.

 

In recent days there has been an increased concern in India about the impact of data protection laws enacted by other countries.

Without hesitation, the EU is the centre of interest in these laws and the EU guideline has even rattled the USA. According to the guidelines, EU countries will cease to part with data which are considered the subject matter of protection to any third country unless they adhere to similar laws.

There are commercial interests involved in implementing the guidelines as envisaged by EU and the US appears to be avoiding a law on the subject and preferring to let it be handled through self regulation.

US has however passed the HIPAA (Health Insurance Portability and Accountability Act of 1996) which provides protection for health information of individuals online.

A recent study has found that more than 40 countries around the world have enacted, or are preparing to enact, laws that protect the privacy and integrity of personal consumer data.

India is not however one amongst them. Some time back, NASSCOM did take some initiatives to push through a drafting exercise but it appears that the exercise has not been pursued further.

The EU guidelines are an out come of the OECD guidelines of 1980 which has listed eight broad principles to be adhered in protecting personal information of the citizens of the country.

They are,

1. Collection Limitation Principle

There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

2. Data Quality Principle

Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

3. Purpose Specification Principle

The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

4. Use Limitation Principle

Personal data should not be disclosed, made available or otherwise used  except:

a) with the consent of the data subject; or

b) by the authority of law.

5. Security Safeguards Principle

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

6. Openness Principle

There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

7. Individual Participation Principle

An individual should have the right:

a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;

b) to have communicated to him, data relating to him

within a reasonable time;

at a charge, if any, that is not excessive;

in a reasonable manner; and

in a form that is readily intelligible to him;

c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and

d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.

8. Accountability Principle

A data controller should be accountable for complying with measures which give effect to the principles stated above.

The United States has endorsed the OECD Guidelines but appear to be dithering in its implementation.

Since the EU is applying pressure, the US may also fall in line in due course.

This will create a pressure on India also since one of the essential features of the law would be to prevent the flow of data to non complying countries and such a provision when implemented  may result in a loss of "Data Processing" business to some of the Indian companies.

In framing the laws in this regard, the data protection right of an individual may have to be balanced with the requirement of the law enforcement authorities who are demanding recording of every move that a Netizen makes on the net.

We are familiar with the level of interest of law enforcement authorities in India to monitor electronic transactions as expressed in the demand of the Mumbai police that every visitor to a Cyber cafe needs to be identified through  a photo-ID card and monitored.

As long as India is a country affected by terrorism of the kind we are presently facing, it will be difficult to pass any strict privacy laws in the country. Rather the POTA will ensure that information can be extracted forcibly if the authorities think it is necessary in the interest of the country.

Interception rights are already available in ITA-2000 and  will also be retained by authorities in the forthcoming legislation on Communication Convergence.

In this scenario, the Government has to tread carefully in enacting data protection laws. If it becomes necessary, the laws should be passed without jeopardizing the interests of the law enforcement authorities.

Naavi

 May 24, 2002

Related Articles:

Survey on Privacy Laws

Your Views can be sent here

.