
In October 2007 the British Prime Minister Gordon Brown had to personally apologize for the loss of two disks containing personal information of 25 million citizens leading to fears of breach of privacy. This breach was expected to cost the government 1.5 billion GBP. Its immediate effect was the resignation of the head of revenue and customs.

Closer to home, in Noida, two BPO employees were arrested for leaking private information of clients of a leading British telecom company. The total loss was pegged at Rs.1.75 crore. Similarly, in November 2005, Parsec Technologies complained of data theft by one of its employees, and subsequent investigations led to the arrest of 4 people.

The above-mentioned incidents could all have been avoided had a little precaution been taken to protect the data securely. For example, in Britain an expense of a mere 5000 GBP on erasing sensitive information would have avoided the loss of 1.5 billion GBP.

These incidents bring to the fore the increasing importance of data protection, in consonance with greater awareness of privacy protection. An organization would choose to ignore this critical aspect only at its own peril. This article explains the concept of privacy and data protection, sets out the global standards in this field, explores the situation as it stands in India, and suggests steps needed to improve the privacy laws as they exist in India.

Privacy: -- Attempting a definition

Privacy is the ability of an individual or group to seclude themselves, or information about themselves, and thereby reveal themselves selectively. The boundaries and content of what is considered private differ among cultures and individuals, but share basic common themes.

For the purpose of this article we need to understand data privacy. The word privacy itself defies easy definition: it means many things in different contexts, and different people, cultures, and nations have a wide variety of expectations about how much privacy a person is entitled to or what constitutes an invasion of privacy. The term data privacy, however, can be defined as the evolving relationship between technology and the legal right to privacy in the collection and sharing of private data about oneself. It refers to concerns about how data is collected, stored and associated. It also includes issues such as whether an individual has any ownership rights to data about them and/or the right to view, verify, challenge and modify any such data.

The Global Scenario: -- Emergence of Heightened Enlightenment

The law in the United Kingdom was framed by its Parliament in 1984 and is known as the Data Protection Act. This was later replaced by the act of 1988. This act covers data which can be used to identify a living person and applies only to data held in a computer or any other device which operates automatically in response to a given command. The act mandates that persons and organizations which store personal data must register with the Information Commissioner appointed under the act.

The US has taken a different approach: it has adopted a sectoral approach which comprises a mix of legislation, regulation and self-regulation. In the US, data is grouped according to utility and importance, and different classes of protection are then provided to different classes of data. Examples of the laws passed in the US include the Privacy Act in 1974, the Electronic Communication Privacy Act and the Consumer Internet Privacy Protection Act. However, the US government has been reluctant to impose a regulatory burden on activities which could hamper its development and has looked for an answer in self-regulation.

The Canadian laws are among the most stringent and comprehensive. There are multiple federal acts, including the Canadian Charter of Rights and Freedoms, the Privacy Act and, for data protection, the Personal Information Protection and Electronic Documents Act (PIPEDA). Apart from this, provincial-level legislation also exists which accounts for more specific cases of personal privacy protection against commercial organizations; examples are the Personal Information Protection Acts of Alberta and British Columbia. The country has also brought in regulations to govern the use of video surveillance by private organizations. Among other measures, these require organizations to post signs informing people of the surveillance, to store the recorded images in a secure location, and to destroy them as soon as the need for them ends.

The European Union is the centre of interest in these laws and its guidelines are by far the strictest. It has said that EU countries will cease to part with any information it considers a matter of protection unless the other country also adheres to laws similar to those in force in the EU. In the EU, data protection came in the year 1995 with the passage of EU Directive 95/46/EC, popularly known as the Data Protection Directive. This directive relates to the processing of personal data and the movement of data. It lists several rules that companies have to abide by while collecting and using someone's personal data. The EU later issued Directive 2002/58/EC to ensure that all member nations adopt the guidelines concerning the processing of personal data and the protection of personal privacy in e-communications services. The EU directive provides for a three-pronged approach: firstly, personal ownership of data and individual consent for the use of data; secondly, companies are allowed to use the data collected only for those purposes that have been previously identified; and thirdly, it is only a set of minimum requirements, and the member nations are free to take more stringent measures if they feel the need to do so.

Privacy in India- Attitudes and Awareness

While the European Union and the United States have stringent data protection regulations, India sadly has not adapted to the changing needs of the times and does not have a comprehensive data protection regime. All that one may find is a couple of provisions relating to privacy in the Indian Constitution and a few sections in the Information Technology Act, 2000. It is astonishing how legal experts in the United States recognized the need to conserve "individual privacy" as early as 1890. However, the lack of explicit privacy legislation did not hinder their efforts to develop an elaborate edifice of privacy protection principles that form the bedrock upon which contemporary privacy protection regulation rests.

