E-Governance in India: Legal Solutions

E-Governance: Technology, Law and Compliance Rodney D. Ryder

Introduction - Structure

Part 1 – Governance on the Internet - The need for legal strategy vis-à-vis technology issues

The opportunities

Legal concerns

Part 2 - Data Protection: Compliance Challenges and Strategies

Data Protection legislation around the world

European Commission Directive and UK Act

Balancing Privacy and Security

The need for legal strategy The opportunities

Technology as a growth driver

Restructuring global commerce: the intense volume of information; simplicity of transfer

Ownership of information increasingly hard to protect

Evolving business methods: change or die

The degree and extent of exposure also manifold

The history of ‘regulations’ on the Internet

<Cyberspace> as introduced by William Gibson [A place governed by its own laws]

“ Law and Borders”: the ‘independent’ theory of cyberspace law [David Post and David Johnson, Stanford Law Review]

Benkler’s layers – the physical, the code and content [in communications theory]

Lessig <Code and other laws of Cyberspace>

Notes on Technology Law

Electronic Commerce and Consumer Confidence

Electronic Data Interchange Model of Contracting

UNCITRAL Model Law on Electronic Commerce

Regulations and the history of trade

The undue rush to legislate where angels where to tread

The evolution of Internet Law and Practice: the Indian experience

Domestic regulation: an international perspective

Legal infrastructure issues in an international context

Governance on the Internet: Welcome to Sealand…

Speed and Convenience

Mobile access

Personalised and tailored

Data mining sophistication

Loss of control

Insecurity

Lack of confidence

Increased scepticism

Low uptake of eCommerce

The need to envision future problem areas

Technological advances in data storage and transmission

Globalisation of communications - the internet

Convergence and standardisation of technologies

Increasing importance of data processing

The Indian Information Technology Act and Governance

Electronic Commerce Transactions: “functional equivalence”

Electronic Filing

Maintenance of electronic records

No right that the Government must accept

“… The use of technology and communication systems by the government to transform interaction with citizens, business and other arms of the government”. [World Bank]

The dichotomy: government hierarchy versus the ‘open architecture’ of the Internet

Digital Signatures and Electronic Records

The purpose of instituting digital signatures

After all, digital signatures are a PAIN!

Banks in India are also following an Enterprise CA mode [Citibank is an example, to minimise liability under the US Gramm-Leach-Bliley Act]

Under the RBI Guidelines, it is not only ‘identity’ which matters but also ‘reputation’ and ‘integrity’

At the crux: the level of confidence

The root of confidence

The Government is at the root of confidence

The life cycle of the digital signature certificate is attested by the Controller of Certifying Authorities [CCA]

The CCA licenses Certifying Authorities [CAs] and certifies the ‘public key’

The certificate provided by a licensed CA offers non-repudiation rights

Crime and the Internet

Hacking, Source code attacks,

Obscenity and Pornography,

Accessing designated protected systems,

Making available Digital Signature for fraudulent purpose

Severe punishments prescribed for offences.

Police granted extensive powers of investigation, search and seizure.

Solutions

Understanding the relationship between the ‘criminal act’ and the ‘medium’

A crime manual for all [What is a crime on the Internet? How to prepare a report? What kind of evidence is required?]

Establishing an effective internal mechanism

Understand the offences that are ‘incidental’ [blackmail, cyberstalking]

Prompt and effective enforcement of rights against individuals perpetrating fraud [www.punjabnationalbank.com]

The need for a data privacy policy Privacy Concerns and Data Collection

Privacy concerns

A fundamental human right

the right of the individual to be let alone

Information Privacy (data protection) - personal data

Bodily privacy - invasive procedures - search, drug testing; genetic testing; etc

Communications Privacy - mail, telephone, e-mail etc

Territorial privacy - domestic privacy; CCTV; ID checks etc

“ Public” aspects - surveillance, police powers and national security

“ Private” aspects - commercial use of data

Privacy concerns

Focus on Information Privacy and Data Protection

but note legislation may also be required in relation to:

surveillance of communications

surveillance of computer systems and networks

monitoring of employees - internet, phone, drugs testing, genetic testing etc

satellite surveillance

biometrics and other identification technologies

genetic testing

E.g. in UK:

- Human Rights Act 1998

- Telecommunications (Data Protection and Privacy) Regulations 1999

- Regulation of Investigatory Powers Act 2000

- Telecoms Lawful Business Practice Interception of Communication Regs 2000

Growth of Importance of Privacy

Overview - major International and US regulations

1948 UN Universal Declaration of Human Rights

1970 US Fair Credit Reporting Act

1974 US Privacy Act

1976 International Covenant on Civil and Political Rights

1980 OECD Guidelines on Protection of Privacy

1980 US Privacy Protection Act

1995 European Commission Directive on Data Protection

1994 US Communications Assistance to Law Enforcement Act

1996 US Health Insurance Portability and Accountability Act

1998 US Children's Online Privacy Protection Act

1998 European Member States implement Directive

1999 US Financial Services Modernization Act

BUSINESS ISSUES HUMAN RIGHTS

The need for legislation Current Law in India

Privacy and Data Protection law in India

There is no general data protection law in India:

Constitution Article 21

Right to life and liberty, interpreted by Supreme Court as including the “right to be let alone”

International Covenant on Civil and Political Rights 1966 Article 17:

No one shall be subject to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

Law of privacy (Tort Law) – Action for unlawful invasion of privacy

Current law in India

Information Technology Act 2000

Section 43 (a)

Penalty for unauthorised access to a computer system

Section 43 (b) -

Penalty for unauthorised downloading or copying of data without permission

Section 72 -

Offence of accessing any electronic record, book, register, correspondence, information, document or other material and, without the consent of the person concerned , disclosing such information to another person

Current law in India

Public Financial Institutions Act of 1993 codifies confidentiality of bank transactions

ISPs prohibited from violating privacy rights of subscribers by virtue of the licence to operate granted by the Department of Telecommunications

A general data protection law in India?

National Task Force on IT and Software Development 1998 Submitted “IT Action Plan” calling for “National Policy on Information Security, Privacy and Data Protection Act for handling of computerised data” but no Act introduced to date

Possible approaches to Data Protection Data Protection Worldwide

Data Protection legislation worldwide NONE PENDING IN PLACE EUD or ‘ADEQUATE’

