Data Protection Laws in India

What is data protection?

Individuals, as citizens and consumers need to have the means to exercise their right to privacy and protect themselves and their information from abuse. This is particularly the case when it comes to our personal information. Data protection is about safeguarding our fundamental right to privacy, which is enshrined in international and regional laws and conventions.Data protection is commonly defined as the law designed to protect your personal information, which is collected, processed and stored by “automated” means or intended to be part of a filing system. In modern societies, to empower us to control our information and to protect us from abuses, it is essential that data protection laws restrain and shape the activities of companies and governments. These institutions have shown repeatedly that unless rules restrict their actions, they will endeavor to collect it all, mine it all, keep it all, while telling us nothing at all.

Why data protection laws are needed in India?

As we all know that India has emerged as an IT hub of the world and it is extremely important for us to have a proper law dealing with Data protection. But Data protection laws in India are currently facing many problems and resentments due to absence of proper legislative frameworks. India being the largest host of outsource data can be an easy target for cyber Criminals mainly due to lack of proper law. The Data Security Council of India (DSCI) and Department of Information Technology (DIT) must also rejuvenate its efforts in this regard on the similar lines.Recently the Government of United States has accused Chinese hackers for stealing their data and that too from the highly secured network of Pentagon.Now, let’s look at India. Almost 1 and half years ago the website of Ministry of health, Government of India was hacked and all the links were directed to some porn sites. Also PMO’s cyber security was compromised for several months. We can imagine the consequences if some important data might have been stolen. To protect all these we not only need a strong cyber law but also an effective cyber force to work on.

Even in one proposed Data Protection Bill, 2006, there are so many lacunas. The Bill does not contain any provision relating to the categorical division of data; but actually different type of data requires different type of protection as like in the case of US.The bills provides for both government as well as private enterprises engaged in data collection. It also provides for the appointment of, “Data Controllers", who have general superintendence and adjudicatory jurisdiction over subjects covered by the bill. It also says that penal sanctions may be imposed on offenders in addition to compensation for damages to victims. The bill is clearly a step in the right direction. However due to the paucity of information, the bill is still pending.

In India, to cover cybercrimes we do have Indian Information Technology Act, commonly referred as IT act, to cover IT related laws in India and delineates the scope of access that a party may have to on data stored on a computer, computer system or computer network, the provisions of the IT Act do not address the need for a stringent data protection law being in place.

This act has been amended in 2008 to meet the growing challenges of the cybercrime. However these amendments are still insufficient to deal with the present scenario. This amendment has added two important provisions that have a strong bearing on data protection laws. These are section 43A and 72A. But the provisions pertaining to data security and confidentiality are grossly inadequate.

In recent years the incidents of data theft in BPO [4] has raised concern over the dada safety in Indian Companies. In this case the confidential data of some British Nationals have been stolen. This gave rise to a debate over the safety of data of foreign nationals in Indian Companies.

Present scenario in India

At present the following limited protection is available to data base rights in India:

• Article 21 of the Constitution guarantees every citizen the fundamental right to personal liberty which includes the right to privacy and by extension private data not available in public domain. This right extends to data in electronic forms and the Information Technology Act, 2000 (“IT Act”) vide Section 66E dealing with punishment for violation of privacy, facilitates protection of such data.
• Copyright to a database (rights associated with the labour and investment involved in compiling data, verifying it and presenting and using it in a format which creates a value in such data) is protected under the Copyright Act, 1957 (“Copyright Act”) and the provisions of the IT Act which deal with protection of data along with penal provisions dealing with compensation and violation of the same act as a deterrent in respect of a person seeking to divulge the data without the express consent of the person whose data has been provided.

