Data Protection Laws in India

In today’s world, as everything is becoming connected through the internet, every time data is provided to a service provider or a firm there is a great danger of misuse of that data. Today, in India there is no specific law on the subject of data protection or on the violation of the privacy of an individual. Although some sections of the Information Technology Act deal with computer-related offences and violation of privacy, those provisions are in no way sufficient to deal with the present situation. Even the proposed Data Protection Bill, 2006 has many lacunae. The Bill contains no provision for the categorical division of data, although different types of data require different types of protection, as in the case of the US. We have to provide practical guidelines on what type of data can be revealed to all persons, what type only to some specific persons, and what type only to the data subject. In this regard changes are also required in the Copyright Act, 1957. We need a comprehensive law dealing with the different aspects of data protection, such as the right to privacy and intellectual property rights. Ultimately, the authors want to convey that if there were a comprehensive code dealing with data protection, the incidents of data theft or unauthorised access would reduce, and it would attract more and more foreign firms/entities to our country, which would be a boon to our country’s IT industry.

Introduction

We are living in the age of computer technology. With the advancement of computer-related technology, cyber crimes are the order of the day. This crime knows no boundaries or limits. Recently the Government of the United States accused Chinese hackers of stealing its data, and that too from the highly secured network of the Pentagon. Now, one can easily imagine: if the Pentagon is not safe, then who else can be?

As we all know, India has emerged as an IT hub of the world, and it is extremely important for us to have a proper law dealing with data protection. But data protection in India currently faces many problems and resentments due to the absence of a proper legislative framework. [2] India, being the largest host of outsourced data, can be an easy target for cyber criminals, mainly due to the lack of a proper law. The Data Security Council of India [3] (DSCI) and the Department of Information Technology (DIT) must also rejuvenate their efforts in this regard on similar lines.

Now, as you may remember, some one and a half years ago the website of the Ministry of Health, Government of India was hacked and all the links were redirected to some porn sites. The PMO’s cyber security was also compromised for several months. We can imagine the consequences if some important data had been stolen. To protect against all this we need not only a strong cyber law but also an effective cyber force to enforce it.

Why We Need a Data Protection Law

With the advancement of the IT and BPO sectors, Indian companies handle and have access to almost all kinds of sensitive details of individuals across the world, including credit card details, financial information and even medical history. These data are stored in electronic media and are vulnerable in the hands of their employees. There have been many instances where such data have been stolen. These recent trends in the Indian IT sector have raised concerns about data privacy.

Now, dealing with the law, there is no express legislation in India dealing with data protection. Although a bill was introduced in Parliament in 2006, it is yet to see the light of day. That bill seems to follow the framework of the European Union Data Privacy Directive 1996. It is important to note that the applicability of that bill is limited to “Personal Data”.

The bill provides for both government as well as private enterprises engaged in data collection. It also provides for the appointment of “Data Controllers”, who have general superintendence and adjudicatory jurisdiction over subjects covered by the bill. It also says that penal sanctions may be imposed on offenders in addition to compensation for damages to victims. The bill is clearly a step in the right direction. However, due to the paucity of information, the bill is still pending.

To cover cyber crimes in India we do have the Indian Information Technology Act, commonly referred to as the IT Act, which covers IT-related law in India and delineates the scope of access that a party may have to data stored on a computer, computer system or computer network; but the provisions of the IT Act do not address the need for a stringent data protection law being in place.

This Act was amended in 2008 to meet the growing challenges of cyber crime. However, these amendments are still insufficient to deal with the present scenario. The amendment added two important provisions that have a strong bearing on data protection law: sections 43A and 72A. But the provisions pertaining to data security and confidentiality remain grossly inadequate.

In recent years, incidents of data theft in BPOs [4] have raised concern over data safety in Indian companies. In this case the confidential data of some British nationals was stolen. This gave rise to a debate over the safety of the data of foreign nationals held by Indian companies.

Now the question is: being a major superpower in the IT sector, can India afford to deal with an issue as important as this in the manner in which it has been dealt with in the amendments to the IT Act?

Data Processing Laws and Privacy

Data protection is required at every stage, whether it is collection, use or disclosure. The privacy of an individual should not be infringed. There should be special provisions in this regard, especially in democratic countries such as ours, because it is not a simple right: it is related to the fundamental rights, to the right to life.

