Online Privacy and Data Protection Law

Academic year: 2022

(1)

1 | P a g e

Law

Information and Communication Technology

Online Privacy and Data Protection Law


Items / Description of Module

Subject Name: Law

Paper Name: Information and Communication Technology

Module Name/Title: Online Privacy and Data Protection Law

Module Id: XIX

Objectives:

1. To understand the concept of Privacy and online Privacy issues.

2. To appreciate the various modes of online violation of privacy.

3. To analyse the Privacy regulation of the European Union and India.

4. To understand the concept of data protection.

5. To explain the protection provided to data under various jurisdictions.

6. To enumerate the principles laid down for the collection and processing of information.

Prerequisites: Basic knowledge of Cyberspace and cyber law

Role / Name / Affiliation

Principal Investigator: Prof. (Dr.) Ranbir Singh, Vice Chancellor, National Law University, Delhi

Co-Principal Investigator: Prof. (Dr.) G.S. Bajpai, Registrar, National Law University Delhi

Paper Coordinator: Dr. Aparajita Bhatt, Assistant Professor, National Law University Delhi

Content Writer/Author: Dr. Gurujit Singh, Assistant Professor, Guru Govind Singh Indra Prastha University, New Delhi

Content Reviewer: Mr. Sunil Abraham, Centre for Internet and Society, Bangaluru


1. Introduction

The development of technology and the overdependence of States and individuals on Information and Communication Technology (ICT) for their social and economic activities has benefits as well as demerits. It provides a platform for the proliferation of social and economic activities in a boundaryless territory. Crucial information of various kinds is shared through this medium, deliberately or innocently. Sophisticated software and hardware transmit, store and process confidential information of a private nature about subjects, with or without their permission, causing them social and economic loss. That loss is sometimes beyond recovery for States as well as subjects, and it has therefore led to worldwide attempts by States to regulate privacy and data protection within their respective jurisdictions. The current module is an attempt to understand the concepts of Privacy and Data Protection. The difference between them is not clear-cut: they are like twins, but not identical. The module discusses traditional and online privacy and data protection regulation with regard to the jurisdictions of the United States, the European Union and India.

2. Concept of Privacy

2.1 Offline Privacy

The word ‘Privacy’ is derived from the Latin word ‘privatus’, meaning ‘separated or deprived from the rest, solitude’. The concept of privacy is not uniform around the globe, for reasons such as historical, cultural and religious beliefs and practices that result in different value systems in different societies. Information which one person considers private turns out to be public for others. Irrespective of these inherent difficulties, however, ‘privacy’ is understood as the private information of an individual’s life or conditions outside the public domain. It covers the personal aspects of information relating to an individual and denotes his or her right to decide the extent to which he or she is willing to share it with others. It is the right to be left alone.1 Hirshleifer emphasises that the concept of privacy is not to be misunderstood as the idea of secrecy. Rather, the concept might be described as autonomy within society. It is a broader concept than secrecy, and it reflects a particular kind of social structure together with its supporting social ethics.2 Prosser recognises four categories of privacy rights: (a) unreasonable and unjustified breach of the seclusion and solitude of another, (b) use of

1 William L. Prosser, 'Privacy' [1960] Cal. L. Review 383, 389.

2 Jack Hirshleifer, 'Privacy: Its Origin, Function and Future' (1979) <http://www.econ.ucla.edu/workingpapers/wp166.pdf> accessed 10.07.2014.


an individual’s name for another’s advantage, (c) putting private facts in the public domain, and (d) defaming.3 The concept of Privacy has been recognised as a human right in various international conventions such as the Universal Declaration of Human Rights4, the International Covenant on Civil and Political Rights5 and the European Convention on Human Rights6.

Much water has flown under the bridge since then, with the introduction of the latest sophisticated technologies, from the internet on smart phones to terrestrial satellites and GPS technology, penetrating individuals’ social and private lives. Owing to the overdependence of human beings on these technologies in their professional and personal lives, the concept of privacy now covers a broad range of information, as categorised below:

2.2 Online Privacy

The Internet, or cyberspace, is a boundaryless space. Though this space is intangible, its presence has been felt with the development of sophisticated technologies that have changed the pace of social and economic development. The rapid expansion of such technology has added an online version of private information to the traditional forms of private information already held in records. This new category of private information comprises the online activities of users during professional and non-professional access to the internet: the browsing habits of users, the date and time of a visit, queries entered into a search engine, the address of the page last visited, the most visited websites, the name and Uniform Resource Locator of a site, the user’s actions at the site, the time spent at

3 Supra note 1.

4 Universal Declaration of Human Rights, Article 12: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

5 International Covenant on Civil and Political Rights, Article 17: (1) No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. (2) Everyone has the right to the protection of the law against such interference or attacks.

6 European Convention on Human Rights, Article 8, Right to respect for private and family life: (1) Everyone has the right to respect for his private and family life, his home and his correspondence. (2) There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Figure: categories of privacy (recovered from a diagram in the original)

(a) Information privacy, relating to credit information, medical reports, government records etc.

(b) Bodily privacy, such as genetic mapping, DNA, drug testing, physical selves etc.

(c) Privacy of personal communication, such as telephone call details, emails, SMS etc.

(d) Territorial privacy, such as intrusion or trespassing at home or the workplace etc. against consent.


each page, files uploaded or downloaded etc. These online activities are tracked by interested groups for their own advantage. In fact, technology has introduced new means of storing and exploiting privacy-related information against the person concerned, causing him social humiliation and economic loss. Sophisticated software allows information to be compiled automatically from the various activities of users. Some of the methods of collecting information in cyberspace are as follows:

1. The search engine Google’s ‘Web history’ stores one’s clicking behaviour. Another advertising programme of Google, ‘AdSense’, uses cookies to track the nature and content of the pages visited. This helps them analyse the interests of the user. Based on that analysis, they personalise advertisements according to the user’s preferences.7

2. Software packages like ‘Sentry’ and ‘FamilySafe’ allow parents to keep a close watch on the online activities of their children. The online chats, emails and websites visited by children are monitored by the parents.8

3. Various technologies such as data mining, statistical analysis, face recognition and voice recognition are used for unsolicited data aggregation.

4. The data is assembled from various sources like search engines, community sites, photo tagging websites, discussion forums, deep packet inspection etc. The profiles or databases generated are then used for different business purposes (marketing, the economic and social status of individuals etc.).9

5. Cookies are small data files placed in the user’s web browser when he accesses a website. A cookie stores information relating to the various activities performed by the user, at particular times and places, and transmits that information back to the website. Every time the user accesses the website, the cookie updates the website about the user’s activity. In effect, cookies build an archive of information about the user’s activity, from login name, password, credit card number and address to the upload or download of information. The popular browsers accept cookies but give the user the option to disable them completely or selectively through a cookie manager, which stores the cookies and lets the user manage them as required. Some browsers also allow third-party cookies. Most

7 European Commission, 'The Future of Online Privacy and Data Protection' in EU Study on the Legal Analysis of a Single Market for the Information Society: New Rules for a New Age? (1st, DLA PIPER, EU 2009) <https://ec.europa.eu/digital-agenda/en/news/legal-analysis-single-market-information-society-smart-20070037> accessed 15.08.2014.

8 Id.

9 Id.


browsers, such as Mozilla Firefox, Internet Explorer, Opera and Google Chrome, accept third-party cookies by default.10 Advertising agencies use this technique to track users across various sites. Placing cookies helps them target users according to their preferences. The cross-border nature of these activities and of access to information creates genuine private international law issues, as the regulation of privacy and of the processing of data varies between jurisdictions. Most privacy policies incorporate choice-of-law provisions indicating the law applicable to resolve privacy-related issues. They are one-sided agreements in the nature of click-wrap or browse-wrap contracts, and their legality is therefore always an important issue.

6. Spam is unsolicited email sent to one’s email address. It is a kind of invasion of communication privacy. Generally it comes from an unrecognised source, so the sender is difficult to identify. Mostly it is used for commercial purposes or for promoting products, and it is received a number of times. It usually contains offensive, deceptive or fraudulent content and violates privacy.

7. Phishing consists of unsolicited messages or emails that pretend to be from an authentic and legitimate source, such as a bank or a lottery competition. They lure the user into giving away personal and financial information, thereby causing economic and emotional loss.

8. Identity theft is unauthorised access to one’s personal information, such as name, address, email etc., in order to pretend to be the authentic user. Posing as the authentic user, the thief causes economic loss or carries out wrongful activities.

9. A web bug is an invisible object embedded in a web page or email to check or track the reader of that web page or email.

All the above sophisticated technologies, in the form of software, in some way violate the individual’s privacy right “to be left alone”, even in cyberspace.
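The cookie mechanism described in item 5 above, as an added example that is not part of this module: a small Python script (hypothetical function names, constructed sample Set-Cookie headers) that parses the headers returned while a page loads, classifies each cookie as first-party or third-party relative to the page being visited (the distinction a browser’s cookie manager applies when the user chooses to block third-party cookies), and lists the attributes a privacy reviewer would check. The two-label approximation of a site’s registrable domain is an assumption made for the constructed sample; real browsers consult the public suffix list.

```python
# Added example, not part of the module text. Names and sample data are
# constructed for illustration; the registrable-domain rule is an assumption.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 365 * 24 * 3600


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str]            # Domain attribute, or None if host-only
    path: str = "/"
    secure: bool = False
    http_only: bool = False
    same_site: Optional[str] = None  # "Strict", "Lax", "None" or absent
    max_age: Optional[int] = None    # lifetime in seconds, None = session cookie


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value in the RFC 6265 name=value; attr form."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(), domain=None)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie.domain = val.lstrip(".").lower()   # leading dot is ignored
        elif key == "path":
            cookie.path = val or "/"
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "samesite":
            cookie.same_site = val.capitalize()
        elif key == "max-age" and val.lstrip("-").isdigit():
            cookie.max_age = int(val)
    return cookie


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (assumption: no multi-label
    public suffixes such as co.uk occur in the constructed sample)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(page_host: str, response_host: str, cookie: Cookie) -> bool:
    """A cookie is third-party when the site that set it (its Domain attribute,
    else the host that answered the request) is not the site the user visited."""
    setter = cookie.domain or response_host.lower()
    return registrable_domain(setter) != registrable_domain(page_host)


def privacy_findings(page_host: str, response_host: str, cookie: Cookie) -> List[str]:
    """Observations a reviewer would note about one cookie."""
    findings = []
    if is_third_party(page_host, response_host, cookie):
        findings.append("third-party: can be used to track the user across sites")
    if cookie.same_site == "None" and not cookie.secure:
        findings.append("SameSite=None without Secure: modern browsers reject it")
    if cookie.max_age is not None and cookie.max_age > ONE_YEAR:
        findings.append("persistent for over a year")
    if not cookie.http_only:
        findings.append("readable by page scripts (no HttpOnly)")
    return findings


# Constructed sample: responding host and the Set-Cookie header it returned
# while shop.example.org was being loaded.
SAMPLE_RESPONSES: List[Tuple[str, str]] = [
    ("shop.example.org", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("ads.tracker-example.net",
     "uid=9f2; Domain=.tracker-example.net; Path=/; Max-Age=63072000; SameSite=None; Secure"),
    ("cdn.example.org", "prefs=dark; Domain=example.org; SameSite=None"),
]


def audit_page(page_host: str = "shop.example.org",
               responses: List[Tuple[str, str]] = SAMPLE_RESPONSES) -> Dict[str, List[str]]:
    """Map each cookie name set during the page load to its privacy findings."""
    report = {}
    for response_host, header in responses:
        cookie = parse_set_cookie(header)
        report[cookie.name] = privacy_findings(page_host, response_host, cookie)
    return report


if __name__ == "__main__":
    for name, findings in audit_page().items():
        print(name, "->", findings or ["no findings"])
```

Run stand-alone, the script prints one line per cookie: the first-party session cookie has no findings, the advertising cookie is flagged as third-party, long-lived and script-readable, and the misconfigured preferences cookie is flagged for SameSite=None without Secure.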

10 Wikipedia, 'HTTP cookie' (http://en.wikipedia.org ) <http://en.wikipedia.org/wiki/HTTP_cookie> accessed 15.08.2014.


Figure: means of collecting information in cyberspace (recovered from a diagram in the original)

1. Google's web history option

2. Specific software packages to keep track of cyber movements, like ‘Sentry’ and ‘Family Safe’

3. Data mining, big data

4. Photo tagging, community sites, discussion forums, deep packet inspection

5. Cookies

6. Spam

7. Phishing

8. Malware

9. Identity theft

10. Web bugs


3. Protection of Privacy

3.1 European Union

The EU has adopted the Data Protection Directive 95/46/EC11 and the Electronic Privacy Directive (E-Privacy) 2002/58/EC12 to regulate issues related to data protection and online privacy respectively. The new Directive 2009/136/EC13 amends the E-Privacy Directive on some important issues. The amended Article 6(3) provides that, for marketing electronic communication services or value added services, the provider of the service may process data to the extent and for the duration necessary for such services or marketing, with the permission of the user. Users are vested with the right to withdraw their consent. Article 6 states that traffic data generated by users at the time of electronic transactions should be erased when it is no longer required for the purpose of transmission. Therefore, until payments have been processed, storing the information is allowed.14 Article 12 directs the Member States to take the consent of the user or subscriber before their details are printed in a public directory. Users should have the option to determine whether or not to include their information in the directory. Giving consent does not withdraw the right to verify or withdraw the information. With regard to unsolicited communications, the amended Article 13 allows automated calling and communication systems, or email, to be used for direct marketing only with the prior permission of the user. It further prohibits email for direct marketing which disguises or conceals the identity of the sender on whose behalf the communication is made.15 Recital 24 states that spyware, web bugs, hidden identifiers and other similar devices enter the user’s computer or terminal without their knowledge when the user accesses a website. Such devices should be allowed only for a legitimate purpose with the consent of

11 Directive (EC) 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Official Journal of the European Communities [1995] OJ L 281/31, available at http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31995L0046&from=EN accessed on 14.08.2014.

12 Directive (EC) 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications), Official Journal of the European Communities [2002] OJ L 201/37, available at http://www.privacycommission.be/sites/privacycommission/files/documents/directive_2002_58_ec.pdf accessed on 14.08.2014.

13 The new Directive 2009/136/EC amends three directives, i.e., Directive 2002/22/EC, Directive 2002/58/EC and Regulation (EC) No 2006/2004. Directive (EC) 2009/136/EC, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:en:PDF accessed on 15.08.2014.

14 Directive 2002/58/EC, Article 6(2).

15 Directive 2009/136/EC, Article 13(4).


the user. In the case of cookies, the user should have the opportunity to refuse cookies or similar devices.16

The new Directive adopts “technical implementing measures” to achieve uniformity in the measures applied when a personal data breach occurs.17 The provider of publicly available electronic communication services has to report the breach to a specific national authority within 24 hours of its detection. If it is not possible to inform the authority within the specified 24 hours, then the information should be provided within three days. The provider should also inform the user or subscriber about the nature of the information breached.

3.2 India

3.2.1 Privacy as Constitutional Right

Prior to the Indian Constitution, the scope and concept of privacy in India was determined under criminal law and tort law, for issues like libel and slander. Apart from these existing provisions, the Indian Constitution did not, until the 1960s, define the concept of Privacy as a right. The Court got the opportunity in Kharak Singh v. State of Uttar Pradesh18. The Court had to decide the constitutionality of certain regulations relating to surveillance and domiciliary visits by the police. The constitutionality of these provisions was challenged on the ground that they violated the fundamental right to privacy under Article 21. The majority opinion in this case refused to recognise the right to privacy as part of the fundamental rights; however, it recognised the common law right of citizens to enjoy the liberty of their houses.

Further, the apex court in Govind v. State of Madhya Pradesh19 was more inclined to consider the right to privacy a fundamental right. This is reflected in the opinion of Justice Mathew:

“Rights and freedoms of citizens are set forth in the Constitution in order to guarantee that the individual, his personality and those things stamped with his personality shall be free from official interference except where a reasonable basis for the intrusion exists. … in this sense, many of the fundamental rights of citizens can be described as contributing to the right to privacy”.20

16 Id., Recital 25

17 Directive 2009/136/EC , Article 4.

18 1964 SCR (1) 332

19 AIR 1975 SC 1378

20 Id.


The emergence of the new right to privacy as a fundamental right created a conflict between the fundamental right to free speech and expression and the fundamental right to privacy. The court resolved, or balanced, the two rights in R. Rajagopal v. State of Tamil Nadu21. The Court held:

“(1) The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a right to be let alone. A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child bearing and education among other matters.

None can publish anything concerning the above matters without his consent, whether truthful or otherwise and whether laudatory or critical. If he does so he would be violating the right to privacy of the person concerned and would be liable in an action for damages. Position may, however, be different, if a person voluntarily thrusts himself into controversy or voluntarily invites or raises a controversy. (2) The rule aforesaid is subject to the exception that any publication concerning the aforesaid aspects becomes unobjectionable if such publication is based on public records including court records. This is for the reason that once a matter becomes a matter of public record, the right to privacy no longer subsists and it becomes a legitimate subject for comment by press and media among others.”22

In Mr. X v. Hospital Z23 the apex Court continued to balance the conflict by recognising that medical records are generally considered private information of the individual. This right is subject to an exception where the non-disclosure of medical information could endanger the lives of other citizens. Further, in PUCL v. Union of India24 the Court held that telephone tapping without proper safeguards, in the form of a proper procedure established by law, violates and invades the individual’s right to privacy. The apex court in this case ordered the creation of a review committee to review all surveillance measures authorised under the Act. The court ordered that the procedure has to be tested on the grounds of Articles 14, 19 and 21. Further, in District Registrar and Collector v. Canara Bank,25 the apex court ruled that the right to privacy exists and that any unlawful invasion of privacy would make the offender liable to consequences as per law. The constitutional recognition of this right protects the privacy of individuals against unlawful government invasion. The right to privacy is, however, not an absolute right and may lawfully be restricted for public order, i.e., the prevention of crime and disorder, the protection of health and morals, and the protection of the rights and freedoms of others.

21 1994 SCC (6) 632

22 Id.

23 AIR 1999 SC 495

24 (1997) 1 SCC 30; AIR 1997 SC 568

25 (2005) 1 SCC 496


3.2.2 Definition of Privacy

The concept of privacy has so far not been defined in any enactment in India. Protection against the misuse of private information is available in scattered form in various Acts. The Information Technology Act 2000 incorporated the concept in response to the European Union’s concerns about privacy and data protection in India. The new Rules, i.e., The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, define ‘personal information’ as any information relating to a natural person which is capable of identifying that person, directly or indirectly, in combination with other information available or likely to be available to a body corporate.26 The Rules identify ‘sensitive personal information’ under Section 3 as any information which consists of (a) passwords; (b) financial information such as bank account, credit card or debit card numbers; (c) physical, physiological and mental health condition; (d) sexual orientation; (e) medical records and history; (f) biometric information; (g) any detail relating to the above provided to a body corporate; (h) any of the above information received by a body corporate for processing, stored or processed under a lawful contract. However, the Rules 2011 do not apply to the following two categories of information: (i) information in the public domain, and (ii) any information which is furnished under the Right to Information Act, 2005 or any other law for the time being in force.27

Similarly, the Credit Information Companies (Regulation) Act (‘CICR’)28 deals with privacy and data protection in the form of ‘credit information’. Section 2(d) defines ‘credit information’ as any information relating to (a) the amounts and the nature of loans or advances, amounts outstanding under credit cards and other credit facilities granted or to be granted, by a credit institution to any borrower; (b) the nature of security taken or proposed to be taken by a credit institution from any borrower for a credit facility granted or proposed to be granted to him; (c) the guarantee furnished or any other non-fund based facility granted or proposed to be granted by a credit institution for any of its borrowers; (d) the credit

26 The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, Section 2(i).

27 Id., Section 3 proviso.

28 The Credit Information Companies (Regulation) Act came into force on 14 December 2006 by official gazette notification (http://www.egazette.nic.in/EnhancedSearch.aspx). The Act was enacted with the twin purpose of regulating the credit information collected by credit institutions and facilitating the efficient distribution of credit by financial institutions, public financial institutions and financial corporations.


worthiness of any borrower of a credit institution; (e) any other matter which the Reserve Bank of India may consider necessary for inclusion in the credit information to be collected and maintained by credit information companies, and may specify by notification in this behalf.

3.2.3. Privacy Regulation

There are no specific laws on online privacy in India. However, Section 5(2) of the Indian Telegraph Act, 1885 empowers the government to intercept messages. This power is not unguided, as the language of the section itself reflects. The grounds mentioned are public emergency, public safety, the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, and the prevention of incitement to the commission of an offence. The reasons have to be recorded in writing so that the arbitrariness of the decision can be examined in case of misuse of the provision. In People’s Union for Civil Liberties v. Union of India,29 the apex court laid down procedural safeguards, which the Central Government incorporated in 1999 by amending the Indian Telegraph Rules, 1951 to insert Rule 419A, in order to safeguard the right to privacy of the individual. The new Rule 419A restricts the power to tap phones to senior administrative officers.

Similar provisions exist in the IT Act in the form of Sections 6930 and 69B31. These two sections are operationalised by two sets of Rules incorporated by way of amendment to the IT Act, i.e., The Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009 and The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Regarding online privacy violations, the IT Act deals with them under the following sections:

1. Section 43(c) penalises any person who introduces any computer contaminant or virus into any computer, computer system or computer network, making him liable to pay compensation to the affected parties.

29 AIR 1997 SC 568

30 Information Technology Act, 2000, Section 69 deals with the Power of authorised officer under the direction of Central Government or State Government to issue directions for interception and monitoring or decryption of any information through any computer resource.

31 Id., Section 69B deals with the Power of any agency authorised by the Central Government to monitor and collect traffic data or information through any computer resource for cyber security.


2. Section 66A punishes a person who sends offensive messages through communication services such as emails, social media etc., with imprisonment for a term which may extend to 3 years and with fine.

3. Section 66B punishes dishonestly receiving a stolen computer resource or communication device with imprisonment which may extend to 3 years, or a fine of Rs. 1 lakh, or both.

4. Section 66C provides punishment for identity theft which may extend to imprisonment for 3 years and a fine of Rs. 1 lakh.

5. Section 66E provides punishment for violating the privacy of any person without his knowledge, in the form of imprisonment which may extend to 3 years, or a fine of Rs. 2 lakh, or both.

3.2.4. Exception to privacy rule

Section 69 of the IT Act creates an exception for the Central Government or the State Government on the issue of privacy. The Act enumerates the grounds on which the State can direct an agency of the appropriate authority to intercept, monitor or decrypt any information received, stored or transmitted. The grounds mentioned under the Act are (a) the interest of the sovereignty or integrity of India, (b) the defence of India, (c) the security of the State, (d) friendly relations with foreign States, (e) public order, and (f) preventing incitement to the commission of any cognizable offence. The Act requires a proper procedure to be followed before the exception is used, i.e., the reasons for interception, monitoring or decryption should be reasonable and justified as per the law. Any one of the above grounds, or more than one, is sufficient justification for using the exception. The Section requires the subscriber, intermediary or any person in charge of the computer resource to facilitate and assist in providing access to, or securing access to, the computer resource generating, transmitting, receiving or storing such information; intercepting, monitoring or decrypting the information; or providing information stored in the computer resource.32 Section 69B empowers the Central Government or the State Government to monitor and collect traffic data or information to enhance cyber security and for the identification, analysis and prevention of intrusion or the spread of

“computer contaminant”33 in the country. In this regard the intermediaries or any person in

32 Id., Section 69(2).

33 Id. The meaning of the term is taken from Section 43(i), which defines it as any set of computer instructions that are designed (a) to modify, destroy, record or transmit data or a programme residing within a computer, computer


charge of the computer resource shall facilitate online access to the computer resource generating, transmitting, receiving or storing such traffic data34 or information.35 If the intermediary intentionally or knowingly creates a barrier, it may be punished with imprisonment for a term which may extend to 3 years and shall also be liable to fine.36 The Central Government has laid down the procedure in The Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009.

3.2.5 National Policy of Privacy

Recognising the need to analyse the Privacy Rules, the Planning Commission, Government of India, formed a committee under the Chairmanship of Justice A. P. Shah, former Chief Justice of the Delhi Court. After its brainstorming sessions the committee submitted its report37 and proposed a national privacy policy. The guiding principles of the proposed National Policy are as follows:

1. Notice: The data controller shall give individuals notice, in clear, concise and simple language, at the time of collection and later on as well. At the time of collection such notice should state (a) the kinds of personal information collected; (b) the purpose of collection; (c) the use of the information; (d) whether or not it is disclosed to third parties; (e) the security safeguards against loss of the information; (f) the process for access to and correction of one’s own personal information; and (g) the contact details of the privacy officer.

Later on, notice is required in the following cases: (a) a data breach, to be notified when applicable; (b) use of the information for a purpose other than the one stated; (c) a change in the privacy policy of the controller; (d) any other information required by the appropriate authority.

2. Choice and Consent: Individuals must be given the option to opt in or opt out at every stage of data collection, processing and disclosure, except in the case of authorised agencies.

system or computer network; or (b) by any means to usurp the normal operation of the computer, computer system or computer network.

34 Id., Section 69B Explanation: Traffic data means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted, and includes communication origin, destination, route, time, data, size, duration or type of underlying service, or any other information.

35 Id., Section 69B(2).

36 Id., Section 69B(4).

37 Report of the Group of Experts on Privacy, chaired by Justice A P Shah, available at http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf accessed on 15.08.2014.


3. Collection limitation: Limited information should be collected as per the purpose of collection in lawful manner and with the consent of data subject.

4. Purpose limitation: Personal data collected and processed under direction of controller should be adequate and relevant to the purpose for which it is processed.

Retention of data should be in compliance with the National Privacy Principle.

5. Access and Correction: Individual shall access information about them held with Controller. Right to access also include right to correction, amendments or deletion in case of inaccurate information.

6. Disclosure of information: Disclosure to third party allowed after the consent of data subjects. Disclosure to law enforcement agencies must in accordance with the law.

7. Security: Data controller to secure personal information against loss, unauthorised access, destruction, use, processing, modification, deanonymization, unauthorised disclosure or other reasonably risks.

8. Openness: The data controller should take all necessary steps to implement and adopt policies, practices, procedures and systems in proportion to the sensitivity of the data.

9. Accountability: The data controller must comply with measures that give effect to the privacy principles.

3.3 Concept of Data Protection

Privacy and data protection are not the same concept, though they share some common features. They are like twins, but not identical.38 Data that is legitimately processed in accordance with the directions of the appropriate authorities raises no privacy issue and is not prohibited. The scope of data protection is both narrower and broader than that of privacy, since each concept protects only part of the rights and values covered by the other; privacy nonetheless remains the starting point for identifying and determining the principles of data protection.39 Privacy rights are personal rights, whereas data protection also has a proprietary value.

The Cambridge English Dictionary defines 'Data' as information in the form of facts or numbers, collected and examined scientifically to be used for decision making. In the computer age it is information in electronic form that is stored and used by a computer, with the help of sophisticated software, to analyse a situation and take a decision. In the absence of specific legislation on data protection, the Information Technology Act 2000 defines 'Data' as:

“a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.”40

38 European Union, 'The Future of Online Privacy and Data Protection' in (eds), Legal Analysis of a Single Market for the Information Society: New Rules for a New Age? (1st edn, DLA Piper, 2009), available at https://ec.europa.eu/digital-agenda/en/news/legal-analysis-single-market-information-society-smart-20070037 accessed on 15.08.14.

39 Id. p. 4.

The word ‘processed’ in the above definition is not defined by the Act. While personal information may be verbal or non-verbal, data is information that has been stored and analysed for the purpose of commercial decision making. Because information analysed as data has commercial utility, it also has proprietary value. There have been reports in the past of corporate houses selling or misusing data without the permission of the individuals concerned, for commercial benefit, putting the integrity and security of those individuals in danger.41

3.3.1 OECD Principles for Data Collection

Online activities allow a great deal of information to be disseminated and stored in cyberspace, and sophisticated technology identifies the important parts of that information and turns it into data.

The processing of this data is a major concern for internet users, because data is often collected without prior permission, or, where consent is given, the user does not know the purpose for which it will be used. The Organisation for Economic Co-operation and Development (OECD) introduced guidelines for the collection and processing of data for its member states in the 1980s. Countries such as the USA and the EU participated actively. While the EU adopted the guidelines in its directives, the USA, though an active participant, did little in this regard. The OECD revised its guidelines relating to the protection of data in 2013.42 Part two of the report lays down eight guiding principles for data collection, as follows:

40 Information Technology Act, 2008, Section 2(o).

41 The Economic Times, 'Toughen law enforcement: Indian BPOs need to be extra vigilant' (http://articles.economictimes.indiatimes.com 2006) <http://articles.economictimes.indiatimes.com/2006-10-05/news/27466453_1_indian-bpo-data-theft-bpo-industry> accessed 10.07.2014

1. Collection Limitation Principle: Data collection should be limited, and data should be obtained by fair and lawful means.

2. Data Quality Principle: Data should be accurate and should be used only for the purpose for which it was collected.

3. Purpose Specification Principle: Purpose of the data collection should be specified at the time of collection.

4. Use Limitation Principle: Data should not be disclosed to others, or used for purposes other than the one for which it was collected, without the consent of the data subject or the authority of law.

5. Security Safeguards Principle: Reasonable security safeguards should be taken to protect data against alteration, destruction, unauthorised access, modification or disclosure.

6. Openness Principle: Openness is required with regard to the collection of data and developments and practices concerning it.

7. Individual Participation Principle: Data subjects should have the right (a) to obtain information relating to their data, (b) to have that information communicated to them within a reasonable time, (c) to be given reasons if the information is denied, and (d) to challenge data that is wrong and have it erased.

8. Accountability Principle: The data controller is accountable for maintaining data in accordance with the above principles.43

3.4 Data Protection Laws

3.4.1 European Union

Directive 95/46/EC on Data Protection regulates data protection in the EU. The Directive regulates the automated or non-automated processing44 of personal data45, and applies to processing carried out by wholly or partly automated means.46 Article 7 requires one of the following conditions to be fulfilled for the processing of data:

1. The data subject has given consent; or

2. Processing is necessary for the performance of a contract to which the data subject is a party, or is carried out at the request of the data subject prior to entering into a contract; or

3. Processing is necessary for compliance with a legal obligation; or

4. Processing is necessary to protect the interests of the data subject; or

5. Processing is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or

6. Processing is necessary for the legitimate interests pursued by the controller.

Further, Articles 10 and 11 state that the data subject should be informed of the identity of the controller or its representative and of the purpose of the processing, both where the subject provides the information himself and where the information is collected from another source.

Data subjects are vested with the rights to access47 and to object48 to the processing of their personal data. The right of access allows the data subject to require the controller to rectify, erase or block data whose processing does not comply with the provisions of the Directive. In the recent ruling of the European Court of Justice in Google Spain SL v. Agencia Española de Protección de Datos (AEPD),49 the Court directed Google to withdraw the information from its website. The Court held that individuals have the right, under certain conditions, to ask search engines to remove links to personal information about them. This applies where the information is inaccurate, inadequate, irrelevant or excessive for the purposes of the data processing. The case is popularly known as the 'right to be forgotten' case.

42 OECD, Recommendation of the Council Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, 2013, available at http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf accessed on 15.08.2014.

43 Id.

44 Directive 95/46/EC, Article 2(b): “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.”

45 Id., Article 2(a): “any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;”

46 Id., Article 3(1)

47 Id., Article 12

48 Id., Article 14

49 C-131/12, case available at http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir&cid=437838 accessed on 17.08.2014.


Further, the Directive allows the protection of data to be restricted in cases of (a) national security, (b) defence, (c) public security, (d) the prevention, investigation, detection and prosecution of criminal offences, and (e) the monitoring or regulatory functions of the State.50

3.4.2 India

3.4.2.1 Information Technology Act

The laws relating to data protection are scattered across various Acts.51 The Information Technology Act 2000 (as amended in 2008) (the IT Act) provides civil and criminal remedies for violations relating to data protection.

Section 43 of the Act specifically lays down various acts which, when committed by any person without the permission of the owner or person in charge of a computer, computer system or computer network, have the potential to affect, directly or indirectly, privacy and data protection. The Section imposes a penalty, by way of compensation, on any such person. The acts enumerated under the Section are as follows:

a. Accesses or secures access to any computer, computer system, computer network or computer resource;52

b. Downloads, copies or extracts any data, computer database or information, including information stored in a removable storage medium;53

c. Introduces or causes to be introduced any computer contaminant, such as a computer virus, into any computer system;54

d. Damages or causes damage to any computer, computer system or computer network, data, computer database or any other programme;55

e. Disrupts or causes the disruption of any computer;56

f. Denies or causes the denial of access, by any means, to any person authorised to access any computer, computer system or computer network;57

50 Id., Article 13

51 Currently there is no exclusive enactment in India on privacy and data protection; however, a Bill relating to privacy and data protection is pending before Parliament.

52 Information Technology Act, 2000, Section 43(a)

53 Id., Section 43(b)

54 Id., Section 43(c)

55 Id., Section 43(d)

56 Id., Section 43(e)

57 Id., Section 43(f)


g. Provides assistance to any person to access a computer, computer system or computer network in contravention of the provisions of the Act, rules, regulations, etc.;58

h. Charges the services availed of by one person to the account of another person by tampering with or manipulating any computer, computer system or computer network;59

i. Destroys, deletes or alters any information, or diminishes the value or utility of information, or affects it injuriously by any means;60

j. Steals, conceals, destroys or alters, or causes any person to do so, with the intention of causing damage.61

As per Section 43A, if a Body Corporate involved in processing, dealing in or handling any “sensitive personal data or information”62 is negligent in implementing and maintaining “reasonable security”63, and this causes wrongful loss or wrongful gain to any person, the Body Corporate is liable to pay compensation by way of damages to the person so affected. In exercise of the power conferred by Section 87(2) read with Section 43A of the IT Act, the Central Government has made rules for the collection, processing and security practices relating to sensitive information in ‘The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011’. The Rules lay down the following procedure to be followed while collecting personal information:

a. The Body Corporate must frame a privacy policy for handling or dealing in personal information, including sensitive personal information. For the collection of sensitive information, consent has to be obtained in writing; a letter, fax or email from the provider of the information is a recognised mode of consent.

b. The privacy policy should be published on the website of the Body Corporate or of any person working on its behalf.

58 Id., Section 43(g)

59 Id., Section 43(h)

60 Id., Section 43(i)

61 Id., Section 43(j)

62 Sensitive information is defined in The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011.

63 Information Technology Act, 2000, Section 43A Explanation (ii) “Reasonable security practices and procedure” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law, such reasonable security practices and procedures, as may be prescribed by the Central government in consultation with such bodies or associations as it may deem fit;


c. The nature of the sensitive information has to be identified and the individuals informed of the purpose of collection. Information should be collected only for a lawful purpose, and it should be relevant to a function or activity of the Body Corporate. The collection of information must be with the consent of the individuals concerned, and they must be aware of the purpose for which it is collected.

d. The information collected should be used only for the purpose for which it was collected, and it shall not be retained for longer than is required.

e. The Body Corporate, or a person acting on its behalf, shall give the provider of the information the option not to provide the data or information. In addition, while availing of the services, the provider shall have the option at any time to withdraw consent, and such withdrawal shall be in writing.

f. Grievances of the provider relating to the use of data should be addressed by the Body Corporate in a time-bound manner, i.e. within a month of receipt of the grievance. A Grievance Officer should be designated for that purpose.

g. Disclosure of sensitive information by the Body Corporate to a third party cannot be made without the prior permission of the provider of the information. However, prior permission of the provider is not required in the case of Government agencies mandated under the law to obtain it for the purpose of verification of identity, or for the prevention, detection, investigation (including of cyber incidents), prosecution and punishment of offences.

h. Transfer of information by the Body Corporate to another person or Body Corporate is allowed on two conditions. First, the other Body Corporate, whether located in India or outside, must ensure the same level of data protection as that adhered to by the transferring Body Corporate. Second, the transfer is allowed only if it is necessary for the performance of a lawful contract between the Body Corporate (or any person on its behalf) and the provider of the information, or where the provider has consented to the transfer.

i. Reasonable security has to be maintained as per the requirements of IS/ISO/IEC 27001 on Information Technology. If a Body Corporate chooses to follow its own security management practices instead, it must have its code of best practices duly approved and notified by the Central Government for effective implementation.


Chapter XI of the IT Act lists the various kinds of offences. Some of the offences dealing directly or indirectly with privacy and data protection are as follows:

1. Hacking is a serious threat to privacy and to the data maintained by bodies corporate, government agencies and individuals. Section 66 states that whoever, with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys or deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, commits the offence of hacking.64 The punishment for hacking is imprisonment for up to three years, or a fine which may extend up to two lakh rupees, or both.

2. Section 66B punishes any person who dishonestly receives or retains any stolen information with imprisonment for a term which may extend to three years, or a fine which may extend to one lakh rupees, or both. Section 66C punishes any person who fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of another person with imprisonment for a term which may extend to three years and a fine which may extend to one lakh rupees.

3. Further, Section 72 provides a penalty of a fine of up to Rs. 1 lakh, or imprisonment for a term which may extend to two years, or both, where any person who has lawfully secured access to any information under the Act discloses that information to any other person without the consent of the person concerned. This section makes a Body Corporate, or even the public sector, liable for violations of privacy and data-related information. Further, Section 72A provides for imprisonment for a term which may extend to three years, or a fine of up to Rs. 5 lakhs, or both, where any person or intermediary who, while providing services under a lawful contract, has secured access to personal information about another person, discloses that information without the consent of the person concerned, or in breach of the lawful contract, with the intent to cause, or knowing that it is likely to cause, wrongful loss or wrongful gain.

3.4.2.3 Credit Information Companies (Regulation) Act, 2005

The Credit Information Companies (Regulation) Act, 2005 (‘CICR’)65 was enacted with the twin purposes of regulating the credit information collected by credit institutions and facilitating the efficient distribution of credit by financial institutions, public financial institutions and financial corporations.

64 Id., Section 66

65 The Act came into force on 14 December 2006 by official gazette notification; see http://www.egazette.nic.in/EnhancedSearch.aspx

The CICR Act deals with the privacy and data protection in the form of ‘credit information’.

The Act regulates the functioning of Credit Information Companies by making it mandatory for such a company to be registered under the Companies Act, 1956.66 A credit institution means a banking company and includes a banking company, subsidiary bank, co-operative bank, non-banking institution, public financial institution, housing finance institution, company engaged in the business of credit cards or similar cards, etc.67 The Act authorises credit information companies to (i) collect, process and collate information on the trade, credit and financial standing of borrowers of credit institutions, (ii) provide credit information to their specified users or to the specified users of any other credit information company, (iii) provide credit scoring to their specified users, to the specified users of any other credit information company, or to other credit information companies, (iv) undertake research projects, and (v) undertake any other business specified by the RBI.68

Chapter VI of the Act lays down the information privacy principles to be followed by credit information companies. Section 19 requires that the accuracy and security of credit information be maintained by any credit information company, credit institution or specified user in possession or control of such information, against any loss, unauthorised use or unauthorised disclosure.69 Section 20 sets out the privacy principles relating to the collection, processing, collating, recording, preservation, secrecy, sharing and usage of credit information, as follows:

1. Purpose principle70: The purpose for which the information may be used, and the restrictions on such use.

2. Extent of accuracy checking71: The extent of the obligation to verify the accuracy of the information.

3. Preservation principle72: Preservation of information for such period for which such information may be maintained.

66 Credit Information Companies (Regulation) Act, 2005, Section 2(e)

67 Id., Section 2(f)

68 Id., Section 14

69 Id., Section 19. A credit information company or credit institution or specified user, as the case may be, in possession or control of credit information, shall take such steps (including security safeguards as may be prescribed) to ensure that the data relating to the credit information maintained by them is accurate, complete, duly protected against any loss or unauthorised access or use or unauthorised disclosure thereof.

70 Id., Section 20(b) the purpose for which the credit information may be used, restrictions or such use and disclosure thereof;

71 Id., Section 20(c) the extent of obligation to check accuracy of credit information before furnishing of such information to credit information company or credit institution or specified user, as the case may be;


The Act adopts a flexible approach, as the RBI may introduce any other principle or procedure it thinks fit depending on the nature of the information.73 Section 21 allows any person who applies for the sanction of credit to obtain a copy of his credit information on request. If the person wants to have the credit information altered in any way, he should be allowed to do so. The Act imposes a penalty on any person who intentionally and knowingly gives false information: imprisonment for a term which may extend to one year, together with a fine.

Sub-section (2) of Section 20 makes it clear that any credit information company, credit institution or specified user that wilfully performs any act, or engages in any practice, in breach of the principles is punishable with a fine not exceeding one crore rupees.74 Sub-section (5) places responsibility for any contravention or default committed by a credit information company, credit institution or specified user on that entity, and extends it to every person who is in charge of, or responsible to, the credit information company, credit institution or specified user for the conduct of its business, who is punishable accordingly.75

4. Summary

Privacy rights are important for the overall development of personality. The concept has to be defined properly and applied uniformly. This right is under threat due to the development of technology and the overdependence of human beings on it; technology has invaded the personal and public life of individuals. Privacy and data protection rights are twins, but not identical: they are related to each other. Privacy rights are not absolute. The Indian courts, through a number of judgments, have declared privacy to be a fundamental right, and through various judgments have balanced this right to a great extent. New technologies introduce new means of privacy violation, such as spamming, cookies and identity theft. There is a need for a comprehensive policy on privacy; in the Indian context the law is scattered across various Acts. Against the backdrop of the e-commerce and BPO sectors, the Indian government has laid down the Rules 2011; however, a comprehensive policy is still required. The Information Technology Act 2000 provides a number of civil and criminal liabilities to deal with privacy and data violations, and the Rules 2011 provide the procedure for data collection. The Credit Information Companies Act deals with the protection of credit information; it imposes penalties of a civil and criminal nature and also lays down the principles to be followed regarding the collection and use of information. The European Union has Directives relating to privacy and data protection; the objective of the Directive discussed above is to harmonise the law across the European Union.

72 Id., Section 20(d) preservation of credit information maintained by every credit information company, credit institution, and specified user as the case may be (including the period for which such information may be maintained, manner of deletion of such information and maintenance of records of credit information);

73 Id., Section 20(f) any other principles and procedures relating to credit information which the Reserve Bank may consider necessary and appropriate and may be specified by regulation

74 Id., Section 20(2)

75 Id., Section 20(5)