Although India has detailed and well defined legal system in place at present, there are no data protection laws in the country. Indian laws do not cover aspects related to the offshoring and the internet, which have emerged recently, the arrival of the internet resulted in a new set of complex legal issues. This is followed by offshoring, which led to further complications. The IT Act 2000, which finally came into existence in 2000, includes laws and policies concerning data security and cybercrimes. Apart from the IT act, the Indian Copyright Act of 1972 deals with copyright issues in computer programmes. However, according to many privacy experts and privacy professionals, the Bill is not adequate enough to provide data protection. In absence of specific laws, the Indian Judicial System offers a few proxy laws and other indirect safeguards. Some of the proxy laws are:

• Indian Penal Code - Section 406 (Punishment for Criminal Breach of Trust) & Section 420 (Cheating and dishonestly inducing delivery of property)
• Indian Contract Act- Breach of contract

 

Initiatives taken by India to upgrade it data protection standards

In addition to the laws in India, that supports protection of data directly or indirectly through various provisions, the Ministry of Information Technology Act in India has undertaken several initiatives to upgrade its security standards.

Standardization Testing and Quality Certification (STQC) Directorate: Owing to the international demand that Indian firms should have an international security standards accreditation, the Indian government has set up the STQC Directorate (Under the department of Information Technology (DIT) ). The Directorate has been able to launch an independent third party certification scheme for the information security management system(ISMS), as per BS 7799 Part 2, and has achieved international recognition in the form of accreditation from the RvA, Netherlands. The STQC Directorate provides services such as testing hardware and software products certification and also training personnel in quality and security standards and processes.

Computer Emergency Response Team (CERT): Team (CERT-In) was established by the DIT to be a part of the international CERT community. CERT was set up to protect India’s IT assets against viruses and other security threats. It performs the following functions:

• It serves as a central point, responding to computer security incidents and providing a reliable, trusted, 24 hours referral contact for emergencies.
• It disseminates best practices among system administrators and service providers.
• It increases the awareness and understanding of InfoSec and computer security issues among the Indian Cyber user community.
• It alerts the community regarding the latest security threats by publishing advisories, vulnerability notes ad incident notes.
• It serves as a coordinating center among organizations to solve computer security problems.
• It establishes linkages with similar organizations in the international arena.
• It performs R&D activities in collaboration with premier research and educational organizations regarding the security of existing systems and regarding evolving cyber security problems.

 

Information Security Technology Development Council (ISTDC):

The ministry has recently set up the ISTDC. The main objective of this program is to facilitate, coordinate and promote technological advancements, and to respond to InfoSec incidents, threats and attacks at the national level. ISTDC has been established for the following functions:

• Evaluating the cyber security project proposals received, and recommendations for further processing by DIT;
• Reviewing ongoing projects through monitoring committees and recommend any modification in scope, funding, duration, additional inputs, termination, transfer of technology etc.
• Recommending follow-up action on completed projects- transfer of technology, initiation of next phase, etc.
• Forming project review and steering groups of projects approved and funded by the DIT.

Various breaches when data protection laws can be applied.

Penalty for Damage to Computer, Computer Systems, etc. under the IT Act

Section 43 of the IT Act, imposes a penalty of INR 10 million inter alia, for downloading data without consent. The same penalty would be imposed upon a person who, inter alia, introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network.

Section 43 provides for penalty for a wide range of cyber contraventions such as:

• Related to unauthorised access to computer, computer system, computer network or resources;
• Unauthorised digital copying, downloading and extraction of data, computer database or information, theft of data held or stored in any media;
• Introduction of any computer contaminant or computer virus into any computer system or computer network;
• Unauthorised transmission of data or programme residing within a computer, computer system or computer network;
• Computer data/database disruption, spamming, etc.
• Denial of service attacks, data theft, fraud, forgery, etc.
• Unauthorised access to computer data/computer databases;
• Instances of data theft (passwords, login IDs), etc.
• Destroys, deletes or alters any information residing in a computer resource, etc. and (j) Steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage.

 

Tampering with Computer Source Documents as provided for under the IT Act, 2000

Section 65 of the IT Act lays down that whoever knowingly or intentionally conceals, destroys, or alters any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to INR 200,000, or with both.

