ISSN 2455-4782
17 | P a g e Journal on Contemporary Issues of Law [JCIL]
Volume 4 Issue 3
DATA PROTECTION: A GLOBAL SCENARIO [FULFILLING UNMET
NEEDS SINCE AGES OR AN EMERGING THREAT TO PRIVACY?]
Authored by: Kavya Lalchandani*
* 2nd Year BBA LLB Student, National Law University Odisha
______________________________________________________________________________
ABSTRACT
Privacy is what individuals view as independence. The developed nations had realised the
importance of data protection long before the developing nations and devised their laws
accordingly. This exploratory article covers the laws of data protection in various
international forums, with examples of developing countries like Brazil, Mexico and India. It
specifically focuses on the scenario in India after the Right to Privacy was declared a fundamental
right under Article 21, Constitution of India, 1950 in 2017. It is also pertinent to take
note of the disputed Aadhaar scheme and analyse its implications in the Indian context.
“Wherever the real power in a Government lies, there is the danger of oppression. In our
Governments, the real power lies in the majority of the Community, and the invasion of private
rights is chiefly to be apprehended, not from the acts of Government contrary to the sense of its
constituents, but from acts in which the Government is the mere instrument of the major number
of the constituents.” ― James Madison1
1 James Madison, Letters and Other Writings of James Madison, Vol 3.
INTRODUCTION
The Right to Privacy is not a new concept emerging in the twenty-first century but a concept
that has been under reform in the present century. This is because the world is becoming more
technologically advanced due to globalization, and continuous development in Information
Technology has taken place, and is still taking place, over the years. One of the few essential
aspects of privacy is data protection. While in most of the developed countries privacy has been
recognized as a fundamental right2, some of the developing countries are yet to join the league.
Black’s Law Dictionary defines ‘Right to Privacy’ as the right to personal autonomy and the right of a
person and person’s property to be free from unwarranted public scrutiny or exposure.3
Since most technological advancements are taking place in the developing countries, this
article analyses whether the laws of such countries are ready, or not equipped enough, to absorb such
advancements. This article will also talk about the provisions that the United Nations incorporates
with regard to Privacy and Data Protection across borders. Various regional and state
organisations, like the EU, AU and APEC, are also discussed along with their data protection laws.
Developing countries like Mexico and Brazil are discussed in detail, with special reference to and
an elaborate description of privacy laws in India.
DEFINING AND CONCEPTUALISING PRIVACY
Different authors have different approaches to and definitions of privacy. While none of them is a
guaranteed or correct definition of the right, these definitions give us different perspectives on this
right. Some authors have tried to define privacy, some are of the view that privacy is so
complex a subject that it cannot be explained or defined, and some even criticize the concept.
This leads us to the subjective approaches towards ‘Privacy’.
2 Garner, Black’s Law Dictionary (10th edn, Thomson Reuters 2014) 786. A right derived from natural or fundamental law; a significant component of liberty, encroachments of which are rigorously tested by Courts to ascertain soundness of purported governmental justifications.
3 Garner, Black’s Law Dictionary (10th edn, Thomson Reuters 2014) 1521.
William M. Beany opined that “even the most strenuous advocate of a right to privacy must confess
that there are serious problems of defining the essence and scope of this right.”4 So, he believed
that privacy cannot be understood in its true meaning.
Daniel J. Solove believed that Privacy can be covered under 6 headings viz. “the right to be let
alone, limited access to self, secrecy; control over personal information; personhood; intimacy”.5
This definition has attracted a lot of criticism for being too narrow and too wide at the same time.
According to John Reidenberg, privacy is about balancing the protection of fundamental rights
and reasonable flow of information.6
Amitai Etzioni is the one who criticised the concept and believed that there exists a balance
between social responsibilities and individual rights as it exists for common good and the best way
to curtail the governmental control in private life is to have less privacy.7
INTERNATIONAL ORGANISATIONS AND PRIVACY
The issue of privacy is not restricted to municipal laws or individual state laws but is felt
globally, across borders. Various forums and conventions deal with it, like the United Nations (UN),
Organisation for Economic Co-operation and Development (OECD), APEC (Asia-Pacific
Economic Co-operation), European Convention on Human Rights (ECHR), United Nations
Human Rights Convention (UDHRC) through Office of the High Commissioner of Human
Rights (OHCHR) and United Nations Conference on Trade and Development (UNCTAD).
4 William M. Beany, The Right to Privacy and American Law (31 L. & Contemp. Probs. 1996) 253-255.
5 Daniel J. Solove, Conceptualizing Privacy (90 Cal. L. Rev. 2002) 1087.
6 Joel R. Reidenberg, Resolving Conflicting International Data Privacy Rules in Cyberspace (52 Stan L. Rev. 2000) 1315.
7 Amitai Etzioni, The Limits of Privacy (1999).
ORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT (OECD)
PRIVACY GUIDELINES
It lays down principles for ‘National Implementation’ and ‘International Co-operation’. The
‘OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data’ lay
down 8 principles of National Implementation.8 These guidelines were the first set of guidelines
that were published in September 1980.
These Principles are:
Collection Limitation Principle
Data Quality Principle
Purpose Specification Principle
Use Limitation Principle
Security Safeguards Principle
Openness Principle
Individual Participation Principle
Accountability Principle
The International Co-operation calls for the member countries to keep the laws relating to privacy
and data protection simple and compatible with other member states, help in sharing of
information, assist in investigation of matters and strive to develop domestic and trans-border laws
with regards to privacy.9
These guidelines are not binding on the member states but have been adopted in the municipal
laws of the states and are being followed by them. These guidelines apply to ‘personal data’ which
has been defined by OECD as “any information relating to an identified or identifiable individual
(data subject).”10
8 ‘OECD Guidelines on the Protection of Privacy and Transborder flows of personal data’ <http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm#part2> accessed 20th December 2017.
9 Ibid <http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm#part5> accessed 20 December 2017.
10 Ibid. <http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm#part1> accessed 20 December 2017.
In 2013, the first update to these guidelines was notified by OECD which concentrated on two key
issues, risk management and improved interoperability. The concepts that came into the picture
are: National Privacy Strategy, Privacy Management Programs and Data Security Breach
Notification.11 The OECD is continuously trying to come up with an improved set of guidelines
and is currently working on it.
ASIA-PACIFIC ECONOMIC COOPERATION (APEC)
APEC consists of 21 nations in the Pacific Region and has its own privacy framework which was
released in December, 2005. It is applicable to the member states and their trade partners.
The policymakers of APEC realized that if the information system is not secure and consumers
fear making online transactions then the full potential of the economy will not be realized in the
global arena. Therefore, it provides for a flexible framework to information privacy protection and
avoids creation of unnecessary barriers in the APEC economies.12
The OECD 1980s ‘Guidelines’ form the basis for formulation of principles that govern the APEC
framework with its main focus on privacy of information in trade.
The following Privacy Principles were formulated in the Part III of the APEC Privacy
Framework13:
Preventing harm that may be caused through misuse of information.
Notice to the individual so that he or she is aware of what information is being collected and why.
Collection Limitation ensures that the information collected is relevant for the purpose for which such information was collected.
Personal Information Collected involves transfer or disclosure of information only for the purposes relevant for the collection and allied purposes.
Choice should be provided to the consumer or the customer wherever possible for better options in relation to collection and usage of their personal information.
Integrity of personal information should be ensured by keeping the information, which is useful, up-to-date.
Security Safeguards should apply to the people who are in possession of such information, which include protection from data theft and unauthorised use of data; these should be reassessed from time to time and appropriate actions should be taken, taking the sensitivity of data into consideration.
The opportunity of Access and Correction should be available to all individuals whose information is held by the controller.
Accountability, like in OECD, the controller and holder of such information should be able to answer to the individual for not complying with the above-mentioned principles.
11 Ibid.
12 ‘APEC Privacy Framework’ <https://www.apec.org/Publications/2005/12/APEC-Privacy-Framework> accessed 23 December 2017.
13 Ibid.
It provides for similar implementation strategies both at national and international level.
At national level it includes: “Maximizing benefits of privacy protections and Information flows,
giving effect to the APEC Privacy Framework, Educating and publicizing domestic privacy
protections, Cooperation between the public and private Sectors, providing for appropriate
remedies in situations where privacy protections are violated, Mechanism for Reporting Domestic
Implementation of the APEC Privacy Framework.”14
At an International level implementation tasks include: “Information sharing among member
economies, Cross-border cooperation in Investigation and Enforcement, Cooperative development
of Cross-border Privacy Rules.”15
In 2011, APEC countries devised a system of CBPRs (Cross Border Privacy Rules System) for
making the APEC Privacy Framework operative on an International level. For achieving
accountability, it would take the help of both government agencies and private bodies.16 Currently
five countries are a part of CBPRs: USA, Japan, Canada, Mexico, and Republic of Korea. It has 4
main criteria for the businesses:
Recognition Criteria for Organisations
Intake Questionnaire for Organisations
Assessment Criteria for Joint Oversight Panel to process the questionnaire (certified Accountability Agents). Accountability Agents are independent APEC CBPRs agents.
Regulatory Co-operative Arrangement for ensuring enforcement by participating APEC economies.17
14 ‘APEC Privacy Framework’ <https://www.apec.org/Publications/2005/12/APEC-Privacy-Framework,PartIV> accessed 23 December 2017.
15 Ibid.
16 Information Privacy Law, Solove Schwartz, 3rd Edn, Aspen Publishers, Page 1067, Privacy Protection in Asia-Pacific
Under CBPRs, another concept known as the ‘Privacy Recognition for Processors’ was developed
because of the narrow application of APEC’s Privacy Framework to controllers only. For reliability
of processors, it was necessary for the controller to have the requisite accountable processors with
whom they could contract. PRPs, or Privacy Recognition for Processors, list the basic
criteria to be met in order to be recognized by the Accountability Agent and highlight processors’
privacy policies.18
EUROPEAN CONVENTION ON HUMAN RIGHTS (ECHR)
Soon after the Universal Declaration of Human Rights (UDHR) came into force, the ECHR was adopted.
The European Commission of Human Rights, the European Court on Human Rights and the council of
ministers play a key role in the implementation of the provisions of the Convention.
European Courts are the key in enforcing the rights especially when it comes to human rights. The
role of courts towards the society has been highlighted in various judgements. In Jeronovičs v.
Latvia, the court went on to say that “the Court’s rulings serve not only to decide those cases
brought before it but, more generally, to elucidate, safeguard and develop the rules instituted by
the Convention, thereby contributing to the observance by the States of the engagements
undertaken by them as Contracting Parties. Although the primary purpose of the Convention
system is to provide individual relief, its mission is also to determine issues on public-policy
grounds in the common interest, thereby raising the general standards of protection of human
rights and extending human rights jurisprudence throughout the community of the Convention
States.”19
17 Available at http://cbprs.org/GeneralPages/About.aspx (last accessed on 26/2/2018)
18 ‘APEC Privacy Recognition for Processors (“PRP”), Purpose and Background’, <http://www.cbprs.org/generalpages/apeccbprsystemdocuments.aspx> accessed 30 December 2017.
