In recent days there has been increased concern in India
about the impact of data protection laws enacted by other countries.
Without doubt, the EU is the centre of interest in
these laws, and the EU guidelines have even rattled the USA. According to the
guidelines, EU countries will cease to part with data which are considered the
subject matter of protection to any third country unless it adheres to
similar laws.
There are commercial interests involved in implementing the
guidelines as envisaged by the EU, and the US appears to be avoiding a law on the
subject, preferring to let it be handled through self-regulation.
The US has, however, passed HIPAA (the Health Insurance
Portability and Accountability Act of 1996), which provides protection for
health information of individuals online.
A recent study has found that more
than 40 countries around the world have enacted, or are preparing to enact,
laws that protect the privacy and integrity of personal consumer data.
India, however, is not one of them. Some time back,
NASSCOM did take some initiatives to push through a drafting exercise, but it
appears that the exercise has not been pursued further.
The EU guidelines are an outcome of the OECD guidelines of
1980, which list eight broad principles to be adhered to in protecting
personal information of the citizens of the country.
They are:
1. Collection Limitation Principle
There should be limits to the collection of personal data
and any such data should be obtained by lawful and fair means and, where
appropriate, with the knowledge or consent of the data subject.
2. Data Quality Principle
Personal data should be relevant to the purposes for
which they are to be used, and, to the extent necessary for those purposes,
should be accurate, complete and kept up-to-date.
3. Purpose Specification Principle
The purposes for which personal data are collected should
be specified not later than at the time of data collection and the
subsequent use limited to the fulfilment of those purposes or such others
as are not incompatible with those purposes and as are specified on each
occasion of change of purpose.
4. Use Limitation Principle
Personal data should not be disclosed, made available or
otherwise used except:
a) with the consent of the data subject; or
b) by the authority of law.
5. Security Safeguards Principle
Personal data should be protected by reasonable security
safeguards against such risks as loss or unauthorized access, destruction,
use, modification or disclosure of data.
6. Openness Principle
There should be a general policy of openness about
developments, practices and policies with respect to personal data. Means
should be readily available of establishing the existence and nature of
personal data, and the main purposes of their use, as well as the identity
and usual residence of the data controller.
7. Individual Participation Principle
An individual should have the right:
a) to obtain from a data controller, or otherwise,
confirmation of whether or not the data controller has data relating to
him;
b) to have communicated to him, data relating to him
within a reasonable time;
at a charge, if any, that is not excessive;
in a reasonable manner; and
in a form that is readily intelligible to him;
c) to be given reasons if a request made under
subparagraphs (a) and (b) is denied, and to be able to challenge such
denial; and
d) to challenge data relating to him and, if the
challenge is successful to have the data erased, rectified, completed or
amended.
8. Accountability Principle
A data controller should be accountable for complying
with measures which give effect to the principles stated above.
The United States has endorsed the OECD Guidelines but
appears to be dithering in their implementation.
Since the EU is applying pressure, the US may also fall in
line in due course.
This will create pressure on India as well, since one of the
essential features of the law would be to prevent the flow of data to
non-complying countries, and such a provision, when implemented, may result in
a loss of "Data Processing" business to some of the Indian companies.
In framing the laws in this regard, the data protection
right of an individual may have to be balanced with the requirement of the law
enforcement authorities who are demanding recording of every move that a
Netizen makes on the net.
We are familiar with the level of interest of law
enforcement authorities in India in monitoring electronic transactions, as
expressed in the demand of the Mumbai police that every visitor to a cyber
cafe needs to be identified through a photo-ID card and monitored.
As long as India is a country affected by terrorism of the
kind we are presently facing, it will be difficult to pass any strict privacy
laws in the country. Rather, POTA will ensure that information can be
extracted forcibly if the authorities think it is necessary in the interest of
the country.
Interception rights are already available in ITA-2000 and
will also be retained by authorities in the forthcoming legislation on
Communication Convergence.
In this scenario, the Government has to tread carefully in
enacting data protection laws. If it becomes necessary, the laws should be
passed without jeopardizing the interests of the law enforcement authorities.
Naavi
May 24, 2002