Synopsis Data Protection Patiala


PART-I

INTRODUCTION

1.1 Preface

Modern-day social and commercial transactions necessarily require the sharing of information. All social networking, mobile applications and e-commerce platforms run on the bare minimum procedure of sharing some personal or sensitive information. The world is witnessing a phase where data transfer and sharing of information is rampant in all forms of communications and transactions. These modern-day systems of transactions and communications are not restricted to sharing general information that has no legal ramifications; with the individual’s privacy at stake, the changing contours of data transfers and transactions have many legal and related implications. Since the information being shared and transferred between the transferor and transferee may comprise very sensitive information, such as medical information, banking information, biometric information and defense-related information, the transfer or sharing of such information may carry major legal implications. The implications of such sharing in modern applications and communications are unknown for a multitude of known and unknown reasons.

1.1.1 Mobile applications

The use of “mobile applications” is the best example for discerning the implications of sharing information. The world of mobile communication is overwhelmed with new kinds of applications, hereinafter referred to as “apps”. The use of apps on mobile telephony through the internet makes life simpler in different walks of life, facilitates communication, paves the way for better and faster commerce, and assists medically, logistically etc., but the flip side of the use of apps on this medium is that it poses myriad hazards and legal issues, which are either not known or, if known, are inadequately understood and legislated worldwide. The feat of science and technology, especially the use and facets of apps, amazes one with unimaginable promise and utility, but it simultaneously recalls the myth of Frankenstein’s monster, wherein the scientist creates the monster, nurtures it, feeds it and tames it for his benefit, but in the end the monster turns monstrous and kills the scientist.

The putative uses of different apps coming to the fore pose a challenge for snail-paced law to tackle and regulate those unprecedented usages. Some recent examples of such apps include “health apps” or “medical apps”. The potential benefits of these apps are vast and expanding. They include monitoring of personal health and monitoring of personal behavior in terms of achieving goals set and stipulated by individuals. Weight loss apps, personal goal apps and health prediction apps are a few examples. These apps are advantageous at the micro as well as the macro level. At the micro level the individual remains driven by the standards he or she has set out to achieve; at the macro level the data collected through such apps is of high value for calculating and predicting health risks in a given society and setup.1 That data may be used to improve public health responses to different outbreaks and can save lives in endemic situations.

In the case of health and medical apps, the user has to manually furnish certain health records and personal information, which is supposed to be handled and stored in the app repository. Another set of medical and health apps, which have inbuilt sensors to collect the health parameters of the person, is also available and is being embedded in different computing devices. The risks in the case of the latter, app-led devices are far greater than in the former, where the user has to manually provide the data and health information. Generally the user’s information is very sensitive, so its upkeep and handling is a crucial issue. With whom lies the task of overall maintenance of the repository, keeping it secure and protecting it from the evil designs of miscreants is the most perplexing question.

1
Hall. S. Timothy, The Quantified Self Movement: Legal Challenges and Benefits of Personal Biometric Data Tracking, 7 Akron Intell. Prop. J. 27 2014-2015.

Moreover, news such as the creation of a “medical app” that can check the potency/fertility of human sperm through the camera of a mobile phone changes the entire discourse on the interface of technology and privacy of individual information.2 This creation would require the user to place the sperm in front of the specially designed camera of the smartphone, and the app, capable of instantly diagnosing sperm potency and fertility, would create the sample instantaneously to be analyzed by an online medic, who can gauge the sperm count and other related things in a mere three seconds. “The device works by recording a small amount of semen, which needs to be placed on a plastic sheet around five minutes after ejaculation: the camera is pressed up to the sample to record it, while apparently keeping the phone itself semen-free (probably for the best if you want to keep on using it to Snapchat and catch Pokémon)”.3 Smartphones are helping people in the diagnosis of medical ailments: eye problems and HIV status can also be diagnosed through smartphones enabled with smart apps.4

There is no doubt that these portable computing devices, which are called mobile phones/smartphones, are making life easy, convenient and cost effective. Smartphones along with apps are used to monitor different health parameters. Smartphones are keeping the blueprints of the user’s health data, medical data and biometric data, and keeping “individually feed/collected biometric data of the user”5 and are helpful at the micro as well as the macro level, as discussed above.

