Author Name:   kumar.mihir

amendments were brought in the information Technology Act, 2000 to provide the measures for data protection in India which may assuage the fears of misuse of data / information being dealt with by the outsourcing industry or the IT Sector or during the e-commerce for the time being...

Data Protection: A Study

“Scientia Potenti Est- Knowledge is power”. The said maxim is apt to describe the primary business model in the 21st century when information is the key to success. With India emerging as the outsourcing hub, it is apt to evaluate the legal regime for protection of data as with the world outsourcing its essential services to India, there is a growing clamour to ensure protection of the data and other sensitive information which are passed on and are being handled by the Indian outsourcing industry

The outsourcing industry in India have been steadily growing as is evident from the fact that in the Financial year 1998, its share was only 1.2 percent of the GDP which has grown to estimated 6.4 percent of the GDP in the Financial year 2011. In monetary terms the IT-BPO sector is estimated to aggregate revenues of USD 88.1 billion in the year 2011 which is predicted to grow upto USD130 Billion in the year 2015. As the outsourcing industry is primarily data driven, effective legal provisions for the protection of the same is a given, India, however does not have a dedicated statute for the protection of data such as the Data Protection Act, 1998 of the United Kingdom and only Some of the provisions of the Information Technology Act, 2000 deal with the protection of Data in India.

International Obligations
Article 39 of the Trade-Related Aspects of Intellectual Property Rights (TRIPS) enjoins the members to make laws to protect data/ information. Article 39 of Trips reads as follows:

“Article 39
1. In the course of ensuring effective protection against unfair competition as provided in Article 10bis of the Paris Convention (1967), Members shall protect undisclosed information in accordance with paragraph 2 and data submitted to governments or governmental agencies in accordance with paragraph 3.

2. Natural and legal persons shall have the possibility of preventing information lawfully within their control from being disclosed to, acquired by, or used by others without their consent in a manner contrary to honest commercial practices (10) so long as such information:

(a) is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question;

(b) has commercial value because it is secret; and

(c) has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.........”

Despite the above, India, though being a member of WTO, however does not have a separate Data Protection Law. The only statute governing the field has been the Information Technology Act, 2000 which has been enacted to give effect to the resolution A/RES/ 51/162 dated 30th January 1997 passed by the General Assembly of United Nations whereby it adopted the Model Law on Electronic Commerce prepared by the United Nations Commission on International Trade Law (UNCITRAL).

Statutory Regime & Outsourcing Industry
The Information Technology Act, 2000 came into force on 17.10.2000 vide G.S.R No. 788(E) dated 17.10.2000 and for the first time, a legal definition of “Computer”, “Data”, “electronic record”, “Information” et al were provided. The said Act gave a legal recognition to the electronic records and digital signatures and in Chapter IX thereof provided for penalty and adjudication. Section 43 of the Act interalia provided that in case of unauthorised access, download or copying or damage to data etc, the person responsible shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person affected.

Apart from civil liability provided under Section 43, Chapter XI (Sections 63 to 78) of the Act of 2000 provided for criminal liability in cases of Tampering, Hacking, publishing or transmitting obscene material, misrepresentation etc. Apart from the same, Section 72 of the Act provided for penalty in case of breach of confidentiality and privacy and laid that in case any person who has secured access to any electronic record, Data or information, discloses the same to any other person without obtaining the consent of the person concerned, he shall be punished with imprisonment upto two years or with fine upto Rupees one lakh or with both.

