InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity Feb 2010
Cyber Law

Understanding Data Protections Laws of India

The IT Act, 2000 and its Amendment Act, 2008 have been enforced to address data protection in the country. However, many of us are unaware of their importance and regard them as complex. This article helps readers understand the perspective of Indian law on data protection.

The Internet holds a huge amount of data for different kinds of people with different requirements. It has proved to be a boon inasmuch as it is being used for the purpose of growth and development. The growing use of the Internet can be witnessed in e-Commerce. The problem that arises in e-Commerce is that the Internet is in itself global. To prevent the misuse of data and information, data protection laws become very important.

At the outset, it is necessary to discuss Data Protection briefly. Data Protection relates to the collection, storage, accuracy and use of data provided by net users in the use of the World Wide Web. Visitors to any website want their privacy rights to be respected when they engage in e-Commerce. It is part of the confidence-creating role that successful e-Commerce businesses have to convey to the consumer. If industry does not make sure it is guarding the privacy of the data it collects, the responsibility falls to the government, which is then obliged to enact legislation.

Any transaction between two or more parties involves an exchange of essential information between the parties. Technological developments have enabled transactions by electronic means. Any such information or data collected by the parties should be used only for the specific purposes for which it was collected. The need arose to create rights for those who have their data stored and to create responsibilities for those who collect, store and process such data. The law relating to the creation of such rights and responsibilities may be referred to as ‘data protection’ law.

Importance of Data Protection Laws

The past few years have witnessed a sharp change in direction in the effort to promulgate data protection laws in India. Business and Governmental leaders well understand the impact that such laws may have on the unique Indian economy, a major goal of which is to increase the already impressive influx of out-sourcing work. Nevertheless, those leaders have recently concluded that enacting a comprehensive scheme of data protection may not—at least in the immediate future—be the best plan of action.

In India, till recently there was no specific provision to address the issue of Data Protection. However, the IT Amendment Act 2008 has set the ball rolling in addressing this issue.

Data Protection under Indian Law

Our constitution provides the law relating to privacy under the scope of Article 21. Its interpretation has been found insufficient to provide adequate protection to data. In the year 2000, our legislature made an effort to bring privacy issues relating to computer systems under the purview of the IT Act, 2000. This Act contains certain provisions which provide protection of stored data. In the year 2006, our legislature also introduced a bill known as ‘The Personal Data Protection Bill’ to provide protection to the personal information of a person.

To understand the Indian perspective toward data protection, it is necessary to understand the various sections under The IT Act, 2000 and the 2008 Amendment and other laws.

Under IT Act, 2000

Section 43: This section provides protection against unauthorized access to a computer system by imposing a heavy penalty of up to one crore. The unauthorized downloading, extraction and copying of data are also covered under the same penalty. Clause ‘c’ of this section imposes a penalty for the unauthorized introduction of computer viruses or contaminants. Clause ‘g’ provides penalties for assisting unauthorized access.

Section 65: This section provides for computer source code. Anyone who knowingly or intentionally conceals, destroys or alters it, or causes another to do so, shall have to suffer a penalty of imprisonment or fine up to 2 lakh rupees. Thus protection has been provided against tampering with computer source documents.

Section 66: Protection against hacking has been provided under this section. As per this section, hacking is defined as any act done with an intention to cause wrongful loss or damage to any person, or with the knowledge that wrongful loss or damage will be caused to any person, in which information residing in a computer resource is destroyed, deleted or altered, or its value and utility are diminished. This section imposes a penalty of imprisonment of three years or a fine up to two lakh rupees or both on the hacker.

Section 70: This section provides protection to the data stored in a protected system. Protected systems are those computers, computer systems or computer networks which the appropriate government, by issuing gazette information in the official gazette, has declared to be protected systems. Any access or attempt to secure access to such a system in contravention of the provisions of this section will make the person accessing it liable for punishment of imprisonment which may extend to ten years, and that person shall also be liable to a fine.

Section 72: This section provides protection against breach of confidentiality and privacy of data. As per this section, any person who, having been conferred powers under the IT Act and allied rules to secure access to any electronic record, book, register, correspondence, information, document or other material, discloses it to any other person shall be punished with imprisonment which may extend to two years or with a fine which may extend to one lakh rupees or both.

