data protection and privacy-india

8/7/2019 data protection and privacy-india http://slidepdf.com/reader/full/data-protection-and-privacy-india

Table of contents

1. Introduction
2. Data and data processing
3. Data protection and the right to information
4. Conclusion

Upload: bornautocrat

Post on 08-Apr-2018



 CHAPTER 1: INTRODUCTION

'Information' as a term has been derived from the Latin words 'Formation' and 'Forma', which mean giving shape to something and forming a pattern, respectively. Information adds something new to our awareness and removes the vagueness of our ideas. Section 2(f) of The Right to Information Act, 2005 defines what information is. It provides that:

"information" means any material in any form, including records, documents, memos, e-mails, opinions, advices, press releases, circulars, orders, log books, contracts, reports, papers, samples, models, data material held in any electronic form and information relating to any private body which can be accessed by a public authority under any other law for the time being in force;

This legislation was born out of the liberal interpretation given to Article 19(1)(a) of the Constitution, which guarantees the fundamental rights to free speech and expression. The prerequisite for enjoying this right is knowledge and information. The absence of authentic information on matters of public interest will only encourage wild rumours and speculations and avoidable allegations against individuals and institutions. Therefore, the Right to Information becomes a constitutional right, being an aspect of the right to free speech and expression which includes the right to receive and collect information. This will also help the citizens perform their fundamental duties as set out in Article 51A of the Constitution. A fully informed citizen will certainly be better equipped for the performance of these duties. Thus, access to information would assist citizens in fulfilling these obligations.

As no right can be absolute, the Right to Information has to have its limitations. There will always be areas of information that should remain protected in public and national interest. Moreover, this unrestricted right can have an adverse effect of an overload of demand on administration. So the information has to be properly, clearly classified by an appropriate authority.


The usual exemptions permitting Government to withhold access to information are generally in respect of these matters: (1) International relations and national security; (2) Law enforcement and prevention of crime; (3) Internal deliberations of the government; (4) Information obtained in confidence from some source outside the Government; (5) Information which, if disclosed, would violate the privacy of an individual; (6) Information, particularly of an economic nature, which, when disclosed, would confer an unfair advantage on some person or subject or government; (7) Information which is covered by legal/professional privilege, like communication between a legal advisor and his client and (8) Information about scientific discoveries and inventions and improvements, essentially in the field of weapons.[1]

The submitted project work deals with an area that can very well be associated with the right to privacy of a person. We do not have a separate law to obtain personal information related to the requester himself. The Right to Information Act is being used for both purposes, i.e. to obtain personal information as well as non-personal information, which sometimes creates confusion. In the USA, the Privacy Act is used to obtain personal information and the Freedom of Information (FOI) Act is used for obtaining other information. Similarly, in the UK, the Data Protection Act is used to obtain personal information and the Freedom of Information Act is used for obtaining other information.

A separate Data Protection or Privacy law is necessary to obtain personal information related to the requester herself and at the same time to protect against unnecessary disclosure to others. The project deals with data protection and the legal regime relating to it in the EU and India.

Data protection is nothing but maintaining the secrecy, integrity and authenticity of data relating to a person or otherwise, which is very important in international transactions and also for the person himself. Bank account details, passport and visa portfolios, balance sheet of a company, solvency status of a person etc. are all details which need protection while processing or transfer in transnational jurisdiction. There may be other numerous facts and figures about entities that require adequate protection and secrecy and therefore, a strong legal regime protecting the same is the need of the hour owing to the whopping increase in transnational transactions. The project tries to look into the status of law in EU and India and analyses the same to bring out the positive and negative points.

[1] http://www.rrtd.nic.in/RIGHT%20TO%20INFORMATION.html


Unlike the US and EU, there is no specific enactment on Data Protection in India. However, the Indian government is under increasing pressure from business process outsourcing operations and call centers in India that handle large volumes of data from the U.S. and Europe to pass a Data Protection Law. The Ministry of Information Technology and National Association of Software and Service Companies (NASSCOM) are in the process of drafting legislation to amend the country's existing Information Technology Act of 2000, with the intention of bringing the data protection regime up to the standard required by the US and the EU.

