Balancing the breach: data privacy laws in the wake of the NSA revelations.

Author: Giles, Courtney
Position: National Security Agency
  I. Introduction
  II. Background
    A. History of Privacy on the Internet
    B. The Proposed Regulations: India and Brazil
  III. A Closer Look into the Proposed Data Privacy Laws
    A. Strengths and Weaknesses of the Proposed Laws
    B. Effects of the Proposed Laws
  IV. A Practical Solution to the Inconsistency
  V. Conclusion

  I. Introduction

    [I]f you want to keep a secret, you must also hide it from yourself.

    --George Orwell (1)

    In the famous novel Nineteen Eighty-Four, George Orwell painted a picture of a society that was constantly watched by Big Brother. Since the advent of computer databases, many different critics (2) and judges (3) have utilized the Big Brother metaphor to warn against the privacy concerns these computer databases pose. (4) In June 2013, the world found that this once fictional metaphor was in fact reality. Edward Snowden, a former National Security Agency ("NSA") contractor, leaked confidential documents and information. The information revealed that the United States had developed a top-secret program, called PRISM. (5) The PRISM program allowed the NSA to collect a variety of digital information from Internet and phone companies through a secret data-mining program to monitor worldwide Internet data, including information on foreign allies operating outside the United States. (6) The PRISM program was enacted for the sake of national security, but at the expense of individuals' and other countries' privacy.

    How did other countries react to this unconsented international surveillance? (7) Many countries expressed concern over the substance of Snowden's revelations. (8) The leaked documents indicated that India was the fifth most tracked country by the NSA. (9) The NSA also targeted Brazil, and the Brazilian president's communications were intercepted. (10)

    Even though both India and Brazil were targets of U.S. surveillance, the countries had differing initial reactions to the news. For example, Brazil expressed concern that the NSA had been secretly collecting data across the country without its government's knowledge. Brazil's president, Dilma Rousseff, emphasized the importance of the right to privacy, stating that "[t]he right to safety of citizens of one country can never be guaranteed by violating fundamental human rights of citizens of another country." (11) President Rousseff emphasized the need for respect among nations in upholding international relations. (12) But, "[i]n the absence of the respect for sovereignty, there is no basis for the relationship among Nations." (13) President Rousseff further emphasized the importance of making new privacy laws when she stated, the "[t]ime is ripe to create the conditions to prevent cyberspace from being used as a weapon of war, through espionage, sabotage, and attacks against systems and infrastructure of other countries." (14) The problem of protecting the interception and communication of online data affects the entire international community, not just the relationship among countries. (15) Finally, President Rousseff confirmed that Brazil has planned to establish its own secure, encrypted email service to "prevent possible espionage." (16)

    In contrast, India reacted quite differently to the NSA leaks. India's Union Minister for External Affairs, Salman Khurshid, defended the United States' actions by noting, "[i]t is only computer analysis of patterns of calls and emails that are being sent ... not actually snooping." (17)

    Now, Brazil and India are collaborating to find a solution to the issue of data protection on the Internet. Khurshid reinforced that the mass surveillance by the NSA is an "area of concern for all democracies" and announced that India is collaborating with Brazil and other countries "in efforts to find platforms for global governance of the cyber space." (18)

    This conundrum reveals three main objectives digital privacy seeks to reconcile: (1) the government's responsibility to ensure the security of its country; (2) the individual's right to privacy; and (3) the business's interest in providing services to its clients. (19) This Comment will focus on the tension between an individual's privacy and a business's objectives in dealing with laws enacted by different governments. Part II will discuss the history of privacy laws in India and Brazil. It will then outline regulations that have been proposed in each country since the NSA revelations. Part III.A will compare the proposed regulations and the shortfalls of each regulation, including the inconsistency among data privacy laws. Part III.B will examine the possible effects of the laws on individuals and businesses. Part IV will propose a solution to the disjoined Internet privacy laws, arguing that co-regulation is the best option for cohesive Internet privacy laws on an international scale. Finally, the Conclusion will reinforce the need for unified data privacy protection to better ensure the objectives of different countries are met. This can be accomplished through already-established alliances among countries such as India and Brazil.

