Thursday, May 18, 2006

Data Transfers, Data Privacy and Corporate Compliance

For decades, businesses have collected consumer data without much complaint. Every time a consumer completes a warranty card, the information on that card heads for a large corporate database, which subsequently drives dinner-time telephone solicitations. But the Internet makes it exponentially simpler to amass large quantities of extremely detailed personal information. To many, this ease, efficiency, volume and vigour of electronic data collection is an uncomfortable marriage of George Orwell and Adam Smith.

The basic structure
Privacy Law structured in its present context with Data Protection legislation on the lines of the EU Model is the norm for any business in the Internet Economy. Compliance with Privacy Law is of great practical relevance for any company doing business in today’s global information economy. It is important that organisations understand Privacy in Online Business and in the context of information management.

Data transfer takes place routinely in the course of everyday business transaction. A brief examination of the EU Directive and related principles such as the European Privacy Commissioner’s Model Contract clauses, the US Safe Harbor Principles, the European Convention on Human Rights and the UN Universal Declaration of Human Rights provide us with the possible content for a Code of Conduct.

It is important for companies/organisations to remember that it might be conceivable to profit for separate codes for the processing of employing data. Further a company might want separate rules for the processing of sensitive data (say medical data).

India has no data protection or privacy laws. Privacy has been in most cases interpreted as the right to be let alone as enshrined in Article 21 of the Constitution. However, except for the tort of unlawful invasion of privacy, there is no recourse against private parties.

Data Transfers and the IT Enabled Services Sector:
Both individuals and companies should be concerned about how the legal rules regarding the holding of information might apply to them. There are three perspectives from which the issue can be seen. The first is from the point of view of the individual person about whom data is held, the second is from the point of view of the commercial organisation holding the data and the third relates to the impact on the first two processes of the widespread development of computer use and of the internet.

These days it would be difficult to envisage a commercial venture, whether new or existing, which did not use computers for its everyday activities. This inevitably involves the storage of data either about its own employees, its existing clients and customers, about potential targets or about third parties. The definition of “personal data” under present European data protection legislation (as envisaged by the EC Data Protection Directive 1995) is wide enough for it to cover practically any information held about a human individual. This is because the simplest information such as a name associated with a terrestrial address will constitute personal data for the purposes of the legislation.

Holding such personal data requires the organisation in question to obtain registration with the data protection registrar (the Information Commissioner) and to provide specific details of the purposes for which the data is held. This obligation is supported by criminal sanctions if registration has not been obtained or if, following registration, the data which is held is not held and used in accordance with the eight principles laid down under the legislation.

All personal data which is held must comply with these eight principles. They are:-
Personal data shall be processed fairly and lawfully.
It must be obtained only for one or more specific and lawful purposes, and shall not be further processed in any manner incompatible with that purpose.
The data held must be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
It must be accurate, and where necessary, kept up to date.
It must not be kept for longer than is necessary for the purposes for which it was obtained.
It must be processed in accordance with the rights of data subjects under the Act.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Personal data shall not be transferred outside the European economic area unless the recipient provides an adequate level of protection (equivalent to the data protection principles within the European Union).

It will be obvious from reviewing the above set of eight principles that there is considerable overlap between the principles as well as quite a degree of opportunity for individual interpretation of the terms.

Special rules allow data to be processed if this is necessary in connection with legal proceedings. The application of this principle is relatively clear as regards the rights and duties of law enforcement agencies but not necessarily quite so clear when the issue arises regarding, for example, the use by an insurer of sensitive personal data about its insured. The point here is that if an insurer holds and uses data about an insured which might have a bearing on the level of risk to be accepted in a contract of insurance then the potential conflict of information between the use of that data needs to be identified, recognised and used in accordance with the obligation to use fairly.

Regretfully, the legislation does not provide any guidance to what is meant by the word “lawful” in the context of data processing. Decided case law suggests that the natural meaning of “unlawful” is “something which is contrary to some law or enactment or is done without lawful justification or excuse”. An essential prerequisite for the processing of personal data is that the data subject has given consent to the processing. That consent must be informed and unequivocal. It is also an important entitlement of the data subject that if information is held about them then they are entitled to ask to see exactly what is held and, where appropriate, they can insist on incorrect information being amended. A nominal fee can be charged for providing the information but it is important to recognise that if a request to supply data is not adequately fulfilled then the data holder may be the subject of a criminal prosecution under the legislation.

One of the fundamental consequences of the development of the Internet is that national boundaries are far easier to be crossed, often without those who are using the Internet being aware that this is happening. It is not unusual for Internet trading sites to carry personal data about customers. There is, therefore, the risk that the personal data might, albeit innocently and inadvertently, move outside the confines of the European Union. This is potentially a major problem for data users because, under the Data Protection Act, no personal data can be exported anywhere outside the European Union unless it is sent to a jurisdiction with equivalent legislative protection for data or unless it is subject to express confidentiality provisions. This is that data ‘exported’ to call centres, BPO operations, in India is governed by a contract structured in terms relating to European law, with jurisdiction and governing law in Europe.

Unfortunately, any business user of data must care about the operation of the legislation because there are quite a number of issues which need to be taken very carefully into consideration to ensure that the use of personal data is in accordance with the principles of the relevant legislation and is also consistent with the terms of the registration which all users must obtain.

Rodney D. Ryder is a lawyer specialising in trade and technology laws.

No comments: