Privacy and Security Legal Issues in the present
By Shakeel Kudrolli
Telecommunications and computer databases have made it too easy to invade the private
lives of individuals. Computer Technology enhances not only collection and storage of data
about person but also its compilation and cross - referencing.
"Privacy" primarily concerns the individual and overlaps with the concept of liberty. It is an
individual's "right" "to be let alone". Right to personal privacy belongs to the category of
fundamental human rights and this right is enacted in most national constitutions and in
international basic documents on human rights.
According to the Supreme Court of India in the case of R. Rajagopal v/s. State of Tamil Nadu
reported in AIR 1995 SC 264, the right to privacy is implicit in the right to life and liberty
guaranteed to the citizens of India by Article 21 of the Constitution.
In the context of rights in electronic information, privacy of the person (rights to his name,
identity, photograph, voice), privacy of data of a person (information about a person's medical
history, tax records, insurance records, employment records, criminal records and the like)
and privacy of a person's communications (handwritten, typed, print or electronic) assume
importance. Misuse of such rights would constitute an invasion of privacy.
In the United States, the right to privacy that protects a person's electronic communications is
provided through the Federal Electronic Communications Privacy Act (ECPA). It was enacted
to address the growing problem of unauthorized persons deliberately gaining access to and
sometimes tampering with, electronic or wire communications that are not intended to be
available to the public. The ECPA applies both to the government and private persons and
entities. The two key issues that the ECPA addresses are: -
(a) Interception and disclosure of electronic communication and
(b) Unlawful access to stored electronic communication.
However, in view of the recent terrorist attacks, the US has introduced new stringent
legislation to protect security. The Anti Terrorism Bill broadens the powers of law enforcement
agencies. They only have to state to a judge that they are seeking information in connection
with a terrorist investigation in order to obtain records. The Bill provides a Sunset clause for a
review in December 2005.
Further, new US Privacy initiatives and guidelines for companies provide 4 courses of action
as follows: -
1. Appoint a Chief privacy officer
2. Audit and document privacy practices
3. Frequently review privacy policies.
4. Develop a public relations plan to deal with bad publicity in worst case.
In Europe, privacy rights in information about individuals have received much broader
protection than it has in the US. The EU Directive on privacy seeks to protect individual
privacy by prohibiting the improper collection, use and communication of data relating to
The provisions of the Directive are rather broad and encompass virtually any information
about an identifiable individual. It regulates all forms of processing of personal data, including
data collection, retrieval, use, making data available or destruction of data. A key provision of
the Data Protection Directive relates to trans border flow of data. According to Article 25 of the
Directive, personal data may not be transferred to a Country outside of the EU unless the
Country to which the data is sent ensures an adequate level of protection.
Section 72 of the Indian Information Technology Act, 2000 has dealt with the issue of breach
of confidentiality and privacy. It provides that a person who has access to confidential
information under the powers conferred to him under the Act and discloses such information
can be punished with imprisonment for upto 2 years or fine upto Rs. 1 lakh or both.
Comparing this provision with the ECPA, the section deals only with disclosure of confidential
information and not with interception and therefore its scope is limited.
However, the Communications Convergence Bill 2000, which is cleared by the Cabinet,
recently has addressed the issue of interception of communications. The principles laid down
by the Supreme Court in the Telephone Tapping Case of People's Union of Civil Liberties v/s.
Union of India reported in AIR 1997 SC 568 find an echo in the Convergence Bill. The Bill lays
down a detailed procedure to be followed by agencies desirous of intercepting messages or
communication. The interception of communications is to safeguard against misuse in the
interests of sovereignty and integrity of India, the Security of the State, friendly relation with
foreign States or public order or for preventing incitement to the commission of an offence.
Over the past quarter century, government agencies in the United States, Canada and Europe
have studied the manner in which entities collect and use personal information, their
"information practices" and the safeguards required to assure those practices are fair and
provide adequate privacy protection.
Self-Regulation is being advocated for addressing the issue. The five core principles of
privacy protection should form part of any self-regulatory policy. These are
a. Notice / Awareness
b. Choice / Consent
c. Access / Participation
d. Integrity / Security
e. Enforcement / Redress.
Unlike the United States or the European Union, India has not enacted separate legislations
on privacy such as Children's Online Privacy Protection Act and Gramm Leach Bliley Act,
which deals with consumer financial privacy. The GLB Act redefines financial holding
Companies to include Banks, Insurance and Security underwriters, Financial Institution,
Security Companies / Brokers Merchant Banks. The provisions cover requirement for
disclosure of private financial information, prohibits disclosure of the same to unaffiliated third
parties unless consumers are provided the right to opt out of such disclosure. What is to be
noted is that the Act enforces privacy provisions administratively. A consumer cannot sue if
there is a violation of his privacy rights. But what is sought to be done is that, through
mandato ry rules organizations have to comply with privacy rules and thus the consumer is
A US Federal District Court recently upheld the provisions of GLB Act. The Defendants, a
Consumer Reporting Agency (CRA) and a non profit consumer reporting agency trade
association, claimed, among other things that CRA's were not subject to the privacy
provisions of the GLB Act because they are not financial institutions. The Court held that they
were financial institutions subject to GLBA privacy regulations.
However, in spite of this, studies reports and surveys show lack of awareness of privacy
concerns. For example, Australia's amended Privacy Act is to come into force on 21st
December, 2001 but according to a recent Study by Andersen, 50% of the Sites Surveyed do
not provide details of how to contact the Company over privacy concerns. In U. K., the Data
protection Act came into force on 23rd October, 2001 and a recent study found lack of
awareness of the impending deadline.
On August 29, 2001, the Privacy Commissioner of Canada released the report of his Office's
review of the Canadian Firearms Program. The Report makes 34 detailed recommendations
aimed at reducing the privacy intensiveness of the program. The 3 main concerns addressed
by the Report were
1. Access and correction rights
2. Collection and use of personal information
3. In fusion.
The recommendation according to the Commissioner balances the need for public safety with
the fundamental right to privacy.
In a recent decision, the Delhi High court granted an ex parte injunction retraining sending of
derogating, defamatory abusive and obscene emails.
There is clearly a need to balance the Security concerns as against invasion of individual
privacy. Experience of various privacy policies and regulations show that a self regulatory
approach by and large needs to be followed although in areas such as consumer financial
privacy, there is need for special legislation. There is also a growing concern by privacy
advocates that in the present environment where emphasis is to address Security issues,
privacy of individuals will be compromised. It is therefore necessary that disclosure norms
which are likely to be laid down with respect to financial information of individuals to be
disclosed by Banks, Insurance Companies, Brokers etc. need to be stringently laid down to
ensure that these norms are not misused.
Source: http://www.inomy.com/ 11/21/2001