The growth of the computer industry in the last two decades has been amazing. This growth has been accompanied by an increase in the quantity and availability of data stored by private companies and the Government in almost all the countries of the world, including India. The ease with which information is transmitted and stored has created an information market in which personal data is bought and sold to various groups. The key to the information age is the swift transfer and storage of digital data. For marketeers and corporations some of the most important data traded involves information about our personal histories. Whether it be buying habits, driving records, medical records or credit reports, this information is a hugely valuable commodity. As these companies go from source to source, collecting as much pertinent personal information as possible, citizens' privacy is being slowly eroded.

There must, therefore, certainly be a point where society draws the line and declares certain pieces of information off the market. There is no doubt that we cannot protect all data, bit by bit, byte by byte, but something must be done. Much of this problem arises from the fact that there is little or no legal protection of personal data and the Right to Information Act is not sufficient to protect such private and personal data, which is why the government is considering the passing of a data protection law which will fulfil such objective.

   

CHAPTER 2: DATA and DATA PROCESSING 


Data in everyday language is a synonym for information. In the exact sciences there is a clear distinction between data and information, where data is a measurement that may be disorganized and when the data becomes organized it becomes information. Data may relate to reality, or to fiction. Data about reality consists of propositions[2]. A large class of practically important propositions are measurements or observations of a variable. Such propositions may comprise numbers, words or images[3].

According to Article 2(a) of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Today, possibly the largest amount of recorded personal information is in the form of government records. From birth to death, the Government keeps track of all the major events in our lives. Records are kept for driver's licences, marriage licences, property ownership, criminal activities, tax information, voter registration, and much more. Some of this information is confidential but most of it is stored in the form of public records and "public records" are just that: public.[4] Therefore there is a strong need for a law which governs that information which is personal to an individual.

[2] In common philosophical language, a proposition is the content of an assertion, that is, it is true-or-false and defined by the meaning of a particular piece of language. The proposition is independent of the medium of communication.
[3] http://en.wikipedia.org/wiki/Data#Meaning_of_data.2C_information_and_knowledge
[4] Faizan Mustafa, Privacy Issues in Data Protection: National and International Laws, (2004) PL WebJour 16

CHAPTER 3: DATA PROTECTION and The RIGHT TO INFORMATION


We live in a world of international data transmissions. Digitalization of information, combined with continuous and dazzling technological developments, has increased the flow and application of data. Information sharing now takes place on an international scale and involves a tremendous amount of data referring to individuals[5]. Among the critical regulatory challenges raised by such international information flows is how to protect individual privacy. In Europe, where this issue receives the most concerted attention in the world, the response is found in "data protection law." This term refers to the legal structures that attempt to regulate knowledge and concealment of an individual's personal information[6].

Also, the growth of e-commerce requires consumer confidence, and privacy is a key requirement in building online consumer confidence. An increasing number of consumers are concerned with how their personal information is used in the electronic marketplace, and many consumers would rather forgo web-provided information and products than provide a website their personal information without knowing that site's information practices[7]. According to the results of a Business Week survey released in 1998, consumers not currently using the Internet ranked concerns about personal information and communication privacy as the foremost reason they have stayed off the Internet[8]. These findings suggest that effective and meaningful consumer privacy protections need to be implemented if the electronic marketplace is to grow significantly. Otherwise, consumers will remain wary of engaging in electronic commerce, and this new marketplace will fail to reach its full potential.

[5] Reinhard Ellger, Der Datenschutz im grenzüberschreitenden Datenverkehr, 108-29 (1990). Ellger finds that the most intensive transborder data flows occur in the following areas: (1) personnel departments; (2) banks, insurance companies, credit card companies, and credit bureaus; (3) direct marketing; (4) airlines, travel agencies, and other business involved in tourism; (5) companies that seek to deliver goods to or otherwise trade with international customers; and (6) within the public sector: police, customs, tax departments, and public pension agencies.
[6] Paul M. Schwartz, EUROPEAN DATA PROTECTION LAW AND RESTRICTIONS ON INTERNATIONAL DATA FLOWS, 80 Iowa L. Rev. 471, cited from www.westlaw.com
[7] Louis Harris and Associates, Inc. and Dr. Alan F. Westin, Commerce, Communications, and Privacy Online, A National Survey of Computer Users, 20-21 (1997).
[8] Business Week/Harris Poll: Online Insecurity, BUSINESS WEEK, Mar. 16, 1998, at 102.

