Considering the
recent developments, it is reasonable to expect that we shall soon be seeing a
"Data Protection Act of India" as a response to the Sting Operation of SUN.
Now it is time
for us to look at what such a "Data Protection Act" may contain and how it
will address the issues presently discussed.
Presently the
UK Data Protection Act is the model on which we can discuss the emerging
Indian Laws since it is the most comprehensive.
We may observe
that the UK act emerged more as a "Right to Protection of Privacy" of UK
citizens while we in India are discussing the issue from the point of view of
protection of data of BPO clients.
Keeping with
its origin the UK act talks about the "Privacy Rights of Individuals" and
proceeds to set up a system for its protection. It defines a "Data Controller"
who holds the information of the "Data Subject". It also defines what is
"personal data", "Sensitive personal data" etc. The "Data Controller" includes
the BPOs or Websites or other organizations which collect data for a specified
purpose and also process them and keep them in storage.
UK act also
defines certain punishments and a "Commissioner" and "Tribunal" to
implement the enforcement.
The Act also
covers the "Right to Information" of the individuals to a certain extent.
If we are
discussing a "Data Protection Act of India" we are therefore discussing first
"Right to Privacy of Indian Citizens", and then setting up an "Authority for
Data Protection" along with other aspects of what is "Data"? etc.
It should also address the obligations of ISPs and how they handled customer
information.
In this whole
gamut "Protection of Data of a Non Indian Citizens entrusted to an Indian BPO"
may not be a central point of focus.
On the other
hand the current discussion has been prompted only by the need to protect data
in the hands of the Indian BPOs though not of Indian Citizens.
In this
context, it is possible to look at a legislation for "BPO Regulation" without
any specific "Privacy Protection for Indian Citizens" or vice-versa.
India has been
a terrorist prone country and the depth to which privacy rights can be
protected here is far less than in UK. Also the level of protection for
personal information in the hands of the Government is perhaps far less than
desirable. In such a situation, the law may try to provide more controls and
less obligations to the Government. it may address only issues of data in the
hands of "Non Government Agencies".
The human
rights activists will therefore be not happy with such laws that do not
provide any protection to the individuals beyond what is presently available
as a presumption under the Constitutional rights.
In case we
draft a "Data Protection Act", it is therefore unlikely to be welcome by the
human rights activists.
In case the law
is properly drafted and is non discriminatory between Indian Citizens and
foreigners, between private sector and the Government, then the Government
will be under extreme pressure to meet the standards and will be a defaulter
itself.
In this
context, it is necessary for the Government to either go the entire distance
and provide full privacy protection for Indian Citizens through this law, or
to think of addressing the present issue as a problem of the BPO industry and
look for setting up a "BPO Regulatory Authority" or more appropriately, a "BPO
Development Authority" and let such an agency address the security issues that
have become a center of controversy.
Such an
approach will be more flexible and easy on legislation. It can also ensure a
public private partnership in policy formulation in the form of "Guidelines"
that can be kept in tune with the developments.
(Comments
welcome)
Naavi
July 1, 2005
Related Article/Information:
UK Data
Protection Act
Data
Protection Act..Time to Debate..
Data
Protection Laws in India
Victory
for Media Pressure
Beware
of Abuse of Law!!
Media
Disinformation on Data Protection Laws in India
India
Has A Robust Data Protection Law !
