ISSN 2455-4782

17 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

DATA PROTECTION: A GLOBAL SCENARIO [FULFILLING UNMET

NEEDS SINCE AGES OR AN EMERGING THREAT TO PRIVACY?]

Authored by: Kavya Lalchandani*

* 2nd Year BBA LLB Student, National Law University Odisha

______________________________________________________________________________

ABSTRACT

Privacy is what individuals view as independence. The developed nations had realised the

importance of data protection long before the developing nations and devised their laws

accordingly. This article is an exploratory one which covers the laws of data protection in various

International forums and with examples of developing countries like Brazil, Mexico and India. It

specifically focuses on scenario of India after Right to Privacy was declared as a fundamental

right under Article 21, Constitution of India, 1950 in 2017. It is also pertinent for one to take a

note of disputed Aadhaar scheme and analyse its implications in the Indian context.

“Wherever the real power in a Government lies, there is the danger of oppression. In our

Governments, the real power lies in the majority of the Community, and the invasion of private

rights is chiefly to be apprehended, not from the acts of Government contrary to the sense of its

constituents, but from acts in which the Government is the mere instrument of the major number

of the constituents.” ― James Madison1

1James Madison, Letters and Other Writings of James Madison, Vol 3.

ISSN 2455-4782

18 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

INTRODUCTION

Right to Privacy is not a new concept which is emerging in the twenty-first century but is a concept

which has been under reform in the present century. This is because the world is getting more

technologically advanced due to globalization and continuous development in Information

Technology has and is taking place over the years. One of the few essential aspects of privacy is

data protection. While in most of the developed countries, privacy has been recognized as a

fundamental right2, some of the developing countries are yet to join the league.

Black Law’s Dictionary defines ‘Right to Privacy’ as right to personal autonomy and right of a

person and person’s property to be free from unwarranted public scrutiny or exposure.3

Since the most technological advancements are taking place in the developing countries, this

article analyses how the laws of such countries are ready or not equipped enough to absorb such

advancements. This article will also talk about the provisions that the United Nations incorporates

with regards to Privacy and Data Protection across borders. Various regional and state

organisations have also been discussed with their data protection laws like EU, AU and APEC.

Developing countries like Mexico, Brazil in detail with special reference and elaborate description

of privacy laws in India have also been discussed.

DEFINING AND CONCEPTUALISING PRIVACY

Different authors have different approach and definitions for privacy. While none of them is a

guaranteed or correct definition of the right, these definitions give us different perspectives of this

right. Some authors have tried to define privacy while some are of the view that privacy is as

complex as a subject that it cannot be explained or defined and some even criticize the concept.

This leads us to the subjective approaches towards ‘Privacy’.

2 Garner, Black Law’s Dictionary, (10thedn Thomson Reuters 2014) 786. A right derived from natural or

fundamental law; a significant component of liberty, encroachments of which are rigorously tested by Courts to

ascertain soundness of purported governmental justifications. 3 Garner, Black Law’s Dictionary, (10thedn Thomson Reuters 2014) 1521.

ISSN 2455-4782

19 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

William M. Beany opined that “even the most strenuous advocate of a right to privacy must confess

that there are serious problems of defining the essence and scope of this right.”4 So, he believed

that privacy cannot be understood in its true meaning.

Daniel J. Solove believed that Privacy can be covered under 6 headings viz. “the right to be let

alone, limited access to self, secrecy; control over personal information; personhood; intimacy”.5

This definition has attracted a lot of criticism for being too narrow and too wide at the same time.

According to John Reidenberg, privacy is about balancing the protection of fundamental rights

and reasonable flow of information.6

Amitai Etzioni is the one who criticised the concept and believed that there exists a balance

between social responsibilities and individual rights as it exists for common good and the best way

to curtail the governmental control in private life is to have less privacy.7

INTERNATIONAL ORGANISATIONS AND PRIVACY

The issue of privacy is not just restricted to municipal laws or individual state laws but are felt

globally across the borders. Various forums and conventions like the United Nations (UN),

Organisation for Economic Co-operation and Development (OECD), APEC (Asia-Pacific

Economic Co-operation), European Convention on Human Rights (ECHR), United Nations

Human Rights Convention (UDHRC) through Office of the High Commissioner of Human

Rights(OHCHR) and United Nations Conference on Trade and Development (UNCTAD).

4 William M. Beany, The Right to Privacy and American Law (31 L. & Contemp. Probs. 1996) 253-255. 5Daniel J. Solove, Conceptualizing Privacy (90 Cal. L. Rev. 2002) 1087. 6 Joel R. Reidenberg, Resolving Conflicting International Data Privacy Rules in Cyberspace (52 Stan L. Rev. 2000)

1315. 7 Amitai Etzioni, The Limits of Privacy (1999).

ISSN 2455-4782

20 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

ORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT (OECD)

PRIVACY GUIDELINES

It lays down principles for ‘National Implementation’ and ‘International Co-operation’. The

‘OECD Guidelines on the Protection of Privacy and Trans border Flows of Personal Data’ lay

down 8 principles of National Implementation.8These guidelines were the first set of guidelines

that were published in September 1980.

These Principles are:

Collection Limitation Principle

Data Quality Principle

Purpose Specification Principle

Use Limitation Principle

Security Safeguards Principle

Openness Principle

Individual Participation Principle

Accountability Principle

The International Co-operation calls for the member countries to keep the laws relating to privacy

and data protection simple and compatible with other member states, help in sharing of

information, assist in investigation of matters and strive to develop domestic and trans-border laws

with regards to privacy.9

These guidelines are not binding on the member states but have been adopted in the municipal

laws of the states and are being followed by them. These guidelines apply to ‘personal data’ which

has been defined by OECD as “any information relating to an identified or identifiable individual

(data subject).”10

8‘OECD Guidelines on the Protection of Privacy and Transborder flows of personal data’

<http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm

#part2> accessed 20th December 2017. 9Ibid<http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata

.htm#part5> accessed 20 December 2017. 10Ibid.<http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonalda

ta.htm#part1> accessed 20 December 2017.

