. POSITION HAS PROGRESSED, 1 Int·l L. & Mgmt. R ev . 155, cited from www.w estlaw.com
y V inita Bali, DATA PR IVACY , DATA PIRACY : CAN INDIA PROV IDE
ADEQUATE PROTECTION FOR ELECTRONICALLY TRANSFERRED
DATA?, 21 Temp. Int·l & Comp. L.J. 103, cited from www.w estlaw.com
y Deborah R oach Gaut, OFFSHORE OUTSOURCING TO INDIA BY U.S. AND
E.U. COMPANIES: LEGAL AND CROSS - CULTURAL ISSUES THAT
AFFECT DATA PR IVACY REGULATION IN BUSINESS, 6 U.C. Davis Bus.
L.J. 13, cited from www.w estlaw.com