Concept of Privacy & Data Protection

8/8/2019 Concept of Privacy & Data Protection

1/35

Concept of Privacy & DataConcept of Privacy & Data

ProtectionProtection


2/35

PrivacyPrivacy-- natural rightsnatural rights

In North America, Warren & Brandeis assertion that privacy isIn North America, Warren & Brandeis assertion that privacy is

thethe right to be let aloneright to be let alone

It is an Individual right: to control the communication ofIt is an Individual right: to control the communication ofpersonal information, & as a property right.personal information, & as a property right.

As a property right, data are transferable & thus all privacyAs a property right, data are transferable & thus all privacy

rights can be lost.rights can be lost.

RiskRisk: Misuse of such information: Misuse of such information


3/35

Privacy Rights are inherently intertwined withPrivacy Rights are inherently intertwined with

information technologyinformation technology..

1.1. In 1967, telephones had become personal devices,In 1967, telephones had become personal devices,

2.2. In 1970s , new computing & recording technologies beganIn 1970s , new computing & recording technologies began

to raise concerns about privacy, resulting in the Fairto raise concerns about privacy, resulting in the Fair

Information Practice Principles.Information Practice Principles.


4/35

Brent v. MorganBrent v. Morgan ,,

299 S.W. 867 (Ky.1927)299 S.W. 867 (Ky.1927)

Every Person has a desire to keep a part of his life private. It isEvery Person has a desire to keep a part of his life private. It is

considered as a natural and an absolute or pure right springingconsidered as a natural and an absolute or pure right springingfrom the instincts of nature. The area of which one wants tofrom the instincts of nature. The area of which one wants to

keep away from the public may relate to ones personality,keep away from the public may relate to ones personality,

ones name, ones premises, ones private life, ones papersones name, ones premises, ones private life, ones papers

and the like.and the like.


5/35

In India, the right of privacy is part of Art 21 of theIn India, the right of privacy is part of Art 21 of the

constitution of India but it is not absolute. The disclosure ofconstitution of India but it is not absolute. The disclosure of

private information is justified under certain circumstances.private information is justified under certain circumstances.

The concept of privacy as fundamental right first evolved in thThe concept of privacy as fundamental right first evolved in th60s in the case of60s in the case ofKharak Singh v. State of U.P.,Kharak Singh v. State of U.P.,

AIR 1963 SC 1295,AIR 1963 SC 1295, the court held that the right to privacy is anthe court held that the right to privacy is an

integral part of the right to life. But with no clearintegral part of the right to life. But with no clear--cut laws, itcut laws, it

remains a grey area.remains a grey area.


6/35

If the offender is a private individual then there is no effectiveIf the offender is a private individual then there is no effective

remedy except in torts, where one can claim damages forremedy except in torts, where one can claim damages for

intruding in his privacy and no more, torts itself being grey.intruding in his privacy and no more, torts itself being grey.

The two judge bench observed that the right to privacyThe two judge bench observed that the right to privacyenshrined in the Art. 21 could be involved only against theenshrined in the Art. 21 could be involved only against the

state actions & not against private entities.state actions & not against private entities.


7/35

Art. 12 of the Universal Declaration of Human RightsArt. 12 of the Universal Declaration of Human Rights

States thatStates that,,

No one shall be subjected to arbitrary interference with hisNo one shall be subjected to arbitrary interference with hisprivacy, family, home or correspondence, nor to attack uponprivacy, family, home or correspondence, nor to attack upon

his honour and reputation. Everyone has the right to thehis honour and reputation. Everyone has the right to the

protection of the law against such interference or attacks.protection of the law against such interference or attacks.


