Data Protection in India

DATA PROTECTION IN INDIA Annamma Samuel

INTRODUCTION

Definition of Data

Unprocessed information

Organized and communicated in a coherent and meaningful manner

Data is converted into information, and information is converted into knowledge.

Data protection is aimed at protecting the informational privacy of individuals.

Database protection protects the creativity and investment put into the compilation, verification and presentation of databases.

A database can be technically explained as a machine-readable compilation of information.

The world’s first computer-specific statute was enacted in the form of a Data Protection Act, in the German state of Hesse, in 1970.

No specific legislation on private data or information

Data can be protected through the Constitution of India and the Information Technology Act, 2000.

Database can be protected through the Copyright Act, 1957 and the Information Technology Act, 2000.

The Information Technology Act, 2000, Sec. 2(1)(o)

‘data’ means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.

EXISTING LEGAL FRAMEWORK FOR DATA PROTECTION IN INDIA

Indian Contract Act, 1872

‘consideration’

One firm can bind another so as to refrain from revealing data without authorization, to protect privacy of data, as well as the terms and conditions of the use and processing of data.

The Information Technology Act, 2000

(1) Section 43 deals with penalties for damage to computer, computer system etc.

(2) Section 65 deals with tampering with computer source documents. 

(3) Section 66 deals with hacking with computer system.

(4) Section 72 deals with penalty for breach of confidentiality and privacy.

IT Amendment Act, 2008

Requires all foreign corporations with offshore Indian service partners to maintain “reasonable security practices and procedures” when handling “sensitive personal data”

Section 43A: Compensation for failure to protect data

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected. 

Does not define the phrase “reasonable security practices and procedures”.

Determined in the following order:

As defined between the parties by mutual agreement, or

As specified in any law for the time being in force, or

To be specified by the Central Government in consultation with such professional bodies or associations as it may deem fit.

Section 72A: Disclosure of information in breach of lawful contract

Any person, including an intermediary, who:

while providing services under the terms of lawful contract;

has secured access to any material containing personal information about another person;

with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain;

discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person;

shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.

LIMITATION

Does not address the territorial applicability of these provisions. Therefore it can be safely concluded that when data is transferred outside the territories of India it gets no legal protection.

The US Position:

“Safe Harbour Principles (SHP)”

To protect information and its privacy, free flow of information and to promote e-commerce.

Notice needs to be given to the data subject (consumer) explaining the need to collect data, what it will be used for and how it will be used, who will have access to it and how the data will be kept secure.

The consumer should be provided access to data and to validate the personal information, or to rectify it, alter it or to delete any erroneous information.

Every Third Party to whom data is sent should comply with SHP.

THE UK POSITION

Data Protection Act, 1998

There should be fair and lawful processing of data.

Data Controllers should ensure that data is used only for lawful and specified purposes and should not carry out any processing which is incompatible with those purposes.

Data Controller should hold only personal data that is adequate and relevant and not excessive in relation to the purpose for which it is held.

All personal data are accurate and up to date.

Personal data shall not be kept for longer than necessary for the specified purpose or purposes.

Processing of personal data should be carried out in accordance with the rights of the data subjects under the Act.

Adequate, appropriate, technical and organisational measures should be taken against unauthorised or unlawful processing and accidental loss, destruction or damage to the personal data.

Data Controllers are obligated not to transfer data to countries that do not have an adequate level of data protection.

CASES

In June 2005, ‘The Sun’ newspaper claimed that one of its journalists bought personal details including passwords, addresses and passport data from a Delhi IT worker for £4.25 each.

Call-center employee in Bangalore peddling credit card information to fraudsters who stole US$398,000 from British bank accounts.

The Data Security Council of India

Self-regulatory initiative of NASSCOM

Enable IT companies to provide a high standard of security and data protection by adopting best practices.

Develop, monitor and enforce an appropriate security and data protection standard for the Indian IT industry that would be adequate, cost effective, adaptable and comparable with global standards.

Build capacity to provide security certification for organizations.

Create a common platform to promote the sharing of knowledge about information security and foster a community of security professionals and firms.

Create awareness among industry professionals and other stakeholders about security and privacy issues.

National Do Not Call Register

Telecom Regulatory Authority of India (TRAI) had taken steps to curb unsolicited commercial calls.

Subscribers would be called upon to register their telephone numbers free of cost.