2
Tomoko Otake, App to Let Men Sperm Count at Home, The Japan Times, May 1st, 2016 (accessed 31-06-2016), http://www.japantimes.co.jp/news/2016/05/01/business/corporate-business/app-to-let-men-test-sperm-count-at-home/#.V6BgPmh97IU
3
David Nield, You Can Now Check How Healthy Your Sperm is Using Your Smartphone: The Ultimate Selfie, Science Alert (accessed 31-06-2016), http://www.sciencealert.com/new-smartphone-microscope-lets-men-check-the-health-of-their-own-sperm
4
Fiona Macdonald, This $34 Dollar Smartphone Accessory Diagnoses HIV in Fifteen Minutes, Science Alert (accessed 31-06-2016), http://www.sciencealert.com/this-34-smartphone-accessory-diagnoses-hiv-in-15-minutes-

1.1.2 Service/Commercial Applications

Apart from that, different apps pose different and unknown complications. “Taxi apps” have their own challenges, wherein the personal information of the user and his location get tracked. Physical hacking and physical crimes can be committed against a person by knowing the location of the person.

In the Indian market “service apps” have gained prominence over a period of time. A hacker or miscreant can take the information by intercepting it between the device and the database, and can commit any physical crime. “Commercial apps” or “service apps” have their own set of challenges and requirements.

1.1.3 Iris & Biometric Recognition

The sharing of very sensitive information for internet banking and mobile banking has taken a

new shape with “iris information” and biometric information like “finger print identification” as

a password for one’s account. Some banks in India and abroad have started offering these

services and some are still thinking of implementing these services through iris recognition and

biometric identification.

5
Supra note 1

1.1.4 Voice recognition

“Voice recognition” for customer identification is already in place with some of the banks in India and abroad. Indian banks have not yet started using voice as a substitute for a password, but it is being used to identify the customer at customer support centers. Banks are collecting samples from their routine customers and are keeping data on seven metrics of voice, such as inflection, tone, voice modulation etc., sometimes with the permission of the customers and sometimes without their prior knowledge.6 Data experts are of the view that voice alone cannot provide full-fledged protection; it needs to be clubbed with some other form of protection as well. The apprehension of data experts that hackers may get their hands on voice samples, and that it would then be very easy for them to fool customers, seems very cogent in the present scenario.7 Domain experts are watching it carefully and trying to understand the nuances profoundly.

1.1.5 Instances of Serious Privacy Erosion

Some of the leading mobile phone companies are already claiming this new identification process to be the safest, especially with Android devices, when the notion of weakness and susceptibility of Android is known to everyone, with an aim to add another layer of security to Android devices. Yet biometric protections on cell phones like the “Samsung6” and “iPhone 6” can be broken open, and this was done in one instance in the past month by the Michigan State University police department with the help of Dr. Anil Jain, Professor at Michigan State University, and that too for less than $500, so it is not necessarily true that adding another layer will make a device immune to any impending attempt to hack. This news has instilled fear among leading cell phone manufacturers, who are claiming biometrics as the new-age solution for privacy protection and data security.

Prior to that, in the month of March, 2016 the federal judge of the house judiciary committee Washington, DC, United States ordered Apple co. to assist the FBI technically in obtaining access to the data on the device of the accused in the December, 2015 terrorist attack in San Bernardino, California.

