Of Data Protection, Privacy and Compliance

DQI Bureau

Privacy law in its present form, with data protection legislation on the lines of the EU model, is the norm for any business in the Internet economy. Compliance with privacy law is of great practical relevance for any company doing business in today’s global information economy. It is important that organisations understand privacy in online business and in the context of information management.

India has no data protection or privacy laws. Privacy has in most cases been interpreted as the right to be let alone, as enshrined in Article 21 of the Constitution of India (State of Madhya Pradesh, AIR 1975 SC 1378; R Rajagopal v. State of Tamil Nadu, the Bandit Queen case; People’s Union for Civil Liberties (PUCL) v. Union of India, MANU/SC/0234/2003). Beyond this sort of unlawful invasion of privacy, however, there is no recourse against private parties.

Data Transfers and the IT Enabled Services Sector

Over recent years there has been a considerable amount of publicity regarding data protection legislation in Europe. Both individuals and companies should be concerned about how the legal rules on the holding of information might apply to them. The issue can be seen from three perspectives: that of the individual whose data is held, that of the commercial organisation holding the data, and the impact on both of the widespread development of computer use and of the Internet.

Data storage and privacy: The EU way

1. Personal data shall be processed fairly and lawfully.
2. It must be obtained only for one or more specific and lawful purposes, and shall not be further processed in any manner incompatible with that purpose.
3. The data held must be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
4. It must be accurate and, where necessary, kept up to date.
5. It must not be kept for longer than is necessary for the purposes for which it was obtained.
6. It must be processed in accordance with the rights of data subjects under the Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred outside the European Economic Area unless the recipient provides an adequate level of protection (equivalent to the data protection principles within the European Union).

These days it would be difficult to envisage a commercial venture, whether new or existing, which did not use computers for its everyday activities. This inevitably involves the storage of data about its own employees, its existing clients or its customers. The definition of "personal data" under present European data protection legislation (as envisaged by the EC Data Protection Directive 1995) is wide enough to cover practically any information held about an individual.

This is because even the simplest information, such as a name associated with a terrestrial address, will constitute personal data for the purposes of the legislation.

Holding such personal data requires the organisation in question to obtain registration with the data protection registrar and to provide specific details of the purposes for which the data is held. This obligation is supported by criminal sanctions if registration has not been obtained or if, following registration, the data held is not held and used in accordance with the eight principles laid down under the legislation.

At any given point of time, any company will hold a considerable amount of data that has to be handled lawfully. That data must, therefore, be held in such a way that all the requirements of the legislation are complied with. For sensitive data, such as credit ratings or personal medical information, it is imperative that its confidentiality is preserved and that explicit consent has been obtained to store and use the data.

Special rules allow data to be processed if this is necessary in connection with legal proceedings. The application of this principle is relatively clear as regards the rights and duties of law enforcement agencies, but not necessarily quite so clear when the issue arises regarding, for example, the use by an insurer of sensitive personal data about its insured.

Regretfully, the Indian legislation does not provide any guidance as to what is meant by the word "lawful" in the context of data processing. An essential prerequisite for the processing of personal data is that the data subject has given consent to the processing. That consent must be informed and unequivocal. The data subject is entitled to ask to see what is held and, where appropriate, can insist on incorrect information being amended. It is important to recognise that if a request to supply data is not adequately fulfilled, the data holder may be the subject of a criminal prosecution under the legislation.

One of the fundamental consequences of the development of the Internet is that national boundaries are far easier to cross. It is not unusual for Internet trading sites to carry personal data about customers, and there is a risk that the personal data might, albeit innocently and inadvertently, move outside the confines of the country. This is potentially a major problem for data users. For example, under the European Union's Data Protection Act, no personal data can be exported anywhere outside the European Union unless it is sent to a jurisdiction with equivalent legislative protection for data or unless it is subject to express confidentiality provisions. So data 'exported' to BPO operations in India is governed by a contract structured in terms relating to European law.

Model Data Protection Clauses

As India does not have a statutory data protection law, the European Privacy Commissioner’s office recommends that the model contractual clauses proposed by the European Union Commission be adopted so as to create a presumption of adequacy. However, the use of contractual safeguards has not been completely satisfactory, and for this reason there is increasing pressure to create binding rules on data transfer. At present, companies governed by a Seventh Principle type contract can transfer data to their Indian subsidiaries. The proposals set out in corporate rules on data protection are suggestions only and have no effect at present.

Since there are no foreign equity caps applicable to companies engaging in data processing, the next issue is whether or not governmental approvals have to be obtained in order for a foreign company to establish a captive outsourcing company. No prior approval is required, that is, the foreign company may avail of the "automatic route", provided that the foreign investor does not have a previous JV in India through an investment in shares or debentures, a technical collaboration or a trade mark agreement in the same or an allied field.

The general rule is that, if a foreign company has already entered into a JV agreement with an Indian outsourcing company, then it will have to obtain prior approval from the Foreign Investment Promotion Board (FIPB) in the Ministry of Industry before it can establish its own wholly-owned BPO subsidiary in India. Moreover, the foreign investor will have to provide a no objection certificate (NoC) from the earlier Indian joint venture company to the FIPB before the approval will be granted. The same NoC and prior approval requirements apply if the foreign investor has entered into a technical collaboration with an Indian outsourcing company.

Rodney D Ryder is a consultant on trade and technology law.
