
EMERGENCE OF DATA PROTECTION: OECD PRINCIPLES - DATA PROTECTION POSITION IN INDIA, EU AND US

PROJECT SUBMISSION TO FULFIL ACADEMIC REQUIREMENTS OF LAW & IT, IXTH SEMESTER, B. A. LL. B (H).

SUBMITTED BY: SYED UMAIR AHMED ANDRABI.

SUBMITTED TO: MADAM GARIMA GOSWAMI


Table of Contents
Acknowledgement
Data Protection: An overview
  Legality
The Organisation for Economic Co-operation and Development
BASIC PRINCIPLES OF NATIONAL APPLICATION
  Collection Limitation Principle
  Data Quality Principle
  Purpose Specification Principle
  Use Limitation Principle
  Security Safeguards Principle
  Openness Principle
  Individual Participation Principle
  Accountability Principle
BASIC PRINCIPLES OF INTERNATIONAL APPLICATION: FREE FLOW AND LEGITIMATE RESTRICTIONS
NATIONAL IMPLEMENTATION
INTERNATIONAL CO-OPERATION
Data privacy: India
  Indian Jurisprudence on Right to Privacy
  Current Issues Surrounding Data Privacy
  The IT Act, 2000
Data Protection in EU & USA
  What Is the GDPR?
CONCLUSION
BIBLIOGRAPHY
Acknowledgement
Now that the project stands complete, I intend to place on record my gratitude towards
all without whom completing the project would have been nothing but out of the question.
In the first place, I thank our teacher concerned, Madam Garima Goswami, as she time
and again helped me, guided me through, and answered all the queries that I encountered
while my work relating to the project was afoot.
Secondly, I thank the library staff who liaised with us in searching for material relating to
the project.
Thirdly and finally, I thank the Almighty for the monumental tacit support, which
boosted my morale and helped me stay confident all through my work upon the project,
placed forth by hand.
Data Protection: An overview
Data protection is the relationship between the collection and dissemination of data,
technology, the public expectation of privacy, and the legal and political issues surrounding
them.[1] It is also known as data privacy.

The challenge of data privacy is to use data while protecting an individual's privacy
preferences and their personally identifiable information. The fields of computer
security, data security, and information security design and use software, hardware, and
human resources to address this issue.

Legality
The legal protection of the right to privacy in general, and of data privacy in particular,
varies greatly around the world.[2]
Laws and regulations related to privacy and data protection are constantly changing, so it is
important to keep abreast of any changes in the law and to continually reassess compliance
with data privacy and security regulations.[3] Within academia, Institutional Review
Boards function to assure that adequate measures are taken to ensure both the privacy and
confidentiality of human subjects in research.
Privacy concerns exist wherever personally identifiable information or other sensitive
information is collected, stored, used, and finally destroyed or deleted, in digital form or
otherwise. Improper or non-existent disclosure control can be the root cause of privacy issues.
Data privacy issues may arise in response to information from a wide range of sources, such
as:[4]
- Healthcare records
- Criminal justice investigations and proceedings
- Financial institutions and transactions
- Biological traits, such as genetic material
- Residence and geographic records
- Privacy breaches
- Location-based services and geolocation
- Web surfing behaviour or user preferences tracked using persistent cookies
- Academic research

[1] Michael, M. G. and Michael, Katina. Uberveillance and the Social Implications of Microchip Implants: Emerging Technologies. Hershey, PA. ISBN 978-1466645820. OCLC 843857020.
[2] Rakower, Lauren (2011). "Blurred Line: Zooming in on Google Street View and the Global Right to Privacy". brooklynworks.brooklaw.edu. Archived from the original on 11-11-2019.
[3] Robert Hasty, Dr Trevor W. Nagel and Mariam Subjally, Data Protection Law in the USA (Advocates for International Development, August 2013). Archived copy (PDF), archived from the original on 09-11-2019, retrieved 11-11-2019.
[4] Mittal, Prashant. Programme Management: Managing Multiple Projects Successfully. Global India Pubns, 2009. ISBN 978-9380228204. OCLC 464584332.

The Organisation for Economic Co-operation and Development

The Organisation for Economic Co-operation and Development (OECD) is an intergovernmental
economic organisation with 36 member countries,[5] founded in 1961 to stimulate economic
progress and world trade. It is a forum of countries describing themselves as committed
to democracy and the market economy, providing a platform to compare policy experiences,
seek answers to common problems, identify good practices and coordinate domestic and
international policies of its members. Most OECD members are high-income economies with
a very high Human Development Index (HDI) and are regarded as developed countries. As of
2017, the OECD member countries collectively comprised 62.2% of global nominal
GDP (US$49.6 trillion)[6] and 42.8% of global GDP (Int$54.2 trillion) at purchasing power
parity. The OECD is an official United Nations observer.
In 1948, the OECD originated as the Organisation for European Economic Co-operation
(OEEC), led by Robert Marjolin of France, to help administer the Marshall Plan (which was
rejected by the Soviet Union and its satellite states).[7] This would be achieved by allocating
United States financial aid and implementing economic programmes for the reconstruction of
Europe after World War II. (Similar reconstruction aid was sent to the war-torn Republic of
China and post-war Korea, but not under the name "Marshall Plan".)
In 1961, the OEEC was reformed into the Organisation for Economic Co-operation and
Development by the Convention on the Organisation for Economic Co-operation and
Development, and membership was extended to non-European states. The OECD's
headquarters are at the Château de la Muette in Paris, France. The OECD is funded by
contributions from member countries at varying rates and had a total budget of €374 million
in 2017.

[5] "List of OECD Member countries – Ratification of the Convention on the OECD". OECD. Retrieved 11 November 2019.
[6] "World Economic Outlook Database". International Monetary Fund. 11 November 2019.
[7] "Soviet Union rejects Marshall Plan assistance: This Day in History — 7/2/1947". History.com. Retrieved 11 November 2019.

BASIC PRINCIPLES OF NATIONAL APPLICATION

The principles in this part and the next are those of the OECD Guidelines on the Protection of
Privacy and Transborder Flows of Personal Data as adopted in 1980 (the Guidelines were revised
in 2013); the Guidelines themselves refer to these two parts as Parts Two and Three.

Collection Limitation Principle
There should be limits to the collection of personal data and any such data should be obtained
by lawful and fair means and, where appropriate, with the knowledge or consent of the data
subject.

Data Quality Principle
Personal data should be relevant to the purposes for which they are to be used, and, to the
extent necessary for those purposes, should be accurate, complete and kept up-to-date.

Purpose Specification Principle
The purposes for which personal data are collected should be specified not later than at the
time of data collection and the subsequent use limited to the fulfilment of those purposes or
such others as are not incompatible with those purposes and as are specified on each occasion
of change of purpose.

Use Limitation Principle
Personal data should not be disclosed, made available or otherwise used for purposes other
than those specified in accordance with the Purpose Specification Principle except:
a) with the consent of the data subject; or
b) by the authority of law.

Security Safeguards Principle
Personal data should be protected by reasonable security safeguards against such risks as loss
or unauthorised access, destruction, use, modification or disclosure of data.

Openness Principle
There should be a general policy of openness about developments, practices and policies with
respect to personal data. Means should be readily available of establishing the existence and
nature of personal data, and the main purposes of their use, as well as the identity and usual
residence of the data controller.

Individual Participation Principle
An individual should have the right:
a) to obtain from a data controller, or otherwise, confirmation of whether or not the data
controller has data relating to him;
b) to have communicated to him, data relating to him
   within a reasonable time;
   at a charge, if any, that is not excessive;
   in a reasonable manner; and
   in a form that is readily intelligible to him;
c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to
be able to challenge such denial; and
d) to challenge data relating to him and, if the challenge is successful, to have the data
erased, rectified, completed or amended.

Accountability Principle
A data controller should be accountable for complying with measures which give effect to the
principles stated above.
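The principles above are stated as obligations on a data controller. The following is an added example, not part of the original project nor of the OECD Guidelines, showing how a controller could turn Purpose Specification, Use Limitation (with its two exceptions), Data Quality, Individual Participation and Accountability into checks that are actually enforced in code rather than left to policy. The store class, the purposes ("treatment", "billing", "marketing"), the controller identity and the sample record are all hypothetical and constructed for the example.

```python
# Added example (not the project's own material): a purpose-bound personal-data
# store that enforces the OECD principles. All names and data are hypothetical.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone


class UseLimitationError(PermissionError):
    """Raised when data is requested for a purpose that was neither specified
    at collection, consented to later, nor authorised by law."""


@dataclass
class Record:
    subject_id: str
    fields: dict
    purposes: set                                     # Purpose Specification: fixed at collection
    consents: set = field(default_factory=set)        # Use Limitation exception (a): consent
    legal_bases: dict = field(default_factory=dict)   # exception (b): purpose -> legal authority
    updated_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


class PersonalDataStore:
    """Controller-side store: every release of data is gated on a purpose and logged."""

    def __init__(self, controller_identity: str):
        self.controller = controller_identity   # Openness: identity of the controller
        self._records: dict[str, Record] = {}
        self.audit_log: list[dict] = []         # Accountability: every decision is recorded

    def _log(self, event: str, subject_id: str, **details) -> None:
        self.audit_log.append({"event": event, "subject": subject_id, **details})

    # Collection Limitation + Purpose Specification
    def collect(self, subject_id: str, fields: dict, purposes: set, subject_informed: bool) -> None:
        if not purposes:
            raise ValueError("purpose must be specified no later than collection")
        if not subject_informed:
            raise UseLimitationError("collection requires the subject's knowledge or consent")
        self._records[subject_id] = Record(subject_id, dict(fields), set(purposes))
        self._log("collect", subject_id, purposes=sorted(purposes))

    # Use Limitation: the only path through which data leaves the store
    def use(self, subject_id: str, purpose: str, requester: str) -> dict:
        rec = self._records[subject_id]
        allowed = purpose in rec.purposes or purpose in rec.consents or purpose in rec.legal_bases
        self._log("use" if allowed else "use_denied", subject_id, purpose=purpose, requester=requester)
        if not allowed:
            raise UseLimitationError(f"{purpose!r} is not a specified, consented or lawful purpose")
        return dict(rec.fields)

    def consent_to(self, subject_id: str, purpose: str) -> None:
        self._records[subject_id].consents.add(purpose)
        self._log("consent", subject_id, purpose=purpose)

    def authorise_by_law(self, subject_id: str, purpose: str, authority: str) -> None:
        self._records[subject_id].legal_bases[purpose] = authority
        self._log("legal_basis", subject_id, purpose=purpose, authority=authority)

    # Individual Participation (a)-(d)
    def confirm(self, subject_id: str) -> bool:                       # (a) confirmation
        self._log("confirm", subject_id)
        return subject_id in self._records

    def access(self, subject_id: str) -> dict:                        # (b) intelligible copy
        rec = self._records[subject_id]
        self._log("access", subject_id)
        return {"controller": self.controller, "data": dict(rec.fields),
                "purposes": sorted(rec.purposes | rec.consents | set(rec.legal_bases))}

    def rectify(self, subject_id: str, key: str, value) -> None:      # (d) + Data Quality
        rec = self._records[subject_id]
        rec.fields[key] = value
        rec.updated_at = datetime.now(timezone.utc)
        self._log("rectify", subject_id, changed=key)

    def erase(self, subject_id: str) -> None:                         # (d) erasure
        del self._records[subject_id]
        self._log("erase", subject_id)


def demo() -> dict:
    """Walk through the principles with constructed sample data (hypothetical)."""
    store = PersonalDataStore("Example Clinic Ltd, 1 Hypothetical Street")
    store.collect("s-1", {"name": "A. Subject", "email": "a@example.invalid"},
                  purposes={"treatment", "billing"}, subject_informed=True)
    result = {"billing_ok": bool(store.use("s-1", "billing", requester="finance-app"))}
    try:                                        # marketing was never specified: refused
        store.use("s-1", "marketing", requester="crm")
        result["marketing_denied"] = False
    except UseLimitationError:
        result["marketing_denied"] = True
    store.consent_to("s-1", "marketing")        # exception (a): consent of the data subject
    result["marketing_after_consent"] = bool(store.use("s-1", "marketing", requester="crm"))
    store.rectify("s-1", "email", "new@example.invalid")
    result["access"] = store.access("s-1")
    store.erase("s-1")
    result["exists_after_erase"] = store.confirm("s-1")
    result["denials_logged"] = sum(e["event"] == "use_denied" for e in store.audit_log)
    return result


if __name__ == "__main__":
    print(demo())
```

Every release of data passes through use(), which is the single point where the purpose is checked, so a request for an unspecified purpose is both refused and logged; that audit trail is what lets a controller demonstrate compliance under the Accountability Principle rather than merely assert it. The Security Safeguards Principle (encryption of the records, access control on the store itself) is deliberately outside what this example shows.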

BASIC PRINCIPLES OF INTERNATIONAL APPLICATION: FREE FLOW AND LEGITIMATE RESTRICTIONS

Member countries should take into consideration the implications for other Member countries
of domestic processing and re-export of personal data.

Member countries should take all reasonable and appropriate steps to ensure that trans-border
flows of personal data, including transit through a Member country, are uninterrupted and
secure.

A Member country should refrain from restricting trans-border flows of personal data between
itself and another Member country except where the latter does not yet substantially observe
these Guidelines or where the re-export of such data would circumvent its domestic privacy
legislation. A Member country may also impose restrictions in respect of certain categories of
personal data for which its domestic privacy legislation includes specific regulations in view
of the nature of those data and for which the other Member country provides no equivalent
protection.
Member countries should avoid developing laws, policies and practices in the name of the
protection of privacy and individual liberties, which would create obstacles to transborder
flows of personal data that would exceed requirements for such protection.

NATIONAL IMPLEMENTATION

In implementing domestically the principles set forth in Parts Two and Three, Member
countries should establish legal, administrative or other procedures or institutions for the
protection of privacy and individual liberties in respect of personal data. Member countries
should in particular endeavour to:
a) adopt appropriate domestic legislation;
b) encourage and support self-regulation, whether in the form of codes of conduct or
otherwise;
c) provide for reasonable means for individuals to exercise their rights;
d) provide for adequate sanctions and remedies in case of failures to comply with
measures which implement the principles set forth in Parts Two and Three; and
e) ensure that there is no unfair discrimination against data subjects.

INTERNATIONAL CO-OPERATION
Member countries should, where requested, make known to other Member countries details
of the observance of the principles set forth in these Guidelines. Member countries should also
ensure that procedures for transborder flows of personal data and for the protection of privacy
and individual liberties are simple and compatible with those of other Member countries which
comply with these Guidelines.
Member countries should establish procedures to facilitate:
- information exchange related to these Guidelines, and
- mutual assistance in the procedural and investigative matters involved.
Member countries should work towards the development of principles, domestic and
international, to govern the applicable law in the case of transborder flows of personal data.
Data privacy: India

Indian Jurisprudence on Right to Privacy

i. Article 21 of the Constitution of India provides that "No person shall be deprived
of his life or personal liberty except according to procedure established by law". However, the
Constitution of India does not specifically recognise a 'right to privacy' as a fundamental right.
ii. Whether the 'right to privacy' is a fundamental right was first considered by the Hon'ble
Supreme Court in the case of M. P. Sharma and Ors. v Satish Chandra, District Magistrate,
Delhi and Ors.,[8] wherein the warrant issued for search and seizure under Sections 94 and 96
(1) of the Code of Criminal Procedure was challenged. The Hon'ble Supreme Court held
that the power of search and seizure was not in contravention of any constitutional provision.
Further, the Hon'ble Supreme Court refrained from giving recognition to the right to privacy as a
fundamental right guaranteed by the Constitution of India, observing as under:

"17. A power of search and seizure is in any system of jurisprudence an overriding power of
the State for the protection of social security and that power is necessarily regulated by law.
When the constitution makers have thought fit not to subject such regulation to constitutional
limitations by recognition of a fundamental right to privacy, analogous to the Fourth
Amendment, we have no justification to import it, into a totally different fundamental right,
by some process of strained construction. Nor is it legitimate to assume that the constitutional
protection under Article 20(3) would be defeated by the statutory provisions for searches."

Current Issues Surrounding Data Privacy

In its 2017 judgment in K. S. Puttaswamy v Union of India, which recognised the right to
privacy as a fundamental right, the Hon'ble Supreme Court laid down a threefold requirement
for the State's interference with that right. While the State may intervene to protect legitimate
state interests,
(a) there must be a law in existence to justify an encroachment on privacy, which is an express
requirement of Article 21 of the Constitution,
(b) the nature and content of the law which imposes the restriction must fall within the zone
of reasonableness mandated by Article 14, and
(c) the means which are adopted by the legislature must be proportional to the object and
needs sought to be fulfilled by the law.[9] Therefore, going forward, any law which seeks to
encroach upon the right of privacy of an individual will need to meet the test of
proportionality and reasonableness. It will take a few years before jurisprudence around what
constitutes reasonable and proportionate State interference settles, even temporarily. The
validity of the Aadhaar scheme will now be tested on the basis of this judgment.
It is often argued that India should adopt a 'rights-based' data protection model as opposed to
today's 'consent-based' model. Under the consent-based model, the data controller is free to
use, process and share the data with any third parties once the consent of the user is obtained.
However, not many users are aware of the actual consequences of indiscreet data sharing at the
time of providing consent. The 'rights-based' model, on the other hand, gives users
greater rights over their data while requiring the data controller to ensure that those rights
are not breached. This leads to greater autonomy of users over their personal data.
The decision of the Hon'ble Supreme Court empowers the citizens of India to seek judicial
relief in case of breach of their data privacy rights. This could have an impact on the privacy and
protection policies implemented by tech companies in India. Users can not only raise tort-based
claims but can also invoke their fundamental right to privacy.

[8] AIR 1954 SC 300.

The IT Act, 2000

The Government has provided a legal framework for data protection and privacy through the
IT Act and the IT Rules in the following manner. The IT Act, after its amendment in 2008, is
now equipped with multiple provisions catering to data protection, mandatory privacy
policies, and penalties to be imposed on breach of such privacy policies. Below are the
relevant provisions of the IT Act:
i. Section 43 (a), (b) and (i) - This section provides that any person who, without the
permission of the owner or of any other person who is in charge of a computer, computer
system or computer network,
a) accesses or secures access to such computer, computer system or computer network;
b) downloads, copies or extracts any data, computer database or information from such
computer, computer system or computer network, including information or data held or
stored in any removable storage medium; or
i) steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter,
any computer source code used for a computer resource with an intention to cause damage,
shall be liable to pay damages by way of compensation to the person so affected. As originally
enacted in 2000 the compensation was capped at INR 1,00,00,000 (Rupees One Crore); the
2008 amendment removed that cap from the section.

ii. Section 43A - This section is the bedrock of data protection and provides that where a body
corporate possessing, dealing or handling any sensitive personal data or information in a
computer resource which it owns, controls or operates is negligent in implementing and
maintaining reasonable security practices and procedures and thereby causes wrongful loss or
wrongful gain to any person, such body corporate shall be liable to pay damages by way of
compensation to the person so affected. The section itself sets no monetary ceiling; the figure
of INR 5,00,00,000 (Rupees Five Crore) often quoted in this context is the limit on claims that
the adjudicating officer may decide under Section 46, larger claims going to the civil court.

iii. Section 66C - This section deals with identity theft and provides that whoever,
fraudulently or dishonestly, makes use of the electronic signature, password or any other
unique identification feature of any other person shall be punished with imprisonment for a
term which may extend to three years and shall also be liable to a fine of up to INR
1,00,000 (Rupees One Lakh).

iv. Section 66E - This section provides that whoever, intentionally or knowingly, captures,
publishes or transmits the image of a private area of any person without his or her consent,
under circumstances violating the privacy of that person, shall be punished with imprisonment
which may extend to three years, or with a fine not exceeding INR 2,00,000 (Rupees
Two Lakh), or with both.

v. Section 72 - This section provides that any person who, in pursuance of any of the powers
conferred under the IT Act or the rules and regulations made under it, has secured access to any
electronic record, book, register, correspondence, information, document or other material and,
without the consent of the person concerned, discloses such material to any other person shall be
punished with imprisonment for a term which may extend to two years, or with a fine which
may extend to INR 1,00,000 (Rupees One Lakh), or with both.

vi. Section 72A - This section provides that any person, including an intermediary, who,
while providing services under the terms of a lawful contract, has secured access to any
material containing personal information about another person and, with the intent to cause or
knowing that he is likely to cause wrongful loss or wrongful gain, discloses such material to
any other person without the consent of the person concerned, or in breach of a lawful contract,
shall be punished with imprisonment for a term which may extend to three years,
or with a fine which may extend to INR 5,00,000 (Rupees Five Lakh), or with both.

[9] Mohd. Arif v Registrar, Supreme Court of India, (2014) 9 SCC 714.

Data Protection in EU & USA

U.S. and European Union (EU) policymakers are focusing on the protection of personal data
with new and proposed legislation and enforcement actions. Data breaches at companies such
as Facebook, Google, and Marriott have contributed to heightened public awareness. The EU's
General Data Protection Regulation (GDPR), which took effect on May 25, 2018, has drawn
the attention of U.S. businesses and other stakeholders, prompting debate on U.S. federal and
state data privacy and protection policies. Both the United States and the EU (28 members at
the time of writing) assert that they are committed to upholding individual privacy rights and
ensuring the protection of personal data, including electronic data. However, data privacy and
protection issues have long been sticking points in U.S.-EU economic and security relations,
in part because of differences in U.S. and EU legal regimes and approaches to data privacy.
The GDPR highlights some of those differences and poses challenges for U.S. companies
doing business in the EU. The United States does not broadly restrict cross-border data flows
and has traditionally regulated privacy at a sectoral level to cover certain types of data. The EU
considers the privacy of communications and the protection of personal data to be fundamental
rights, which are codified in EU law. Europe's history with fascist and totalitarian regimes
informs the EU's views on data protection and contributes to the demand for strict data privacy
controls. The EU regards current U.S. data protection safeguards as inadequate; this has
complicated the conclusion of U.S.-EU information-sharing agreements and raised concerns
about U.S.-EU data flows. The transatlantic economy is the largest in the world, with goods and
services trade of $1.2 trillion in 2018. U.S.-EU trade in information and communications
technology (ICT) services and potentially ICT-enabled services was over $307 billion in 2017.

What Is the GDPR?

The GDPR establishes a set of rules for the protection of personal data throughout the EU. It
seeks to strengthen individual fundamental rights and facilitate business by ensuring more
consistent implementation of data protection rules EU-wide. The EU hopes the GDPR will
further develop the EU Digital Single Market (DSM), aimed at increasing harmonisation
across the bloc on digital policies. The GDPR identifies what is a legitimate basis for data
processing and sets out common rules for data retention, storage limitation, and record
keeping. The GDPR applies to (1) all businesses and organisations with an EU establishment
that process (perform operations on) personal data of individuals (or "data subjects") in the
EU, regardless of where the actual processing of the data takes place; and (2) entities outside
the EU that offer goods or services (for payment or for free) to individuals in the EU or monitor
the behaviour of individuals in the EU. Processing of special categories of personal data (such
as health, genetic or biometric data) is prohibited unless one of the listed exceptions applies.
Stronger and new data protection requirements in the GDPR grant individuals the right to:
- Receive clear and understandable information about who is processing one's personal data
and why;
- Give affirmative consent where consent is the legal basis relied on for the processing;
- Access any personal data collected;
- Rectify inaccurate personal data;
- Erase one's personal data, cease further dissemination of the data, and potentially have third
parties halt processing of the data (the "right to be forgotten");
- Restrict or object to certain processing of one's data;
- Be notified without "undue delay" of a data breach if it is likely to result in a high risk to the
data subject; and
- Require the transmission of one's data to another controller (data portability).

The potential high penalties for noncompliance have attracted significant attention, since a
company or organisation can be fined up to 4% of its annual global turnover or €20 million
(whichever is greater). Fines are assessed by the national supervisory authority (a Data
Protection Authority, or DPA) in each member state and are subject to appeal in national courts.
The GDPR also requires some companies to appoint a data protection officer.
Many U.S. firms have made changes to comply with the GDPR, such as revising and
clarifying user terms of agreement and asking for explicit consent. While it creates more
requirements on companies that collect or process data, some experts contend that the GDPR
may simplify compliance for U.S. firms because the same set of data protection rules apply
across the EU. Also, companies established in the EU that engage in cross-border data
processing primarily only have to liaise with the supervisory authority of the EU country
where the firm is based (the “lead” authority), possibly decreasing administrative costs.
However, a firm is still subject to oversight and enforcement by the supervisory authority of
every country where it does business.

U.S. firms have voiced several concerns about the GDPR, including the need to construct a
compliance bureaucracy and possible high costs for adhering to the GDPR’s requirements.
While large firms have the resources to hire consultants and lawyers, it may be harder and
costlier for small and mid-sized enterprises (SMEs) to comply, possibly deterring them from
entering the EU market and creating a de facto trade barrier. Some U.S. businesses, including
several newspaper websites and digital advertising firms, opted to exit the EU market rather
than confront the complexities of GDPR. Some industry surveys show that GDPR’s
restrictions on the use and sharing of data may be limiting the development of new
technologies and deterring potential mergers and acquisitions. Although the GDPR is directly
applicable in EU member states, implementing legislation is required to enact certain parts of
the GDPR (e.g., appointment of a supervisory authority; ability to levy penalties). Critics note
that the GDPR permits diverging national legislation in specified areas (e.g., employment
data) and contend that this could lead to uneven implementation or enforcement. They also
note the potential for localisation trade barriers in areas where divergence is allowed. The EU
reports that the GDPR has increased European citizens' awareness of their rights. Since it took
effect, European DPAs have received almost 145,000 GDPR complaints and have initiated a
range of enforcement actions, including issuing fines. In January 2019, France's DPA (the
CNIL) imposed a €50 million fine on Google for a "lack of transparency, inadequate
information and lack of valid consent regarding the ads personalization". In July 2019, the
United Kingdom's DPA (the ICO) announced its intention to impose the largest penalty to date,
a £183 million fine (about $230 million), on British Airways for a 2018 data breach that affected
around half a million customers, including users' names, addresses, logins, payment card and
travel booking details. (The penalty finally imposed, in October 2020, was reduced to £20
million.)
CONCLUSION
If we compare the present stage of data protection laws in India with those of the countries of
Europe and the USA, we find that those countries are far ahead of India in this respect. They
have specific and comprehensive laws relating to data protection and privacy.
Another point to be noted is that different types of data should be divided into different
categories according to the utility and importance of the data. So we are required to frame
a scheme based on the categorical division of data, as in the USA; even in the UK, although
there is no such categorical division, some types of data are defined as sensitive data, with
stricter rules for their disclosure. The provisions of the IT Act deal basically with the
destruction or extraction of data; there is a great lack of comprehensive guidelines in this
regard, and companies are required to rely on their private contracts, a process which is in
itself complex and lengthy. There are no special provisions related to the privacy of an
individual; only Section 72 deals with the violation of privacy, and that is confined to those
persons on whom powers are conferred by the Act.
There is, however, a proposed Data Protection Bill, 2013, which deals with the collection, use
and disclosure of personal data. Some of its provisions are taken from the European Data
Protection Directive. No category-wise division of data was made in that bill; in this regard we
have to take inspiration from US laws.
So a comprehensive data protection law is the need of the hour in India, although following
the foreign law of either the UK or the USA in its totality would not be a good option. We have
to divide different types of data into different categories and then provide different degrees of
protection to each type, but that should be contained in one Act, not in scattered pieces of
legislation. We are also required to prepare practical guidelines on what types of personal data
may be provided to others in specific circumstances and what may not, so that there are no
complexities such as those in the UK. If we enact a comprehensive data protection law, it
would reduce the instances of data theft, and more foreign companies and firms would be
interested in growing their business in India; it would work like a boon to the Information
Technology sector in India.
BIBLIOGRAPHY
1. http://www.vaishlaw.com/article/information_technology_laws/data_protection_laws_in_india.pdf?articleid=100324
2. http://uk.practicallaw.com/1-505-9607
3. http://www.majmudarindia.com/pdf/Data%20Protection%20in%20India.pdf
4. http://www.gala-marketlaw.com/77-gala-gazette/gala-gazette/261-india-data-protection-and-the-it-act-india
5. http://ptlb.in/clpic/wp-content/uploads/2014/01/Data-Protection-Laws-In-India-And-Privacy-Rights-In-India.pdf
6. http://ec.europa.eu/justice/policies/privacy/docs/studies/final_report_india_en.pdf
7. http://www.ehcca.com/presentations/privacysymposium1/steinhoff_2b_h1.pdf
8. http://legalknowledgeportal.com/2013/06/24/data-privacy-and-protection-law-in-india-understanding-the-regime/
9. http://nopr.niscair.res.in/bitstream/123456789/3561/1/JIPR%2011(2)%20125-131.pdf
10. http://www.legalserviceindia.com/article/l368-Data-Protection-Law-In-India.html
11. http://www.lawteacher.net/business-law/essays/data-protection-laws-in-india-business-law-essay.php