However, the provisions of the Information Technology Act, 2000 were not adequate and the need for more stringent data protection measures were felt, the Information Technology (Amendment) Act, 2008 was enacted which came into force on 27.10.2009. The said Amendment Act brought in the concepts like cyber security in the statute book and widened the scope of digital signatures by replacing the words “electronic signature”. The amendment act also provided for secure electronic signatures and enjoined the central government to prescribe security procedures and practices for securing electronic records and signatures (Sections 15-16) The amendment Act also removed the cap of Rupees One Crore as earlier provided under Section 43 for damage to computer and computer systems and for unauthorised downloading/ copying of data. The said Amendment Act also introduced Section 43A which provides for compensation to be paid in case a body corporate fails to protect the data. Section 46 of the Act prescribes that the person affected has to approach the adjudicating officer appointed under Section 46 of the Act in case the claim for injury or damage does not exceed Rupees Five crores and the civil court in case, the claim exceeds Rupees Five crores. The amendment act also brought/ introduced several new provisions which provide for offenses such as identity theft, receiving stolen computer resource/ device, cheating, violation of privacy, cyber terrorism, pornography (Section 66A-F & 67A-C). The amendment act also brought in provisions directing intermediaries to protect the data/information and penalty has been prescribed for disclosure of information of information in breach of lawful contract (Section 72A)

With the enactment of the Amendment Act of 2008, India for the first time got statutory provisions dealing with data protection. However, as the ingredients of “sensitive personal data and information” as well as the “reasonable security practices and procedures” were yet to be prescribed by the Central Government, the Ministry of Communications and Information Technology vide Notification No. GSR 313 (E) dated 11th April 2011 made the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information ) Rules, 2011 (the said rules). Rule 3 of the said rules defines personal sensitive data or information and provides that the same may include information relating to password, financial information such as bank account or credit card details, health condition, medical records etc. Rule 4 enjoins every body corporate which receives or deals with information to provide a privacy policy. Rule 5 prescribes that every body corporate shall obtain consent in writing from the provider of the sensitive information regarding purpose of usage before collection of such information and such body corporate will not collect such information unless it is collected for a lawful purpose connected with the function or activity of such body corporate and collection of such information or data is necessary and once such data is collected, it shall not be retained for a period longer than what is required. Rule 6 provides that disclosure of the information to any third party shall require prior permission from the provider unless such disclosure has been agreed to in the contract between the body corporate and the provider or where the disclosure is necessary for compliance of a legal obligation. The Body corporate has been barred to publish sensitive information and the third parties receiving such information have been barred to disclose it further. Rule 7 lays down that the body corporate may transfer such information to any other body corporate or person in India or outside, that ensure the same level of data protection and such transfer will be allowed only if it is necessary for performance of lawful contract between the body corporate and provider of information or where the provider has consented for data transfer. Rule 8 of the said rules further provide reasonable security practises and procedures and lays down that international standard IS/ISO/IEC 27001 on “Information Technology- Security Techniques- Information Security Management System- requirements “ would be one such standard.

The Ministry of Communication and Information Technology further issued a press note dated 24th August 2011 and clarified that the said rules are applicable to the body corporate or any person located within India. The press note further provides that any body corporate providing services relating to collection or handling of sensitive personal data or information under contractual obligation with any other legal entity located within India or outside is not subject to requirements of Rules 5 &6 as mentioned hereinabove. A body corporate providing services to the provider of information under a contractual obligation directly with them however has to comply with Rules 5 &6. The said press note also clarifies that privacy policy mentioned in Rule 4 relates to the body corporate and is not with respect to any particular obligation under the contract. The press note at the end provides that the consent mentioned in Rule 5 includes consent given by any mode of electronic communication.

Impact On Industry & Compliances Required
In view of the above provisions, the BPO Companies in India have been enjoined to protect the sensitive personal data or information as available with and dealt by them and in case of any failure on their part which may cause wrongful loss or wrongful gain to any person, they shall be liable to pay damages by way of compensation to the person affected. The person affected has to approach the adjudicating officer appointed under Section 46 of the Act in case the claim for injury or damage does not exceed Rupees Five crores and the civil court in case, the claim exceeds Rupees Five crores.