ISSN 2455-4782

21 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

In 2013, the first update to these guidelines was notified by OECD which concentrated on two key

issues, risk management and improved interoperability. The concepts that came into the picture

are: National Privacy Strategy, Privacy Management Programs and Data Security Breach

Notification.11 The OECD is continuously trying to come up with an improved set of guidelines

and is currently working on it.

ASIA-PACIFIC ECONOMIC COOPERATION (APEC)

APEC consists of 21 nations in the Pacific Region and has its own privacy framework which was

released in December, 2005. It is applicable to the member states and their trade partners.

The policymakers of APEC realized that if the information system is not secure and consumers

fear making online transactions then the full potential of the economy will not be realized in the

global arena. Therefore, it provides for a flexible framework to information privacy protection and

avoids creation of unnecessary barriers in the APEC economies.12

The OECD 1980s ‘Guidelines’ form the basis for formulation of principles that govern the APEC

framework with its main focus on privacy of information in trade.

The following Privacy Principles were formulated in the Part III of the APEC Privacy

Framework13:

Preventing harm that may be caused through misuse of information.

Notice to the individual so that he or she is aware of what information is being collected

and why.

Collection Limitation ensures that the information collected is relevant for the purpose

for which such information was collected.

Personal Information Collected involves transfer or disclosure of information only for

the purposes relevant for the collection and allied purposes.

Choice should be provided to the consumer or the customer wherever possible for better

options in relation of collection and usage of their personal information.

11Ibid. 12‘APEC Privacy Framework’<https://www.apec.org/Publications/2005/12/APEC-Privacy-Framework>accessed 23

December 2017. 13Ibid.

ISSN 2455-4782

22 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

Integrity of personal information should be ensured by keeping the information, which

is useful, up-to-date.

Security Safeguards should apply to the people who are in possession of such information

which include protection from data theft and unauthorised use of data which should be

reassessed from time to time and appropriate actions should be taken taking the sensitivity

of data into consideration.

The opportunity of Access and Correction should be available to all individuals whose

information is held by the controller.

Accountability, like in OECD, the controller and holder of such information should be

able to answer to the individual for not complying with the above-mentioned principles.

It provides for similar implementation strategies both at national and international level.

At national level it includes: “Maximizing benefits of privacy protections and Information flows,

giving effect to the APEC Privacy Framework, Educating and publicizing domestic privacy

protections, Cooperation between the public and private Sectors, providing for appropriate

remedies in situations where privacy protections are violated, Mechanism for Reporting Domestic

Implementation of the APEC Privacy Framework.”14

At an International level implementation tasks include: “Information sharing among member

economies, Cross-border cooperation in Investigation and Enforcement, Cooperative development

of Cross-border Privacy Rules.”15

In 2011, APEC countries devised a system of CBPRs (Cross Border Privacy Rules System) for

making the APEC Privacy Framework operative on an International level. For achieving

accountability, it would take the help of both government agencies and private bodies.16Currently

five countries are a part of CBPRs: USA, Japan, Canada, Mexico, and Republic of Korea. It has 4

main criteria for the businesses:

Recognition Criteria for Organisations

14‘APEC Privacy Framework’ <https://www.apec.org/Publications/2005/12/APEC-Privacy-Framework,PartIV>

accessed 23 December 2017. 15Ibid. 16 Information Privacy Law, Solove Sschwartz, 3rd Edn, Aspen Publishers, Page 1067, Privacy Protection in Asia-

Pacific

ISSN 2455-4782

23 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

Intake Questionnaire for Organisations

Assessment Criteria for Joint Oversight Panel to process the questionnaire (certified

Accountability Agents). Accountability Agents are independent APEC CBPRs agents.

Regulatory Co-operative Arrangement for ensuring enforcement by participating APEC

economies.17

Under CBPRs, another concept known as the ‘Privacy Recognition for Processors’ was developed

due to the narrow application of the APEC’s Privacy framework only on controllers. For reliability

of processors, it was necessary for the controller to have the requisite accountable processors with

whom they could contract with. PRPs or Privacy Recognition for Processors lists down the basic

criteria to be met in order to be recognized by the Accountability Agent and highlights processors’

privacy policies.18

EUROPEAN CONVENTION ON HUMAN RIGHTS (ECHR)

Soon after Universal Declaration of Human Right (UDHR) came in to force, ECHR was adopted.

European Commission of Human Rights, European Court on Human Rights and the council of

ministers play a key role in implementation of the provisions of the Convention.

European Courts are the key in enforcing the rights especially when it comes to human rights. The

role of courts towards the society has been highlighted in various judgements. In Jeronovičs v.

Latvia, the court went on to say that “the Court’s rulings serve not only to decide those cases

brought before it but, more generally, to elucidate, safeguard and develop the rules instituted by

the Convention, thereby contributing to the observance by the States of the engagements

undertaken by them as Contracting Parties. Although the primary purpose of the Convention

system is to provide individual relief, its mission is also to determine issues on public-policy

grounds in the common interest, thereby raising the general standards of protection of human

17Available at http://cbprs.org/GeneralPages/About.aspx (last accessed on 26/2/2018) 18‘APEC Privacy Recognition for Processors (“PRP”), Purpose and Background’,

<http://www.cbprs.org/generalpages/apeccbprsystemdocuments.aspx> accessed 30 December 2017.

