It is the ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively. The right not to be subjected to unsanctioned invasion of privacy by the government, corporations or individuals is part of many countries’ privacy laws, and in some cases, constitutions. The privacy laws differ from country to country. Key privacy terminology includes following
- Data controller: An entity (whether a natural or legal person, public authority, agency or other body) which alone, jointly or in common with others determines the purposes for which and the manner in which any item of personal information is processed.
- Data processor: An entity (whether a natural or legal person, public authority, agency or any other body) which processes personal information on behalf and upon instructions of the Data Controller
- Data subject: An identified or identifiable individual to whom personal information relates, whether such identification is direct or indirect (like, by reference to an identification number or to one or more factors specific to physical, physiological, mental, economic, cultural or social identity)
In the late 19th century, the invention of cameras spurred similar ethical debates as the internet does today. During a Harvard Law Review seminar in 1890, Warren and Brandeis defined privacy from an ethical and moral point of view to be “central to dignity and individuality and personhood. Privacy is also indispensable to a sense of autonomy — to ‘a feeling that there is an area of an individual’s life that is totally under his or her control, an area that is free from outside intrusion.’ The deprivation of privacy can even endanger a person’s health.” Over 100 years later, the internet and proliferation of private data through governments and ecommerce is a phenomenon which requires a new round of ethical debate involving a person’s privacy.
Privacy can be decomposed to the limitation of others’ access to an individual with “three elements of secrecy, anonymity, and solitude.” Anonymity refers to the individual’s right to protection from undesired attention. Solitude refers to the lack of physical proximity of an individual to others. Secrecy refers to the protection of personalized information from being freely distributed.
Individuals surrender private information when conducting transactions and registering for services. Ethical business practice protects the privacy of their customers by securing information which may contribute to the loss of secrecy, anonymity, and solitude. Credit card information, social security numbers, phone numbers, mothers’ maiden names, addresses and phone numbers freely collected and shared over the internet may lead to a loss of Privacy.
Fraud and impersonation are some of the malicious activities that occur due to the direct or indirect abuse of private information. Identity theft is rising rapidly due to the availability of private information in the internet. For instance, seven million Americans fell victim to identity theft in 2002, and nearly 12 million Americans were victims of identity theft in 2011 making it the fastest growing crime in the United States. Public records search engines and databases are the main culprits contributing to the rise of cyber crime. Listed below are a few recommendations to restrict online databases from proliferating sensitive personnel information.
- Exclude sensitive unique identifiers from database records such as social security numbers, birth dates, hometown and mothers’ maiden names.
- Exclude phone numbers that are normally unlisted.
- Clear provision of a method which allows people to have their names removed from a database.
- Banning the reverse social security number lookup services.
Private Data Collection
Data warehouses are used today to collect and store huge amounts of personal data and consumer transactions. These facilities can preserve large volumes of consumer information for an indefinite amount of time. Some of the key architectures contributing to the erosion of privacy include databases, cookies and spyware.
Some may argue that data warehouses are supposed to stand alone and be protected. However, the fact is enough personal information can be gathered from corporate websites and social networking sites to initiate a reverse lookup.
Social media service providers collect user data and track user to get details on user browsing habits and use the data also for developing targeted advertisements as well as web pages or links as per user preference. Google has been collecting detailed user data essentially, as market research, which is then used to enhance their services. While the improvements that come as a result of Google’s data collection may benefit us all, it does come at a cost. Various Google services collect data as
- Google Search – Data is used to create predicted searches, display popular search terms on Google Trends, and provide advertisers with statistics regarding specific searches.
- Gmail – After parsing the information they receive, Google uses it to display targeted advertisements and make changes to the service based on how people are using it.
- Google Apps – While these apps are supposed to collect information on how you are using them, there have been cases in which this information was unintentionally shared. Docs, for example, had an issue that shared various documents with previous contacts that were not intended to see them.
- Google Maps and Earth – Pictures taken using Google’s satellite display a bird’s-eye view of places for anyone to see, forcing visual data to be collected from people that don’t even use the internet. Maps also collects data on the locations users are requesting directions to and from. Forced data collection of private property that is put on public display doesn’t sit well with many people.
- Google Talk – It collects data on how you interact with the software, such as when and where you click on the interface.
- Google Chrome – It collects information regarding how the browser was downloaded, when it was installed, and what searches are made using it. Aside from giving Google better access to the terms being searched, Chrome also collects information pertaining to how user interact with the browser.
- YouTube – YouTube provides Google with all of the information that they need to know about user’s video viewing habits.
Facebook also collects plethora of data. The only way out is to use browser plug-ins to stop online data collection and by not posting any sensitive or personal information. France is considering a range of creative taxation schemes on Google and Facebook for personal data collection of France’s citizens.