  II. Background

    Our world is more connected than ever with the expansion of technology and the Internet. New technologies have decreased the cost and increased the speed of information storage and transfers, resulting in widespread information collection and exchange. (20) Businesses are taking advantage of these technologies to increase productivity, improve efficiency, and enhance competitiveness. (21) The low cost of data transfer has allowed businesses to locate operations and develop relationships throughout the world. (22) As a result, enormous amounts of data flow from country to country on a daily basis. (23) However, many privacy laws that govern the flow of this data are local or national. (24) Therefore, data is flowing across borders with varying degrees of legal protection. (25)

    Despite this inconsistency in legal protection, countries continue to develop their own privacy laws without collaborating with other countries in the process. Part II.A will first discuss the specific evolution of privacy laws in India and Brazil. Then, Part II.B will walk through the relevant sections of the current proposed data privacy laws in both India and Brazil.

    A. History of Privacy on the Internet

      Privacy has been a major concern since computers transformed business processes and allowed people to share information in seconds. (26) The protection of this information is often referred to as "informational privacy." (27) It is a type of privacy that gives individuals a right to control their personal information. (28) Many countries have enacted omnibus laws that govern the collection, use, and dissemination of this personal data, and often have an oversight committee to ensure compliance with these laws. (29) However, today, international data privacy laws remain largely inconsistent and present challenges for businesses that operate on a global scale. (30)

      1. India's Path to Data Privacy Protection

        The Constitution of India ("Constitution") gives the government power to enact legislation. (31) Any laws enacted that pertain to data protection or privacy must conform to the fundamental rights laid out in the Constitution. (32) There is no fundamental right to privacy laid out in the Constitution, but Article 21 recognizes the right to life and personal liberty. (33) The Supreme Court of India has held the right to privacy is included in the right to personal liberty set out in Article 21. (34) Although the highest court in India has acknowledged a constitutional right to privacy, it has not adequately enforced this constitutional right guaranteed to its citizens. (35)

        Prompted by economic concerns, India finally gave protection for data privacy in 2000. (36) The large outsourcing industry in India brought vast amounts of data from foreign countries into India. (37) Outsourcing occurs when one company retains another to perform a non-core business process. (38) India is a favored destination for outsourcing, allowing business to operate more efficiently. (39) However, a critical concern for businesses that outsource is data privacy. (40) Companies export extensive amounts of sensitive personal information about their customers, leading to increased privacy risks in outsourcing. (41) In India, these risks were heightened because the country lacked legislative and regulatory protection of data privacy. (42) To appease foreign businesses' reluctance to outsource to India, Parliament passed the Information Technology Act of 2000 ("IT Act"). (43) The IT Act aimed to protect privacy in the business setting. (44) The legislation required businesses to use reasonable security practices for protecting sensitive data. (45)

        However, for the most part, the IT Act did not actively ensure data was handled and stored safely, (46) and it did not specifically provide for protection of sensitive personal information. (47) As a result, foreign clients had to protect their data through data protection clauses in outsourcing contracts to ensure some sort of data security. (48) Many businesses were forced to self-regulate and voluntarily adopt stringent security measures to reduce the risks of misuse of personal data. (49) To attract foreign business and clients into India, stronger data protection laws were needed. (50)

        In 2008, Parliament passed an amendment to the IT Act. (51) The amendment added offenses such as cyber-terrorism and made more cyber-crimes punishable. (52) Section 43A makes every company responsible for implementing and maintaining "reasonable security practices" over sensitive personal data. (53) The transfer of any sensitive personal data out of India to another country is only allowed if that country maintains privacy laws that ensure the same level of data protection as India, or if the transfer is necessary to perform the function for which it was collected. (54) If the company is negligent in implementing and maintaining these...
