Data Protection, Privacy and Corporate Compliance [India]

Data Protection, Privacy and Corporate Compliance: Solutions for India Rodney D. Ryder

Introduction - Structure

Part 1 - The need for legislation

Opportunities for India - Data protection obstacles

Privacy concerns

Current law in India

Part 2 - Data Protection: Compliance Challenges and Strategies

Data Protection legislation around the world

European Commission Directive and UK Act

Data Protection in Hungary, Australia, United States

Balancing Privacy and Security

The need for legislation Opportunities for India

Opportunities for India Three sunrise sectors of the economy face obstacles caused by a lack of a comprehensive data protection regime in India - E-commerce - ITES - outsourcing and BPO - Bioinformatics If India is to fully exploit these opportunities, it should provide a conducive legislative framework -

Speed and Convenience

Mobile access

Personalised and tailored

Data mining sophistication

Loss of control

Insecurity

Lack of confidence

Increased scepticism

Low uptake of eCommerce

The need for legislation - to boost e-Commerce

Technological advances in data storage and transmission

Globalisation of communications - the internet

Convergence and standardisation of technologies

Increasing importance of data processing

The need for legislation - to boost e-Commerce

90%: Business should advise:

who may have access

how information might be used

91%: Business should seek permission before using for marketing

Respect for personal information is the aspect of service that matters most to more than a third of consumers

Consumer attitudes to privacy US Federal Privacy Commissioner’s Research Report - July 2001

The need for legislation - to boost ITES sector

Often entirely dependent on data

Customer Relationship Management

Outsourcing and BPO: e.g. - Human Resource management

- card processing

Data Mining services

India is particularly well-placed to excel in ITES sector, with large, relatively cheap, highly-skilled, English-Speaking workforce

Data from Europe accounts for around 20% of ITES revenues at present. If India had “adequate” status it could be much more.

The need for legislation - to boost Bioinformatics

Emerging applications:

gene decoding

mapping genomes

functional genomics

functional proteomics

data mining for biomarkers

All involve use of IT to process genetic data,

or information derived from genetic data

Ethical questions needing legislative answers

In what circumstances should people be required to give DNA samples or disclose genetic information? Consider mandatory disclosure to employers, insurance companies, adoption agencies, law enforcement agencies, or courts.

How should DNA samples and genetic information of unborn foetuses, minors, or other persons lacking legal capacity be dealt with?

Should compulsory security measures be applicable to storage of DNA samples and derived genetic information?

Who should own genetic data or information derived from it?

The need for Data Protection Legislation

All three sectors depend upon transmission and processing of personal data

All three sectors would wish to be able to accept personal data from Europe

In all three sectors the lack of a data protection regime is an increasingly large barrier to growth

The need for legislation Privacy Concerns

Privacy concerns

A fundamental human right

the right of the individual to be let alone

Information Privacy (data protection) - personal data

Bodily privacy - invasive procedures - search, drug testing; genetic testing; etc

Communications Privacy - mail, telephone, e-mail etc

Territorial privacy - domestic privacy; CCTV; ID checks etc

“ Public” aspects - surveillance, police powers and national security

“ Private” aspects - commercial use of data

Privacy concerns

Focus on Information Privacy and Data Protection

but note legislation may also be required in relation to:

surveillance of communications

surveillance of computer systems and networks

monitoring of employees - internet, phone, drugs testing, genetic testing etc

satellite surveillance

biometrics and other identification technologies

genetic testing

E.g. in UK:

- Human Rights Act 1998

- Telecommunications (Data Protection and Privacy) Regulations 1999

- Regulation of Investigatory Powers Act 2000

- Telecoms Lawful Business Practice Interception of Communication Regs 2000

Growth of Importance of Privacy

Overview - major International and US regulations

1948 UN Universal Declaration of Human Rights

1970 US Fair Credit Reporting Act

1974 US Privacy Act

1976 International Covenant on Civil and Political Rights

1980 OECD Guidelines on Protection of Privacy

1980 US Privacy Protection Act

1995 European Commission Directive on Data Protection

1994 US Communications Assistance to Law Enforcement Act

1996 US Health Insurance Portability and Accountability Act

1998 US Children's Online Privacy Protection Act

1998 European Member States implement Directive

1999 US Financial Services Modernization Act

BUSINESS ISSUES HUMAN RIGHTS

The need for legislation Current Law in India

Privacy and Data Protection law in India

There is no general data protection law in India:

Constitution Article 21

Right to life and liberty, interpreted by Supreme Court as including the “right to be let alone”

International Covenant on Civil and Political Rights 1966 Article 17:

No one shall be subject to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

Law of privacy (Tort Law) – Action for unlawful invasion of privacy

Information Technology Act 2000

Section 43 (a)

Penalty for unauthorised access to a computer system

Section 43 (b) -

Penalty for unauthorised downloading or copying of data without permission

Section 72 -

Offence of accessing any electronic record, book, register, correspondence, information, document or other material and, without the consent of the person concerned , disclosing such information to another person

Public Financial Institutions Act of 1993 codifies confidentiality of bank transactions

ISPs prohibited from violating privacy rights of subscribers by virtue of the licence to operate granted by the Department of Telecommunications

A general data protection law in India?

National Task Force on IT and Software Development 1998 Submitted “IT Action Plan” calling for “National Policy on Information Security, Privacy and Data Protection Act for handling of computerised data” but no Act introduced to date

Possible approaches to Data Protection Data Protection Worldwide

Data Protection legislation worldwide NONE PENDING IN PLACE EUD or ‘ADEQUATE’