Computer related offences

Earlier, the IT Act under Section 66 defined the term 'hacking' and provided penalty for the same. However, the term 'hacking' has now been deleted by the introduction of the IT Amendment Act, 2008. The substituted Section 66 now reads as "If any person, dishonestly or fraudulently does any act referred to in Section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both".

Penalty for Breach of Confidentiality and Privacy

Section 72 of the IT Act provides for penalty for breach of confidentiality and privacy. The Section provides that any person who, in pursuance of any of the powers conferred under the IT Act Rules or Regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned, discloses such material to any other person, shall be punishable with imprisonment for a term which may extend to two years, or with fine which may extend to INR 100,000, or with both.

Judicial Pronouncements on Right to privacy and data protection laws in India

The right to privacy judicial activism has brought the right to privacy within the realm of fundamental rights by interpreting Articles 19 and 21. The judiciary has recognised right to privacy as a necessary ingredient of the right to life and personal liberty. The Supreme Court of India has interpreted the right to life to mean right to dignified life in Kharak Singh vs State of Uttar Pradesh, especially the minority judgment of Subba Rao, J. In Gobind v. State of M.P., Mathew J., delivering the majority judgment asserted that the right to privacy was itself a fundamental right, but subject to some restrictions on the basis of compelling public interest. Privacy as such interpreted by our Apex Court in its various judgments means different things to different people. Privacy is a desire to be left alone, the desire to be paid for one data and ability to act freely.

Right to privacy relating to a person’s correspondence has become a debating issue due to the technological developments. In R.M. Malkani v. State of Maharashtra, the Supreme Court observed that, the Court will not tolerate safeguards for the protection of the citizen to be imperilled by permitting the police to proceed by unlawful or irregular methods. Telephone tapping is an invasion of right to privacy and freedom of speech and expression and also Government cannot impose prior restraint on publication of defamatory materials against its officials and if it does so, it would be violative of Article 21 and Article 19(1)(a) of the Constitution. In People’s Union for Civil Liberties v. Union of India, the Supreme Court held that right to hold a telephonic conversation in the privacy of one’s home or office without interference can certainly be claimed as right to privacy. In this case the Supreme Court had laid down certain procedural guidelines to conduct legal interceptions, and also provided for a high-level review committee to investigate the relevance for such interceptions. But such caution has been thrown to winds in recent directives from the government bodies as is evident from phone tapping incidents that have come to light. In State of Maharashtra v. Bharat Shanti Lai Shah, the Supreme Court said that interception of conversation though constitutes an invasion of an individual’s right to privacy but it can be curtailed in accordance with procedure validly established by law.

In R. Rajagopal v. State of T.N., the Supreme Court held that the petitioners have a right to publish what they allege to be the life story/autobiography of Auto Shankar insofar as it appears from the public records, even without his consent or authorisation. But if they go beyond that and publish his life story, they may be invading his right to privacy. The Constitution exhaustively enumerates the permissible grounds of restriction on the freedom of expression in Article 19(2); it would be quite difficult for courts to add privacy as one more ground for imposing reasonable restriction.

In Destruction of Public & Private Properties v. State of A.P., the Supreme Court said that media should base upon the principles of impartiality and objectivity in reporting; ensuring neutrality; responsible reporting of sensitive issues, especially crime, violence, agitations and protests; sensitivity in reporting women and children and matters relating to national security; and respect for privacy. Casting couch is a very popular tool used by media nowadays which directly hammer the individual privacy. There is no guideline to handle this issue. Privacy frame will provide solution to solve this problem.

In People’s Union for Civil Liberties (PUCL) v. Union of India, the Supreme Court observed that by calling upon contesting candidate to disclose the assets and liabilities of his/her spouse the fundamental right to information of a voter or citizen is thereby promoted. When there is a competition between the right to privacy of an individual and the right to information of the citizens, the former right has to be subordinated to the latter right as it serves larger public interest. The question arises as to what extent a voter has a right to know about a candidate’s privacy. The voter’s right to know about a candidate’s privacy can be protected and flourished by removing the drawbacks of laws relating to voter’s right to information. Privacy means the right to control the communication of personally identifiable information about any person. It requires a balancing attitude; a balancing interest.