6
Rachel Chitra and Ranjani Ayyar, Your Voice to Become New Password for Phone Banking, The Times of India, July 28, 2016 (Accessed on 06-08-2016) http://timesofindia.indiatimes.com/tech/computing/Your-voice-to-become-
7
Id

1.1.6 Aadhar/ Unique Identification Authority of India in Indian context

The Government of India boasts of having obtained biometric information of 900-plus million people in the last six years since the head start of India’s dream project under the Unique Identification of India Authority (hereinafter “UIDAI”) in September, 2009. Effectively more than one third of India’s population has been issued a magical 12-digit identification through which they get access to their subsidy, financial assistance and other Govt.-promised benefits easily and expeditiously. This initiative is primarily premised on giving uniform identification to one and all regardless of age, caste, sex, race and religion. Even non-citizens were made beneficiaries, because possessing AADHAR does not validate citizenship. The dream that lies behind this mass project is to “REBOOT INDIA AND REALIZE A BILLION ASPIRATIONS”.

Despite being seemingly cogent and very fanciful, it has many challenges so far as the privacy and sensitive personal information of those 900-plus million people are concerned. This project faced strong resistance from data security experts, who opined that it would be a tool in the hands of the Government to easily track people and that, as a corollary, the state would become a “surveillance state” like the U.S.A., where everything came to the surface post the “Snowden Revelations”.8

1.1.7 Importance of data/ Information

One must be wondering by now how all this data debate is material and consequential, and how the entities in control and possession of data misuse it. Some may find it mere rhetoric and call it an abstract discussion with no visceral arguments vindicating it, but history has demonstrated time and again the value and utility of any data, from the advent of the internet (which is premised on the U.S. Army’s attempt to collect, share and gather information expeditiously) to new-age portable computing (which is a Pandora’s box, offering myriad services and usages), which relies heavily and functions on data transfer. In modern times data is deemed a most valuable asset of any entity, organization or country for that matter. Data collection, its processing and analysis are considered a game-changing act. If one looks at new-age mergers and acquisitions of big companies, one can patently make out the utility of data being transferred as an asset of high importance.9 We share voluminous amounts of data with the companies whose services we use regularly. Google, Facebook and Yahoo all collect our data and use it to target users through advertisement. Lately Comcast (Pioneer ISP) has asked the Federal Communications Commission to allow it to share the browsing history of users with advertisers, so that it can provide cheap and bargained services to the users.22 Other ISPs are already doing it without the authorization and permission of the customers, and perhaps this is the reason for the differential pricing of ISPs’ services at different places. We are blissfully unaware that it is happening, notwithstanding the fact that every user of Yahoo, Facebook, Google etc. experiences it in a routine manner. Don’t we get to see different advertisements appearing invariably on our Facebook account and on the Google page? Through our social networking accounts we have become products for the big companies. Almost half a decade ago the concept of free services provided by big companies like Facebook, Yahoo and Google was like a quagmire and hard to discern, but now, with the way these big companies are functioning, it has become grossly manifest that they are monetizing the voluminous data of individuals and are deeply into the business of data transfer, and that too without the prior authorization of the individuals, who have become a mere commodity in the hands of these unscrupulous entities. This is a sheer dismantling of one’s privacy without information and permission.

8
Supra Note 4
9
Len Shneyder, The Email, Data and Privacy Implications of Microsoft’s Acquisition of LinkedIn, The Crunch (accessed 31-07-2016) https://techcrunch.com/2016/07/16/the-email-data-and-privacy-implications-of-microsofts-acquisition-of-linkedin/

The problem we have as consumers is that most of us have been unwitting pawns

in a giant information game. We want the services for free, but have little concept

of the value of the information we give back in return. In fact, the European

Commission estimates that the value of personal data in the European Union will

hit more than $1 trillion by 2020. Looking at the profits of the giant Internet

companies begs the question: "Is there a case to be made that the trade is not fair

and that we are being taken advantage of because we don't know what the value

of our identity and other information really is?" It is hard to put a value on a single

person's data — but some have already started to try. The U.S. based

company, Datacoup, promises to pay users $8 a month to part with their data on

everything from credit cards to social media usage.


1.1.8 Social Deterioration

Ofcom, the media watchdog, said that huge numbers of the nation’s 50 million internet users had admitted neglecting housework, being late for work, and even bumping into people in the street, because they were “hooked” on their digital devices. Such is also the situation of citizens of other nations, where not only adults and professionals are glued to their devices, but the old and children are also going manic in this era of the internet. It has already led to multiple social problems, ranging from dissonance among spouses and derailment of youth to, above all, the issue of “information assurance” and “freedom of privacy”.