It is already known that no data protection law exists in India. However, four relevant components do exist, namely:

(a) The Constitution of India: “Privacy” is not a subject matter of any of the three lists in Schedule VII of the Constitution of India. Therefore it will come under entry 97 of List I (Union List), which states: “any other matter not enumerated in List II (State List) and List III (Concurrent List) …….” Thus only Parliament is competent to legislate on privacy, since it can be interpreted as any other matter not enumerated in List II and List III.

Till date there is no specific enactment on privacy. But the Constitution of India has embodied certain rights in Part III [5], which are commonly known as Fundamental Rights. These are enumerated in Articles 14-30 of the Constitution; they cannot be taken away by the Union/State and are legally enforceable against the Union/State.

(b) Judgments of the Hon’ble Supreme Court of India: The Supreme Court of India, through its various judgments, has made the Right to Privacy a fundamental right under Article 21 of the Constitution of India.

Judicial activism has greatly influenced the Right to Privacy within the realm of Fundamental Rights. Article 141 of the Constitution states that “the law declared by the Supreme Court shall be binding on all courts within the territory of India.” Therefore, the decisions of the Supreme Court of India become the law of the land.

Again, the Supreme Court of India has come to the help of the common citizen by declaring the right to privacy a fundamental right under Article 21, which states that “no person shall be deprived of his life or personal liberty except according to procedures established by law”.

This Right to Privacy was upheld in various Supreme Court judgments, a few of which are Kharak Singh v State of UP [6], Gobind v State of M.P. [7], R. Rajagopal v State of Tamil Nadu [8] and State v Charulata Joshi [9].

(c) The Indian Contract Act, 1872: Nowadays most companies rely upon contract law as an important tool to protect their data. Almost all corporate houses enter into contractual agreements with their clients, companies etc. to protect their data to the maximum possible extent. Many contractual agreements such as ‘non-circumvention and non-disclosure’ agreements, ‘user licence’ agreements, ‘referral partner’ agreements etc. are entered into by them; these specifically contain confidentiality and privacy clauses and also arbitration clauses for the purpose of resolving any dispute that arises. These agreements help them in the smooth running of business. BPO companies have implemented processes like the BS 7799 and ISO 17799 standards of information security management, which restrict the quantity of data that can be made available to employees of BPOs and call centres.

(d) The Information Technology Act, 2000: The IT Act has some provisions that relate to data protection, although there is no separate chapter or comprehensive set of sections on the aspect of privacy.

Under section 43 of the IT Act, an individual can claim compensation of up to 10 million in the following cases:

Unauthorised access to a computer, computer system, computer network, data, computer databases.

Unauthorised downloading, copying or extraction of any data, computer database or information.

Introduction of computer contaminant.

Damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programs residing in such computer, computer system or computer network.

disrupts or causes disruption of any computer, computer system or computer network;

denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;

provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;

charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;

steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage (inserted vide ITAA 2008).

Now, by the Amendment of 2008, even criminal punishment is provided for the violation of any provision of section 43, that is, a punishment of 3 years.

Section 72 is the only section which deals with the aspect of privacy, and provides for punishment of 2 years or a fine of one lakh rupees or both; but the main lacuna is that it is confined only to the persons on whom power is conferred under this Act.

Data Processing Laws and Property Rights

Article 300A provides that no person shall be deprived of his right to property except by the authority of law. But the main thing is that it can only be claimed against the State or an entity of the State, so to avail of this provision one has to prove that the entity is one of government (a private person cannot be counted as such an entity; it applies only if the violation is done by some company or bank, and that too if government-owned). Under the Copyright Act of 1957, intellectual property rights are protected in literary, dramatic, musical, artistic and cinematographic works. A computer database is also included in the term “literary work”. Therefore the copying of or interference with a computer database will be a violation of copyright, for which both civil and criminal penalties are provided. There is, however, one difficulty: how to differentiate between data protection and database protection, since the privacy of an individual is generally related to data protection, whereas database protection relates to the creativity and investment put into the compilation, verification and presentation of databases.

The Indian Penal Code can also be used to prevent the theft of data. There are some offences in the Indian Penal Code, such as misappropriation of property, theft or criminal breach of trust, and these sections can be used to attract imprisonment or a fine. In the IPC, the offences of theft and misappropriation can only be committed in respect of movable property, which includes corporeal property of every description except land and things which are permanently attached to the land. Data is also a type of movable property, so it can be covered even under criminal law, and under the Copyright Act databases can be protected as they count as intellectual property.

