|
Privacy Issues in Data Protection : National and International Laws
by Faizan Mustafa†
Cite as : (2004) PL WebJour 16
The jurisprudence of privacy has a fragmented history. Privacy, as a distinct legal concept, probably has its origin in an essay published in 1890.1 Louis Brandeis and Samuel Warren reviewed the long history of protection under the English common law for various individual liberties and private property, and extrapolated a general “right to privacy”.2 Ironically, the United States still does not have a privacy law with general application to the private sector. Instead, it has a patchwork of sector-specific laws. Similarly, the British law of privacy has not gone beyond remedy for the breach of confidence despite a recommendation by the Law Commission to enact a law on privacy. Thus 113 years after Warren and Brandeis’s seminal article, privacy issues are at the centre stage again. Popular concerns about the implication of widespread use of computers in public and private sector led to the adoption of data protection laws in various European jurisdictions. The first was the German State of Hessen in 1970. Since then more than 40 countries around the world have enacted data protection laws intended to protect the individual’s right to privacy by restricting the manner in which information about them may be processed in the private sector3 and which protect the integrity of personal consumer data. However, most of the existing data protection laws will be replaced by the European Union Data Protection Directive of 2002. A number of other countries have laws regulating processing of personal data in the public sector such as the Privacy Act of USA. While the vast majority of countries in the world including India do not yet have a data protection laws, a number of them either have general privacy rights, sometimes entrenched in a constitution, or have sector-specific privacy laws. An attempt is made in this paper to raise the vital issues relating to collection and disclosure of personal information due to freedom of information. Since the Freedom of Information Act, 2003 has now become the law of the land in India, data protection and privacy issues are bound to come to the fore sooner than later. The paper discusses the implication of personal data collection by the Government at length. The issues are involved in transborder flow of personal data in this age in information technology have also been examined. The paper critically examines various international and national data protection laws.
Personal data and the governmental records
Possibly the largest amount of recorded personal information is in the form of government records. From birth to death, the Government keeps track of all the major events in our lives. Records are kept for driver’s licences, marriage licences, property ownership, criminal activities, tax information, voter registration, and much more. Some of this information is confidential but most of it is stored in the form of public records and “public records” are just that public. There are already few restrictions (at least in US, Canada, Australia and New Zealand, just to name a few and now in India also with the enactment of the Freedom of Information Act, 2003) and the right to information demands still fewer restrictions on the release of information with the Government. To demonstrate the scope of this personal information, let us look at the US Department of Motor Vehicles (DMV) records as an example. They contain:
(i) your name;
(ii) birth date;
(iii) house and mailing addresses;
(iv) physical description;
(v) licence number;
(vi) social security number;
(vii) failures to appear in court;
(viii) failures to pay traffic fines;
(ix) major traffic convictions for the past seven years;
(x) minor traffic convictions for the past three years;
(xi) the name of the person who owns the vehicle;
(xii) vehicle year, make and body style;
(xiii) year the vehicle was bought by the current owner and previous owners’ names and addresses going back three years;
(xiv) name of the lien-holder if the loan for the vehicle has not yet been paid in full.
Even though these confidential records are protected, some of the data stored in public records does seem a bit intrusive. For instance anyone can find out if you had a minor traffic conviction in the past three years. Noisy neighbours are not the only ones that access these files; DMV files are routinely consulted by employers, insurance companies, attorneys and private investigators. In the United States, these records used to be sold to marketeers, but access has been restricted since 1990. One may argue that what is the big deal if someone can access this information? If you are applying for a job from a self-insured employer and you have numerous major traffic convictions, you may represent an insurance risk that the employer may be unwilling to take. Your DMV record is just the beginning. All “property records are open for public inspection”, “court records unless they involve a juvenile, “are usually public”, “divorce records are public documents and are usually considered part of court files”, and “records of arrests are also public”. This is the situation in several other countries as well including India.
As part of the Violent Crime Control and Law Enforcement Act of 1994, Congress enacted the Driver’s Privacy Protection Act of 1994 to establish rules governing the disclosure of individually identifiable information from the State Department of Motor Vehicles Record. The Act became effective from 1997. The Driver’s Privacy Protection Act restricts the ability of the Motor Vehicle Department to disclose motor vehicle operator permits, motor vehicle titles and motor vehicle registrations. Information on accidents, driving violations and driver’s status is expressly excluded from the federal disclosure rules. For covered information, only those disclosures specifically authorised in the Act are allowed. Violations are punishable by a criminal fine or by a civil fine against the Department of Motor Vehicles.