In Mr. X v. Hospital Z, the Supreme Court held that doctor-patient relationship though basically commercial, is professionally a matter of confidence and, therefore, doctors are morally and ethically bound to maintain confidentiality. In such a situation public disclosure of even true private facts may sometimes lead to the clash of one person’s right to be let alone with another person’s right to be informed. In another case the Apex Court said that the hospital or doctor was open to reveal such information to persons related to the girl whom he intended to marry and she had a right to know about the HIV-positive status of the appellant. The Court also held that the appellant’s right was not affected in any manner in revealing his HIV-positive status to the relatives of his fiancé. In matrimonial cases the petitioner would always insist on medical examination. In Selvi v. State of Karnataka, the Court held that narco-analysis, lie detection and BEAP tests in an involuntary manner violate prescribed boundaries of privacy. A medical examination cannot justify the dilution of constitutional rights such as right to privacy. In Bhabani Prasad Jena v. Orissa State Commission for Women, the Supreme Court said that if DNA test is eminently needed to reach the truth, the court must exercise the discretion of medical examination of a person.

In Sharda v. Dharmpal, the Supreme Court said that though the right to personal liberty has been read into Article 21, it cannot be treated as an absolute right. To enable the court to arrive at a just conclusion a person could be subjected to test even though it would invade his right to privacy. It concluded that one has to maintain a balance between the rights of a citizen and the right to privacy. It ultimately requires a healthy and congenial interrelationship between the social good and the individual liberty.

Privacy and data protection Privacy and data protection require that information about individuals should not be automatically made available to other individuals and organisations. Each person must be able to exercise a substantial degree of control over that data and its use. Data protection is legal safeguard to prevent misuse of information about individual person on a medium including computers. It is adoption of administrative, technical, or physical deterrents to safeguard personal data. Privacy is closely connected to data protection. An individual’s data like his name, address, telephone numbers, profession, family, choices, etc. are often available at various places like schools, colleges, banks, directories, surveys and on various websites. Passing of such information to interested parties can lead to intrusion in privacy like incessant marketing calls. The main principles on privacy and data protection enumerated under the Information Technology Act, 2000 are defining data, civil and criminal liability in case of breach of data protection and violation of confidentiality and privacy.

District Registrar and Collector v. Canara Bank, the Supreme Court said that the disclosure of the contents of the private documents of its customers or copies of such private documents, by the bank would amount to a breach of confidentiality and would, therefore, be violative of privacy rights of its customers.

Conclusion

In today’s time, our personal information is required for security purpose. We all provide the authentic institutes the specified information that are asked by them. It is provided on trust basis that our information is in the safe hands and will not be given to any unknown person without our knowledge. Though, the notorious netisens have become so smart nowadays that, they can acquire our personal information, which were not supposed to be leaked, by using there, so called hacking skills. Such netisens in India, are not even afraid of committing such offences since they know that laws are not properly framed yet, and also if they gets caught, they won’t be punished strictly. This is due to lack of data protection laws in India. Though, discussed above that India had taken few initiatives and also made amendments in IT Act 2000, we still need a separate legislation for handling such situations. India is still struggling for enduring an effective and concrete legislation for data protection. A new legislation dealing specifically with the protection of data and information present on the web is the dire need of the day. However, while drafting the laws, the legislature has to be cautious of maintaining a balance between the interests of the common public and tightening its grip on the increasing rate of cybercrimes. It is a need of the hour that a proper Data Protection laws are made, so that the citizens of the country are not under a constant fear of their personal details getting leaked and getting misused. It is also necessary for us, so that foreign companies who are willing to enter the Indian market are not afraid of doing so since no company would ever invest its time and money to a country which is vulnerable on its data and privacy protection.