DATA PROTECTION and THE EUROPEAN UNION


On July 25, 1995, the European Union's Council of Ministers ("E.U. Council") formally adopted the Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. When enacted in 1995, the Directive was widely considered the "most important international development in data protection in the last decade." Its comprehensive public policy approach is based upon "the premise that privacy is a human right and data protection is an essential means to protect that right through a coherent and enforceable legal regime."[9]

Generally, the Directive has two overall objectives: (1) the protection of information privacy by Member States of the European Union; and (2) the prevention of restrictions on the free flow of personal information among E.U. Member States, for reasons of privacy protection.[10] In order to realize these two objectives, the Directive comprises a mixture of obligations for data processors[11] that control personal data processing[12], together with the enforcement of individuals' rights for those who are the subject of data processing. These are reflected in a set of information privacy principles set out in Chapter II (General Rules on the Lawfulness of the Processing of Personal Data) of the Directive.

These principles cover four general areas of concern: (1) data quality, (2) legitimate processing, (3) rights of data subject and (4) security of data. The first principle, data quality, has five specific requirements:

(1) Fairness/Lawfulness: Personal data must be "processed fairly and lawfully;"[13]

(2) Purpose Limitation: Personal data must be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;"[14]

(3) Relevance: Personal data must be "adequate, relevant and not excessive in relation to the purposes for which they are collected and/or for which they are further processed;"[15]

(4) Accuracy: Personal data must be "accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they are collected or for which they are further processed, are erased or rectified;"[16] and

(5) Timeliness: Personal data must be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed."[17]

[9] Graham Pearce & Nicholas Platten, Orchestrating Transatlantic Approaches to Personal Data Protection: A European Perspective, 22 FORDHAM INT'L L. J. 2024, 2026 (1999).
[10] Article 1(2)
[11] 'processor' shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller; 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.
[12] 'processing of personal data' ('processing') shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
[13] Art. 6(1)(a)
[14] Art. 6(1)(b)
[15] Art. 6(1)(c)
[16] Art. 6(1)(d)
[17] Art. 6(1)(e)

The second principle, concerning the legitimate processing of personal data, has six requirements:

(1) Consent: Personal data may be processed only if "the data subject has given his consent unambiguously"; or

(2) Contract: Personal data may be processed only if "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject entering the contract;" or

(3) Legal Obligation: Personal data may be processed if "processing is necessary for compliance with a legal obligation to which the controller is subject;" or

(4) Vital Interest: Personal data may be processed if "processing is necessary in order to protect the vital interest of the data subject;" or

(5) Public Interest/Official Authority: Personal data may be processed if "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in the third party to whom the data are disclosed;" or

(6) Legitimate Interest: Personal data may be processed if processing is "necessary for the purposes of legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection under Article 1(1)."[18]

The third principle pertains to rights of the data subject, the person whose personal data is collected and transmitted. This principle secures three rights:

(1) Right of Access: Every data subject has the right to obtain from the controller "confirmation as to whether or not data relating to him are processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed;"

(2) Right to Correct/Block Information: Every data subject has the right to obtain from the controller "the rectification, erasure, or blocking of data, the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;"[19]

(3) Right to Object: Every data subject has the right "to object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him."[20]

The final principle concerns the security of the collected or transmitted personal data. The Directive requires Member States to "implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss and against unauthorized alteration, disclosure or access."[21]

[18] Art. 7(a)-7(f)
[19] Art. 12(1)-(2)
[20] Art. 14(a)
[21] Art. 17(1)

The Directive specifies various mechanisms that aid in the implementation of these privacy principles. It requires that each Member State enact legislation to fully address and implement the Directive's four information privacy principles. Further, each E.U. Member State must establish one or more public authorities to oversee and enforce privacy protections. The Directive also grants individual rights of enforcement. The Directive requires that individuals be granted the right to seek a judicial remedy for any breach of a Member State's national law regarding information privacy, as well as a right to recover compensatory damages.[22]