The IT Act, 2000 and the 2008 Amendment

The Government had in the year 2006 introduced a separate Bill called the Personal Protection Act to specifically address the issue of data protection. However, the Act has not seen the light of day. But now, the issue of data protection has been addressed in the IT Amendment Act, 2008 through Sections 43A and 72A.

Section 43A reads as follows:

Compensation for failure to protect data
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.

Explanation: For the purposes of this section

(i) body corporate means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities

(ii) reasonable security practices and procedures means security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

(iii) sensitive personal data or information means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

Breach of Confidentiality and Privacy

The IT Act 2000, under Section 72, protects private information that is obtained by agencies by virtue of powers conferred under the Act and enforces a criminal liability with imprisonment for 2 years and fine of Rs 1 lakh or both. This applied as well to the Certifying Authorities, who obtained information from subscribers.

Section 72A, which has been newly added, addresses the issue of data vandalism occurring in breach of contractual agreements. Section 72A reads as follows:

Punishment for Disclosure of information in breach of lawful contract

Save as otherwise provided in this Act or any other law for the time being in force,

(i) any person including an intermediary who;

(ii) while providing services under the terms of lawful contract;

(iii) has secured access to any material containing personal information about another person;

(iv) with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain;

(v) discloses;

(vi) without the consent of the person concerned, or in breach of a lawful contract;

(vii) such material to any other person; and

(viii) shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.

Other Laws pertaining to DP

In addition to the IT Act, 2000 and the 2008 Amendment, there are other laws pertaining to Data Protection. Let us understand them in brief.

Law of contract

These days, companies are relying on contract law as a useful means to protect their information. Corporate houses enter into several agreements with other companies, clients, agencies or partners to keep their information secured to the extent they want to secure it. They enter into agreements such as ‘non circumvention and non-disclosure’ agreements, ‘user license’ agreements, ‘referral partner’ agreements etc., which contain confidentiality and privacy clauses and also arbitration clauses for the purpose of resolving a dispute if one arises. These agreements help them in the smooth running of business. Business Process Outsourcing (BPO) companies have implemented processes like the BS 7799 and ISO 17799 standards of information security management, which restrict the quantity of data that can be made available to employees of BPOs and call centers.

Indian Penal code (IPC)

It imposes punishment for the wrongs which were expected to occur till the last decade. But it failed to incorporate within itself the punishment for crimes related to data which has become the order of the day.

The Personal Data Protection Bill, 2006

Following in the footsteps of foreign laws, this bill was introduced in the Rajya Sabha on December 8th 2006. The purpose of this bill is to provide protection of the personal data and information of an individual collected for a particular purpose by one organization, to prevent its usage by other organizations for commercial or other purposes, and to entitle the individual to claim compensation or damages for disclosure of his personal data or information without his consent, and for matters connected with the Act or incidental to the Act. The provisions contained in this Act relate to the nature of data to be obtained for the specific purpose and the quantum of data to be obtained for that purpose. Data controllers have been proposed to be appointed to look into matters relating to violation of the proposed Act.

Conclusion

Comparing the Indian law with the law of developed countries, the proper requirements for the Indian law can be analyzed. Not all data are of the same utility and importance; they vary from one another on the basis of utility. So we need to frame separate categories of data having different utility values, as the U.S. has. Moreover, the provisions of the IT Act deal basically with extraction of data, destruction of data, etc. Companies cannot get full protection of data through the Act, which ultimately forces them to enter into separate private contracts to keep their data secured. These contracts have the same enforceability as a general contract.

Despite the efforts being made to have a data protection law as a separate discipline, our legislature has left some lacunae in framing the bill of 2006. The bill has been drafted wholly on the structure of the UK Data Protection Act, whereas today’s requirement is for a comprehensive Act. Thus it can be suggested that a compiled draft on the basis of US laws relating to data protection would be more favourable to today’s requirement.

Data protection being one of the most discussed topics of concern in the modern era, legislatures are required to frame more stringent and comprehensive law for the protection of data, which requires a qualitative effort rather than a quantitative one.

By: R. Manoj. The author is an Assistant Editor at Fanatic Media, Bangalore. He is also an Independent Researcher, specialising in Computer System Security. He has an active interest in designing security algorithms for securing mission critical systems. He can be reached at infosecurity@fanaticmedia.com