The growth of the computer industry in the last two decades has been amazing. Along with this growth, accompanied an increase in the quantity and availability of data stored by private companies and the Government, not only in the United States but almost in all the countries of the world including India. The ease with which information is transmitted and stored has created an information market in which personal data is bought and sold to various groups. The key to the information age is the swift transfer and storage of digital data. For marketeers and corporations some of the most important data traded involves information about our personal histories. Whether it be buying habits, driving records, medical records or credit reports, this information is a hugely valuable commodity. As these companies go from source to source, collecting as much pertinent personal information as possible, citizen’s privacy is being slowly eroded. The other major problem is that the integrity of data storage and digital communications is questionable. Genetic discrimination in the western world runs unchecked as insurers and employers freely sift through personal medical records. In the US, the Freedom of Information Act, 1966 establishes the right to know what the Government is doing. All government agencies must disclose all information unless that disclosure concerns one of the following:
(i) litigation;
(ii) the CIA;
(iii) internal agency memos;
(iv) personal matters;
(v) trade secrets;
(vi) classified documents;
(vii) law enforcement activities;
(viii) violating an individual’s privacy interests;
(ix) civil service examinations (to the extent it would affect the fairness of the tests).
The Freedom of Information Act thus prevents the Government from becoming a Wizard of Oz-like entity operating the Government behind a closed curtain. The Privacy Act of 1974 on the other hand establishes citizen’s right to know what information the Government collects from them, why it is collecting, who has accessed this information and allows them to receive a copy of this information. It also governs the activities of federal agencies with regard to why they may or may not collect certain pieces of data. The Privacy Act also allows for limited cases where another individual may access your records. These cases include:
(i) a purpose similar to the original reason for collecting the information;
(ii) for statistical research;
(iii) for law enforcement purposes;
(iv) when ordered by a court;
(v) if it is medically necessary for the requests to have access to the information.
There must, therefore, certainly be a point where society draws the line and declares certain pieces of information off the market. There is no doubt that we cannot protect all data, bit by bit, byte by byte, but something must be done. Much of this problem arises from the fact that there is little or no legal protection of personal data.... No government agency reviews privacy issues comprehensively or tries to map a coherent overall policy on the wide range of consumer, commercial and workplace privacy issues. A subtle code of ethics cannot serve in the place of federal legislation. The most glaring example of this lies in the difficulties associated with access to personal medical records. Is it fair that insurance companies and hiring offices may discriminate against people based on what is in their supposedly confidential medical records? Is it been made illegal to discriminate against someone because of a handicap, so should not that protection be extended to the information contained in the medical records? Taken from this point of view the answer would seem to be “perhaps yes”.
The US Supreme Court delivered a landmark decision in Department of Justice v. Reporters Committee For Freedom of Press.4 The case involved Freedom of Information Act requests from members of the news media for access to any criminal history records — known as “rap sheets” — maintained by the Federal Bureau of Investigation (FBI) regarding certain persons alleged to have been involved in organised crimes and improper dealings with a corrupt Congressman. Such records show any “history of arrests, charges, convictions, and incarcerations” on named individuals at the State and local (as well as federal) levels. In accordance with its general policy of not disclosing such records of compilations of arrest information, the FBI refused to disclose records on the one surviving individual involved in the case. The Supreme Court unanimously decided that disclosure of rap sheet would be an invasion of privacy under the Freedom of Information Act. The Court rejected the notion that there was no privacy interest in information that had been previously disclosed, finding an important difference between the scattered disclosure of the bits of information contained in a rap sheet and revelation of thereby sheet as a whole.
The Court held that the purpose of the Freedom of Information Act is the disclosure of official information that sheds light on an agency’s performance of its statutory duties. This purpose is not fostered by the disclosure of information about private citizens maintained in government files that reveal little or nothing about an agency’s conduct.
Although the information might be newsworthy, but this interest falls outside the ambit of public interest than the Freedom of Information Act was enacted to preserve.