Legal Issues – Social media websites creates practical challenges in understanding how laws apply to the different parties under various scenarios.
Privacy and data protection regulations restrict transfer of personal information across national
borders, which includes restricting both the physical transfer of data and remote access to the data. Transfers from all countries with national legislation are restricted, so this includes EU and European Economic Area (EEA) countries, Argentina, Australia, Canada, Hong Kong and New Zealand. From EU/EEA countries, personal information can be transferred to countries that have “adequate protection”, namely all other EU/EEA member states and also Switzerland, Canada, Argentina and Israel (since all have regulations deemed adequate by the EU). No other countries have privacy regulations that are deemed adequate, so if information is to be sent to these countries then other approaches need to be used. One such mechanism is that information can be transferred from EU country to the US if receiving entity has joined US Safe Harbor agreement.
Privacy laws vary according to jurisdiction, but EU countries generally only allow PII (Personally identifiable information) to be processed if the data subject is aware of the processing and its purpose, and place special restrictions on the processing of sensitive data (for example, health or financial data), the explicit consent of the data owner being part of a sufficient justification for such processing.
Few privacy related laws are discussed as applicable
- United Kingdom: UK Data Protection Act 1998 and Privacy and Electronic Communications (EC Directive) Regulations 2003
- India: Information Technology Act of 2000
- United States: Children’s Online Privacy Protection Act of 1998 (COPPA), Federal Information Security Management Act (FISMA), Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA), Privacy Protection Act of 1980 (PPA), Right to Financial Privacy Act of 1978 (RFPA) and Video Privacy Protection Act of 1988
Privacy Laws in India
The first time this topic was ever raised was in the case of Kharak Singh vs. State of UP where the Supreme Court held that Regulation 236 of UP Police regulation was unconstitutional as it clashed with Article 21 of the Constitution. It was held by the Court that the right to privacy is a part of right to protection of life and personal liberty. Here, the Court had equated privacy to personal liberty.
The question of the right to be let alone again came on the front in the case of R. Rajagopal vs. State of Tamilnadu also known popularly as the Auto Shankar Case. A prisoner had written his autobiography in jail describing the conditions there and the nexus between prisoners and several IAS and IPS officers. He had given the autobiography to his wife so that she may publish it in a particular magazine. However, the publication was restrained in various matters and the question arose whether anyone has the right to be let alone and particularly in jail.
Each individual needs his/her private space for whichever activity (assuming here that it shall be legal). The state accordingly gives each individual that right to enjoy those private moments with those whom they want to without the prying eyes of the rest of the world. The individual does not want to share his thoughts with the world and this right will help protect his interests.
The Ministry of Information Technology introduced Privacy Rules On 11 April 2011, the Government of India (specifically the Ministry of Information Technology) (“Ministry”) introduced the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Privacy Rule s”). This, together with clarifications to the Privacy Rules issued via Press Note dated 24 August 2011 by the Ministry (“Press Note”) aims to implement a data privacy regime in India. This requires body corporates collecting, using, transferring, handling and/or dealing with sensitive personal data or information of persons to, among other things, seek their consent.
Other requirements set out in the Privacy Rules, which are discussed in detail below, include:
- informing data subjects that the concerned data or information is being collected and to make them aware of the purpose of that collection
- not retaining such data or information for longer than is necessary for the purposes for which it has been collected
- using such data or information only for the purpose for which it was collected
- giving data subjects access to their data or information and the power to correct inaccuracies and a right to opt-out of consent so given
- publishing a privacy policy
- appointment of a grievance officer.
Information Technology Act, 2000 (“IT Act”), read with the Privacy Rules, forms the applicable legislation with regard to data privacy in India.
Section 43-A of the IT Act requires a body corporate possessing, handling or dealing with sensitive personal data or information to implement reasonable security practices to prevent wrongful loss or gain of such data or information. Although the term “body corporate” has been defined as any company, including a “firm, sole proprietorship or other associations of individuals engaged in commercial or professional activities”, there was not enough clarity whether both Indian and overseas body corporates may fall within the ambit of this definition. Further, both the terms “reasonable security practices and procedures” and “sensitive personal data or information” have not been defined in the said section.
Apart from this, various provisions of the Indian Penal Code, 1860 are also applicable in matters dealing with defamation and theft.
Privacy Rules
Definitions
Personal Data
The Privacy Rules define “personal data” as “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.”
Apart from personal data, the Privacy Rules also define the term “sensitive personal data or information”. Even though both the terms have been defined in the Privacy Rules, the concepts tend to overlap. Different provisions are applicable to “personal information” and “sensitive personal data or information”, while some provisions are applicable to both. The interpretation of the Press Note and the current stance of the industry is that, while all the provisions of the Privacy Rules apply to sensitive personal data or information, only some provisions apply to personal data or information.
Data Processing
Neither the IT Act, nor the Privacy Rules define “processing”. In order to assess the applicability of the Privacy Rules better, we have considered and analyzed certain situations below in relation to the transfer and processing of data.
Person located in India – As per the Press Note, Privacy Rules are applicable to a person located in India. However, there is lack of clarity on whether the term “person” refers to “natural individuals” who are the providers of information, or body corporates collecting data.
If we assume that “person” refers to “natural individuals”, then a body corporate located overseas, which handles data of individuals located in India through a computer resource located in India, will have to comply with the Privacy Rules.
Body corporate located in India, computer resource located in India or overseas. Irrespective of the location of the computer resource (either in India or abroad) and the place of residence of the data subject, the Privacy Rules are applicable to all body corporates located in India.
Body corporate located overseas, computer resource located in India Section 43-A of the IT Act, read with Section 75, provides that the IT Act will be applicable to a body corporate located overseas, whose computer resource is located in India. However, the Press Note seems to be of the view that the Privacy Rules are not applicable to any body corporate located overseas. As per the interpretation t hat has been adopted, the Privacy Rules apply to all Indian body corporates and to those foreign body corporates which collect personal or sensitive personal data or information from Indian persons.
Processing by Data Controllers
There are no specific provisions for the same under applicable Indian laws.
Jurisdiction/Territoriality
A body corporate or any person on its behalf may transfer sensitive personal data or information or any other information, to any other body corporate or a person in India, or in any other country, only after it ensures that such jurisdictions provide the same level of data protection as is required to be in compliance with the Privacy Rules. Further, such transfer may be done only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf an d data subject. In the alternate, such data may be transferred with prior consent of the data subject. As per the accepted interpretation of the Privacy Rules, this provision is applicable for both personal and sensitive personal data or information.
Sensitive Personal Data
The primary deficiency of Section 43-A of the IT Act arose from the fact that sensitive personal information had not been defined. The Privacy Rules provide for a definition of sensitive personal information. It includes the following information relating to:
- passwords;
- financial information (e.g., bank account/credit or debit card or other
- payment instrument details);
- physical, physiological and mental health condition;
- sexual orientation;
- medical records and history;
- biometric information (biometrics means the technologies that measure and analyze human body characteristics, such as fingerprints, eye retinas and irises, voice patterns, facial patterns, hand measurements and DNA for authentication purposes);
- any detail relating to the above clauses as provided to a body corporate for providing services; and
- any of the information received under the above clauses for storing or processing under a lawful contract or otherwise.
However, any information available in the public domain or any information to be furnished to any government agency or which should be made available to the public under the Right to Information Act, 2005 has been expressly exempt from the scope of this definition.
Employee Personal Data
There are no additional requirements/definitions for employee personal data. If sensitive personal data or information of employees is being collected, then prior consent of such employees will be required.
Consent Requirements
General
An obligation has been imposed on a body corporate to obtain consent in writing (Rule 5 (1)) through letter or fax or email or other electronic means from the data subject with regard to sensitive personal data or information. Based on this, the privacy policy of each body corporate may contain an “I Agree” tab at the end of the text. A click on the tab by the reader of the privacy policy (i.e., the data subject) would be deemed to be valid consent under the Privacy Rules.
Additionally, the Privacy Rules require that, while collecting sensitive personal data or information directly from t he data subject, the body corporate must, inter-alia, inform the data subject of the purpose for which his or her information is being collected, that the information so collected may be transferred/disclosed and names/addresses of the agency collecting and retaining this information.
Further, a body corporate or any person on its behalf may collect any sensitive personal data or information only if the information is collected for a lawful purpose connected with an integral activity of the body corporate.
Sensitive Data
The requirement to obtain consent is applicable only if the body corporate is collecting sensitive personal data or information (see Section 5(a) above). It is unclear at present whether the same will be applicable for body corporates collecting non-sensitive personal data as well.
Minors
There are no specific guidelines with regard to data privacy under the IT Act or Privacy Rules regarding minors. However, the IT Act punishes publication or transmission of material depicting children in sexually explicit acts, in electronic form.
Employee Consent
Employee consent is required if his or her sensitive personal data or information is being collected, used, handled, stored and/or transferred by the employer (i.e., the body corporate). The requirements for such consent are the same as the general consent requirements.
Online/Electronic Consent
Initially, only written consent or consent through email or fax was allowed. However, the Press Note clarified that consent could also be obtained online/electronically.