ISSN 2455-4782

24 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

rights and extending human rights jurisprudence throughout the community of the Convention

States.”19

There are various articles that deal with the issue of human rights but for the purposes of this article

only Article 8 which is concerned with Privacy will be discussed.

Article 8 deals with the “Right to Respect for Family and Private Life”. It states that “1. Everyone

has the right to respect for his private and family life, his home and his correspondence. 2. There

shall be no interference by a public authority with the exercise of this right except such as is in

accordance with the law and is necessary in a democratic society in the interests of national

security, public safety or the economic well-being of the country, for the prevention of disorder or

crime, for the protection of health or morals, or for the protection of the rights and freedoms of

others.”20

The Convention by virtue of Article 8, considers Right to Privacy as an important human right and

how other rights like prohibition of discrimination [Article 14, ECHR], right to life [Article 2] and

others are related to it.

The four types of subjects stated in the Article against which the rights can be claimed are one’s

own private life, family life, home and correspondence. It further lists down exception only in case

of public interests.

It entrusts the state and private individuals or entities with both the negative obligation of

abstaining from carrying out any act which arbitrarily infringes the privacy of anyone in context

of the four interests stated above and with a positive obligation considering the intensity and degree

of infringement. It depends on the fundamental principle, values and morals. It also impliedly

imposes an obligation on the State to make sure that the citizens’ right is not interfered with

arbitrarily by itself or by any other individual.

19Jeronovičs v Latvia[GC], App no. 44898/10, § 109 (ECHR 2016) 20 European Convention on Human Rights 1950, art 8.

ISSN 2455-4782

25 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

UNHRC (UNITED NATIONS HUMAN RIGHTS COMMISSION) AND

INTERNATIONAL COVENANT ON CIVIL AND POLITICAL RIGHTS (ICCPR)

We have already seen that Right to Privacy is and should be a fundamental right of every person

but the question is, is it also a human right? And if it is, then its violation will be considered as

violation of human rights.

The advancement of technology was noted by the UN OHCHR [United Nations Office of High

Commissioner of Human Rights] and it seemed to be a matter of great concern that there might be

a lot of disruptions and interceptions on human rights due to this reason.Soe of the biggest

technological advancement with risks are the growth in Business Process Outsourcing sectors

(BPO) and ITES (Information Technology Services) and it has led to a lot of apprehension of both

internal and cross border misuse of personal data.

It is pertinent to note that Article 12 of the Universal Declaration of Human Rights (UDHR) and

Article 17 of the International Covenant on Civil and Political Rights (ICCPR) categorically state

that “No one shall be subjected to arbitrary interference with his privacy, family, home or

correspondence, or to attacks upon his honour and reputation. Everyone has the right to the

protection of the law against such interference or attacks.”21

In 2013, the UN General Assembly called upon the state parties to respect and devise stringent

laws with regard to protection of privacy of personal data of a person. State Surveillance must

safeguard the Right to Privacy.22

Some nations which are developing are trying to develop the mechanism of safe data transfers both

internally and cross borders as they are expanding their operations, while some countries have

localised data transfers and have imposed restriction on transfer data abroad like Russian

Federation.

The UNCTAD publishes reports on privacy both at national and international level every year and

lays down significant legislations around the world.

21Universal Declaration on Human Rights 1948, art 12; The International Covenant on Civil and Political Rights

1966, art 17 22‘A Human Rights Based Approach to Data Protection’

<http://www.ohchr.org/EN/Issues/DigitalAge/Pages/DigitalAgeIndex.aspx> accessed 1January 2018.

ISSN 2455-4782

26 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

THE COUNCIL OF EUROPE CONVENTION 108

While there are a plethora of non- binding Data Protection Regulations, the Convention 108 or

Council of Europe Data Protection Convention of 1981 is a binding international agreement and

also the most accepted one. When it comes to data protection, measures on a national level both;

OECD and Convention 108 act as the basis for forming the guidelines.

The Convention in the first place was only for European Countries several non-European countries

are its members and more are soon to join. All the members except Turkey have ratified the

Convention.

After the Lisbon Treaty came into force in 2009, data protection was guaranteed as a fundamental

right to the citizens under the treaty. The Article 16 reads as: “I. Everyone has the right to the

protection of personal data concerning him or her. II Such data must be processed fairly for

specified purposes and on the basis of the consent of the person concerned or some other legitimate

basis laid down by law. Everyone has the right of access to data which has been collected

concerning him or her, and the right to have it rectified. III. Compliance with these rules shall be

subject to control by an independent authority.”23

The first non-European country to become party to the Convention was Uruguay in August

2013.24Recently, Mauritius is looking forward to be a part of the Convention while Tunisia just

became a member and ratified the Convention in May 2017.It is the only international agreement

that is binding on its signatories.25

EU DIRECTIVE PROTECTION DIRECTIVE

The EU Directive came into force on 1995 which governs data protection laws of the members of

EU. The Directive creates a system of rights and obligation. The Directive is sought to impose

obligations on processors of personal data and deals with security and accountability issues and

when it comes to giving a right, the individuals have the right to regulate the manner in which the

information provided by them or of them may be utilized.