8/35

Right to Privacy

Non- Interference Limited Accessibility InformationControl

Secrecy

Solitude Anonymity


9/35

1.1. Non InterferenceNon Interference-- It is a part & parcel of a right to be letIt is a part & parcel of a right to be letalonealone

2.2. Limited AccessibilityLimited Accessibility: limited accessibility consisting of: limited accessibility consisting ofthree elements:three elements:

a.a. SecrecySecrecy: the extent to which we are known to others: the extent to which we are known to others

b.b. SolitudeSolitude: the extent to which others have physical access to: the extent to which others have physical access tous,us,

c.c. Anonymity:Anonymity: the extent to which we are the subject of othersthe extent to which we are the subject of othersattentionattention


10/35

33.. Privacy as information ControlPrivacy as information Control

privacy is the claim of individuals, groups, or institutions toprivacy is the claim of individuals, groups, or institutions to

determine for themselves when, how, & to what extentdetermine for themselves when, how, & to what extent

information about them is communicated to othersinformation about them is communicated to others


11/35

Concept of EConcept of E--Privacy & Data Protection inPrivacy & Data Protection in

CyberspaceCyberspace

In the Internet Era, larger amounts of information is collectedIn the Internet Era, larger amounts of information is collected

and there as a greater likelihood that such information will beand there as a greater likelihood that such information will be

disclosed.disclosed.

Maintaining of databases is not as much difficult task asMaintaining of databases is not as much difficult task asmaintaining its integrity, so in this era the most concernedmaintaining its integrity, so in this era the most concerned

debate is going on to innovative a perfect method of datadebate is going on to innovative a perfect method of data

protection.protection.


12/35

In the electronic age, complete control over our privacy isIn the electronic age, complete control over our privacy is

not possible as we leave behind a trail of data, which oftennot possible as we leave behind a trail of data, which often

contains personal information, such as credit card,contains personal information, such as credit card,

insurance, banks, hospitals, schools, tax, credit history,insurance, banks, hospitals, schools, tax, credit history,

telephone etc. this can be analyzed from the followingtelephone etc. this can be analyzed from the following

illustrations:illustrations:--

1.1. On every login to the eOn every login to the e--mail account in the cyber cafes, themail account in the cyber cafes, the

electronic trail of password remained left there unsecured.electronic trail of password remained left there unsecured.


13/35

2. On every login to internet, there left behind an electronic trail2. On every login to internet, there left behind an electronic trailenabling website owners and advertising companies to getenabling website owners and advertising companies to getaccess to the preference and choices of the users by trackingaccess to the preference and choices of the users by trackingthem.them.

3. On every use of credit card for purchasing purpose, the trail of3. On every use of credit card for purchasing purpose, the trail ofbrand preference, place of shopping etc. left behind.brand preference, place of shopping etc. left behind.

4. Phone call signals of the police are easily tracked by the4. Phone call signals of the police are easily tracked by thenaxalites enabling them to know about the police plans.naxalites enabling them to know about the police plans.


14/35

Right to privacy is more of an implied obligation.Right to privacy is more of an implied obligation.

Nevertheless, the right to privacy in the advent ofNevertheless, the right to privacy in the advent of

information technology can be infringed by:information technology can be infringed by:

a.a. Utilizing private data already collected for a purpose otherUtilizing private data already collected for a purpose otherthan that for which it was collected;than that for which it was collected;

b.b. Unauthorized reading of eUnauthorized reading of e--mails of others;mails of others;

c.c. Sending of unsolicited eSending of unsolicited e--mails or spamming etc.mails or spamming etc.

Spammers collect eSpammers collect e--mail addresses from chatrooms,mail addresses from chatrooms,websites, customer lists, newsgroups, and viruses whichwebsites, customer lists, newsgroups, and viruses which

harvest users' address books, and are sold to otherharvest users' address books, and are sold to other

spammers.spammers.


15/35

Computer data containing personal information stored for aComputer data containing personal information stored for a

particular purpose, if used for some other purpose may breachparticular purpose, if used for some other purpose may breach

the private rights of individuals who may like to keep theirthe private rights of individuals who may like to keep their

personal history to themselves.personal history to themselves.

Many countries other than India have their data protectionMany countries other than India have their data protection

laws as a separate discipline. They have well framed andlaws as a separate discipline. They have well framed and

established laws, exclusively for the data protectionestablished laws, exclusively for the data protection

In India, information Technology Act, 2000, in Sec 72 dealsIn India, information Technology Act, 2000, in Sec 72 deals

with only to a very limited segment of the right to privacy.with only to a very limited segment of the right to privacy.