 

The results of research conducted by the Commission shed some light on some of the more interesting considerations that help to gauge public perception, and the efficacy of the Directive in making an impact on the personal data markets. For example, the Commission found that despite the Directive's requirement of apparently high standards of data privacy, 44% of survey respondents considered the standards as a minimum protection of their personal data rights. Somewhat paradoxically, 81% of respondents also considered the level of awareness of individuals regarding data protection rights to be insufficient, bad, or very bad. The same investigation also revealed that although there was a general acceptance among businesses of the need for data protection rights, there seemed to be a general apathy towards fulfilling the obligations towards individuals when such data protection rights were exercised.

The most publicized, contentious, and onerous (at least from a non-EU nation perspective) provisions contained in the Directive are those that relate to the transfer of personal data to so-called "third countries." In essence, the Directive blocks all international transfers of data to countries outside of the EU, where the "third country does not ensure an 'adequate level of protection'."[23] Findings of adequacy are made by the Commission, in consultation with the Working Party established under article 29 of the Directive. Member States have an obligation to inform the Commission of countries that do not enshrine such adequate protection[24].

[22] Art. 23
[23] Art. 25
[24] Seth P. Hobby, THE EU DATA PROTECTION DIRECTIVE: IMPLEMENTING A WORLDWIDE DATA PROTECTION REGIME AND HOW THE U.S. POSITION HAS PROGRESSED, 1 Int'l L. & Mgmt. Rev. 155, cited from www.westlaw.com

 


DATA PROTECTION IN INDIA

India does not currently have a specific data protection law. Data protection and privacy are given scattered and rather sparse coverage by existing laws. The existing data protection laws are scattered in laws pertaining to information technology, intellectual property, crimes, and contractual relations. Under increasing pressure from BPO operations and call centers in India that handle large volumes of data from the United States and Europe, the Indian government is contemplating the passage of a comprehensive law protecting data.

Until such time as India enacts adequate data protection laws, the current laws in India are the only protection offered for data privacy violations. Unlike the Directive, which imposes liability on each participant within the chain of command who failed to protect the sanctity of the data, India's existing laws only prosecute those individuals who directly violate laws related to computer systems or copyright. Entities are exempt for breaches of data privacy, unless such a violation was made knowingly. Unlike the Directive, which protects against data breaches by limiting the collection and use of data, the Indian laws do not specify conditions under which data can be collected and used.

An analysis of the existing Indian laws is placed below:

1. IT Act of 2000

Section 43(b) of the IT Act of 2000 affords cursory safeguards against breaches in data protection. The scope of Section 43(b) is limited to the unauthorized downloading, copying or extraction of data from a computer system: essentially unauthorized access and theft of data from computer systems. Section 43(b) is limited in scope, and fails to meet the breadth and depth of protection that the E.U. Directive mandates. The law creates personal liability for illegal or unauthorized acts, while making little effort to ensure that internet service providers or network service providers, as well as entities handling data, be responsible for its safe distribution or processing. Furthermore, the liability of entities is diluted in Section 79 of the Act, which inserts 'knowledge' and 'best efforts' qualifiers prior to assessing penalties.

 


With regard to damages available in the event of a breach of data privacy, Section 43(b) is deficient in that the maximum penalty for this breach is monetary compensation in the paltry amount of approximately $220,000. The maximum monetary damages available for a breach, which can potentially be worth several times more, is clearly inadequate in a transnational context. The more limited crimes of computer hacking and tampering are considered criminal offenses under the IT Act of 2000: Section 65 offers protection against intentional or knowing destruction, alteration, or concealment of computer source code. Section 66, while offering no clear language that protects personal data, offers limited protection when personal data is destroyed, deleted or altered. Both Sections 65 and 66 are punishable with criminal penalties including jail time of up to 3 years. In addition to the protections discussed above, Section 72 of the IT Act of 2000 offers some protection for breaches of confidentiality and privacy. Non-consensual disclosure of confidential information is punishable by imprisonment for up to 2 years.

