I was reading through an
article this morning about India's Information Technology Act 2000 which is likely to be amended to take account of data protection concerns. What is unclear at this stage is what these amendments will consist of and when they are likely to take effect. However, addressing data protection concerns in India have long been overdue, particularly with the recent Channel 4
documentary highlighting the security failures in a number of commercial call centres which allow detailed financial data on individuals to be gathered and sold on with ease.
Art. 25 of the Data Protection Directive 95/46/EC clearly provides that personal data is not transferred to countries outside the EEA without satisfying an adequate level of protection.
Art. 25
1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.
These provisions have been implemented in the UK Data Protection Act, Schedule 1, 8th data protection principle:
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
It remains to be seen whether India's laws will be sufficiently vigorous to deal with data protection breaches, but at least, it is a move towards the right direction.