Data Protection Law In India

June 2020
The Information Technology Amendment Act, 2008 has set the ball rolling in addressing the lacuna of data protection laws in the country. The provisions are however not adequate to meet the needs of the corporate India. The Article tries to analyze the protection accorded to data and information residing in the computer systems in the country.

Data Protection Law in India
Shojan Jacob

Data is unprocessed information. Information, on the other hand, is data that has been organized and communicated in a coherent and meaningful manner. Data is converted into information, and information into knowledge. In the cyber world all such information is stored on computers, and it may include financial details, health information, business proposals, intellectual property and other sensitive data. Until recently there was no specific provision in Indian law addressing data protection. The IT Amendment Act, 2008 has set the ball rolling in addressing this issue.

The IT Act, 2000 and the 2008 Amendment

In 2006 the Government had introduced a separate Bill, the Personal Data Protection Bill, 2006, to specifically address the issue of data protection. That Bill has not seen the light of day. The issue of data protection has now been addressed in the IT Amendment Act, 2008 through Sections 43A and 72A. Section 43A reads as follows:

Compensation for failure to protect data

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
Explanation: For the purposes of this section,

  (i) "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;

  (ii) "reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and, in the absence of such agreement or any law, such reasonable security practices and procedures as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;

  (iii) "sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

Reasonable security practices and procedures

The IT Act now requires body corporates to maintain reasonable security practices and procedures in respect of sensitive personal data or information, but it does not itself define the phrase. As the Explanation is worded, "reasonable security practices and procedures" are to be determined in the following order:

  • as defined between the parties by mutual agreement; or
  • as specified in any law for the time being in force; or
  • as prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

At the time of writing, no law specifies such security practices, nor has the Central Government prescribed the practices to be implemented for securing sensitive data. In the absence of prescribed practices and procedures, it is open to the parties to enter into agreements and lay down their own methods of protecting their sensitive information. Section 43A not only gives the parties the freedom to do so but also makes a negligent breach of such contractual obligations compensable. Thus, until a framework of security practices is prescribed, companies can lay down minimum standards for protecting data in their own contracts. Depending on the industry, compliance with requirements such as ISO 27001, DPA, Basel II or HIPAA may be made binding by agreement between the parties, and failure on the part of any party to maintain such a contractual obligation can then carry legal consequences by virtue of this section. It is to be noted that there is no upper limit on the compensation that can be claimed by the affected party in such circumstances.
Breach of confidentiality and privacy

Section 72 of the IT Act, 2000 protects information obtained by any person in pursuance of powers conferred under the Act: disclosure of such information without consent attracts imprisonment for a term which may extend to two years, or a fine which may extend to one lakh rupees, or both. This applies to Certifying Authorities as well, which obtain information from subscribers. Section 72A, newly added by the 2008 Amendment, addresses the disclosure of personal information in breach of a lawful contract. Broken into its elements, Section 72A reads as follows:

Punishment for disclosure of information in breach of lawful contract

Save as otherwise provided in this Act or any other law for the time being in force,

  (i) any person, including an intermediary, who;
  (ii) while providing services under the terms of a lawful contract;
  (iii) has secured access to any material containing personal information about another person;
  (iv) with the intent to cause, or knowing that he is likely to cause, wrongful loss or wrongful gain;

  (v) discloses;
  (vi) without the consent of the person concerned, or in breach of a lawful contract;
  (vii) such material to any other person;
  (viii) shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.

Extraterritorial applicability of the Data Protection Laws

The Data Protection Act of the UK and HIPAA of the US ensure that their data protection obligations reach beyond their shores whenever data is sent out to other countries for processing. In the Indian context, however, the provisions discussed above say nothing about the extraterritorial applicability of the law. Section 75 of the IT Act does deal with extraterritorial application: under it, the provisions of the Act apply to any offence or contravention committed outside India by any person, irrespective of nationality, provided the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India. Section 75 is framed from the angle of addressing cyber crime; it does not address data protection as such. Sections 43A and 72A, now introduced to protect data, are likewise silent on their territorial reach. It can therefore be safely concluded that once data is transferred outside the territory of India it receives no protection under these provisions.

Conclusion

In the current scenario the data protection provisions do not extend beyond the territory of India. Within India, Sections 43A and 72A provide protection for data, and data outsourced to India also receives protection under these sections. But once data is sent outside India, one cannot seek protection under them. India has no jurisdiction in such cases, and no obligation is cast on the countries to which India sends sensitive personal information for processing to have an acceptable data protection mechanism.