The E.U. Directive envisions much broader violations associated with breach of data security than does the limited sphere of the IT Act of 2000. As described previously, the E.U. Directive provides for protections in the entire chain of control of data and creates systems of security and associated penalties within the various stages of data processing. For instance, the Directive prescribes limits to the collection of personal data, requiring that a purpose for the data collection be articulated. The Directive also requires that data must be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject; personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. A reformation of the IT Act of 2000 should encompass the principles contained in the Directive related to limitation of data collection, data quality, specified purpose, use limitation, security safeguards, individual participation and accountability[25].

[25] Vinita Bali, DATA PRIVACY, DATA PIRACY: CAN INDIA PROVIDE ADEQUATE PROTECTION FOR ELECTRONICALLY TRANSFERRED DATA?, 21 Temp. Int'l & Comp. L.J. 103, cited from www.westlaw.com

2. Indian Criminal Laws

 


The Indian criminal laws do not specifically address breaches of data privacy. Under the existing Indian Penal Code, liability for such breaches must be inferred from tangentially related crimes. For instance, Section 403 of the Indian Penal Code imposes criminal penalty for dishonest misappropriation or conversion of "movable property" for one's own use. Movable property has been defined as property which is not attached to anything, and not land. Although no jurisprudence has developed on this interpretation, arguably, movable property encompasses computer-relayed data and intellectual property. Wrongful misappropriation of data, or conversion for one's own use may, under this interpretation, be punishable as a crime in India.

In addition, Indian Penal Code Section 405 provides criminal penalties for criminal breach of trust. Whoever, being in any manner entrusted with property, or with any dominion over property, dishonestly misappropriates or converts to his own use that property, or dishonestly uses or disposes of that property in violation of any direction of law prescribing the mode in which such trust is to be discharged, or of any legal contract, express or implied, which he has made touching the discharge of such trust, or willfully suffers any other person so to do, commits 'criminal breach of trust.' Section 420 of the Indian Penal Code may also offer some protection for failure to adequately protect data. Section 420 pertains to dishonest delivery of property to a third person.

The absence of specific provisions relating to data protection is clearly visible in the Indian Criminal Law regime.

3. Intellectual Property Law Protection

Computer software (including computer programs, databases, computer files, preparatory design material and associated printed documentation, such as users' manuals) has copyright protection under Indian laws. Computer programs per se are not patentable, being patentable only in combination with hardware. Thus in India, by past practice and under current laws, copyright is the preferred mode of protection for computer software. The Indian Copyright Act prescribes mandatory punishment for piracy of copyrighted matter commensurate with the gravity of the offense. Section 63B of the Indian Copyright Act provides that any person who knowingly makes use on a computer of an infringing copy of a computer program can be punished with a maximum of three years in prison.


 4. Contractual Relations  

Private contractual terms have been used as a means of filling the gap left by the IT Act of 2000 and other laws in India. Until a tighter data protection legal regime is in place, the U.S. and other countries outsourcing to India are relying upon contractual obligations to impose obligations for protecting and preserving data. There is growing recognition within the outsourcing industry that contractual obligations do not provide the most efficient or effective recourse. In the event of a breach of the security of data, getting an effective remedy under the contractual obligations is time consuming and often insufficient.26

 

Overall, few incidents of misuse of data by employees of Indian business service providers have arisen to date. However, the few that have occurred have set off alarms for both American and Indian companies. For example, in June 2005, American business outsourcers and their Indian counterparts were extremely concerned when Interpol was asked to investigate allegations that a 24-year-old worker at Infinity e-Search, a web marketing company in New Delhi, had sold information that he obtained from call center workers at a BPO company. An undercover British reporter from a London tabloid newspaper, The Sun, claimed that the Infinity e-Search employee sold him Barclays Bank account details for 1,000 U.K. customers. The account holders' secret passwords, addresses, phone numbers, and passport details were allegedly sold for 350,000 rupees (INR 350,000), which is the equivalent of around U.S. $8,000. This situation points out the flaws in having sensitive information in the hands of offshore employees in a developing country where the temptation may be great to make vast amounts of money in local currency by selling information to unscrupulous buyers, particularly when the exchange rate makes the purchase cost in the western country relatively minimal.27

