
  Tuesday, February 09, 2010 (+5:30GMT)
 
Data Protection Law in India
Shojan Jacob
The Information Technology Amendment Act, 2008 has set the ball rolling in addressing the lacuna of data protection laws in the country. The provisions are, however, not adequate to meet the needs of corporate India. This article analyzes the protection accorded to data and information residing in computer systems in the country.


Data is defined as unprocessed information. Information, on the other hand, is defined as the data that have been organized and communicated in a coherent and meaningful manner. Data is converted into information and information is converted into knowledge.

In the cyber world, all such information is stored in computers. The information may include financial details, health information, business proposals, intellectual property and sensitive data. Till recently there was no specific provision to address the issue of data protection. However, the IT Amendment Act, 2008 has set the ball rolling in addressing this issue.

The IT Act, 2000 and the 2008 Amendment

In 2006 the Government introduced a separate Bill called the Personal Protection Act to specifically address the issue of data protection. However, it has not seen the light of day. The issue of data protection has now been addressed in the IT Amendment Act, 2008 through Sections 43A and 72A.

Section 43A reads as follows:

Compensation for failure to protect data

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected. 

Explanation: For the purposes of this section

(i)  body corporate means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities

(ii)  reasonable security practices and procedures means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

(iii)  sensitive personal data or information means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

Reasonable security practices and procedures

The IT Act now requires corporates to maintain reasonable security practices and procedures as to sensitive personal data or information, but does not define the phrase "reasonable security practices and procedures". As understood from the section, reasonable security practices and procedures are to be determined in the following order:

-  As defined between the parties by mutual agreement or

-  As specified in any law for the time being in force or

-  To be specified by the Central Government in consultation with such professional bodies or associations as it may deem fit.

However, till date there is no law specifying security practices, nor has the Central Government defined the security practices to be implemented in order to secure vital data.

In the absence of such defined security practices and procedures, it is open for the parties to enter into agreements and lay down their own methods of protecting their sensitive information. Section 43A not only provides the freedom for doing so but also penalizes any breach of such contractual obligations. Thus, till a framework of security practices is defined, companies can enter into their own contracts and lay down minimum standards for protecting data.

For this purpose, depending upon the industry, compliance with business requirements such as ISO 27001, DPA, Basel II, HIPAA etc. may be enforced by means of agreements between the parties. Failure on the part of any party to maintain such contractual obligations can lead to legal consequences by virtue of this section. It is to be noted that there is no upper limit on the compensation that can be claimed by the affected party in such circumstances.

Breach of confidentiality and privacy

The IT Act, 2000, under Section 72, protects private information that is obtained by agencies by virtue of powers conferred under the Act and enforces a criminal liability with imprisonment for 2 years and fine of Rs. 1 lakh or both. This also applied to the Certifying Authorities, who obtained information from subscribers.

Section 72A, which has been newly added, addresses the issue of data vandalism occurring in breach of contractual agreements. Section 72A reads as follows:

Punishment for Disclosure of information in breach of lawful contract

Save as otherwise provided in this Act or any other law for the time being in force,

(i)  any person including an intermediary who;

(ii)  while providing services under the terms of lawful contract;

(iii)  has secured access to any material containing personal information about another person;

(iv)  with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain;

(v)  discloses;

(vi)  without the consent of the person concerned, or in breach of a lawful contract;

(vii)  such material to any other person; and 

(viii)  shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.

Extraterritorial applicability of the Data Protection Laws

The Data Protection Act of the UK and HIPAA of the US ensure that their data protection obligations reach beyond their shores whenever data is sent out for processing to other countries. However, in the Indian context, the above-mentioned provisions do not speak of the extraterritorial applicability of the law.

Section 75 of the IT Act speaks about the extraterritorial applicability of the Act. According to this Section, the provisions of the IT Act shall apply to any offence or contravention committed by any person irrespective of his nationality, provided the act or conduct constituting the offence or contravention involves a computer, computer system or computer network in India.

Section 75 is framed from the angle of addressing the issue of cyber crime. The section does not address the issue of data protection. Sections 43A and 72A, which have now been introduced to protect data, also do not address the territorial applicability of these provisions. Therefore it can be safely concluded that when data is transferred outside the territories of India it gets no legal protection.

Conclusion

In the current scenario, the data protection provisions do not extend beyond the territories of India. Within the territory of India, Sections 43A and 72A provide protection for the data, and even data outsourced to India gets protection under these sections. But when data is sent outside the territories of India, one cannot seek protection under these sections. India has no jurisdiction in such cases, and there is no obligation cast on the countries to which India sends sensitive personal information for processing to have an acceptable data protection mechanism.

(Author is an Advocate at Kerala High Court)