Internet and personal data issues
In addition to the issue of protection of personal data kept in government records, the impact of internet on collection and transfer of personal data has also come to the fore as emerging problems posed by the new technology. Since the beginning of its exponential growth in the early 1990s, ambitious claims have been made for the Internet. It will be the great democratiser, levelling the playing field of knowledge and access to ideas. It is a tool of liberation, the medium through which marginalised views can reach a wider audience — not only free from the State censorship but unmediated by the decisions of publishers or broadcasters. Strong encryption can provide absolute privacy and security for information sent via the Internet — as vital for political dissidents as for commercial transactions. And, of course, it can be used to enhance governmental transparency and accountability and to improve the quality of political participation.5 Yet there is another side to each of these claims. The opportunity to play on the level field is only to those with access. Only some 260 million people are “online” i.e. around 3% of the world’s population. It could be argued that it merely deepens the gulf between the information-rich and the information-poor. Internet does improve the individual’s access to government information but there are privacy concerns as well. Internet does provide yet another arena to State for surveillance.6 Until the problem of protection of personal data has been solved, public acceptance of the Internet for widespread online purchasing of goods and services — and transactions with the Government — will not really take off. Privacy concerns relate not only to interception and subsequent misuse of credit cards or personal data on the Internet but also extend to the Government use of information held on computers about individuals, such as health, tax and social security records, and to monitoring of what is downloaded from government web sites and by whom.7
If someone goes into a library, the staff can record which books they are borrowing, but no one monitors their browsing, or the topics they look up in reference books. But on the other hand, on the Internet, the computers holding the web pages log all comings and goings. The organisation running the site — in case of official information, the Government — has complete record of everything they look at, their interests and concerns.8 Andrew Ecclestone rightly says:
“Without the transparency afforded by building freedom of information and data protection principles into the systems which will deliver online government services, it is hard to see why people should trust the Government not to abuse the powers it will need to tie together the data from disparate sources. If the same ‘smart’ electronic card will in future be used for financial transactions, to hold medical records, criminal records, driving licence details and to authenticate my dealings with government departments, how can I be sure the Government will not abuse the technology to track my movements, lifestyle, reading matters and so on? This gap in public trust is going to be one of the biggest problems facing the wiring up of public service delivery, and strict freedom of information and data protection laws are the absolute requirements to bridge the divide.”9
But unfortunately, the Governments are going in the other directions. Many developing countries today are importing technologies of surveillance i.e. digital wiretapping equipments, scanners, tracking equipment, deciphering equipment, bugs and computer intercept system. In fact transfer of surveillance technology is the booming business now-a-days. A 1995 report, “Big Brother Incorporated”, by the watchdog organisation, Privacy International highlighted the extent of new lucrative trade. Simen Davies and Ian Hosen rightly observe:
“Western surveillance technology is providing valuable support to military and totalitarian authorities throughout the world. However, the justification advanced by the companies involved in this trade is identical to the justification advanced in arms trade i.e. the technology is neutral. Another view — certainly held by Privacy International — is that in the absence of legal protections, the technology can never be neutral. Even those technologies intended for ‘benign’ uses rapidly develop more sinister purposes.”10
There are thus very genuine concerns of privacy involved in Internet. An unregulated information superhighway is likely to maximise surveillance and increase the power of institutions in control of the technology.11 The European Court of Human Rights at Strasbourg, France also took note of this disturbing trend of wiretapping. In 1990, the Court severely criticised the French Government for illegal wiretapping.12 The Court clearly said that the French legal system does not provide even for the minimum degree of protection which its citizens are entitled to in a country committed to rule of law and human rights.