 

26 Ibid.

27 Deborah Roach Gaut, OFFSHORE OUTSOURCING TO INDIA BY U.S. AND E.U. COMPANIES: LEGAL AND CROSS-CULTURAL ISSUES THAT AFFECT DATA PRIVACY REGULATION IN BUSINESS, 6 U.C. Davis Bus. L.J. 13, cited from www.westlaw.com

  


CHAPTER 4: CONCLUSION

In conclusion, it can be said that in India, the existing legal regime in relation to data protection is not strong and consolidated. We do not have a separate law to obtain personal information related to the requester himself. The Right to Information Act is being used for both purposes, i.e. to obtain personal information as well as non-personal information, which sometimes creates confusion and raises issues relating to the privacy of individuals. The regime in the EU is much wider and more specific than India's. Specific laws in relation to data protection are the need of the hour in the Indian legal system. The provisions that are currently present are insufficient to match the standards of secrecy and protection that other jurisdictions are contemplating and demanding in the present scenario. For example, in the EU, the standards set up by the directive with respect to data protection take into consideration the purposes for which data is required to be processed and transferred, the time limit for which data would be legitimately required, the consent of the data subject to data processing, his right to object to such processing, etc. These are provisions that can to a good extent ensure data protection. The Indian legal regime should be modified to include the above aspects so as to match the international demands of data protection. If this is not done, international transactions including data transfer and processing would be difficult to execute in the coming times owing to the high data protection standards demanded by the EU, US and other developed countries.

Also, it can be concluded that Article 25 of the EU directive, which blocks all international transfers of data to countries outside of the EU where the third country does not ensure an 'adequate level of protection', is a very onerous condition both for the EU members and for the developing countries. This is particularly so because the determination of whether a particular third country has adequate safeguards for data protection or not is to rest with the Commission. Therefore, even when a third country has a decent level of safeguards, it may not be able to transact data with an EU member if the Commission is not subjectively satisfied about the adequacy. This can prove to be an impediment with respect to processing and transfer of data across nations involving EU members.

 

 

BIBLIOGRAPHY AND REFERENCES

 

Websites

• http://righttoinformation.gov.in/
• http://www.rrtd.nic.in
• http://en.wikipedia.org/
• http://www.westlaw.com
• www.google.co.in
• www.jstor.org

 

Articles

 

• Faizan Mustafa, Privacy Issues in Data Protection: National and International Laws, (2004) PL WebJour 16
• Paul M. Schwartz, EUROPEAN DATA PROTECTION LAW AND RESTRICTIONS ON INTERNATIONAL DATA FLOWS, 80 Iowa L. Rev. 471, cited from www.westlaw.com
• Louis Harris and Associates, Inc. and Dr. Alan F. Westin, Commerce, Communications, and Privacy Online, A National Survey of Computer Users, 20-21 (1997).
• Graham Pearce & Nicholas Platten, Orchestrating Transatlantic Approaches to Personal Data Protection: A European Perspective, 22 FORDHAM INT'L L. J. 2024, 2026 (1999).
• Seth P. Hobby, THE EU DATA PROTECTION DIRECTIVE: IMPLEMENTING A WORLDWIDE DATA PROTECTION REGIME AND HOW THE U.S. POSITION HAS PROGRESSED, 1 Int'l L. & Mgmt. Rev. 155, cited from www.westlaw.com
• Vinita Bali, DATA PRIVACY, DATA PIRACY: CAN INDIA PROVIDE ADEQUATE PROTECTION FOR ELECTRONICALLY TRANSFERRED DATA?, 21 Temp. Int'l & Comp. L.J. 103, cited from www.westlaw.com
• Deborah Roach Gaut, OFFSHORE OUTSOURCING TO INDIA BY U.S. AND E.U. COMPANIES: LEGAL AND CROSS-CULTURAL ISSUES THAT AFFECT DATA PRIVACY REGULATION IN BUSINESS, 6 U.C. Davis Bus. L.J. 13, cited from www.westlaw.com