Further, even under the common law, the right to privacy of individuals was recognised, if the information “has the necessary quality of confidence” or was imparted in circumstances that imported an obligation of confidence. Thus a conversation with a lawyer or a doctor will be considered to have this quality of confidence, but a general conversation with a friend will not. A duty of confidentiality may also arise where, as a result of a contract, one party agrees to keep confidential information provided by the other party. The court can prevent the disclosure of confidential information by issuing an injunction, or, if the disclosure has already been made, damages can be awarded by the court. Most tier I BPO companies hold certificates of compliance with the Safe Harbour Act, the Gramm Leach Bliley Act 1999 [10] and the Fair Debt Collection Practices Act for banking activities, and the Healthcare Insurance Portability and Accountability Act for health-related services.

Data Protection Laws in Other Countries

Many countries other than India treat their data protection laws as a separate discipline. They have well-framed and established laws exclusively for data protection.

U.K. Law

The U.K. Parliament framed its Data Protection Act (DPA) in the year 1984, which was thereafter repealed by the DPA of 1998. This Act is basically instituted for the purpose of providing protection and privacy for the personal data of individuals in the UK. It covers different types of details about any living person, such as birthday, anniversary dates, addresses, telephone numbers, fax numbers, e-mail addresses etc. It applies only to data which is held, or intended to be held, on systems operating automatically in response to instructions given for that purpose, or held in a relevant filing system.

Under this Act there are some special categories of personal data which are defined as sensitive personal data. Section 2 [11] says that data will be counted as sensitive personal data if it relates to:

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the [1992 c. 52.] Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Further, under the Act, in the schedule there are certain detailed principles which must be complied with, such as: data should only be used for lawful purposes; it should be kept only until the fulfilment of the purpose; data should be kept up to date; and the purpose for which the data is obtained should be specified in a notice given to the data subject by the data controller.

As per the Act, the persons and organisations which store personal data must register with the Information Commissioner, who has been appointed as the government official to oversee the Act. The Act puts restrictions on the collection of data. Personal data can be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or purposes. The personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

U.S. Law

The European Union as well as the USA both have comprehensive laws on the subject of data protection. But in the USA there is a different approach in this regard. In the USA data is categorised into different groups on the basis of the sensitivity and utility of the data, and then different types of protection are provided to the different types of data.

Several Acts were also passed by the US government; for instance, in 1974 the Privacy Act was passed. It is a code which deals with fair information practices relating to the collection, use and disclosure of data. In this Act, standards were laid down for different authorities for these things. It was also provided in the Act that there is to be no disclosure of any data about a person if the consent of the person has not been taken, unless it falls within one of the 11 exceptions mentioned in the Act itself. Another Act, the Electronic Communications Privacy Act, was passed in the USA in the year 1986; it provides provisions for access, use and disclosure of data saved in electronic devices. It prohibits unlawful access and certain disclosures of electronic communications. As per this Act, electronic communication means “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo electronic or photo optical system that affects interstate or foreign commerce.” Its basic aim was to ensure that data which is stored in electronic communications or transferred by electronic means will be used fairly.

Another Act passed in the USA, the Children’s Online Privacy Protection Act, specially relates to the personal data [12] of children which is made available on the internet. In this Act some procedures were laid down: while any website owner is collecting any personal information related to a child, he/she is required to follow the procedure, and even the consent of the guardian was made compulsory. Further, it is provided under the Act that the information should be collected in good faith, and that the disclosure of the information collected from a child, the procedure of collection and the methods of use of that information are all required to be revealed by a notice on the website itself.

There is another Act, the Consumer Internet Privacy Act, 1986. As per this Act, if any type of information is provided to any interactive computer service by a subscriber, then that information should not be revealed to a third party unless there is the subscriber’s prior written consent. The Federal Trade Commission was given authority to investigate or examine any type of computer service to see that service providers do not indulge in any type of activity which is prohibited by this Act.

Laws in the Rest of Europe

European countries are very advanced in respect of data protection. In the European Union, some countries have had data protection laws since the 1970s [13]. For the sake of conformity among the different countries’ national laws, directives have been issued by the European Union, and the national laws should be made as per the guidelines laid down in these directives. One such directive was the Data Protection Directive 1995, in which the rights of data subjects and the responsibilities of data holders were clearly defined. Different types of guidelines were issued in this regard, such as: the data subject should be informed how his/her data is being used, the data controller should provide his name and address and the purpose of the collection of the data, etc.