AFGHANISTAN

ALBANIA

ALGERIA

AMERICAN SAMOA

ANDORRA

ANGOLA

ANGUILLA

ANTARCTICA

ANTIGUA AND BARBUDA

ARGENTINA

ARMENIA

ARUBA

AUSTRALIA

AUSTRIA

AZERBAIJAN

BAHAMAS

BAHRAIN

BANGLADESH

BARBADOS

BELARUS

BELGIUM

BELIZE

BENIN

BERMUDA

BHUTAN

BOLIVIA

BOSNIA AND HERZEGOVINA

BOTSWANA

BOUVET ISLAND

BRAZIL

BRITISH INDIAN OCEAN TERRITORY

BRUNEI DARUSSALAM

BULGARIA

BURKINA FASO

BURUNDI

CAMBODIA

CAMEROON

CANADA

CAPE VERDE

CAYMAN ISLANDS

CENTRAL AFRICAN REPUBLIC CHAD CHILE CHINA CHRISTMAS ISLAND COCOS (KEELING) ISLANDS COLOMBIA COMOROS CONGO COOK ISLANDS COSTA RICA COTE D'IVOIRE CROATIA CUBA CYPRUS CZECH REPUBLIC DENMARK DJIBOUTI DOMINICA DOMINICAN REPUBLIC EAST TIMOR ECUADOR EGYPT EL SALVADOR EQUATORIAL GUINEA ERITREA ESTONIA ETHIOPIA FALKLAND ISLANDS (MALVINAS) FAROE ISLANDS FIJI FINLAND FRANCE FRENCH GUIANA FRENCH POLYNESIA FRENCH SOUTHERN TERRITORIES GABON GAMBIA GEORGIA GERMANY GHANA GIBRALTAR GREECE GREENLAND GRENADA GUADELOUPE GUAM GUATEMALA GUINEA GUINEA-BISSAU GUYANA HAITI HEARD ISLAND AND MCDONALD ISLANDS HOLY SEE (VATICAN CITY STATE) HONDURAS HONG KONG HUNGARY ICELAND INDIA INDONESIA IRAN IRAQ IRELAND ISRAEL ITALY JAMAICA JAPAN JORDAN KAZAKSTAN KENYA KIRIBATI KUWAIT KYRGYZSTAN LAO PEOPLE'S DEMOCRATIC REPUBLIC LATVIA LEBANON LESOTHO LIBERIA LIBYAN ARAB JAMAHIRIYA LIECHTENSTEIN LITHUANIA OURG LUXEMBOURG MACAU MACEDONIA MADAGASCAR MALAWI MALAYSIA MALDIVES MALI MALTA MARSHALL ISLANDS MARTINIQUE MAURITANIA MAURITIUS MAYOTTE MEXICO MICRONESIA, FEDERATED STATES OF MOLDOVA, REPUBLIC OF MONACO MONGOLIA MONTSERRAT MOROCCO MOZAMBIQUE MYANMAR NAMIBIA NAURU NEPAL NETHERLANDS NETHERLANDS ANTILLES NEW CALEDONIA NEW ZEALAND NICARAGUA NIGER NIGERIA NIUE NORFOLK ISLAND NORTH KOREA NORTHERN MARIANA ISLANDS NORWAY OMAN PAKISTAN PALAU PALESTINIAN TERRITORY, OCCUPIED PANAMA PAPUA NEW GUINEA PARAGUAY PERU PHILIPPINES PITCAIRN POLAND PORTUGAL PUERTO RICO QATAR REUNION ROMANIA RUSSIAN FEDERATION RWANDA SAINT HELENA SAINT KITTS AND NEVIS SAINT LUCIA SAINT PIERRE AND MIQUELON SAINT VINCENT AND THE GRENADINES SAMOA SAN MARINO SAO TOME AND PRINCIPE SAUDI ARABIA SENEGAL SEYCHELLES SIERRA LEONE SINGAPORE SLOVAKIA SLOVENIA SOLOMON ISLANDS SOMALIA SOUTH AFRICA SOUTH GEORGIA SOUTH KOREA SPAIN SRI LANKA SUDAN SURINAME SVALBARD AND JAN MAYEN SWAZILAND SWEDEN SWITZERLAND SYRIAN ARAB REPUBLIC TAIWAN TAJIKISTAN TANZANIA, UNITED REPUBLIC OF THAILAND TOGO TOKELAU TONGA TONGA TRINIDAD AND TOBAGO TUNISIA TURKEY TURKMENISTAN TURKS AND CAICOS ISLANDS TUVALU UGANDA UKRAINE UNITED ARAB EMIRATES UNITED KINGDOM UNITED STATES (safe harbor) US MINOR OUTLYING ISLANDS URUGUAY UZBEKISTAN VANUATU VENEZUELA VIET NAM VIRGIN ISLANDS, BRITISH VIRGIN ISLANDS, U.S. WALLIS AND FUTUNA WESTERN SAHARA YEMEN YUGOSLAVIA ZAMBIA ZIMBABWE

Industrialised Countries Legislation timeline South Korea eCommerce Act In force January 1999 New Zealand Privacy Act In force 1 July 1993 United States (includes) CPP Act 1984 VPP Act 1988 COPP Act 1998 In force 21 April 2000 HIPA Act In force 14 April 2001 GLB Act In force 1 July 2001 ‘ General’ Act Under consideration Finland Personal DP Act In force 1 June 1999 Denmark Act on Processing f PD In force 1 July 2000 Luxembourg - Bill to be approved Netherlands Law on Protection PD ct In force 1 Sep 2001 Greece Protection Processing In force 10 April 1997 Ireland - Bill to be approved Eastern Europe Estonia (96) Poland (98) Solovak (98) Slovenia (99) Hungary (99) Czech (00) Latvia (00) Lithuania (00) Portugal Personal DP Act In force 27 October 1998 Spain Data Protection Act In force 13 January 2000 Canada PIP&ED Act Commenced 1 Jan 2001 United Kingdom Data Protection Act In force 1 March 2000 France - EUD Bill to be approved Australia Privacy Act In force 21 Dec 2001 Sweden Personal Data Act In force 24 October 1998 Belgium Data Protection Act In force 1 Sep 2001 Norway Personal D Reg Act In force 14 April 2000 Italy Data Protection Act In force 8 May 1997 Austria Data Protection Act In force 1 January 2000 Germany Data Protection Act In force 23 May 2001 Switzerland Data Protection Act In force 1 June 1999 Taiwan Computer Processed DP In force 11 August 1995 Hong Kong Personal Data (Privacy ) In force 20 Dec 1996 Mexico eCommerce Act In force 7 June 2000

Possible approaches to Data Protection Data Protection in Europe

European Data Protection Directive

Directive 95/46/EC of the European Commission

Now implemented in almost all Member States

e.g. UK previously - UK Data Protection Act 1984 now - UK Data Protection Act 1998 (in force March 2000) (“DPA”)

UK DPA 1998 - The Eight Principles 1. Personal data must be processed fairly and lawfully 2. Personal data must be collected and used only for notified purposes. 3. Personal data must be adequate, relevant and not excessive. 4. Personal data must be accurate and, where necessary, kept up-to-date. 5. Personal data must only be retained for as long as is necessary to carry out the purposes for which it is collected. 6. Personal data must be processed in accordance with the rights of data subjects as set out under the 1998 Act.

UK DPA 1998 - The Eight Principles 7. Appropriate technical and organisational measures must be in place to protect against unauthorised access, amendment or loss of personal data. There must be a contractual obligation, in writing, upon any data processor to comply with the relevant legislation and to ensure that such measures have been put in place. 8. Personal information must not be transferred out of the European Economic Area ("EEA") unless the receiving country ensures "an adequate level of protection" for the rights and freedoms of the data subjects vis-à-vis the processing of personal data.

UK DPA 1998 - Fair and Lawful Processing Personal data shall not be processed unless:- Schedule 2 (i) the data subject has given his or her consent; or (ii) processing is necessary for the performance of a contract to which the data subject is a party or for the taking of steps at the request of a data subject with a view to entering into a contract; or (iii) processing is necessary to comply with any legal obligations to which the registrant is subject; or (iv) processing is necessary to protect the vital interests of the data subject).

UK DPA 1998 - Fair and Lawful Processing

Sensitive Personal Data shall not be processed unless:

Schedule 3

- express consent of the data subject is obtained

Consent likely to be invalid unless

it is “informed” consent

it is freely given - ie Data Subject has a real choice

Transfers of Personal Data from Europe to India The Eighth Principle Personal information must not be transferred out of the European Economic Area ("EEA") unless the receiving country ensures "an adequate level of protection" for the rights and freedoms of the data subjects vis-à-vis the processing of personal data.

Adequacy EEA = Austria, Belgium, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Lichtenstein, Luxembourg, Netherlands, Norway, Portugal, Spain, Sweden and UK. Other “adequate” countries = Switzerland, Hungary and Canada The following countries have Data Protection laws similar to the EU model and may well be designated “adequate” in near future: Australia, Guernsey, Hong Kong, Isle of Man, Israel, Japan, Jersey, New Zealand, Poland, Slovak Republic, Slovenia, Taiwan. India does not currently have any prospect of being granted “adequate” status.