Information / Notice Requirements
An obligation is imposed on the body corporate or any other person collecting, receiving, possessing, storing, dealing with or handling information from a data subject on behalf of a body corporate, to provide a privacy policy for handling or dealing in personal information, including sensitive personal data or information. The body corporate is required to ensure that the privacy policy is available for viewing by the data subject who has provided such information under a lawful contract. The policy is to be published on the website of the body corporate or any person who handles the information on its behalf and should, among other things, clearly state the purpose of collection of information, the type of data being collected, the security measures undertaken to protect the information, details of practices and policies adopted with regard to handling such information and the policy for disclosure of such information to third parties.
The Press Note clarifies that, every body corporate which collects, stores, uses, possesses, deals with or handles sensitive personal data or information, will be required to fulfill the obligation of maintaining a privacy policy (as prescribed under Rule 4 of the Privacy Rules), irrespective of any contractual obligations.
Processing Rules
There are no specific rules in this regard.
Rights of Individuals
Access right
A body corporate must ensure that every data subject is provided with a right to review the information they had provided to the body corporate and ensure that any data or information found to be inaccurate or deficient is corrected or amended. However, the Privacy Rules have not laid down the procedure to be adopted for such review of information by the data subject.
Additional rights
Right to opt out – Every body corporate or any person on its behalf obtaining consent from data subjects to collect sensitive personal data or information, has an obligation to provide an option to the data subject to not provide the data or information sought to be collected. Further, even after such data has been collected, the data subject must be provided with the option to withdraw his or her consent given earlier for such collection. The rule from which the above is derived mentions “information including sensitive personal data or information”. The right to opt out is restricted to sensitive personal data or information alone.
Disclosure – A body corporate is precluded from disclosing sensitive personal data or information collected by it to any third party, without prior permission from the data subject, unless such disclosure has either been agreed to in the contract between the body corporate and the data subject or such disclosure is mandated under any applicable laws.
Further, the third party is restricted from further transferring sensitive personal information. From a reading of the Privacy Rules, these restrictions seem to apply only to sensitive personal data or information. Thus, a body corporate may disclose any other kind of information without the prior consent of the data subject, provided the same will not result in a breach of a lawful contract between the body corporate and the data subject.
Registration / Notification Requirements
No formal registration requirements apply.
Data Protection Officers
Every body corporate collecting/ using/ retaining or transferring sensitive personal data or information is obligated to designate a Grievance Officer in order to address any discrepancies and/ or grievances that any data subject may have. The names and contact details of such Grievance Officer must be published on the website of the body corporate. The Grievance Officer is required to redress the grievances of the data subject within one month from the date of receipt of grievance. However, there is no clarity on the qualification of the Grievance Officer.
International Data Transfers
International data transfers of personal data or information and/or sensitive personal data or information may be allowed only if such jurisdiction provides the same level of data privacy as that of the body corporate in India.
Security Requirements
The IT Act, read with the Privacy Rule s, state that a body corporate or a person acting on its behalf is required to implement “reasonable security practices”. Reasonable security practices will be considered to have been implemented if the body corporate has implemented security practices and standards such as the IS/ISO/IEC 27001: 2005 and has a comprehensive documented information security program and information security policies that contain managerial, technical, operational and physical security control measures to ensure protection of information commensurate with industry standards. The body corporate or the person acting on its behalf is required to prove that they have implemented reasonable security control measures, if called upon to do so. However, the Privacy Rules are flexible regarding the security measures to be adopted. It recognizes any self regulating association which follows any other codes of best practice for data protection, provided the same is approved by the Central Government.
Further, in order to comply with this stipulation, a body corporate has the option to get its security measures audited via an independent auditor, appointed by the Central Government. As per the Privacy Rules, such audit should be undertaken once a year or when a significant upgrade is undertaken.
However, the Privacy Rules are ambiguous in this regard to the extent that it has not specified the mode of appointment of the auditor or the scheme of bearing expenses relating to the audit. A clarification from the Ministry is awaited regarding this.
Special Rules for the Outsourcing of Data Processing to Third Parties
Yes, specific requirements apply, as has been detailed above.
Enforcement and Sanctions
Yes, as per the IT Act, any body corporate which breaches Section 43-A is liable to pay damages by way of compensation to the data subject so affected. There is no limit on the amounts recoverable.
Data Security Breach
There are no legal requirements, including notification obligations, in the event of data security breach. Currently, it is not clear as to how the Privacy Rules may be implemented. However, given that there is no ceiling to the amount of damages that may be payable upon breach, it is advisable that a body corporate follows and implements the provisions of the Privacy Rules. There is no filing requirement for a whistle-blower hotline in jurisdiction