This policy of illegal wiretapping is used widely by a very large number of countries today. Amongst the most common targets of these taps are human rights groups, reporters and political dissidents. Consequently human rights groups around the world use encryption to protect their communication and files, for instance, the African National Congress developed and successfully used encrypted email for years without it being compromised by the repressive and racist South African Government.13
The right to privacy is a controversial subject. One of the problems is that the very breadth of the idea, and its tendency, produces a lack of definition which weakens its force in the political discourse. In particular, when privacy takes the form of a right to liberty it is doubtful whether it can support arguments for very specific rights.14 Privacy, as a weapon in the protection of human right, is like a shotgun spraying bullets over a wide area of the individual’s behaviour and preferences, rather than a rifle delivering a powerful blow at a well-defined target. Privacy may have spatial and temporal elements. It has to do with protected interests. The core sense of privacy, the central interest which is proper to be defended by the law, is the field of “personal information”.15 Maintaining the confidentiality of personal information is important because “there are some things about us which, put simply, are nobody else’s business unless we choose to make them such”.16
In the moral and legal tradition of liberal individualism, the right to control personal information i.e. the right to disclose it selectively or not at all is the opposite from being coerced to disseminate personal information or to have to suffer such disclosures to others.17
The right to privacy is today incorporated in many international human rights instruments.18 In several countries the right is either provided in the constitution or has been statutorily recognised. This right to privacy is of great importance in the context of information networks, since operating in the network context i.e. logging-in, downloading, searching, surfing, visiting web sites, ordering and paying with credit cards, do require giving of lot of information about ourselves. The threat to our privacy results from our “profiling”, made possible by the accumulation of data relating to our preferences, purchasing patterns and lifestyles. The problem of privacy and data collection is reinforced when such profiles are not only used by the first receiver but sold or made accessible to other entities.19
One way to deal with such problems would be to avoid, as far as possible, the collection of identifiable personal data by allowing anonymous access to the network and anonymous consumption of services available. Anonymous use of the Internet may take a number of forms, such as anonymous browsing, anonymous publishing of content of World Wide Web, anonymous email message and anonymous posting of messages to news groups. Users may indeed wish to browse anonymously so that their personal details cannot be used without their knowledge.20 Technologies can also support certification mechanisms: web sites that adhere to specific criteria in their privacy practices can display an icon that can be used to verify information and compliance with the criteria. Privacy-enhancing technologies should not be seen primarily as novel technical developments or as additions to existing systems. Rather, they should be seen as a part of a design philosophy: one that encourages (in appropriate circumstances) the removal of identifiers linked to personal data, thereby anonymising the data.21
But then we must not ignore the dangers involved in this process as anonymity may be used by those engaged in illegal acts to protect themselves from detection and possible punishment. Anonymity should not be allowed to be used as a cloak to shield criminals and terrorists. As a compromise between the above two conflicting situations, there is increasing demand for the innovative privacy-enhancing, user-empowering technologies that are being developed today. Such technology-based solutions, involving cryptographic methods22 aim at allowing users to make informed decisions about collection, use and disclosure of personal information during interactions in information networks.
International data protection laws
National laws governing privacy and data protection do exist in some countries.23 For instance Australia has a Privacy Amendment (Private Sector) Act, 2000, Canada has the Personal Information Protection and Electronic Documents Act, 2000, New Zealand has the Privacy Act, 1993, UK has the Data Protection Act, 1998. But most countries in the world including India have no legislation at all.24 This is simply disgusting as the law should never lag behind technology. Moreover the Internet-users have a fundamental interest in knowing and deciding what personal data are processed in global information network.
There exist, however, some international legal instruments which help in providing the basis for development towards an international harmonisation of principles relating to data protection and right to privacy in the digital era i.e. the 1980 OECD Guidelines25, the 1981 Council of European Convention26 and the 1995 European Commission Directive27 on the protection of individuals with regard to the processing of personal data and the free movement of such data.
Organisation for Economic Cooperation and Development (OECD) Guidelines
Given the global nature of network technologies, international cooperation is a key aspect of online protection of privacy and personal data. The geographic ties that once bound data collectors to data subjects do not necessarily exist on global networks, and transborder exchanges of personal data are increasing. In order to secure effective privacy protection on global networks and to avoid unnecessary restrictions on transborder flows of personal data, OECD countries have started working to build bridges between their different approaches to ensuring data protection on global networks. In late 1980, OECD issued a set of guidelines concerning privacy of personal records. Although broad, the OECD Guidelines underpin most current international agreements, national laws and self-regulation policies. The guidelines are a “soft law” instrument and have no legally binding force. Although the guidelines were voluntary, yet roughly half of the OECD members had already passed or proposed privacy protecting laws. The OECD Guidelines briefly lay down the following principles—
1. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of data subject.
2. Personal data should be relevant to the purposes for which they are to be used and should be accurate, and complete and kept up to date.
3. Personal data should not be disclosed except with specified purposes without the consent of the data subject and by the authority of law. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
4. An individual should have the right to obtain from the data controller, or otherwise, confirmation of whether or not the data controller has data relating to him and to have communicated to him, data relating to him within reasonable time.