1.1.9 Questions to be posited

Have we ever thought about the probable misuse of these technologies? Have we ever pondered the issue of “information assurance”? All these apps and their applications require some information to be shared, either manually or automatically, before use, and that makes the issue really complicated. The regulations related to data sharing and information sharing differ from country to country and are differently implemented. Given this situation of inadequate legal norms, it can very well be imagined that the user’s data remains at high risk.

How the sharing takes place, what medium is used for sharing the information and how the shared information is handled, stored and processed are some of the crucial questions to be posited at the very beginning. Minimum standards on these very intricacies are very much in place in some jurisdictions of the world. Some jurisdictions have model best practices in this regard.

In light of all these worrisome technologies and their interfaces with humans, the present research would like to thoroughly interrogate one aspect of the information ocean, i.e. the issues and concerns relating to outsourcing of data. The inter-country outsourcing of data is on the rise, and nations are in a continuous flux of sharing the personal information of their citizens, either by Govt. or by private entities, for business purposes.

1.1.10 Game of Big Data

Global data flows today are no longer the result of a file transfer initiated by an individual’s action for point-to-point transfer, as they were over 30 years ago.26 As soon as a transaction is initiated on the Internet, multiple data flows take place simultaneously, via phenomena such as web 2.0, online social networking, search engines, cloud computing27 and Big Data.10 This has led to the ubiquity of data transfers over the Internet and the enhanced economic importance of data processing, with direct involvement of individuals in trans-border data flows. While this is exposing individuals to more privacy risks, it is also challenging businesses, which are collecting data directly entered by users, or through their actions without their knowledge (e.g. web surfing, e-banking or e-commerce), and correlating the same through more advanced analytic tools to generate economic value out of data.

10
Ira S. Rubinstein, Big Data: The End of Privacy or a New Beginning?, 3 International Data Privacy Law Journal, Oxford University Press, 74, 2012

Data Security Law in India

Before delving into the issues of the data security milieu in India, it is important to see its evolution in India.

In the late 80’s General Electric was the first company in India to start the inter-country outsourcing of business processes and information technology. In September 1989, it was the meeting of Mr. Jack Welch, Chairman and CEO at the time, with the Chief Technical Advisor to then Prime Minister Rajiv Gandhi that convinced Mr. Welch of the possibilities for GE in India.11 GE collaborated and formed a joint venture with Wipro Ltd. within a year to develop and market medical equipment in India. GE then began processing of credit card applications, call centers, and other business-specific consumer activities and used India as a base for data entry.

Till 1991 India’s foreign opportunities were very scarce; it was only after the year 1991 that India opened its borders to foreign investors. The Indian economy saw a great surge in foreign investment during the tenure of Dr. Manmohan Singh, Finance Minister at that point in time (who later became India’s Prime Minister), when he started opening up and introducing competition into the Indian telecom industry to bring down prices. Satellite downlink stations were installed and set up to attract more foreign investment under the leadership of Dr. Manmohan Singh, when he relaxed certain stringent rules which were obstructing foreign investors from investing in the Indian market. Satellite downlink stations were established in Bangalore under the newly relaxed rules instituted by Dr. Singh, which made it much easier for foreign companies to avoid the erratic Indian phone network and connect with their home bases and other distant locations. Earlier, where a company had its own satellite downlink, an Indian government official was required to oversee it and had the right to examine all data going in or out of the country. “Since then many foreign companies like Citigroup, Microsoft, Delta Airlines, IBM, Accenture, and countless other multinational companies have developed outsourcing relationships with leading Indian outsourcing companies, such as Infosys Technologies, Wipro, MphasiS, and Tata Consulting”.