Alternative grounds for Adequacy

Notwithstanding lack of country adequate status, a Data Controller can nevertheless conclude there is adequate protection in respect of a particular transfer if:

There is sufficient protection for individual data subjects

Having regard to: - nature of data being transferred;

- purposes for processing;

- security measures in place;

- individual rights to redress if things go wrong

Note - all of these could be covered in a Seventh-Principle type contract

Nine Exceptions A Data Controller can transfer data even if no adequacy exists if: 1. Data subject gives consent 2. Transfer is necessary for performance or entering into of a a contract between data subject and Data Controller 3. Transfer is necessary for conclusion or performance of a contract entered into between Data Controller and a third party which is entered into either at request of data subject or is in the interests of the data subject 4. Transfer is necessary for reasons of substantial public interest

Nine Exceptions A Data Controller can transfer data even if no adequacy exists if: 5. Transfer necessary for legal proceedings, obtaining legal advice or establishing, exercising or defending legal rights 6. Transfer necessary to protect vital interests of the data subject 7. Data is on a public register and conditions for inspection are complied with 8. Transfer made on terms of kind approved by Commissioner (Standard Contractual Clauses - 27.12.01) 9. Transfer authorised by Commissioner

Enforceability under the EC Directive

Enforceability is a key concept in the Directive

data subjects have rights enshrined in explicit rules rather than relying on abstract constitution or convention wording

individual data subjects can go to a person or authority empowered to act on their behalf, rather than going to court

a national agency enforces the rules

Enforceability under the UK DPA 1998

Information Commissioner

Data Protection Notification procedure

UK DPA 1998 - Offences Assessment by Commissioner, either of own accord or at request of a data subject. Enforcement notice by Commissioner requiring cessation or remedial action. Can include order to destroy all infringing data or other material used in connection with the processing of such data. Fines - (£5k in Sheriff/Magistrates court; unlimited in Court of Session or Crown Court) for each separate offence. Statutory Compensation for individuals suffering damage or distress. Personal liability of any director, manager, secretary or similar officer of the body corporate. Tortious Liability in addition to statutory liability.

Possible approaches to Data Protection Data Protection in Hungary

Data Protection in Hungary

1992 Act on the Protection of Personal Data and Disclosure of Data of Public Interest

Addresses both Data Protection and Freedom of Information

Data Protection part follows EC Directive model

Establishes Parliamentary Commissioner for Data Protection and Freedom of Information

Has been approved as “adequate” by European Commission

Possible approaches to Data Protection Data Protection in Australia

The Australian Experience - European issues

Privacy Act 1988

Proposal amendments in 2000 suggested creation of self-regulatory National Privacy Principles

Opinion of official Working Party of all European Data Protection Commissioners 26 January 2001

Privacy Act amendments do not provide adequate protection for exports of personal information from Europe

likely to be endorsed by European Commission

will significantly impact dataflows from Europe

Australian Solution - contracts plus code?

Legislative amendment? - NO

Contractual approach?

standard terms

suitable for standard transfers - not others

indemnities to exporter for local processing

acceptance of foreign jurisdictions

acceptance of foreign proceedings

Code approach? - How does it work…

Australian Internet Industry Association Code

Simple system for identification of participants and obligations

Access and correction rights for foreigners

Covers employee and publicly available personal information

Requires notification of identity and purpose at or before time of collection

Requires prior consent for direct marketing

Restricts use and disclosure of sensitive information

Secondary uses of information are limited to those required by conflicting legal obligations, not those ‘authorised by law’

Possible approaches to Data Protection Data Protection in the USA

Data Protection in the United States United States (Federal) Fair Credit Reporting Act 1970 Privacy Act 1974 Family Educational Rights and Privacy Act 1974 Cable TV Privacy Act 1974 Right to Financial Privacy Act 1978 Privacy Protection Act 1980 Cable Communications Policy Act 1984 Electronic Communications Privacy Act 1986 Video Privacy Protection Act 1988 Employee Polygraph Protection Act 1988 Telephone Consumer Protection Act 1991 Driver’s Privacy Protection Act 1994 Communications Assistance to Law Enforcement Act 1994 Health Insurance Portability and Accountability Act 1996 Children's Online Privacy Protection Act 1998 Deceptive Mail Prevention and Enforcement Act 1999 Financial Services Modernization Act 1999 ‘ General’ Act Under consideration? Safe Harbor In effect 2001