23 Lisbon Treaty 2009, art 16 24J.-Ph. Walter Chair of the T-PD Deputy Commissioner,The role of Convention 108 in the international

cooperation, Federal Data Protection and Information Commissioner, Switzerland 25‘Tunisia ratifies Convention 108 and affirms commitment to the protection of personal data’, 17 May

2017<https://www.accessnow.org/tunisia-ratifies-convention-108-affirms-commitment-protection-personal-data/>

accessed 2 January 2018

ISSN 2455-4782

27 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

Article 1 defines the objective of the directive which is; “1. In accordance with this Directive,

Member States shall protect the fundamental rights and freedoms of natural persons, and in

particular their right to privacy, with respect to the processing of personal data.

2. Member States shall neither restrict nor prohibit the free flow of personal data between Member

States for reasons connected with the protection afforded under paragraph 1.”26

The scope of the directive as set out in Article 3 deals with collection of data through automatic

means or non-automatic means through filing system. It operates only where the EU Community

Law is in force and not beyond those boundaries. Right of Access to data and Right to Object on

legitimate grounds are given under Article 12 and Article 14 respectively.

The main provision which deals with this area is Article 25. Article 25(1) state that EU members

can transfer their personal data to other countries only when they have proper mechanisms of data

protection in place. Article 25(6) is extension of Clause 1 in the sense that it lists down what are

the criteria that are to be met by the receiver country of the personal information. According to

UNCTAD Report, only following countries have been able to meet the criteria and are approved

for transfer of information viz. Canada, Switzerland, Argentina, Andorra, Faeroe Islands, Isle of

Man, Israel, Jersey, New Zealand and Uruguay.

Article 26(2) allows the transfer of data where the “controller adduces adequate safeguards with

respect to the protection of the privacy and fundamental rights and freedoms of individuals and as

regards the exercise of the corresponding rights; such safeguards may in particular result from

appropriate contractual clauses.”27

Because of the openness of the principles in the Convention, it has gained a wide acceptance

among the nations across the world. It is soon to get replaced by EU General Data

Protection Regulation (GDPR) in May 2018. It is “designed to harmonize data privacy laws across

Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations

across the region approach data privacy.”28

26 European Union Directive on Data Protection 1995, art 1 27European Union Directive on Data Protection 1995, art 26(2) 28‘GDPR Enforcement’ <https://www.eugdpr.org/> accessed 2 January 2018

ISSN 2455-4782

28 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

PRINCIPLES IN DATA PROTECTION ACT, 1998

The EU law on data protection is perhaps the most comprehensive one and it sets as an example

for other states to strengthen their data protection laws. For instance, Article 10 of the Data

Protection Act relates to obtaining data from the data subject (the person to which the data or

information belongs to)29 while Article 11 deals with obtaining data about the data subject form a

third party.30

Perhaps, the most important lesson that can be learnt is the set of 8 data protection principles as

given in Schedule 1 of the Act and Schedule 231 of the Act sets out the minimum standards for

data protection to be followed.

Schedule 1 enumerates following principles:

“Personal data shall be processed fairly and lawfully and, in particular, shall not be

processed unless at least one of the conditions in Schedule 2 is met and in the case of

sensitive personal data, at least one of the conditions set out in Schedule 3 or either of the

two Statutory Instruments below is met.

Personal data shall be obtained only for one or more specified and lawful purposes, and

shall not be further processed in any manner incompatible with that purpose or those

purposes.

Personal data shall be adequate, relevant and not excessive in relation to the purpose or

purposes for which they are processed.

Personal data shall be accurate and, where necessary, kept up to date.

Personal data processed for any purpose or purposes shall not be kept for longer than is

necessary for that purpose or those purposes.

Personal data shall be processed in accordance with the rights of data subjects under this

Act.

Appropriate technical and organisational measures shall be taken against unauthorised or

unlawful processing of personal data and against accidental loss or destruction of, or

damage to, personal data.

29 Data Protection Act 1998, art 10 30 Data Protection Act 1998, art 11 31 Data Protection Act 1998, schedule 2

ISSN 2455-4782

29 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

Personal data shall not be transferred to a country or territory outside the European

Economic Area, unless that country or territory ensures an adequate level of protection for

the rights and freedoms of data subjects in relation to the processing of personal data.”32

THE EU BINDING CORPORATE RULES (BCRS)

The inter corporate transfers in EU are governed by Binding Corporate Rules (BCRs) which were

initially only concerned with the EU members but are so significant and accurate that companies

from around the world are adopting this mechanism. It is a set of specialized rules which govern

the transfer of personal data by huge corporate.

AFRICAN UNION

The African Union (AU) consists of a high-profile membership of 54-member states. The most

recent development with respect to cyber laws is the adoption of “African Union Convention

Cyber-Security and Personal Data (AU CCPDP) in mid-2014. It establishes both regional and

national framework for cyber-security. However, till 2016 there were no ratifications. Its extensive

framework of data protection laws is not going to bear any fruit because actual implementation

depends on the ratification but unfortunately there are none.

This is not the first initiative that AU has taken towards data protection. In 2011, the African Union

in collaboration with UN Economic Commission for Africa was determined to establish a credible

legal framework. It faced the similar problem of adoption by the member states still persists. The

‘AU Convention on Cyber Security and Personal Data Protection’ was adopted finally in 2014.33

It is a binding Convention. Later in the section of ‘National Laws’ for data protection Tanzania

and Nigeria will be dealt in detail with regards to their data protection framework.

There are various regional initiatives within Africa that aim to achieve data protection of their

member states. Two such regional initiatives are Economic Community of West African States

(ECOWAS) Supplementary Act and East African Communities Framework for Cyber Laws.

32 ‘The eight data protection principles’ University of Edinburg, <https://www.ed.ac.uk/records-management/data-

protection/what-is-it/principles> accessed 30 December 2017 33 African Union Convention on Cyber Security and Personal Data Protection 2014,

<https://au.int/en/treaties/african-union-convention-cyber-security-and-personal-data-protection> accessed 3 January

2018

ISSN 2455-4782

30 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

ECOWAS Supplementary Act34 was launched in 2010 and is binding in nature. It urges the

member states to establish an authority for data protection and regulating the mechanism for data

protection. All the provisions are mandatory. ECOWAS has also launched ECOWAS Vision 2020

where technological advancement would be indispensable tool. In order to achieve that it is

pertinent for ECOWAS to properly implement the laws as there is a lot of scope of misuse of data

during this process.

East African Communities Framework for cyber laws which was adopted in 2010 again provides

for a regulatory mechanism for data protection but does not make any specific recommendations

but provide for future research and development in this area. It is non-binding in nature. Kenya,

Rwanda, Tanzania and Uganda (four out of five members of EAC) have adopted cyber laws for

data protection and consumer protection. The Draft Bills framed by Kenya and Uganda have still

not been made as the law but draw references from EAC Framework. Since EAC did not take

national issues in to consideration, the member states like Kenya and Uganda though have taken

references but have divergence from the main framework.

The problem in these member states is the lack of resources and combination of national and

regional laws and regional with international laws for a comprehensive framework.

DEVELOPING COUNTRIES

The problem of data protection is predominant in developing countries. This section of the article

discusses few important laws, bills, regulations that have taken place in developing countries like

Brazil, Mexico and India in the past decade. This section will be dealt with special and elaborate

reference to India.

BRAZIL

Brazil’s international obligation of maintaining a data protection law comes from the fact that it

has ratified the ICCPR. Article 5 of the Federal Constitution of Brazil, 1988 gives to its citizens

the ‘Right to Privacy’. Article 5(X) states that “the privacy, private life, honour and image of

34ECOWAS, Supplementary Act A/SA.1/01/10 on Personal Data Protection

ISSN 2455-4782

31 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

persons are inviolable, and the right to compensation for property or moral damages resulting

from their violation is ensured”35

‘The Data Privacy Framework’ of Brazil apart from Article 5 of the Federal Constitution also

includes, Brazil Civil Rights Framework concerned with Internet; the Consumer Protection Code,

1990 ; the Credit Information Law, 2011; the Access to Information Law which deals with those

kind of information of individuals that is available in the public domain, 2011 and the Civil Rights

Framework for the Internet, 2014; Compliant Debtors List Act, Tax Code which gives secrecy of

information in tax matters, Bank Secrecy Act which gives secrecy in Financial Institutions.

The Constitution also includes the concept of ‘habeas data’ where in the consumer or the

concerned individual can get to know what information is held about them by the holder and can

also correct the information if needed.

While there are numerous provisions of the Acts which deal with data protection only few of the

examples would be stated in the paper for the purposes of stating the scheme in brief. Article 43

of the Consumer Protection Code states various rights of the Consumers when the databases or

registries are made which includes ‘right to correct the errors’, ‘prior approval of the consumers

has to be taken before opening any file or record’, ‘the information of the consumer held has to be

true and reliable’.36

Article 11 of the Civil Rights Framework for the Internet (which is limited to online activity) that

any act of collection, storage or transfer of data that occurs in the Brazilian Territory should be

done in compliance with Brazilian laws and rights.37

Despite of so many regulations in place, a comprehensive framework for data protection was not

present until the Draft Bill for protection of personal data was introduced in 2011 known as the

Protection of Personal Data Bill, 2011. It draws a heavy inspiration from EU Data Protection

Directive.

‘Personal Data’ is defined under Article 5 to be “data related to the natural person identified or

identifiable, including from identification numbers, locational data or electronic identifiers”.38

35 Federal Constitution of Brazil 1988, art 5(X) 36 Consumer Protection Code, art 43 37 Civil Rights Framework for the Internet, Brazil 2014, art 11 38 Protection of Personal Data Bill, Brazil 2011 art. 5

ISSN 2455-4782

32 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

Article 6 lays down the general principles to be followed.39 The Bill is an exhaustive document

containing 9 chapters and 52 Articles.40

MEXICO

Mexico is a signatory to a number of International Agreements out of which Universal Declaration

of Human Rights (UDHR), International Pact of Civil and Political Rights (IPCPR) and American

Convention for Human Rights (ACHR) are of importance when it comes to Privacy.

Right to Privacy is recognized as a fundamental right in the Mexican Constitution. Article 16 of

the Mexican Constitution states that no one’s private and family life can be interfered with until

and unless there is written permission from a competent authority and any such interference shall

be properly justified.41 In 2009, a paragraph was added specifying the right to privacy. It reads as

follows: “Everyone has the right to enjoy protection of their personal data, and to access, correct

and cancel such data.

Everyone has the right to oppose disclosure of his data, according to the law. The law shall

establish exceptions to the criteria that rule the handling of data, due to national security reasons,

law and order, public security, public health, or protection of third party’s rights.”

Mexico is a part of several International Organisations of which APEC [Asia-Pacific Economic

Community and TPPA [Trans-Pacific Partnership Agreement]. By analogy, Mexico is a part of

and follows the APEC CBPRs.

The Mexican Penal Code also provides for some provisions penalizing the offenders in case of

privacy. Some of the enacting provisions are Articles 210, 211 And 214. While Article 210 and

211 state strict punishments against the offences of cybercrimes, Article 214prevents disclosure of

information that is held by government agencies.42

39 Protection of Personal Data Bill, Brazil 2011 art. 6 40‘Preliminary Draft Law for the Protection of Personal Data’<http://pensando.mj.gov.br/dadospessoais/texto-em-

debate/anteprojeto-de-lei-para-a-protecao-de-dados-pessoais/> accessed 3 January 2018 41 Constitution of Mexico 1917, art 16 42 Mexican Penal Code, art 210, 211 and 214

ISSN 2455-4782

33 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

The data protection framework, “Federal Law for the Protection of Personal Data in Control of

Private Persons” was established in 2010. The citizens are entrusted with ARCO Rights (Right to

Access, Rectify, Cancel and Object) under the Federal Personal Data Law.