11
See Barbara Crutchfield George & Deborah Roach Gaut, Offshore Outsourcing to India by U.S. and E.U. Companies, 6 U.C. DAVIS BUS. L.J. 13 (2006), (Available at http://blj.ucdavis.edu.article.asp?id=604) accessed on 27th March, 2014

Due to excessive outsourcing practices, personal information about the customers of various companies can today be accessed easily. This comprises information with potential for misuse, such as credit card numbers, social security numbers like ZIP codes etc., driver’s license details, dates of birth, medical records and other important personal information. The work culture of Indian BPO employees engages them in several tasks that expose them to customers’ sensitive private data in transactions. “Transcription of medical records, preparation of tax returns, processing of credit card applications and bills, handling of mortgage applications, reviewing of insurance claims, analysis of patients’ X-rays, and help-desk services” and many more activities involving the handling of sensitive and personal information of customers are some of the work handled and processed by Indian employees. The companies would be remiss to ignore that

“…these kinds of business process applications create thorny issues about personal data protection for the customers…As offshore vendors deal more often with customers and specific customer data, the potential for abuse rises.”12

Another crucial piece of information to be emphasized at this stage of the writing is that India has the youngest population in the world, with almost 70% of its population below the age of 35 and 50 percent under the age of 25, which provides an almost unlimited number of potential skilled workers. Approximately 800,000 Indian workers are estimated to be involved in all areas of the outsourcing industry. Furthermore, BPO services are provided by 400 reputed Indian businesses with a special workforce of 400,000 workers. Cities like Mumbai, Hyderabad and Bangalore are the best known for outsourcing in India.

12
Ibid

1.2 Itinerary of current Data Security regime evolution in India.

There is no data security legislation in India as of now. There are several statutes in force in India which cover data protection directly and indirectly. Primarily India relies on the Constitution of India, the Information Technology Act, 2000, the Credit Information Companies (Regulations) Act, 2005 (CICRA 2005), and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (Information Technology Rules 2011). Out of these various statutes, the one which directly deals with data protection is the Information Technology Act, 2000. When the IT Act, 2000 was passed, the concept of data protection was not envisaged.


to be suffered by the wrongdoer from one crore to five crore, i.e. the damages that one can suffer under these instances can be well above one crore. There is also a provision under the IT Act making a person criminally liable in cases of divulgence of information received under lawful contracts from data exporters. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 are also, to an extent, very illuminating.

Apart from the Information Technology Act, 2000,49 the Constitution of India indirectly mandates protection of data. There lies an innate tussle between the right to privacy on the one side and the right to information and right to know on the other. Law relating to data protection should preferably strive to settle these conflicting interests. The attempt must be to conserve or protect data in such a manner that the right of privacy of the individual and organization is not compromised. Meaning thereby, the right to information under article 19(1)(a) and the right to know under article 21 should be upheld.

The Constitution of India envisages some inviolable rights, and the law relating to data protection must be in compliance with those rights.

Right to privacy under article 21: The law of privacy provides an inviolable right to do things in private; it is a right which has many manifestations. To what extent you want to share your information, your whereabouts, your desires and your own self is the supreme right provided under article 21 of the Constitution of India. The individual has the choice under the above-said article to keep his/her information out of the purview of the public. But this right of privacy is sometimes seen as a limitation on the right of information, and that actually leads to the whole tussle between privacy on the one hand and information on the other.

The first right, that of privacy, often gets infringed when an individual’s personal information and data are used without his/her prior permission for identifying consumer behavior, for knowing a nation’s preferences, likes and dislikes etc. “In recent times, however, this right has acquired a constitutional status.51 India is a signatory to the International Covenant on Civil and Political Rights, 1966. Article 17 thereof provides for the ‘right of privacy’. Article 12 of the Universal Declaration of Human Rights, 1948 is almost in similar terms. Article 17 of the International Covenant does not go contrary to any part of our municipal law. Article 21 of the Constitution has, therefore, to be interpreted in conformity with the international law”.13

13
PUCL Vs UOI [(1997) 1 SCC 301]

STATEMENT OF PROBLEM

The advancement in information technology has resulted in the rapid growth of inter-country business outsourcing industries, which involve personal data whose misuse or abuse invades the right to privacy and intellectual property rights of individuals or of an organization as a whole, meaning thereby that the moral, legal and constitutional obligation of the state not to deprive any citizen of their privacy and property has been eclipsed by a blurred legislative regime of data protection. Moreover, when it comes to outsourcing by a foreign country to an Indian vendor, there lies a huge uncertainty as to the point of protection in the absence of an adequate regimen for data (foreign and national) protection in India, which in turn restrains foreign countries from outsourcing to India.