The OECD Guidelines represent an attempt to balance the conflicting priorities of data protection and the free flow of information. The most fundamental limitation of these guidelines is that they have no legal force. They are not embedded in any convention. Moreover, the open-textured nature of the guidelines means that they can serve only as a loose framework for the harmonization of national laws.28
Council of European Convention
Unlike OECD, which is essentially concerned with the economic development of its member States, the Council of Europe has a broader political mandate. In 1968, the Parliamentary Assembly of the Council expressed concern over the adequacy of the European Convention on Human Rights in securing privacy protection in the context of information technology. In 1976, the Council established a committee of experts on data protection that reported its findings in early 1979 and the result was the Council of European Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, 1981. The Convention came into force on 1-10-1985 after five States had ratified it. So far twenty States had ratified the Convention. The Convention set forth the data subject’s right to privacy, enumerates a series of basic principles for data protection, provides for transborder data flows, and calls for mutual assistance between parties to treaty including the establishment of a consultation committee and a procedure for future amendment to the Convention.29 Two exceptions are permitted. One is where the first party gives special protection to a particular category of data and the second does not. The other is where the data are to be re-exported to a non-Convention State.
European Commission (EC) Directive
The Commission of European Community recommended that member States ratify the Council of Europe’s Convention and warned that it might introduce its own Directive on the subject. When it did so, the primary purpose of the Directive was to further standardise the level of protection across the community. The EC Data Protection Directive reaffirms the principles outlined in the Council’s Convention.30
The EC Directive is based on the idea that “data processing systems are designed to serve the human being” and therefore must respect fundamental rights and freedoms, notably the right to privacy. The processing of data is covered by the Directive only if it is automated or if data processed are contained in a filing system structured according to specific criteria and relating to individuals so as to permit easy access to the personal data in question. The Directive has its focus on access restriction and user transparency. The Directive says that European Union member States may transfer personal data only after determining that “the third country in question ensures adequate level of (data) protection”.31 The European Union shall consider “rule of law ... in the third country” to make this determination. The problem here is that this definition of adequacy is not enough. The Directive does not contain any clear criteria on this issue.
The Directive lays down the conditions which must be fulfilled for legally processing personal data. The conditions include that personal data must be “processed fairly and lawfully”, “collected for specified, explicit and legitimate purposes”, must be “accurate, and where necessary, kept up to date”, and “kept in a form which permits identification of ‘data subjects’ for no longer than is necessary for the purposes for which the data were collected”. The EC Directive prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and the processing of data concerning health and sex life.32 The Directive also provides for exemptions for export of personal data for employment contract and for cases in which legal claims and citizen’s vital interests have to be defended. Thus there are limitations and exceptions, and if implemented responsibly, the Directive could, as representative of European institutions appear to believe, be less “draconian”.33 The European Union Member States had to bring into force laws, regulations and administrative provisions necessary to comply with the Directive at the latest by October 199834, as the Directive was to come in force by 25-10-1998. The passage of the Directive highlights an interesting irony. While it is clear that privacy invasion is recognised more than ever before, it is equally true that privacy invasion has never been so substantial. Earlier this year, a report commissioned by the European Parliament confirmed the existence of a network of supercomputers operated by the secretive United States National Security Agency, an agency responsible for intercepting communications across the world for the benefit of American business and Government.35
After discussing the international laws relating to data protection, it is now in the fitness of things to discuss some leading municipal laws relating to data protection including some discussion about the legal regime of data protection in India.
Data protection law in Britain
The Data Protection Act of 1998 is the current law in operation in Britain. The Act came into force on 1-3-2000. We had noted in the preceding chapter that Great Britain did pass a Data Protection Act in 1984 itself. The 1998 Act updates the 1984 Act in accordance with the European Union Directive. The 1998 Act covers records held by government agencies and private entities.
The first data protection principle of the 1998 Act provides that personal data shall be processed fairly and lawfully....36 It means that personal data will not be considered to be processed, “fairly”, unless certain information is provided, or made readily available, to the individual concerned.37 The information to be given to data subjects must include the identity of data controller or any nominated representative, the purpose or purposes for which the data are intended to be processed, and “any” further information which is necessary, having regard to the specific circumstances in which data are processed, to enable processing in respect of data subject to be “fair”.38 The Act says that record must not be processed unless one of the conditions is satisfied. These are set out in Schedule 2. In brief, processing of data is legitimate if the data subject has given his or her consent; or if it is necessary for the performance of a contract to which data subject is a party as for compliance with a legal obligation (other than contractual), or for certain public sector purposes.
More stringent conditions govern the processing of sensitive data.39 The Act defines “sensitive personal data” as “personal data consisting of information as to a data subject’s racial or ethnic origin, political opinions, religious beliefs or other beliefs of similar nature, membership of a trade union, physical or mental health or condition, sexual life, or commission or alleged commission or proceedings in relation to any offence”.40 Processing of sensitive data will be legitimate only if the data subject has given his or her explicit consent; processing is necessary in relation to an employment right or obligation; the processing is necessary to protect the vital interests of data subjects or another person in circumstances where consent is not obtainable or processing is for certain public sector purposes etc. The Data Protection (Processing of Sensitive Personal Data) Order, 200041 has provided for various additional circumstances in which sensitive personal data may be processed such as preventing or detecting any unlawful act.42
The Act also lays down that personal data shall not be transferred to a country outside the European Economic Community unless that country ensures adequate level of protection for the processing of personal data.43 Schedule 4 of the Act however lists nine exceptions, the first seven of which apply “automatically”, in the sense that no prior regulatory approval is needed. The most straightforward automatic exception is that the data subject has consented to the transfer.44 The Act also provided that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data.45 The Act requires data controller to process “personal data” in accordance with rights of data subjects under the Act.46 Thus a person will be regarded as contravening this principle if he fails to provide access to data required, fails to comply with a notice from a data subject requiring him to stop processing for certain purposes, or fails to comply with the procedures relating to automated decision-making.47 Section 13 of the Act gives a right to compensation where a person suffered damage as a result of contravention by a data controller of any of the requirements of the Act. It provides for limitation on the use of personal information, access to and corrections of records and requires that entities that maintain records register with the Information Commissioner. The office of the Information Commissioner is an independent agency that maintains the register and enforces the Act.48 As of 31-3-2002, there were 198,519 databases registered with the Information Commissioner.49 The agency received 12,479 requests for assessment and inquiries in 2001-02. There were 106 cases forwarded for prosecution resulting in 66 prosecutions and 33 convictions.50
Data protection laws in the United States
There is no single law in the United States that provides a comprehensive treatment of data protection or privacy issues. In addition to the constitutional interpretation and international agreements, there are a number of laws dealing with such issues. Protection for personal information in USA has been called “reactive, ad hoc and confused”.51 Laws are made only in response to specific perceived problems, as a result are usually narrow protections in specific instances than a coherent statement of what information may be private. This makes an explanation of exactly what information is protected, and how it is protected, difficult. In addition, many privacy laws have large loopholes, which make them hard to understand.
Following are some of the federal laws in the United States which cover the collection and use of personal information and consumer data—
The Privacy Act
The Privacy Act of 197452 is a companion to and extension of the Freedom of Information Act of 196653 (FOIA). FOIA did exempt the disclosure of personal and medical files that would constitute, “a clearly unwarranted invasion of personal privacy”.54 This provision was initially used to deny access to people requesting their own records. So the Privacy Act was also adopted both to protect personal information in the federal databases and to provide individuals with certain rights over information contained in those databases. The Act set forth some basic principles of “fair information practice” and provided individuals with the right of access to information about themselves and the right to challenge the contents of records. It required that personal information may only be disclosed with the individual’s consent or for purposes announced in advance. The Act required federal agencies to publish an annual list of systems maintained by the agency that contain personal information.
The Video Privacy Protection Act
The Act55 forbids a video rental or sales outlet from disclosing information concerning what tapes a person borrows/buys or releasing identifiable information. The Act is enforced through civil liability action.
Electronic Communication Privacy Act
This statute56 prohibits the unauthorised interception or disclosure of many types of electronic communications, including telephone conversations and electronic mail, although disclosure by one of the parties to the communication is permitted. It applies both to the Government and private persons and entities. Violations are subject to civil and criminal penalties.
Electronic Funds Transfer Act
The Act57 requires institutions which deal with electronic banking services to inform their consumers of the circumstances under which automated bank account information will be disclosed to third parties, in the ordinary course of business. The violators are subject to civil and/or criminal penalties. The Act is enforced by the Federal Revenue Board.
Right to Financial Privacy Act
The Act58 mandates that the Federal Government present proper legal process or “formal written request” to inspect an individual’s financial records kept by a financial institution (including credit card companies) and gave simultaneous notice to the consumer to provide him/her with the opportunity to object. It provides for civil liability.
The Cable Communication Policy Act as amended by the Cable Television Consumer Protection Act
This statute59 establishes written disclosure requirements regarding the collection and use of personally identifiable information by cable television service providers and prohibits the sharing of such information without prior consent. It provides for civil liability.
Communications Act
This Act60 requires the Telecommunication Commission to protect the confidentiality of customer proprietary network information, such as the destinations and numbers of calls made by customers, except as required to provide the customer’s telecommunication service or pursuant to consumer consent.
Children Online Privacy Protection Act
The Act61 directs the Federal Trade Commission to promulgate regulations that govern the collection, use and disclosure of “personal information” obtained online from a child (defined as anyone under the age of 13) by an operation of a commercial web site or online service directed to children, as well as any operator with actual knowledge that it is collecting personal information from a child.62 “Personal information” is defined to include “individually identifiable information”, “such as child’s name, address, phone number, social security number, email address, or any other identities ... that permits physical or online contacting of a specific individual”. The Act further restricts any other information collected online that is combined with any of the above identifiers.63
Federal Aviation Act
The Department of Transportation Regulations promulgated under the authority of this Act64 generally require to keep passenger-manifest information, such as the names and destinations of passenger, confidential and prohibit use of this data for commercial or marketing purposes.
Health Insurance Portability and Accountability Act
The vital importance of privacy of medical records has been discussed earlier in the chapter. This Act65 mandates that the Secretary of Health must promulgate regulations regulating privacy of individually identifiable information if Congress does not enact a law by August, 1999. The regulations66 so issued include provisions such as restricting the disclosure of patient-identifiable information and providing the patient with notice about how such information will be used or disclosed to a third party. One of the most controversial provisions is that each patient must consent to uses and disclosures for treatment, payment, and health care operations. The use of the term consent is confusing because the rule states that each patient may be required to sign a standard consent form as a condition of receiving treatment or as a condition of having the insurer pay for the treatment.67 It is likely that every provider and payer will insist that the patient sign the standard consent. Under these conditions, mandatory consent is an oxymoron. The standard consent form will authorise the use and disclosure of patient information for many activities. The compliance with the rules is not required until April 2003, and it is certain that the rules will change before compliance is required.
In a high profile case recently, the Federal Trade Commission which is authorised to take legal action against companies for “deceptive” practices did just that against the Internet company Geocities, which used personal information gathered from its members for purposes other than those disclosed. The Federal Trade Commission reported to Congress in June 1998 that while the vast majority of web sites of all types collect some sort of personal information — such as name, email address, postal address, phone number, fax number, credit card number, social security number, demographic information or personal interests — a mere 14% of a comprehensive sample of sites openly disclosed some sort of privacy policy or information practice.68
Identity theft is another serious privacy invasion in today’s society. It occurs when someone gathers enough personal information on some other individual to assume that persons’s identity. Often, the criminal will use Internet to learn personally identifiable information about the victim, such as his/her name, address, social security number, mother’s maiden name etc. With this information, the criminal will apply for credit cards using the victim’s identity and purchase goods at will, leaving the victim to pay the bill. At present there are no significant laws against this form of identity theft.
In view of the terrorist attacks of 11th September, 2001, the United States has introduced new stringent legislation to protect security. The AntiTerrorism Act, 2001 broadens the power of law enforcement agencies. They only have to state to a judge that they are seeking information in connection with a terrorist investigation in order to obtain records. The Act, however, provides a sunset clause for a review in December 2005.
Data protection law in India
Unlike the United States or the European Union, India has not yet enacted a separate legislation on privacy. There has been an increased concern in India about the impact of data protection laws enacted in other countries. The National Task Force on Information Technology and Software Development had submitted an “Information Technology Action Plan” to the Prime Minister in July 1998, calling for the creation of National Policy on Information Security, Privacy and Data Protection Act for handling of computerised data. It examined the UK Data Protection Act of 1998 as a model and recommended a number of cyber laws including one on privacy and encryption.69 It is disgusting that no legislative measure however has been considered on this vital issue to date. Former NASSCOM President Dewang Mehta on 20-9-2000 announced that the Government is likely to start work soon on framing data protection law in the country.70 He said that European Union laws would not permit companies there to outsource information technology services from countries which do not have an adequate level of data protection. It must be noted that the European Union accounts for around 20% of information technology revenues for India.