16/35

Privacy in Technology Driven WorldPrivacy in Technology Driven World

There are means to capture digital footprints of user, who isThere are means to capture digital footprints of user, who is

browsing internet for various reasons. It all begins withbrowsing internet for various reasons. It all begins with

capturing IP address. An Internet Protocol address (IP address)capturing IP address. An Internet Protocol address (IP address)

is a numerical label that is assigned to devices participating inis a numerical label that is assigned to devices participating in

aa computer networkcomputer networkthat uses thethat uses the Internet ProtocolInternet Protocol forfor

communication between its nodes.communication between its nodes.

Whenever a person browses, sends eWhenever a person browses, sends e--mails, chats online, hemails, chats online, he

leaves distinctive IP address behind. By searching IPleaves distinctive IP address behind. By searching IP

registration database or conducting trace out, approximateregistration database or conducting trace out, approximatephysical location of IP address can be determined.physical location of IP address can be determined.


17/35

Other surveillance technologies used are: cookies, GlobalOther surveillance technologies used are: cookies, GlobalUnique Identifies (GUID), Web Bugs, eUnique Identifies (GUID), Web Bugs, e--mail or documentmail or document

bugs, spy ware & online digital Profiling.bugs, spy ware & online digital Profiling.

1.1. CookiesCookies--

It is a block of text (digital identification tags) which theIt is a block of text (digital identification tags) which thewebsite places in a file on a computer hard disk of a personwebsite places in a file on a computer hard disk of a personto track his activity.to track his activity.

2.2. GUIDGUID--

Globally Unique Identifier (GUID) is software embedded inGlobally Unique Identifier (GUID) is software embedded in

the computers hardware. It can be read remotely from acrossthe computers hardware. It can be read remotely from acrossthe network. For example on emay find GUID embedded onthe network. For example on emay find GUID embedded onEthernet cards, used in LAN. The result would beEthernet cards, used in LAN. The result would beeavesdropping of all the computers connected through LAN.eavesdropping of all the computers connected through LAN.


18/35

3. Web Bugs3. Web Bugs--

These are being increasingly used by online advertisers toThese are being increasingly used by online advertisers to

create users database. It occurs even though the person has notcreate users database. It occurs even though the person has not

clicked on the banner ad.clicked on the banner ad.

4. SPYWARE4. SPYWARE--

Some software developers have included code with in theirSome software developers have included code with in their

applications that cause the users computer to transmitapplications that cause the users computer to transmitinformation back to the software developer Via Internet.information back to the software developer Via Internet.


19/35

Privacy & Data Protection IssuesPrivacy & Data Protection Issues in IT Agein IT Age

BPOBPO && Call CentreCall Centre --

India is preferred destination for offshore BusinessIndia is preferred destination for offshore Business

Outsourcing (Financial, Education, Legal, Banking,Outsourcing (Financial, Education, Legal, Banking,

Healthcare, Marketing, Telecommunications services).Healthcare, Marketing, Telecommunications services).

TelemarketingTelemarketing--

India is faced with a new phenomenon called telemarketingIndia is faced with a new phenomenon called telemarketing

which has invaded millions of hapless Indians thanks to thewhich has invaded millions of hapless Indians thanks to the

widespread use of mobile phones and multiplicity of mobilewidespread use of mobile phones and multiplicity of mobile

telephone service providers in India.telephone service providers in India.


20/35

The tranquility and comfort of an individuals home or theThe tranquility and comfort of an individuals home or the

peaceful conduct of businesspeaceful conduct of business in an organization is rudelyin an organization is rudely

interruptedinterrupted by telephone callsby telephone calls made by telemarketingmade by telemarketing

executives on behalf of banks, financial institutions, mobileexecutives on behalf of banks, financial institutions, mobile

phone companies etc. with offers of lowphone companies etc. with offers of low--interest loans, freeinterest loans, free

credit cards & the like. Clearly there violation of personalcredit cards & the like. Clearly there violation of personal

privacy caused by such calls.privacy caused by such calls.


21/35

BesidesBesides invading their privacyinvading their privacy, such calls also have great, such calls also have great

potential forpotential for annoyance to the recipientsannoyance to the recipients since oftentimes theysince oftentimes they

are offered what they do not ever want or what they alreadyare offered what they do not ever want or what they already

have.have.