AFGHANISTAN

ALBANIA

ALGERIA

AMERICAN SAMOA

ANDORRA

ANGOLA

ANGUILLA

ANTARCTICA

ANTIGUA AND BARBUDA

ARGENTINA

ARMENIA

ARUBA

AUSTRALIA

AUSTRIA

AZERBAIJAN

BAHAMAS

BAHRAIN

BANGLADESH

BARBADOS

BELARUS

BELGIUM

BELIZE

BENIN

BERMUDA

BHUTAN

BOLIVIA

BOSNIA AND HERZEGOVINA

BOTSWANA

BOUVET ISLAND

BRAZIL

BRITISH INDIAN OCEAN TERRITORY

BRUNEI DARUSSALAM

BULGARIA

BURKINA FASO

BURUNDI

CAMBODIA

CAMEROON

CANADA

CAPE VERDE

CAYMAN ISLANDS

CENTRAL AFRICAN REPUBLIC CHAD CHILE CHINA CHRISTMAS ISLAND COCOS (KEELING) ISLANDS COLOMBIA COMOROS CONGO COOK ISLANDS COSTA RICA COTE D'IVOIRE CROATIA CUBA CYPRUS CZECH REPUBLIC DENMARK DJIBOUTI DOMINICA DOMINICAN REPUBLIC EAST TIMOR ECUADOR EGYPT EL SALVADOR EQUATORIAL GUINEA ERITREA ESTONIA ETHIOPIA FALKLAND ISLANDS (MALVINAS) FAROE ISLANDS FIJI FINLAND FRANCE FRENCH GUIANA FRENCH POLYNESIA FRENCH SOUTHERN TERRITORIES GABON GAMBIA GEORGIA GERMANY GHANA GIBRALTAR GREECE GREENLAND GRENADA GUADELOUPE GUAM GUATEMALA GUINEA GUINEA-BISSAU GUYANA HAITI HEARD ISLAND AND MCDONALD ISLANDS HOLY SEE (VATICAN CITY STATE) HONDURAS HONG KONG HUNGARY ICELAND INDIA INDONESIA IRAN IRAQ IRELAND ISRAEL ITALY JAMAICA JAPAN JORDAN KAZAKSTAN KENYA KIRIBATI KUWAIT KYRGYZSTAN LAO PEOPLE'S DEMOCRATIC REPUBLIC LATVIA LEBANON LESOTHO LIBERIA LIBYAN ARAB JAMAHIRIYA LIECHTENSTEIN LITHUANIA OURG LUXEMBOURG MACAU MACEDONIA MADAGASCAR MALAWI MALAYSIA MALDIVES MALI MALTA MARSHALL ISLANDS MARTINIQUE MAURITANIA MAURITIUS MAYOTTE MEXICO MICRONESIA, FEDERATED STATES OF MOLDOVA, REPUBLIC OF MONACO MONGOLIA MONTSERRAT MOROCCO MOZAMBIQUE MYANMAR NAMIBIA NAURU NEPAL NETHERLANDS NETHERLANDS ANTILLES NEW CALEDONIA NEW ZEALAND NICARAGUA NIGER NIGERIA NIUE NORFOLK ISLAND NORTH KOREA NORTHERN MARIANA ISLANDS NORWAY OMAN PAKISTAN PALAU PALESTINIAN TERRITORY, OCCUPIED PANAMA PAPUA NEW GUINEA PARAGUAY PERU PHILIPPINES PITCAIRN POLAND PORTUGAL PUERTO RICO QATAR REUNION ROMANIA RUSSIAN FEDERATION RWANDA SAINT HELENA SAINT KITTS AND NEVIS SAINT LUCIA SAINT PIERRE AND MIQUELON SAINT VINCENT AND THE GRENADINES SAMOA SAN MARINO SAO TOME AND PRINCIPE SAUDI ARABIA SENEGAL SEYCHELLES SIERRA LEONE SINGAPORE SLOVAKIA SLOVENIA SOLOMON ISLANDS SOMALIA SOUTH AFRICA SOUTH GEORGIA SOUTH KOREA SPAIN SRI LANKA SUDAN SURINAME SVALBARD AND JAN MAYEN SWAZILAND SWEDEN SWITZERLAND SYRIAN ARAB REPUBLIC TAIWAN TAJIKISTAN TANZANIA, UNITED REPUBLIC OF THAILAND TOGO TOKELAU TONGA TONGA TRINIDAD AND TOBAGO TUNISIA TURKEY TURKMENISTAN TURKS AND CAICOS ISLANDS TUVALU UGANDA UKRAINE UNITED ARAB EMIRATES UNITED KINGDOM UNITED STATES (safe harbor) US MINOR OUTLYING ISLANDS URUGUAY UZBEKISTAN VANUATU VENEZUELA VIET NAM VIRGIN ISLANDS, BRITISH VIRGIN ISLANDS, U.S. WALLIS AND FUTUNA WESTERN SAHARA YEMEN YUGOSLAVIA ZAMBIA ZIMBABWE

Industrialised Countries Legislation timeline South Korea eCommerce Act In force January 1999 New Zealand Privacy Act In force 1 July 1993 United States (includes) CPP Act 1984 VPP Act 1988 COPP Act 1998 In force 21 April 2000 HIPA Act In force 14 April 2001 GLB Act In force 1 July 2001 ‘ General’ Act Under consideration Finland Personal DP Act In force 1 June 1999 Denmark Act on Processing f PD In force 1 July 2000 Luxembourg - Bill to be approved Netherlands Law on Protection PD ct In force 1 Sep 2001 Greece Protection Processing In force 10 April 1997 Ireland - Bill to be approved Eastern Europe Estonia (96) Poland (98) Solovak (98) Slovenia (99) Hungary (99) Czech (00) Latvia (00) Lithuania (00) Portugal Personal DP Act In force 27 October 1998 Spain Data Protection Act In force 13 January 2000 Canada PIP&ED Act Commenced 1 Jan 2001 United Kingdom Data Protection Act In force 1 March 2000 France - EUD Bill to be approved Australia Privacy Act In force 21 Dec 2001 Sweden Personal Data Act In force 24 October 1998 Belgium Data Protection Act In force 1 Sep 2001 Norway Personal D Reg Act In force 14 April 2000 Italy Data Protection Act In force 8 May 1997 Austria Data Protection Act In force 1 January 2000 Germany Data Protection Act In force 23 May 2001 Switzerland Data Protection Act In force 1 June 1999 Taiwan Computer Processed DP In force 11 August 1995 Hong Kong Personal Data (Privacy ) In force 20 Dec 1996 Mexico eCommerce Act In force 7 June 2000

Possible approaches to Data Protection Data Protection in Europe

European Data Protection Directive

Directive 95/46/EC of the European Commission

Now implemented in almost all Member States

e.g. UK previously - UK Data Protection Act 1984 now - UK Data Protection Act 1998 (in force March 2000) (“DPA”)

UK DPA 1998 - The Eight Principles 1. Personal data must be processed fairly and lawfully 2. Personal data must be collected and used only for notified purposes. 3. Personal data must be adequate, relevant and not excessive. 4. Personal data must be accurate and, where necessary, kept up-to-date. 5. Personal data must only be retained for as long as is necessary to carry out the purposes for which it is collected. 6. Personal data must be processed in accordance with the rights of data subjects as set out under the 1998 Act.