It is provided in the Data Protection Directive that Member States shall provide that personal data must be [14]:

(a) processed fairly and lawfully

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards

(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

In this regard some principles are also provided to US companies, which are known as the Safe Harbour Principles; these principles relate to:

Notice- Individuals must be informed that their data is being collected and about how it will be used.

Choice- Individuals must have the ability to opt out of the collection and forward transfer of data to third parties.

Onward Transfer- Transfers to third parties may only occur to other organisations that follow adequate data protection principles.

Security- Reasonable efforts must be made to prevent loss of collected information.

Data Integrity- Data must be relevant and reliable for the purpose it was collected.

Access- Individuals must be able to access the information held about them, and correct or delete it if it is inaccurate.

Enforcement- There must be effective means of enforcing these rules.

Other Lacunae in the Information Technology Act

There are many lacunae in the Information Technology Act in relation to data protection. There is a great lack of comprehensive guidelines in relation to security measures, and there are also some technical faults in the Act:

Section 43 of the Act deals with penalty for damage to a computer, computer system, etc. It says:

“If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network,- accesses or secures access to such computer, computer system or computer network downloads, copies or extracts any data, computer data base information from such computer, computer system or computer network including information or data held or stored in any removable storage medium................ shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected."

Here, although the amount of one crore rupees may be a big amount for a layperson, there are many firms and individuals in the corporate sector for whom one crore may be a minuscule amount; so the amount of this compensation should not be fixed but should depend upon the prevailing circumstances.

Section 43 (1) [15], which deals with compensation for failure to protect data, says: “Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, not exceeding five crore rupees, to the person so affected.”

Further, section 43 (1) (ii) says: “‘reasonable security practices and procedures’ means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.”

However, till date there is no law specifying security practices, nor has the Central Government defined the security practices to be implemented in order to secure vital data. In the absence of such defined security practices and procedures, it is open to the parties to enter into agreements and lay down their own methods of protecting their sensitive information. Section 43A not only provides the freedom to do so but also penalises any breach of such contractual obligations. Thus, till a framework of security practices is defined, companies can enter into their own contracts and lay down minimum standards for protecting data.

Section 72 deals with breach of confidentiality and privacy. It says: “Save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuant of any of the powers conferred under this Act, rules or regulations made there under, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.”

But this section is confined only to persons on whom power is conferred by this Act, or by any rule or regulation made under this Act. So the scope of this section is very narrow; it should not be confined only to those persons on whom power is conferred but should also be applicable to other persons as well. Further, there is no other section in this Act which deals with violation of privacy.

Now, under section 79, a service provider is not liable if it has exercised due diligence, but no comprehensive guidelines have been issued in this area under the Act; although power has been given under the same section to the Central Government to issue guidelines in this respect, till now no guidelines have been issued.

Conclusion

If we compare the present state of data processing laws in India with those of the countries of Europe and the USA, we find that these countries are far ahead of India in this respect. Those countries have particular and comprehensive laws relating to data protection and privacy. Another thing to be noted is that different types of data should be divided into different categories as per the utility and importance of the data. So we are required to frame a scheme based on the categorical division of data, as in the USA; even in the UK, although there is no such categorical division, some types of data are defined as sensitive data, with separate rules for the disclosure of this sensitive data. The provisions of the IT Act are basically for the destruction/extraction of data; there is a great lack of comprehensive guidelines in this regard, and companies are required to rely on their private contracts, which is in itself a complex and lengthy process. There are no special provisions related to the privacy of an individual; only section 72 deals with violation of privacy, and that is confined only to those persons on whom power is conferred by this Act.

There is, though, one proposed Data Protection Bill 2006, which deals with the collection, use and disclosure of personal data. Some of its provisions are taken from the European Directive on Data Protection. In the Bill no category-wise division of data was made; in this regard we have to take inspiration from US laws [16].

So, a comprehensive data protection law is the need of the hour in India, although to follow the foreign law of either the UK or the USA in totality will not be a good option. We have to divide different types of data into different categories and then provide different degrees of protection to the different types of data. But that should be contained in one Act, not in different scattered pieces of legislation. We are also required to prepare practical guidelines on what type of personal data can be provided to others in specific circumstances and what should not, so that there are no complexities as in the case of the UK [17]. If we go for the enactment of a comprehensive data protection law, it would reduce the instances of data theft, and more and more foreign companies and firms would be interested in growing their business in India; it would work like a boon to the Information Technology sector in India.