If the recipient is out of th local area of the service provider,If the recipient is out of th local area of the service provider,

she/ he will have the additional liability of paying roamingshe/ he will have the additional liability of paying roaming

charges for such unsolicited calls.charges for such unsolicited calls.


22/35

Sun Report in U.KSun Report in U.K..In June, 2005 one Indian BPO call centre was inIn June, 2005 one Indian BPO call centre was in

the eye of the storm when one of its employeesthe eye of the storm when one of its employeessold personal data belonging to large number ofsold personal data belonging to large number ofBritish Nationals to an undercover reporter fromBritish Nationals to an undercover reporter from

the British tabloid The Sunthe British tabloid The Sun The recent judgment of the Delhi StateThe recent judgment of the Delhi State

Consumer Disputes Redressal Commission (theConsumer Disputes Redressal Commission (thecommission0, which imposed total fine of Rs.commission0, which imposed total fine of Rs.75 Lakhs on Airtel, the Cellular Operators75 Lakhs on Airtel, the Cellular Operators

Association of India , ICICI Bank & AmericanAssociation of India , ICICI Bank & AmericanExpress Bank on a complaint of consumerExpress Bank on a complaint of consumerharassment by unsolicited telemarketing calls &harassment by unsolicited telemarketing calls &text messages assumes enormous significance.text messages assumes enormous significance.


23/35

Indias constitution provides protection for citizens privacyIndias constitution provides protection for citizens privacy

rights. Also, Sec. 427 of Indian Telegraph rules, 1951, interrights. Also, Sec. 427 of Indian Telegraph rules, 1951, inter

alia provides that telephone should not be used to disturb oralia provides that telephone should not be used to disturb or

irritate any persons or to transit any massage forirritate any persons or to transit any massage for

communication which may annoy a person.communication which may annoy a person.


24/35

Guidelines of Organization for Economic CoGuidelines of Organization for Economic Co--operation &operation &

DevelopmentDevelopment

1.1. Collection Limitation PrincipleCollection Limitation Principle--

There should be limits to the collection of personal data &There should be limits to the collection of personal data &any such data should be obtained by lawful & fair meansany such data should be obtained by lawful & fair meansand, where appropriate, with the knowledge or consent ofand, where appropriate, with the knowledge or consent of

the data subject.the data subject.

2.2. Data quality principleData quality principle--

Personal data should be relevant to the purposes for whichPersonal data should be relevant to the purposes for which

they are to be used, and to the extent necessary for thosethey are to be used, and to the extent necessary for thosepurposes, should be accurate, complete and kept uppurposes, should be accurate, complete and kept up--toto--date.date.


25/35

3. Purpose specification principle3. Purpose specification principle--

The purpose for which personal data are collected should beThe purpose for which personal data are collected should be

specified not later than at the time of data collection andspecified not later than at the time of data collection and thethe

subsequent use limitedsubsequent use limited to the fulfillment of those purposes.to the fulfillment of those purposes.

4. Use limitation Principle4. Use limitation Principle--

Personal Data should not be disclosed, made available orPersonal Data should not be disclosed, made available or

otherwise used except:otherwise used except:a)a) With the consent of the data subject, orWith the consent of the data subject, or

b)b) By the authority of law.By the authority of law.


26/35

5. Security Safeguards Principle5. Security Safeguards Principle--

Personal data should be protected by reasonable securityPersonal data should be protected by reasonable security

safeguards against such risks as loss or unauthorized access,safeguards against such risks as loss or unauthorized access,

destruction, use, modification or disclosure of data.destruction, use, modification or disclosure of data.

6. Accountability Principle6. Accountability Principle--

A data controller should be accountable for complying withA data controller should be accountable for complying with

measures which give effect to the principles stated above.measures which give effect to the principles stated above.


27/35

Position in U.K.Position in U.K.

As the range of information technology has expanded so theAs the range of information technology has expanded so the

law has adjusted & developed to deal with the newlaw has adjusted & developed to deal with the new

challenges it presents.challenges it presents.