The Indian Constitution has not yet granted but only reasoned this right. The existing law just affords a principle which, if properly invoked, may protect the privacy of the individual, and the Indian judiciary has been using judicial activism to widen the ambit of the Constitution of India, 1950, Article 21, where the seeds of the privacy rights may be found, and to extend the protection granted by it. In recent times, however, this right has acquired a constitutional status. This journey began in 1963, when for the first time the issue regarding the Right to Privacy was raised in Kharak Singh v. State of Uttar Pradesh. The question was whether the Right to Privacy might be implied from existing Fundamental Rights in the Constitution of India, 1950, Articles 19(1)(d), 19(1)(e) and 21. The majority opinion was that our Constitution does not in express terms confer any such right on the citizens. The minority opinion (Subba Rao J.) was in favour of inferring the right to privacy from the right to personal liberty under the Constitution of India, 1950, Article 21. This right again came up for examination before the Supreme Court of India in Govind v. State of Madhya Pradesh, and this time the Supreme Court took a more elaborate view and accepted a limited right to privacy as an emanation from Articles 19(1)(a), 19(1)(d) and 21. It was also said that the right is not absolute, so reasonable restrictions may be imposed on this right. These restrictions must be the same as are provided under the Constitution of India, 1950, Article 19, clause 2.

However, a detailed analysis of the Right to Privacy was done by the Supreme Court in R. Rajagopal v. State of Tamil Nadu. It was held that the right to privacy no longer subsists when the matter becomes a matter of public record, subject to certain exceptions. It was declared that the right to privacy in recent times has acquired constitutional status. It is implicit in the right to life and personal liberty.

The Supreme Court also laid down certain propositions defining the right to privacy, thereby reconciling two fundamental rights, that is, the right to privacy and freedom of speech. The important propositions laid down were:

(1)  Right to privacy is implicit in the Constitution of India, 1950, Article 21. It means a right to be let alone. A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, child bearing and education amongst other matters. The position may, however, be different if a person voluntarily thrusts himself into controversy or voluntarily invites or raises a controversy;

(2)  There is an exception to this rule. Once a matter becomes a matter of public record, the right no longer subsists. However, in interest of decency (the Constitution of India, 1950, Article 19(2)) an exception must be carved out to this rule, namely, a female who is a victim of sexual assault, kidnap, abduction or a like offence must not be subjected to the indignity of her name and the incident being publicized in press/media; and

(3)  The second exception to this right is that in case of public officials, this right is not available with regard to their acts and conduct relevant to the discharge of their official duties.

Need for a Privacy Statute in India

There exists in India an impending need to frame a model statute which safeguards the Right to Privacy of an individual, especially given the emergence of customer-service corporate entities which gather extensive personal information relating to their customers. It is evident that, despite the presence of adequate non-mandatory ethical arguments and precedents established by the Supreme Court of India, in the absence of an explicit privacy statute the right to privacy remains a de facto right, enforced through a circuitous mode of reasoning and derived from an expansive interpretation of either Constitutional law or Tort law.

The urgency for such a statute is augmented by the absence of any existing regulation which monitors the handling of customer information databases, or safeguards the Right to Privacy of individuals who have disclosed personal information under specific customer contracts, viz. contracts of insurance, credit card companies or the like. The need for a globally compatible Indian privacy law cannot be understated, given that trans-national businesses in the services sector find it strategically advantageous to position their establishments in India and across Asia. For instance, India is set to emerge as a global hub for the setting up and operation of call centers, which serve clients across the world. Extensive databases have already been collated by such corporates, and the consequences of their unregulated operations could lead to a no-win situation for customers in India, who are not protected by any privacy statute which sufficiently guards their interests. Even within the present liberal global regulatory paradigm, most governments would be uncomfortable with a legal regime which furthers commercial interests at the cost of domestic concerns.

Issues that would need to be addressed by any prospective privacy legislation in India are:

i. Limited Purpose

The particular purpose for gathering information by an organization must be specified at or before the time the information is collected.

ii. Safeguards

In the case of insurance companies or other customer service-related or data processing companies, the gathering and collation of personal information on individuals would need to be conserved and secured by a regulated data security system.

iii. Accountability

Corporates would need to establish a system whereby all information disclosure systems are duly audited/accounted and monitored, keeping in view the rationale/occasion for every disclosure made.

iv. Prior Consent

Corporates could include express clauses in their agreements, which include an express authorization from the individual allowing the companies to use/disclose personal information for their own internal purposes or those of their affiliates or group companies.

v. Limits to Use, Disclosure and Retention

Any information sharing with other members of the insurance industry or with other corporate entities should be made only after seeking an express authorization from the customer.

vi. Information-Sharing

The confidentiality and sensitivity of such information makes it necessary for corporates to avoid any data sharing arrangement or customer information disclosure agreements without the prior consent of the individuals.

Conclusion

In conclusion, the issue that remains to be addressed is not the shape of the prospective privacy legislation in India, or its intricacies, but the need to put in place, within a reasonable period of time, a privacy law enforcement regime that addresses the nouveau-emergent privacy issues in the context of the convergence of various modes of communication. As Ronald Dworkin said in his article "Objectivity and Truth: You'd Better Believe It", "We want to live decent, worthwhile lives, lives we can look back on with pride not shame. We want our communities to be fair and good and our laws to be wise and just. These are enormously difficult goals, in part because the issues at stake are complex and puzzling." Complex as it may be, the concept of privacy protection is an area that needs our lawmakers' attention, and rightly so.



Category Corporate Law, Other Articles by - manisha verma 