There are various articles that deal with the issue of human rights but for the purposes of this article
only Article 8 which is concerned with Privacy will be discussed.
Article 8 deals with the “Right to Respect for Family and Private Life”. It states that “1. Everyone
has the right to respect for his private and family life, his home and his correspondence. 2. There
shall be no interference by a public authority with the exercise of this right except such as is in
accordance with the law and is necessary in a democratic society in the interests of national
security, public safety or the economic well-being of the country, for the prevention of disorder or
crime, for the protection of health or morals, or for the protection of the rights and freedoms of
others.”20
By virtue of Article 8, the Convention considers the Right to Privacy an important human right and
considers how other rights, like prohibition of discrimination [Article 14, ECHR], right to life [Article 2] and
others, are related to it.
The four types of subjects stated in the Article in respect of which the rights can be claimed are one’s
own private life, family life, home and correspondence. It further lists exceptions only in cases
of public interest.
It entrusts the state and private individuals or entities with both the negative obligation of
abstaining from carrying out any act which arbitrarily infringes the privacy of anyone in the context
of the four interests stated above and a positive obligation, considering the intensity and degree
of infringement. It depends on the fundamental principles, values and morals. It also impliedly
imposes an obligation on the State to make sure that the citizens’ right is not interfered with
arbitrarily by itself or by any other individual.
19 Jeronovičs v Latvia [GC], App no. 44898/10, § 109 (ECHR 2016)
20 European Convention on Human Rights 1950, art 8.
UNHRC (UNITED NATIONS HUMAN RIGHTS COMMISSION) AND
INTERNATIONAL COVENANT ON CIVIL AND POLITICAL RIGHTS (ICCPR)
We have already seen that the Right to Privacy is and should be a fundamental right of every person,
but the question is: is it also a human right? If it is, then its violation will be considered a
violation of human rights.
The advancement of technology was noted by the UN OHCHR [United Nations Office of High
Commissioner of Human Rights], and it seemed to be a matter of great concern that there might be
a lot of disruptions and interceptions on human rights due to this reason. Some of the biggest
technological advancements with risks are the growth in the Business Process Outsourcing (BPO)
and ITES (Information Technology Services) sectors, which has led to a lot of apprehension of both
internal and cross-border misuse of personal data.
It is pertinent to note that Article 12 of the Universal Declaration of Human Rights (UDHR) and
Article 17 of the International Covenant on Civil and Political Rights (ICCPR) categorically state
that “No one shall be subjected to arbitrary interference with his privacy, family, home or
correspondence, or to attacks upon his honour and reputation. Everyone has the right to the
protection of the law against such interference or attacks.”21
In 2013, the UN General Assembly called upon the state parties to respect and devise stringent
laws with regard to protection of privacy of personal data of a person. State Surveillance must
safeguard the Right to Privacy.22
Some developing nations are trying to develop mechanisms for safe data transfers both
internally and across borders as they expand their operations, while some countries, like the Russian
Federation, have localised data transfers and imposed restrictions on transferring data abroad.
The UNCTAD publishes reports on privacy at both national and international levels every year and
lays down significant legislations around the world.
21 Universal Declaration on Human Rights 1948, art 12; The International Covenant on Civil and Political Rights 1966, art 17
22 ‘A Human Rights Based Approach to Data Protection’ <http://www.ohchr.org/EN/Issues/DigitalAge/Pages/DigitalAgeIndex.aspx> accessed 1 January 2018.
THE COUNCIL OF EUROPE CONVENTION 108
While there is a plethora of non-binding Data Protection Regulations, Convention 108, or the
Council of Europe Data Protection Convention of 1981, is a binding international agreement and
also the most accepted one. When it comes to data protection measures on a national level, both
the OECD and Convention 108 act as the basis for forming the guidelines.
The Convention was in the first place only for European countries, but several non-European countries
are its members and more are soon to join. All the members except Turkey have ratified the
Convention.
After the Lisbon Treaty came into force in 2009, data protection was guaranteed as a fundamental
right to the citizens under the treaty. The Article 16 reads as: “I. Everyone has the right to the
protection of personal data concerning him or her. II Such data must be processed fairly for
specified purposes and on the basis of the consent of the person concerned or some other legitimate
basis laid down by law. Everyone has the right of access to data which has been collected
concerning him or her, and the right to have it rectified. III. Compliance with these rules shall be
subject to control by an independent authority.”23
The first non-European country to become party to the Convention was Uruguay in August
2013.24 Recently, Mauritius has been looking forward to being a part of the Convention, while Tunisia just
became a member and ratified the Convention in May 2017. It is the only international agreement
that is binding on its signatories.25
EU DATA PROTECTION DIRECTIVE
The EU Directive, which governs the data protection laws of the members of the EU, came into force
in 1995. The Directive creates a system of rights and obligations. It seeks to impose
obligations on processors of personal data and deals with security and accountability issues;
when it comes to giving a right, individuals have the right to regulate the manner in which the
information provided by them or about them may be utilized.
23 Lisbon Treaty 2009, art 16
24 J.-Ph. Walter Chair of the T-PD Deputy Commissioner, The role of Convention 108 in the international cooperation, Federal Data Protection and Information Commissioner, Switzerland
25 ‘Tunisia ratifies Convention 108 and affirms commitment to the protection of personal data’, 17 May 2017 <https://www.accessnow.org/tunisia-ratifies-convention-108-affirms-commitment-protection-personal-data/> accessed 2 January 2018
Article 1 defines the objective of the directive which is; “1. In accordance with this Directive,
Member States shall protect the fundamental rights and freedoms of natural persons, and in
particular their right to privacy, with respect to the processing of personal data.
2. Member States shall neither restrict nor prohibit the free flow of personal data between Member
States for reasons connected with the protection afforded under paragraph 1.”26
The scope of the Directive, as set out in Article 3, covers the collection of data through automatic
means, or through non-automatic means by way of a filing system. It operates only where EU Community
law is in force and not beyond those boundaries. The Right of Access to data and the Right to Object on
legitimate grounds are given under Article 12 and Article 14 respectively.
The main provision which deals with this area is Article 25. Article 25(1) states that EU members
can transfer personal data to other countries only when those countries have proper mechanisms of data
protection in place. Article 25(6) is an extension of Clause 1 in the sense that it lists the
criteria that are to be met by the country receiving the personal information. According to the
UNCTAD Report, only the following countries have been able to meet the criteria and are approved
for transfer of information, viz. Canada, Switzerland, Argentina, Andorra, Faeroe Islands, Isle of
Man, Israel, Jersey, New Zealand and Uruguay.
Article 26(2) allows the transfer of data where the “controller adduces adequate safeguards with
respect to the protection of the privacy and fundamental rights and freedoms of individuals and as
regards the exercise of the corresponding rights; such safeguards may in particular result from
appropriate contractual clauses.”27
Because of the openness of the principles in the Convention, it has gained wide acceptance
among nations across the world. It is soon to be replaced by the EU General Data
Protection Regulation (GDPR) in May 2018. The GDPR is “designed to harmonize data privacy laws across
Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations
across the region approach data privacy.”28
26 European Union Directive on Data Protection 1995, art 1
27 European Union Directive on Data Protection 1995, art 26(2)
28 ‘GDPR Enforcement’ <https://www.eugdpr.org/> accessed 2 January 2018
PRINCIPLES IN DATA PROTECTION ACT, 1998
The EU law on data protection is perhaps the most comprehensive one and it sets an example
for other states to strengthen their data protection laws. For instance, Article 10 of the Data
Protection Act relates to obtaining data from the data subject (the person to whom the data or
information belongs)29 while Article 11 deals with obtaining data about the data subject from a
third party.30
Perhaps the most important lesson that can be learnt is the set of 8 data protection principles
given in Schedule 1 of the Act; Schedule 2 of the Act31 sets out the minimum standards for
data protection to be followed.
Schedule 1 enumerates following principles:
“Personal data shall be processed fairly and lawfully and, in particular, shall not be
processed unless at least one of the conditions in Schedule 2 is met and in the case of
sensitive personal data, at least one of the conditions set out in Schedule 3 or either of the
two Statutory Instruments below is met.
Personal data shall be obtained only for one or more specified and lawful purposes, and
shall not be further processed in any manner incompatible with that purpose or those
purposes.
Personal data shall be adequate, relevant and not excessive in relation to the purpose or
purposes for which they are processed.
Personal data shall be accurate and, where necessary, kept up to date.
Personal data processed for any purpose or purposes shall not be kept for longer than is
necessary for that purpose or those purposes.
Personal data shall be processed in accordance with the rights of data subjects under this
Act.
Appropriate technical and organisational measures shall be taken against unauthorised or
unlawful processing of personal data and against accidental loss or destruction of, or
damage to, personal data.
Personal data shall not be transferred to a country or territory outside the European
Economic Area, unless that country or territory ensures an adequate level of protection for
the rights and freedoms of data subjects in relation to the processing of personal data.”32
29 Data Protection Act 1998, art 10
30 Data Protection Act 1998, art 11
31 Data Protection Act 1998, schedule 2
THE EU BINDING CORPORATE RULES (BCRS)
Inter-corporate transfers in the EU are governed by Binding Corporate Rules (BCRs), which were
initially concerned only with EU members but are so significant and accurate that companies
from around the world are adopting this mechanism. It is a set of specialized rules which govern
the transfer of personal data by huge corporations.
AFRICAN UNION
The African Union (AU) consists of a high-profile membership of 54 member states. The most
recent development with respect to cyber laws is the adoption of the “African Union Convention
Cyber-Security and Personal Data” (AU CCPDP) in mid-2014. It establishes both a regional and a
national framework for cyber-security. However, till 2016 there were no ratifications. Its extensive
framework of data protection laws is not going to bear any fruit because actual implementation
depends on ratification, and unfortunately there are none.
This is not the first initiative that the AU has taken towards data protection. In 2011, the African Union,
in collaboration with the UN Economic Commission for Africa, was determined to establish a credible
legal framework. It faced a similar problem of adoption by the member states, which still persists. The
‘AU Convention on Cyber Security and Personal Data Protection’ was finally adopted in 2014.33
It is a binding Convention. Later, in the section on ‘National Laws’ for data protection, Tanzania
and Nigeria will be dealt with in detail with regard to their data protection frameworks.
There are various regional initiatives within Africa that aim to achieve data protection of their
member states. Two such regional initiatives are Economic Community of West African States
(ECOWAS) Supplementary Act and East African Communities Framework for Cyber Laws.
32 ‘The eight data protection principles’ University of Edinburgh, <https://www.ed.ac.uk/records-management/data-protection/what-is-it/principles> accessed 30 December 2017
33 African Union Convention on Cyber Security and Personal Data Protection 2014, <https://au.int/en/treaties/african-union-convention-cyber-security-and-personal-data-protection> accessed 3 January 2018
The ECOWAS Supplementary Act34 was launched in 2010 and is binding in nature. It urges the
member states to establish an authority for data protection and for regulating the mechanism for data
protection. All the provisions are mandatory. ECOWAS has also launched ECOWAS Vision 2020,
in which technological advancement would be an indispensable tool. In order to achieve that, it is
pertinent for ECOWAS to properly implement the laws, as there is a lot of scope for misuse of data
during this process.
The East African Communities Framework for Cyber Laws, which was adopted in 2010, again provides
for a regulatory mechanism for data protection; it does not make any specific recommendations
but provides for future research and development in this area. It is non-binding in nature. Kenya,
Rwanda, Tanzania and Uganda (four out of five members of EAC) have adopted cyber laws for
data protection and consumer protection. The Draft Bills framed by Kenya and Uganda have still
not been made law but draw references from the EAC Framework. Since the EAC did not take
national issues into consideration, member states like Kenya and Uganda, though they have taken
references from it, diverge from the main framework.
The problem in these member states is the lack of resources and combination of national and
regional laws and regional with international laws for a comprehensive framework.
DEVELOPING COUNTRIES
The problem of data protection is predominant in developing countries. This section of the article
discusses a few important laws, bills and regulations that have come about in developing countries like
Brazil, Mexico and India in the past decade. This section makes special and elaborate
reference to India.
BRAZIL
Brazil’s international obligation of maintaining a data protection law comes from the fact that it
has ratified the ICCPR. Article 5 of the Federal Constitution of Brazil, 1988 gives to its citizens
the ‘Right to Privacy’. Article 5(X) states that “the privacy, private life, honour and image of
persons are inviolable, and the right to compensation for property or moral damages resulting
from their violation is ensured”35
34 ECOWAS, Supplementary Act A/SA.1/01/10 on Personal Data Protection
‘The Data Privacy Framework’ of Brazil apart from Article 5 of the Federal Constitution also
includes, Brazil Civil Rights Framework concerned with Internet; the Consumer Protection Code,
1990 ; the Credit Information Law, 2011; the Access to Information Law which deals with those
kind of information of individuals that is available in the public domain, 2011 and the Civil Rights
Framework for the Internet, 2014; Compliant Debtors List Act, Tax Code which gives secrecy of
information in tax matters, Bank Secrecy Act which gives secrecy in Financial Institutions.
The Constitution also includes the concept of ‘habeas data’ where in the consumer or the
concerned individual can get to know what information is held about them by the holder and can
also correct the information if needed.
While there are numerous provisions of the Acts which deal with data protection only few of the
examples would be stated in the paper for the purposes of stating the scheme in brief. Article 43
of the Consumer Protection Code states various rights of the Consumers when the databases or
registries are made which includes ‘right to correct the errors’, ‘prior approval of the consumers
has to be taken before opening any file or record’, ‘the information of the consumer held has to be
true and reliable’.36
Article 11 of the Civil Rights Framework for the Internet (which is limited to online activity)
provides that any act of collection, storage or transfer of data that occurs in the Brazilian
territory should be done in compliance with Brazilian laws and rights.37
Despite so many regulations being in place, a comprehensive framework for data protection was
not present until the Draft Bill for protection of personal data, known as the Protection of
Personal Data Bill, 2011, was introduced in 2011. It draws heavy inspiration from the EU Data
Protection Directive.
‘Personal Data’ is defined under Article 5 to be “data related to the natural person identified or
identifiable, including from identification numbers, locational data or electronic identifiers”.38
35 Federal Constitution of Brazil 1988, art 5(X)
36 Consumer Protection Code, art 43
37 Civil Rights Framework for the Internet, Brazil 2014, art 11
38 Protection of Personal Data Bill, Brazil 2011 art. 5
Article 6 lays down the general principles to be followed.39 The Bill is an exhaustive document
containing 9 chapters and 52 Articles.40
MEXICO
Mexico is a signatory to a number of international agreements, of which the Universal Declaration
of Human Rights (UDHR), the International Pact of Civil and Political Rights (IPCPR) and the
American Convention for Human Rights (ACHR) are of importance when it comes to privacy.
Right to Privacy is recognized as a fundamental right in the Mexican Constitution. Article 16 of
the Mexican Constitution states that no one’s private and family life can be interfered with until
and unless there is written permission from a competent authority and any such interference shall
be properly justified.41 In 2009, a paragraph was added specifying the right to privacy. It reads as
follows: “Everyone has the right to enjoy protection of their personal data, and to access, correct
and cancel such data.
Everyone has the right to oppose disclosure of his data, according to the law. The law shall
establish exceptions to the criteria that rule the handling of data, due to national security reasons,
law and order, public security, public health, or protection of third party’s rights.”
Mexico is a part of several international organisations, including APEC [Asia-Pacific Economic
Community] and TPPA [Trans-Pacific Partnership Agreement]. By analogy, Mexico is a part of
and follows the APEC CBPRs.
The Mexican Penal Code also contains provisions penalizing offenders in matters of privacy.
Some of these provisions are Articles 210, 211 and 214. While Articles 210 and 211 state strict
punishments for the offences of cybercrimes, Article 214 prevents disclosure of information
that is held by government agencies.42
39 Protection of Personal Data Bill, Brazil 2011 art. 6
40 ‘Preliminary Draft Law for the Protection of Personal Data’ <http://pensando.mj.gov.br/dadospessoais/texto-em-debate/anteprojeto-de-lei-para-a-protecao-de-dados-pessoais/> accessed 3 January 2018
41 Constitution of Mexico 1917, art 16
42 Mexican Penal Code, art 210, 211 and 214
The data protection framework, “Federal Law for the Protection of Personal Data in Control of
Private Persons” was established in 2010. The citizens are entrusted with ARCO Rights (Right to
Access, Rectify, Cancel and Object) under the Federal Personal Data Law.
As with the OECD guidelines, international standards such as consent, purpose, legitimacy and
accountability form the basis of the law. The basic premise is that the purpose of collecting
such information shall be clearly defined, with the owners’ consent.
The Federal Institution for Access to Information and Data Protection in Mexico is the body which
regulates and guarantees rights with respect to access to data. The mission, vision and goals of
the institution lay down the basic principles of access to information and data protection.43 It
relies heavily on principles of accountability and transparency and thus involves a lot of
international participation, which further strengthens the system.
INAI currently is the President of the ‘Network of Institutions for Transparency, Ethics and
Integrity of Public Servants (Network for Integrity).’
Formerly, from 2010 to 2016, the institution presided over the Ibero-American Data Protection
Network and the Transparency and Access to Information Network (Latin America). It is also a
participant in the following international networks: “Asia-Pacific Privacy Authority Forum
(APPA); International Conference of Data Protection and Privacy Authorities
(ICDPPC); International Conference of Information Commissioners (ICIC); Open Government
Partnership (OGP); Global Privacy Enforcement Network (GPEN); Latin American Association of
Archives (ALA); International Council of Archives (ICA); International Research on Permanent
Authentic Records in Electronic Systems (Inter PARES).”44
Mexico, being a developed country, is quite ahead of its time in adopting so many frameworks for
data protection, for making its economy an inclusive economy and for strengthening its economic
structure.
43 National Institute for Transparency, Access to Information and Personal Data Protection, http://inicio.ifai.org.mx/SitePages/English_Section.aspx accessed 4 January 2018
44 Ibid, International Projection
INDIA
The Indian Constitution is the lengthiest Constitution in the world, with exhaustive provisions.
It is divided into 25 parts, of which Part 3 is of utmost significance as it contains the
fundamental rights. Fundamental Rights form part of the basic structure of the Indian
Constitution and this part cannot be interfered with even by the State.
Article 21 of the Indian Constitution enumerates the Right to life and personal liberty. Initially
there were two cases where Supreme Court of India had ruled that Right to Privacy is not a
fundamental right.
HISTORY OF RIGHT TO PRIVACY IN INDIA: A SAGA OF JUDGEMENTS
In M.P. Sharma v Satish Chandra45 it was held that the power of search and seizure is not subject
to the Right to Privacy and that the makers of the Constitution did not intend to import the
meaning of the Fourth Amendment to the U.S. Constitution.
In Kharak Singh v State of Uttar Pradesh46 the majority held that “The right of privacy is not a
guaranteed right under our Constitution, and therefore the attempt to ascertain the movements of
an individual is merely a manner in which privacy is invaded and is not an infringement of a
fundamental right guaranteed in Part III.” However, Justice Subba Rao and Justice Shah dissented
and stated that the Right to Privacy was an inevitable component of the Right to life and Personal
liberty guaranteed under Article 21 of the Constitution. They also drew a comparison with U.S.
law, quoting the words of Frankfurter J. in Wolf v Colorado47, “pointing out the
importance of the security of one's privacy against arbitrary intrusion by the police, could have no
less application to an Indian home as to an American one.”
In Govind v State of Madhya Pradesh48, Justice K. K. Matthew analyzed different perspectives of
privacy and decided that whether privacy is infringed or not will depend on the facts of each case.
He stated as follows: “Too broad a definition of privacy will raise serious questions about the
propriety of judicial reliance on a right that is not explicit in the Constitution. The right to
privacy will, therefore, necessarily, have to go through a process of case by case development.
Hence, assuming that the right to personal liberty, the right to move freely throughout India and
the freedom of speech create an independent fundamental right of privacy as an emanation from them
it could not be absolute. It must be subject to restriction on the basis of compelling public
interest. But the law infringing it must satisfy the compelling state interest test.”
45 M.P. Sharma v. Satish Chandra, 1954 AIR 300
46 Kharak Singh v. State of Uttar Pradesh, 1963 AIR 1295
47 Wolf v Colorado, 338 U.S. 25
48 Govind v State of Madhya Pradesh, (1975) 2 SCC 148
In India, the Constitution of India is supreme and the preamble to the constitution instils in it the
concept of fraternity which further assures the principles of dignity of an individual. In S.S. Bola
v BD Sardana49 it was held by the Apex Court that liberty cannot be divorced from equality and
vice versa and both of them cannot be divorced from fraternity. By implication, for ensuring
equality and liberty in their true sense, fraternity is important for unity and integrity of the nation.
Justice H.R. Khanna while dissenting in the famous habeas corpus case ADM Jabalpur v
Shivakant Shukla50 held that the “heart of Article 21 is right to live with dignity”. By analogy,
Right to Privacy is inseparable from right to live with dignity (a component of right to life) under
Article 21.
Change is inevitable and a society only absorbs the change when it is capable enough to do it. A
lot of rulings in India are governed by the social scenario of the nation and hence, recently in the
case of Justice K.S. Puttuswamy (Retd.) v Union of India51, the Supreme Court of India held
the Right to Privacy to be a fundamental right under Article 21. It is already an established
principle that Fundamental Rights do not exist in isolation but are made up of indivisible parts,
and such parts would be meaningless in a practical sense if they were separated from each other.
The Justice B.N. Sri Krishna Committee was formed by the Government in late 2017 to draft a
separate data protection law for India because there is a need for balance between the individual’s
right to privacy and technological development.52
49 S.S. Bola v BD Sardana, 1997 (8) SCC 522
50 ADM Jabalpur v Shivakant Shukla, 1976 AIR 1207
51 Justice K.S. Puttuswamy (Retd.) v Union of India, Writ Petition (Civil) No 494 Of 2012
52 Surabhi Aggarwal, ‘Justice BN Srikrishna to head Committee for data protection framework’ The Economic Times (New Delhi Aug 01, 2017) <https://economictimes.indiatimes.com/news/politics-and-nation/justice-bn-srikrishna-to-head-committee-for-data-protection-framework/articleshow/59866006.cms>
ANALYZING THE JUDGEMENT IN K.S PUTTUSWAMY53
Justice D.Y. Chandrachud delivered the judgement on behalf of the majority and was very vocal
about how right to privacy is the “constitutional core of human dignity.”
The reasons for holding privacy to be a fundamental right primarily have two bases (both
international and national): firstly, India has international commitments under the ICCPR and
UDHR, which have been discussed above in detail, and secondly, the right to privacy is a natural
right and is a part of the right to live with dignity.
The majority held one of the main reasons to be the need to change with the increasing change
in technology. The paragraph reads: “This Court has not embarked upon an exhaustive
enumeration or a catalogue of entitlements or interests comprised in the right to privacy. The
Constitution must evolve with the felt necessities of time to meet the challenges thrown up in a
democratic order governed by the rule of law. The meaning of the Constitution cannot be frozen
on the perspectives present when it was adopted. Technological change has given rise to concerns
which were not present seven decades ago and the rapid growth of technology may render
obsolescent many notions of the present. Hence the interpretation of the Constitution must be
resilient and flexible to allow future generations to adapt its content bearing in mind its basic or
essential features.”54
The three tests that were laid down for justifying encroachment of privacy are legality, necessity
in terms of state objective, and proportionality, to ensure that there is a strong correlation
between the means and the ends that the encroacher seeks to achieve.55
Data Protection under the judgement will be covered separately under the head of Data Protection
regime in India.
53 Ibid at 52
54 Ibid at 52, Para G of the Conclusion
55 Ibid at 52 pp 180.
DATA PROTECTION REGIME IN INDIA
The judgement devoted 3 paragraphs to why a data protection regime is important for India. The
majority held that data protection of sensitive data is an important aspect of privacy and that a
balance should be struck between information disclosure for the nation’s security reasons and data
protection laws.
It also states that this is a complex process which will have to be developed over time and that
the collection of any data should be non-discriminatory in nature. As stated above, India is a
signatory to various international agreements and therefore has an additional responsibility to
follow a data protection regime.
Although there is no separate law in India for data protection, Section 43A of the Information
Technology Act, 2000 grants legal protection for personal data. Initially, the Information
Technology Act did not have any provision for data protection, but Section 43A was
inserted vide the Information Technology Amendment Act, 2008.
Section 43A reads as follows: “Where a body corporate, possessing, dealing or handling any
sensitive personal data or information in a computer resource which it owns, controls or operates,
is negligent in implementing and maintaining reasonable security practices and procedures and
thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable
to pay damages by way of compensation, not exceeding five crore rupees, to the person so
affected.”56
The explanation to the Section defines three terms, viz. ‘body corporate’, ‘sensitive personal
data’ and ‘reasonable security practices’. Two things are clear from the above section: only a
body corporate is included in the ambit of the section, and the nature of the liability is civil.
Therefore, the provision is very narrow in its operation.
Section 70 of the IT Act provides for imprisonment of the person who tries to access data from the
protected system by not following the relevant procedure.57
56 Information Technology Act 2000, s 43A
57 Ibid, s 70
Further, Section 72 provides for imprisonment for breach of confidentiality and privacy when a
person discloses the information of a person without his or her consent.58
AADHAAR: A THREAT TO PERSONAL DIGNITY OR A GAME CHANGER?
The Unique Identification Authority of India (UIDAI) rolled out Aadhaar scheme for residents of
India which gives a 12-digit unique identity number to its holders. ‘Aadhaar’ in Hindi means
foundation or base.
The Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Bill, 2016
is a money bill with an objective “to provide for, as a good governance, efficient, transparent, and
targeted delivery of subsidies, benefits and services, the expenditure for which is incurred from
the Consolidated Fund of India, to individuals residing in India through assigning of unique
identity numbers to such individuals and for matters connected therewith or incidental
thereto.”59 It is rolled out as a mandatory disclosure scheme under which citizens get the Aadhaar
Card made and then link it to avail various services, and it also serves as a legitimate proof of
identity on all platforms. The people living below the poverty line have to mandatorily get the
Aadhaar card made for availing the government security schemes.
Time and again, people have raised privacy concerns regarding the linking of Aadhaar for various
security reasons, the most important being linkage with bank accounts [verification of Permanent
Account Number (PAN)] and phone numbers. Although Government officials have vouched
for Aadhaar being completely safe and secure, the concerns over it are still debated. The
Government is making every effort to make the process convenient by setting up Centers for
getting Aadhaar made in every district.
Until the right to privacy was recognized as a fundamental right, Aadhaar was a perfectly
valid mandatory scheme. But after the decision of the Supreme Court of India with regard to
privacy, the mandatory nature of Aadhaar is a big question.
The Aadhaar contains a 12-digit unique identification number which is connected with biometric
and demographic data of the holder. A new sub-scheme that was rolled out was the AePS (Aadhaar
enabled Payment System) where the biometrics of the person could be used for banking
transactions. The basic privacy concern in this regard is that the biometrics can be reproduced and
it can lead to data theft and data fraud.
58 Ibid, s 72
59 The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. http://www.prsindia.org/administrator/uploads/media/AADHAAR/Aadhaar%20Bill,%202016.pdf
The personal integrity of the individual is also at stake as the individual does not have any control
over the user of information.
In early January 2018, the UIDAI notified the launch of the Virtual ID, whereby the individual
will not have to reveal the actual Aadhaar number and can instead generate a 16-digit revocable
and temporary number which will be linked to the biometrics of that person. Any number of Virtual
IDs can be created, and each newly created Virtual ID makes the old one redundant. This can be used
for various purposes like SIM verification. The UIDAI also cautioned the banks to follow the
limited KYC (Know Your Customer) concept, under which only limited, need-based details are to be
obtained from customers.60
The UIDAI claims that it uses one of the safest and most secure technologies for data storage and
that during the last seven years there has not been any report of leak or misuse of data. UIDAI
also adds that it helped the Government in conducting Direct Benefit Transfer for various schemes
such as LPG Subsidy, Scholarships, and Pensions directly into the bank accounts of beneficiaries,
thereby eliminating corruption, leakages by middlemen etc.61
Numerous petitions challenging the Aadhaar scheme are still pending in the Supreme Court of India,
and the decision is awaited. The petitions also claim that biometric information and
iris scans intrude upon bodily and informational privacy.62 The Supreme Court has raised
various concerns over the provisions of Aadhaar, the latest one being with regard to homeless
people. The Hon’ble Court remarked “How can a homeless person get an Aadhaar card? If he
doesn't have an Aadhaar card, he doesn't exist in the eyes of the government?”63
60 Business Today, Aadhaar and privacy: UIDAI brings Virtual IDs, Limited KYC to protect cardholders (New Delhi January 11, 2018) http://www.news18.com/news/india/uidai-introduces-virtual-id-limited-kyc-to-address-aadhaar-privacy-concerns-1628361.html
61 Press Information Bureau, Personal data of individuals held by UIDAI is fully safe and secure (New Delhi 5 March 2017) <http://pib.nic.in/newsite/PrintRelease.aspx?relid=158849>
62 Krishnadas Rajagopal, Constitution Bench likely to take up petitions challenging Aadhaar-linkage schemes, The Hindu (New Delhi, 27 November 2017) <http://www.thehindu.com/news/national/constitution-bench-likely-to-take-up-petitions-challenging-aadhaar-linkage-schemes/article20949908.ece>
The final hearing commenced on the 17th January. Senior Advocate Shyam Divan argued
against Aadhaar and called Aadhaar an electronic mesh and leash. He also stated that Aadhaar
alters the relationship between citizens and the state and makes India a surveillance state, thereby
reducing citizens to servitude.
CONCLUSION
“The right to personal privacy is precious. Without it, we are all potential victims for a prying
secret police.” -Lewis B. Smedes
The very first instance of data protection laws can be seen in the OECD Guidelines for Privacy and
Data Protection, which have been widely accepted and followed even by the developed nations and
organisations.
Various international and regional organisations like the UN, APEC, EU and AU have devised their
own data protection laws, of which the first directive was launched by the EU, which still continues
to have the most comprehensive, convincing and adopted framework.
Amongst the developing nations analyzed in the article, Mexico performs the best, with the most
comprehensive data protection laws as compared to Brazil and India. While Brazil has a draft bill
ready to become a law in the near future, the Supreme Court of India’s latest ruling declaring
the Right to Privacy a fundamental right makes the citizen question the validity of Aadhaar,
more so because of the lack of data protection laws.
India is a developing country with a peculiar scenario and wholly inadequate data protection laws.
Technology has changed by leaps and bounds in India. It is essential to realize that a
comprehensive Data Protection Law is the need of the hour and a prerequisite for Indian society.
63 Press Trust of India, Do homeless people without Aadhaar card not exist for you? SC asks UP govt, Indian Express (New Delhi January 2010) <https://www.ndtv.com/india-news/if-no-aadhaar-does-person-not-exist-for-government-asks-supreme-court-1798371>
India is one of the biggest target markets for BPOs and it will be nearly impossible to protect
Indian citizens’ data if stringent steps are not taken by the Government to secure the data. It is
all the more important to realize that, for an economy which is in its growing stage, the citizens
have to feel confident about engaging, through organisations and in their individual capacities,
in electronic commerce and cross-border transactions.
The disputed Aadhaar scheme by the Indian Government has attracted a lot of criticism from every
stratum of the society. The poor section is unaware of the legal issues with Aadhaar and is ignorant
of its implications. For them it is just a mechanism to avail the benefits under the scheme. But, still
they are discontent with the fact that they have to carry this unique number with them even at a
ration shop and have to link everything with the Aadhaar.
The rich and the educated moot the validity of Aadhaar from a legal perspective more so after the
Right to Privacy being declared as a fundamental right.
While the UIDAI has put forth many convincing arguments to instill confidence in and acceptance
of Aadhaar as safe, it has failed to devise a mechanism for ensuring the safety of data. The
Constitution of India is drafted in an inclusive manner, and since Aadhaar actually alters the
relationship of the citizen with the state, it points towards the building of an exclusive state.