Data Protection in UK: Data Protection Act 1998Data Protection in UK: Data Protection Act 1998

The data protection Act came into force in March 2000.The data protection Act came into force in March 2000.

It does not mention privacy, but provides a way forIt does not mention privacy, but provides a way for

individuals to enforce control on information.individuals to enforce control on information.


28/35

Conti..Conti..

Definition of Data Protection:Definition of Data Protection:

11. Prevention of misuse of personal data. Prevention of misuse of personal data legal safeguards tolegal safeguards to

prevent misuse of information about individual people on aprevent misuse of information about individual people on a

medium including computers.medium including computers.

2.2. Installation of Safeguard of Personal Data:Installation of Safeguard of Personal Data:

The adoption of administrative, technical or physicalThe adoption of administrative, technical or physical

deterrents to safeguard personal data.deterrents to safeguard personal data.


29/35

Conti..Conti..

Principles of data protection in UKPrinciples of data protection in UK

Personal data shall be processes in according to rights underPersonal data shall be processes in according to rights under

this act.this act.

No transfer of personal data outside the European economicNo transfer of personal data outside the European economic

area unless that country or territory ensures an adequate levelarea unless that country or territory ensures an adequate level

of protection for the rights & freedoms of data subjects inof protection for the rights & freedoms of data subjects inrelation to the processing of personal data.relation to the processing of personal data.


30/35

ContCont

Personal DataPersonal Data

Personal Data relates to a living individual who can bePersonal Data relates to a living individual who can be

identifiedidentified

1.1. From the data & other information in the possession of , orFrom the data & other information in the possession of , orlikely to come into the possession of, data controller.likely to come into the possession of, data controller.

2.2. Physical & Mental ConditionPhysical & Mental Condition


31/35

Data protection PrinciplesData protection Principles

Personal data shallPersonal data shall

1.1. Be obtained & processed fairly & Lawfully.Be obtained & processed fairly & Lawfully.

2.2. Be held only for lawful purposes, which are describedBe held only for lawful purposes, which are describedin the register entry.in the register entry.

3.3. Be used or disclosed only for lawful or compatibleBe used or disclosed only for lawful or compatiblepurposes.purposes.

4.4. Be accurate & , where necessary, kept up to date.Be accurate & , where necessary, kept up to date.5.5. Be surrounded by proper security.Be surrounded by proper security.


32/35

Cont..Cont..

ExceptionsExceptionsSec. 28Sec. 28-- National Security Processing of Data, which do notNational Security Processing of Data, which do not

safeguard national security not allowed.safeguard national security not allowed.

Sec. 29Sec. 29-- Crime & TaxationCrime & TaxationData processed for the prevention or detection crime, theData processed for the prevention or detection crime, the

apprehension or prosecution of offenders, or the assessment orapprehension or prosecution of offenders, or the assessment or

collection of taxes are exempt from the first data protectioncollection of taxes are exempt from the first data protection

principle.principle.


33/35

Cont..Cont..

Section 36Section 36-- Domestic PurposesDomestic Purposes

Processing by an individual only for the purposes of thatProcessing by an individual only for the purposes of that

individuals personal, family or household affairs.individuals personal, family or household affairs.


34/35

DataData Protection in EuropeProtection in Europe

There are two important policies in Europe in relation to dataThere are two important policies in Europe in relation to data

protection.protection.

1.1. The Council of Europes Convention on Data Protection &The Council of Europes Convention on Data Protection &

2.2. The EU Data Directive.The EU Data Directive.

1.1. The Council of Europes Convention on Data ProtectionThe Council of Europes Convention on Data Protection

The convention recognizes the right to privacy as one of theThe convention recognizes the right to privacy as one of the

fundamental human rights.fundamental human rights.2.2. EU DirectiveEU Directive-- The EU Data protection Directive reaffirmsThe EU Data protection Directive reaffirms

the principals of council of Europe Convention.the principals of council of Europe Convention.


35/35

Privacy is the interest that individuals have in Privacy is the interest that individuals have in

sustaining a personal space,sustaining a personal space,

free from interference by other peoplefree from interference by other people

and organisationsand organisations

Documents

Concept of Privacy & Data Protection