
Of Data Protection, Privacy and Compliance

DQI Bureau

Privacy law in its present form, with data protection legislation on the lines
of the EU model, is the norm for any business in the Internet economy.
Compliance with privacy law is of great practical relevance for any company
doing business in today's global information economy. It is important that
organisations understand privacy both in online business and in the context of
information management.


India has no data protection or privacy laws. Privacy has in most cases been
interpreted by the courts as the right to be let alone, read into Article 21 of
the Constitution of India (Gobind v. State of Madhya Pradesh, AIR 1975 SC 1378;
R Rajagopal v. State of Tamil Nadu, the Bandit Queen case; People's Union for
Civil Liberties (PUCL) v. Union of India, MANU/SC/0234/2003). However, beyond
this constitutional remedy against unlawful invasion of privacy by the State,
there is no recourse against private parties.

Data Transfers and the IT Enabled Services Sector

In recent years there has been a considerable amount of publicity regarding
data protection legislation in Europe. Both individuals and companies should be
concerned about how the legal rules regarding the holding of information might
apply to them. There are three perspectives from which the issue can be seen:
the first is that of the individual whose data is held, the second is that of
the commercial organisation holding the data, and the third is the impact of
the widespread development of computer use and of the Internet on the first
two.

Data storage and privacy: The EU way

The eight data protection principles are:

1. Personal data shall be processed fairly and lawfully.

2. It must be obtained only for one or more specific and lawful purposes, and
shall not be further processed in any manner incompatible with that purpose.

3. The data held must be adequate, relevant and not excessive in relation to
the purpose or purposes for which it is processed.

4. It must be accurate and, where necessary, kept up to date.

5. It must not be kept for longer than is necessary for the purposes for which
it was obtained.

6. It must be processed in accordance with the rights of data subjects under
the Act.

7. Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against accidental
loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred outside the European Economic Area
unless the recipient provides an adequate level of protection (equivalent to
the data protection principles within the European Union).

These days it would be difficult to envisage a commercial venture, whether new
or existing, which did not use computers for its everyday activities. This
inevitably involves the storage of data about its own employees, its clients or
its customers. The definition of "personal data" under present European data
protection legislation (as envisaged by the EC Data Protection Directive of
1995) is wide enough to cover practically any information held about an
individual.

This is because even the simplest information, such as a name associated with a
postal address, will constitute personal data for the purposes of the
legislation.

Holding such personal data requires the organisation in question to register
with the data protection registrar and to provide specific details of the
purposes for which the data is held. This obligation is backed by criminal
sanctions if registration has not been obtained or if, following registration,
the data is not held and used in accordance with the eight principles laid down
under the legislation.


At any given point in time, any company will hold a considerable amount of data
that has to be handled lawfully. That data must, therefore, be held in such a
way that all the requirements of the legislation are complied with. For
sensitive data such as credit ratings or personal medical information, it is
imperative that its confidentiality is preserved and that explicit consent has
been obtained to store and use the data.

Special rules allow data to be processed where this is necessary in connection
with legal proceedings. The application of this principle is relatively clear
as regards the rights and duties of law enforcement agencies, but not
necessarily so clear when the issue arises regarding, for example, the use by
an insurer of sensitive personal data about its insured.

Regrettably, the legislation does not provide any guidance as to what is meant
by the word "lawful" in the context of data processing. An essential
prerequisite for the processing of personal data is that the data subject has
given consent to the processing. That consent must be informed and unequivocal.
The data subject is entitled to ask to see what is held and, where appropriate,
can insist on incorrect information being amended. It is important to recognise
that if a request to supply data is not adequately fulfilled, the data holder
may be the subject of a criminal prosecution under the legislation.


One of the fundamental consequences of the development of the Internet is that
national boundaries are far easier to cross. It is not unusual for Internet
trading sites to carry personal data about customers, and there is a risk that
the personal data might, albeit innocently and inadvertently, move outside the
confines of the country. This is potentially a major problem for data users.
For example, under European data protection legislation, no personal data can
be exported anywhere outside the European Union unless it is sent to a
jurisdiction with equivalent legislative protection for data or unless it is
subject to express confidentiality provisions. So data 'exported' to BPO
operations in India is governed by a contract structured in terms relating to
European law.

Model Data Protection Clauses

As India does not have a statutory data protection law, the European privacy
commissioners recommend that the model contractual clauses proposed by the
European Commission be adopted so as to create a presumption of adequacy.
However, the use of contractual safeguards has not been completely
satisfactory, and for this reason there is increasing pressure to create
binding rules on data transfer. At present, companies governed by a Seventh
Principle type contract can transfer data to their Indian subsidiaries. The
proposals for binding corporate rules on data protection remain suggestions
which do not have effect at present.

There are no foreign equity caps applicable to companies engaging in data
processing. The next issue is whether or not governmental approvals have to be
obtained in order for a foreign company to establish a captive outsourcing
company. No prior approval is required; that is, the foreign company may avail
of the "automatic route", provided that the foreign investor does not
have a previous JV in India through an investment in shares or debentures, a
technical collaboration or a trade mark agreement in the same or an allied
field.


The general rule is that, if a foreign company has already entered into a JV
agreement with an Indian outsourcing company, it will have to obtain prior
approval from the Foreign Investment Promotion Board (FIPB) in the Ministry of
Industry before it can establish its own wholly-owned BPO subsidiary in India.
Moreover, the foreign investor will have to provide a no objection certificate
(NOC) from the earlier Indian joint venture company to the FIPB before the
approval will be granted. The same NOC and prior approval requirements apply if
the foreign investor has entered into a technical collaboration with an Indian
outsourcing company.

Rodney D Ryder is a consultant on trade
and technology law.