1.3 HYPOTHESIS

The existing provisions of the data protection regime, i.e. The Information Technology Act, 2008, The Indian Contract Act, 1872, The Indian Penal Code, 1860, the Indian Copyright Act, 1957 and the self-regulations developed by organizations for the protection and upkeep of data, seem to be insufficient and inadequate to answer the problems related to data protection vis-à-vis the demands of the outsourcing industry.

1.4 OBJECTIVE

To study the laws related to data protection in India, the United States of America and the United Kingdom, to study the approach of international organizations, and to make a comparative analysis of the different regulatory initiatives existing in the above-mentioned nations.

1.5 RESEARCH METHODOLOGY

For the purpose of my study I have referred to primary resources like Government reports, the Report of the European Union and OECD, and also the Guidelines of the EU Commission. I have also

made use of secondary resources like material from library and internet sources. The research

method

SCHEME OF THE STUDY

The current proposed study has been divided into seven major parts.

PART-I: INTRODUCTION

PART – II: LEGAL POSITION IN INDIA

PART – III: LEGAL POSITION IN UNITED STATES OF AMERICA

PART – IV: LEGAL POSITION IN UNITED KINGDOM

PART – V: LEGAL POSITION IN EUROPEAN UNION

PART – VI: INTER COUNTRY OUTSOURCING IN INDIA: AN ANALYSIS

PART – VII: CONCLUSION

1.5.1 PART- 1: Introduction

The first part shall cover the challenges and the entire scenario in relation to data protection in India and abroad. The introductory part shall outline the research methodology opted for by the researcher and also outline the scheme of the study.

1.5.2 Part – II: Legal Position in India


fraud. It further studies the new amendment made to the IT Act, 2008, the Personal Data Protection Bill, 2006, the Data Protection Bill, 2011 and The Privacy (Protection) Bill, 2013 framed by “The Centre for Internet and Society”. In the end this part will analyze the report of the “Group of Experts on Privacy” constituted by the Planning Commission of India under the chairmanship of Justice A.P. Shah, former Chief Justice, Delhi High Court.

1.5.3 PART – III: Legal Position in United States of America

The third Part would go on to explain the legal scenario present in the United States of America, studying the specific laws prevailing there to address the issues related to data security and individual privacy. It will also explain the most prominent mechanism of data protection in the USA, i.e. the Safe Harbor Program, in dealing with trans-border data flows.

1.5.4 PART – IV: Legal Position in United Kingdom

The fourth Part will contain the details of the law in existence in the United Kingdom. It starts with a brief background of the data protection regime there and then moves on to analyze the Data Protection legislation being implemented vis-à-vis the trans-border transfer of data.

1.5.5 Part – V: Legal Position in European Union

The fifth Part would study the position adopted by the European Union regarding the problems faced in the EU countries. This part would deal expansively with the data protection principles adopted and incorporated by the majority of EU nations in their domestic laws. It would specifically deal with the EU Directives of 1995.

1.5.6 Part – VI: Inter Country outsourcing in India: An Analysis


Finally, the Sixth Part will be dealing with the outsourcing industry and position of India. It

would also seek to give an understanding of the implications of the ITAA 2008 on the

outsourcing business. This part would contain a comparative table of all the legal positions

studied in the earlier parts of this paper.

1.5.7 PART- VII: Conclusion

In the end, the paper will be summed up along with certain suggestions regarding the matter of

data protection laws in the outsourcing industry and checking of my hypothesis in the

conclusion.