Like the OECD guidelines, the International standards like consent, purpose, legitimacy and

accountability form the basis of enacting the law. The basic premise is the purpose of collecting

such information shall be clearly defined with the owners’ consent.

The Federal Institution for Access to Information and Data Protection in Mexico is the body which

regulated and guarantees rights with respect to access to data. The mission, vision and the goals of

the institution lays down the basic principles of access to information and data protection.43 It

relies heavily on principles of accountability and transparency and thus involves a lot of

international participation which further strengthens the system.

INAI currently is the President of the ‘Network of Institutions for Transparency, Ethics and

Integrity of Public Servants (Network for Integrity).’

Formerly, from 2010 to 2016 the institution has presided over Ibero-American Data Protection

Network and the Transparency and Access to Information Network (Latin America). It is also a

participant in following international networks are “Asia-Pacific Privacy Authority Forum

(APPA);International Conference of Data Protection and Privacy Authorities

(ICDPPC);International Conference of Information Commissioners (ICIC);Open Government

Partnership (OGP);Global Privacy Enforcement Network (GPEN);Latin American Association of

Archives (ALA);International Council of Archives (ICA);International Research on Permanent

Authentic Records in Electronic Systems (Inter PARES).”44

Mexico being a developed country is quite ahead of its time to adopt so many frameworks for data

protection, for making its economy an inclusive economy and strengthening its economic

structure.

43National Institute for Transparency, Access to Information and Personal Data Protection,

http://inicio.ifai.org.mx/SitePages/English_Section.aspx accessed 4 January 2018 44Ibid , International Projection

ISSN 2455-4782

34 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

INDIA

The Indian Constitution is the lengthiest Constitution in the World with exhaustive provisions. It

is divided in 25 parts out of which Part 3 is of utmost significance as it contains the fundamental

rights. Fundamental Rights form the part of the basic structure of the Indian Constitution and this

part cannot be interfered with even by the State.

Article 21 of the Indian Constitution enumerates the Right to life and personal liberty. Initially

there were two cases where Supreme Court of India had ruled that Right to Privacy is not a

fundamental right.

HISTORY OF RIGHT TO PRIVACY IN INDIA: A SAGA OF JUDGEMENTS

In M.P. Sharma v Satish Chandra45 that the power of search and seizure is not subject to Right

to Privacy and the Constitutional Makers did not intend to import the meaning from U.S.

Constitution Fourth Amendment.

In Kharak Singh v State of Uttar Pradesh46 the majority held that “The right of privacy is not a

guaranteed right under our Constitution, arid therefore the attempt to ascertain the movements of

an individual is merely a manner in which privacy is invaded and is not an infringement of a

fundamental right guaranteed in Part III.” However, Justice Subba Rao and Justice Shah dissented

and stated that Right to Privacy was an inevitable component of Right to life and Personal liberty

guaranteed under Article 21 of the Constitution. They also drew a comparison with the U.S. law

categorically quoting the words of Judge, Frankfurter J., in Wolf v Colorado47, “pointing out the

importance of the security of one's privacy against arbitrary intrusion by the police, could have no

less application to an Indian home as to an American one.”

In Govind v State of Madhya Pradesh48, J. K. K. Matthew analyzed different perspectives of

privacy and decided that whether privacy is infringed or not will depend on case to case basis and

stated as follows “Too broad a definition of privacy will raise serious questions about the propriety

of judicial reliance on a right that is not explicit in the Constitution. The right to privacy will,

therefore, necessarily, have to go through a process of case by case development. Hence, assuming

45 M.P. Sharma v. Satish Chandra, 1954 AIR 300 46Kharak Singh v. State of Uttar Pradesh,1963 AIR 1295 47 Wolf v Colorado, 338 U.S. 25 48Govind v State of Madhya Pradesh, (1975) 2 SCC 148

ISSN 2455-4782

35 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

that the right to personal liberty. The right to move freely throughout India and the freedom of

speech create an independent fundamental right of privacy as an emanation from them it could

not he absolute. It must be subject to restriction on the basis of compelling public interest. But the

law infringing it must satisfy the compelling state interest test.”

In India, the Constitution of India is supreme and the preamble to the constitution instils in it the

concept of fraternity which further assures the principles of dignity of an individual. In S.S. Bola

v BD Sardana49 it was held by the Apex Court that liberty cannot be divorced from equality and

vice versa and both of them cannot be divorced from fraternity. By implication, for ensuring

equality and liberty in their true sense, fraternity is important for unity and integrity of the nation.

Justice H.R. Khanna while dissenting in the famous habeas corpus case ADM Jabalpur v

Shivakant Shukla50 held that the “heart of Article 21 is right to live with dignity”. By analogy,

Right to Privacy is inseparable from right to live with dignity (a component of right to life) under

Article 21.

Change is inevitable and a society only absorbs the change when it is capable enough to do it. A

lot of rulings in India are governed by the social scenario of the nation and hence, recently in the

case of Justice K.S. Puttuswamy (Retd.) v Union of India51, the Supreme Court of India held

Right to Privacy to be a fundamental right under Article 21. It is already an established principle

that Fundamental Rights do not exist in isolation but are made up of indivisible parts and such

parts and would be meaningless in practical sense is they are separated from each other.

Justice B.N. Sri Krishna Committee has been formed by the Government in late 2017 to draft a

separate data protection law for India because there is a need of balance between individual’s right

to privacy and technological development.52

49S.S. Bola v BD Sardana ,1997 (8) SCC 522 50ADM Jabalpur v Shivakant Shukla, 1976 AIR 1207 51Justice K.S. Puttuswamy (Retd.) v Union of India, Writ Petition (Civil) No 494 Of 2012 52 Surabhi Aggarwal, ‘Justice BN Srikrishna to head Committee for data protection framework’The Economic

Times(New Delhi Aug 01, 2017) <https://economictimes.indiatimes.com/news/politics-and-nation/justice-bn-

srikrishna-to-head-committee-for-data-protection-framework/articleshow/59866006.cms>

ISSN 2455-4782

36 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

ANALYZING THE JUDGEMENT IN K.S PUTTUSWAMY53

Justice D.Y. Chandrachud delivered the judgement on behalf of the majority and was very vocal

about how right to privacy is the “constitutional core of human dignity.”

The reasons for holding privacy as a fundamental right primarily has to bases (both international

and national): firstly, India has International Commitments as it is ICCPR and UDHR which have

been discussed above in detail and secondly, how right to privacy is a natural right and is a part of

right to live with dignity.

The majority have held one of the main reasons to be the need to change with the increasing change

in technology and the paragraph reads as “This Court has not embarked upon an exhaustive

enumeration or a catalogue of entitlements or interests comprised in the right to privacy. The

Constitution must evolve with the felt necessities of time to meet the challenges thrown up in a

democratic order governed by the rule of law. The meaning of the Constitution cannot be frozen

on the perspectives present when it was adopted. Technological change has given rise to concerns

which were not present seven decades ago and the rapid growth of technology may render

obsolescent many notions of the present. Hence the interpretation of the Constitution must be

resilient and flexible to allow future generations to adapt its content bearing in mind its basic or

essential features.54”

Three tests that were laid down for justifying encroachment of privacy are legality, necessity in

terms of state objective, and proportionality to ensure that there is a strong co-relation between

means and ends that the encroachers seeks to achieve.55

Data Protection under the judgement will be covered separately under the head of Data Protection

regime in India.

53Ibid at 52 54Ibid at 52, Para G of the Conclusion 55Ibid at 52 pp 180.

ISSN 2455-4782

37 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

DATA PROTECTION REGIME IN INDIA

The judgement devoted 3 paragraphs to how data protection regime is important for India. The

majority held that data protection of sensitive data is an important aspect of privacy and a balance

should be struck between information disclosure for nation’s security reasons and data protection

laws.

It also states that it is a complex process which will have to be developed over time and should be

non-discriminatory in nature while collection of any data. As stated above, India is a signatory to

various international agreements therefore there is additional responsibility to follow data

protection regime.

Although there is no separate law in India for data protection, Section 43A of the Information

Technology Act, 2000 is a legal protection granted concerning personal data protection. Initially

Information Technology Act did not have any provision for data protection but Section 43A was

inserted vide the Information Technology Amendment Act, 2008.

Section 43A reads as follows: “Where a body corporate, possessing, dealing or handling any

sensitive personal data or information in a computer resource which it owns, controls or operates,

is negligent in implementing and maintaining reasonable security practices and procedures and

thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable

to pay damages by way of compensation, not exceeding five crore rupees, to the person so

affected.”56

The explanation to the Section defines three terms viz. ‘body corporate’, ‘sensitive personal data’

and ‘reasonable security practices’. Two things are clear from the above section that only body

corporate is included in the ambit of the section and the nature of the liability is civil.Therefore,

the provision is very narrow in its operation.

Section 70 of the IT Act provides for imprisonment of the person who tries to access data from the

protected system by not following the relevant procedure.57

56 Information Technology Act 2000, s 43A 57Ibid, s 70

ISSN 2455-4782

38 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

Further, Section 72 provides for imprisonment for breach of confidentiality and privacy when a

person discloses the information of a person without his or her consent.58

AADHAAR: A THREAT TO PERSONAL DIGNITY OR A GAME CHANGER?

The Unique Identification Authority of India (UIDAI) rolled out Aadhaar scheme for residents of

India which gives a 12-digit unique identity number to its holders. ‘Aadhaar’ in Hindi means

foundation or base.

Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services Bill), 2016 is

a money bill with an objective “to provide for, as a good governance, efficient, transparent, and

targeted delivery of subsidies, benefits and services, the expenditure for which is incurred from

the Consolidated Fund of India, to individuals residing in India through assigning of unique

identity numbers to such individuals and for matters connected therewith or incidental

thereto.”59It is rolled out as a mandatory disclosure scheme for the citizens to get the Aadhaar

Card made and then links it to avail various services and it also serves as a legitimate proof of

identity on all platforms. The people living below poverty line have to mandatorily get the Aadhaar

card made for availing the government security schemes.

Time and again the people have raised privacy concerns regarding linking of Aadhaar with various

security reasons, the most important being linkage with Bank accounts [verification of Permanent

Account Number (PAN)] and phone numbers. Although, the Government officials have vouched

for Aadhaar being completely safe and secure the concerns over it are still debatable. The

Government is making every effort to for making the process convenient by setting up Centers for

getting Aadhaar made in every district.

Till the time right to privacy was not recognized as a fundamental right, Aadhaar was a perfectly

valid mandatory scheme. But, after the decision of the Supreme Court of India with regards to

privacy, the mandatory nature of Aadhaar is a big question.