In May 2000, the Government passed the Information Technology Act, 2000. The Act provides for a set of laws intended to provide comprehensive regulatory environment for electronic commerce. The Act also addresses the question of computer crimes, hacking, damage to computer source code, breach of confidentiality and viewing of pornography. Chapter X of the Act creates a Cyber Appellate Tribunal to oversee adjudication of cyber crimes. After widespread protests and public outcry, sections requiring cyber cafes to create detailed records about their customer’s browsing habits were dropped. The Act gives broad discretion to law enforcement authorities through a number of provisions. Section 69 allows for interception of any information transmitted through a computer resource and requires that the user disclose encryption keys or face a jail term of seven years. Section 80 allows the Deputy Superintendent of Police (DSP) to conduct searches and seizures and seize suspects in public places without a warrant. Section 44 imposes stiff penalties on anyone who fails to provide requested information to authorities.
Section 72 deals with the issue of breach of confidentiality and privacy. It provides that a person who has access to confidential information under the powers conferred on him under the Act and discloses such information can be punished with imprisonment for up to two years of fine up to Rs 1 lakh or both. The section deals only with disclosure of confidential information and not with interception and therefore is limited in its scope.
In March 2001, the Central Bureau of Investigation (CBI) set up the Cyber Crime Investigation Cell (CCIC) to investigate offences under the Information Technology Act, 2000 and other high-tech crimes.71 In April 2002, India and the United States launched a Cyber Security Forum to collaborate on responding to cyber security threats. India’s Intelligence Bureau is reported to have developed an email interception tool similar to the carnivore system, which it claims to use in anti-terror investigations. In March 2002, the Government in spite of opposition from human rights organisations and opposition parties got the Prevention of Terrorism Act (POTA), 2002 passed in the joint session of Parliament as the Bill was defeated in the Rajya Sabha. POTA gives sweeping powers to arrest, intercept communications and curtail freedom of expression. Chapter V of POTA deals with the interception of electronic communications.
The Indian Parliament is presently examining a draft Communications Convergence Bill, 2001. The Bill was introduced in May 2001 and will come up for discussion in the coming session of Parliament. The Bill aims to create a “super regulator”, the Communications Commission for India, to oversee voice and data (including telecom, broadcasting and Internet) communications. Chapter XIV of the Bill deals with the interception of communication and punishment for unlawful interception. Section 63 places a burden on the service provider to provide information on their customers to the Government and allowing the Government to intercept any communication under a very low standard. The interception of communication is to safeguard against misuse in the interests of the sovereignty and integrity of India, the security of State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence. The Bill will repeal the Indian Telegraph Act, 1885, Indian Wireless Telegraphy Act, 1933, Cable Television Network (Regulation) Act, 1995 and Telecom Regulatory Authority of India Act, 1997.
The proposed Bill provides for immense control of the Government. The Government has been given the complete control of assignment of the spectrum. The proposed super regulator, Communications Commission of India (CCI) is nothing but a glorified mouthpiece of the Government. The Bill has given immense powers of censoring content to CCI.
A new issue that has come up recently as to the safety of cellphones and SMS (Short Messaging Service) messages. The Government now wants to peep into the texts of your SMS too. The Indian Home Ministry and the Indian Department of Telecommunications have been in a huddle over the last few weeks to discuss this under the ambit of what they claim as “cyber terrorism”.72 A plan is afoot to issue notices to all cellphone operators to deploy sophisticated equipment to help out not only call monitoring but also detailed SMS text and even emails. The Government’s move has rattled the cellphone industry. More so since this is currently not done anywhere else in the world. Experts are arguing that if SMS texts are retrieved even a year later, privacy of individuals would be seriously infringed upon.73
It can thus be concluded that there is a growing trend towards passing a data protection law. India cannot and should not lag behind for long. There is clearly a need to balance the security concerns as against invasion of individual privacy. The Government of India must legislate a data protection law sooner than later. Web sites must be mandated to follow strict guidelines on various issues concerning personal information. They must be required to follow the basic principles of data protection laws which are internationally accepted. Right to information in India without adequate protection of privacy and personal information will not bear the desired fruits.
|