UK DPA 1998 - The Eight Principles 7. Appropriate technical and organisational measures must be in place to protect against unauthorised access, amendment or loss of personal data. There must be a contractual obligation, in writing, upon any data processor to comply with the relevant legislation and to ensure that such measures have been put in place. 8. Personal information must not be transferred out of the European Economic Area ("EEA") unless the receiving country ensures "an adequate level of protection" for the rights and freedoms of the data subjects vis-à-vis the processing of personal data.

UK DPA 1998 - Fair and Lawful Processing Personal data shall not be processed unless:- Schedule 2 (i) the data subject has given his or her consent; or (ii) processing is necessary for the performance of a contract to which the data subject is a party or for the taking of steps at the request of a data subject with a view to entering into a contract; or (iii) processing is necessary to comply with any legal obligations to which the registrant is subject; or (iv) processing is necessary to protect the vital interests of the data subject).

UK DPA 1998 - Fair and Lawful Processing

Sensitive Personal Data shall not be processed unless:

Schedule 3

- express consent of the data subject is obtained

Consent likely to be invalid unless

it is “informed” consent

it is freely given - ie Data Subject has a real choice

Transfers of Personal Data from Europe to India The Eighth Principle Personal information must not be transferred out of the European Economic Area ("EEA") unless the receiving country ensures "an adequate level of protection" for the rights and freedoms of the data subjects vis-à-vis the processing of personal data.

Adequacy EEA = Austria, Belgium, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Lichtenstein, Luxembourg, Netherlands, Norway, Portugal, Spain, Sweden and UK. Other “adequate” countries = Switzerland, Hungary and Canada The following countries have Data Protection laws similar to the EU model and may well be designated “adequate” in near future: Australia, Guernsey, Hong Kong, Isle of Man, Israel, Japan, Jersey, New Zealand, Poland, Slovak Republic, Slovenia, Taiwan. India does not currently have any prospect of being granted “adequate” status.

Alternative grounds for Adequacy

Notwithstanding lack of country adequate status, a Data Controller can nevertheless conclude there is adequate protection in respect of a particular transfer if:

There is sufficient protection for individual data subjects

Having regard to: - nature of data being transferred;

- purposes for processing;

- security measures in place;

- individual rights to redress if things go wrong

Note - all of these could be covered in a Seventh-Principle type contract

Enforceability under the EC Directive

Enforceability is a key concept in the Directive

data subjects have rights enshrined in explicit rules rather than relying on abstract constitution or convention wording

individual data subjects can go to a person or authority empowered to act on their behalf, rather than going to court

a national agency enforces the rules

UK DPA 1998 - Offences Assessment by Commissioner, either of own accord or at request of a data subject. Enforcement notice by Commissioner requiring cessation or remedial action. Can include order to destroy all infringing data or other material used in connection with the processing of such data. Fines - (£5k in Sheriff/Magistrates court; unlimited in Court of Session or Crown Court) for each separate offence. Statutory Compensation for individuals suffering damage or distress. Personal liability of any director, manager, secretary or similar officer of the body corporate. Tortious Liability in addition to statutory liability.

Possible approaches to Data Protection Data Protection in the USA

Data Protection in the United States United States (Federal) Fair Credit Reporting Act 1970 Privacy Act 1974 Family Educational Rights and Privacy Act 1974 Cable TV Privacy Act 1974 Right to Financial Privacy Act 1978 Privacy Protection Act 1980 Cable Communications Policy Act 1984 Electronic Communications Privacy Act 1986 Video Privacy Protection Act 1988 Employee Polygraph Protection Act 1988 Telephone Consumer Protection Act 1991 Driver’s Privacy Protection Act 1994 Communications Assistance to Law Enforcement Act 1994 Health Insurance Portability and Accountability Act 1996 Children's Online Privacy Protection Act 1998 Deceptive Mail Prevention and Enforcement Act 1999 Financial Services Modernization Act 1999 ‘ General’ Act Under consideration? Safe Harbor In effect 2001