The Aadhaar contains a 12-digit unique identification number which is connected with biometric

and demographic data of the holder. A new sub-scheme that was rolled out was the AePS (Aadhaar

58Ibid, s 72 59The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.

http://www.prsindia.org/administrator/uploads/media/AADHAAR/Aadhaar%20Bill,%202016.pdf

ISSN 2455-4782

39 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

enabled Payment System) where the biometrics of the person could be used for banking

transactions. The basic privacy concern in this regard is that the biometrics can be reproduced and

it can lead to data theft and data fraud.

The personal integrity of the individual is also at stake as the individual does not have any control

over the user of information.

In early January 2018, the UIDAI notified the launch of Virtual ID whereby the individual will not

have to reveal the actual Aadhaar number instead can generate a 16-digit revocable and temporary

number which will be linked to the biometrics of that person. Any number of Virtual Ids can be

created and the new virtual ID so created makes the old one redundant. This can be used for various

purposes like SIM verification. The UIDAI also cautioned the banks to follow limited KYC (Know

Your Customer) concept where limited need based details shall be made known from the

customers.60

The UIDAI claims that it uses one of the safest and most secure technologies for data storage and

during last seven years, there has not been any report of leak or misuse of data. UIDAI also adds

that it helped Government in conducting Direct Benefit Transfer for various schemes such as LPG

Subsidy, Scholarships, and Pensions directly into the bank accounts of beneficiaries thereby

eliminating corruption, leakages by middlemen etc.61

There are numerous petitions in the Supreme Court of India still pending challenging the Aadhaar

scheme and the decision is still pending. The petitions also claim that biometric information and

iris scans are intrude with bodily and informational privacy.62 The Supreme Court has raised

various concerns over the provisions of Aadhaar latest one being with regards to the homeless

60Business Today, Aadhaar and privacy: UIDAI brings Virtual IDs, Limited KYC to protect cardholders

(New Delhi January 11, 2018)http://www.news18.com/news/india/uidai-introduces-virtual-id-limited-kyc-to-

address-aadhaar-privacy-concerns-1628361.html 61Press Information Bureau, Personal data of individuals held by UIDAI is fully safe and secure (New Delhi 5

March 2017) <http://pib.nic.in/newsite/PrintRelease.aspx?relid=158849> 62Krishnadas Rajagopal, Constitution Bench likely to take up petitions challenging Aadhaar-linkage schemes, The

Hindu (New Delhi, 27 November 2017) <http://www.thehindu.com/news/national/constitution-bench-likely-to-take-

up-petitions-challenging-aadhaar-linkage-schemes/article20949908.ece>

ISSN 2455-4782

40 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

people. The Hon’ble Court remarked “How can a homeless person get an Aadhaar card? If he

doesn't have an Aadhaar card, he doesn't exist in the eyes of the government?”63

The final hearing commenced on the 17th January. Senior Advocate Shyam Divan has argued on

against Aadhaar and called Aadhaar an electronic mesh and leash. He also stated that Aadhaar

alters the relationship between citizens and the state and makes India a surveillance state thereby

reducing citizens to servitude.

CONCLUSION

“The right to personal privacy is precious. Without it, we are all potential victims for a prying

secret police.” -Lewis B. Smedes

The very first instance of data protection laws can be seen in OECD Guidelines for Privacy and

Data Protection and have been widely accepted and followed even by the developed nations and

organisations.

Various International and regional organisations like the UN, APEC, EU, AU have devised their

own Data Protection laws out of which the first directive was launched by EU which still continues

to have the most comprehensive, convincing and adopted framework.

Amongst the developing nations analyzed in the article, Mexico performs the best with the most

comprehensive data protection laws as compared to Brazil and India. While, Brazil has a draft bill

ready for becoming a law in the near future, Supreme Court of India’s latest ruling of declaring

the Right to Privacy as a fundamental right makes the citizen question the validity of Aadhaar

more so because of lack of data protection laws.

India is a developing country with a peculiar scenario and wholly inadequate data protection laws.

Technology has changed by leaps and bounds in India. It is quintessential to realize that the need

of the hour is to devise a comprehensive Data Protection Law is a pre-requisite for Indian Society.

63Press Trust of India, Do homeless people without Aadhaar card not exist for you? SC asks UP govt, Indian

Express(New Delhi January 2010)<https://www.ndtv.com/india-news/if-no-aadhaar-does-person-not-exist-for-

government-asks-supreme-court-1798371>

ISSN 2455-4782

41 | P a g e Journal on Contemporary Issues of Law [JCIL]

Volume 4 Issue 3

India is one of the biggest target markets for BPOs and it will be near to impossible to protect

Indian Citizens’ data if stringent steps are not taken by the Government to secure the data. It is all

the more important to realize that for an economy which is in its growing stage the citizens have

to feel confident for engaging themselves, through organisations and in their individual capacities,

in electronic commerce and cross border transactions.

The disputed Aadhaar scheme by the Indian Government has attracted a lot of criticism from every

stratum of the society. The poor section is unaware of the legal issues with Aadhaar and is ignorant

of its implications. For them it is just a mechanism to avail the benefits under the scheme. But, still

they are discontent with the fact that they have to carry this unique number with them even at a

ration shop and have to link everything with the Aadhaar.

The rich and the educated moot the validity of Aadhaar from a legal perspective more so after the

Right to Privacy being declared as a fundamental right.

While, the UIDAI has put forth many convincing arguments to instill confidence and acceptance

for Aadhaar being safe, they have failed to devise a mechanism for ensuring the safety of data. The

Constitution of India is drafted in an inclusive manner and since Aadhaar actually alters the

relationship of the Citizen with the state it is indicates towards building of an exclusive state.