Apart from the above, the said rules of 2011 prescribe that a BPO Company located in India shall have to comply with the provisions of the same and provide a privacy policy for handling sensitive personal data or information having the requisite details and such policy has to be published on the website of the BPO company. If the data is being handled, collected, processed by any other person on behalf of the company, in such case, the policy may be displayed either on the website of such other person or of the company and the same would be sufficient.

In case the BPO is an independent entity and is providing services relating to collection, storage, dealing or handling of sensitive personal information or data under a contractual obligation with any other legal entity or company, then the said BPO shall not be liable interalia to obtain a consent in writing from the provider of information while collecting the information or while disclosing the same, whether the said provider is in India or outside. In other words, as stated above, such a BPO Company shall not be subject to the requirements of Rules 5 & 6 of the said rules of 2011. However, in case of any back office of a company providing services to the provider of information under a direct contract, Rules 5 &6 of the said Rules shall be applicable and the said company shall be liable to obtain the consent even when the provider of information is outside India. Thus a company dealing directly with the provider of information shall have to seek written consent from the provider while collecting the information and inform the said provider about the purpose for which the said information is being collected. The Company shall also have to designate a grievance officer to address the grievances of the provider of information. Such a company shall also require prior permission of the provider before disclosing the information to a third party except in cases when such disclosure has expressly been agreed to in the contract between the company and the provider or where the disclosure is necessary for compliance of a legal obligation or where the government agencies request such information .

The outsourcing companies have been barred from transferring Data and sensitive information to any other body which does not have the same level of data protection as is present in India. The outsourcing Companies have also been enjoined to comply with the reasonable security practices and procedures such as international standard IS/ISO/IEC 27001 on “Information Technology- Security Techniques- Information Security Management System- requirements” or any other best practices approved by the central government.

It may be added herein that the companies operating in India shall have to carry out regular audits to ensure the compliance of the Rules as any violation of the same would entail an action under the Information technology Act, 2000 as amended.

Problem Areas
The information Technology Act, 2000 with the amendment Act of 2008, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the press note dated 24th August 2011 read together, provide the legal framework for data protection in India. However, there are certain concerns that the above statutory provisions have failed to address in an effective manner.

· The first concern is that the Rules do not require any consent to be taken from the person to whom the information relates to and only the consent of the “provider” of the information has been deemed sufficient. This may lead to misuse of information when the provider and the person to whom the information relates to are different. In such a case, even if the company having information has taken consent of the provider as required under the Rules, the person affected may sue the said company for compensation under Section 43A of the IT Act.

· The unfettered access that the government agencies may have to the sensitive information is another cause of concern as it would amount to an infringement to the right to privacy of an individual. It may be noted that the Rules do not provide the government agencies to obtain a warrant in order to access the sensitive information and only a written request has been provided for. Further, it is not clear as to whether the said rule applies to the government agencies constituted and operating under the Indian Laws or whether the same also applies to the government agencies operating under other jurisdictions.

· The bar on transfer of information to other countries which do not have the same level of data protection measures may also hamper the outsourcing industry in India. Such bar would mean that the outsourcing companies cannot sent the data to their employers, employees or other offices located in different jurisdictions which do not have the same level of data protection and the same may lead to loss of business opportunities.

· The adjudication procedure provided under Section 46 of the Act lays down that claims for compensation upto Rupees 5 Crores shall be dealt by the adjudication officer and claims for more than 5 Crores would be decided in competent civil courts. However, the civil courts in India may not be equipped to handle such claims due to poor infrastructure, lengthy dockets, huge pendency of cases etc.

Conclusion
The Government of India had introduced the Personal Data Protection Bill, 2006 in Rajya Sabha on 08th December 2006 with a view to provide a dedicated Statute for protection of personal data and information of an individual collected for a particular purpose by one organization, and to prevent its usage by other organization for commercial or other purposes and entitle the individual to claim compensation or damages due to disclosure of personal data or information of any individual without his consent. However, the bill was allowed to be lapsed and instead, amendments were brought in the information Technology Act, 2000 to provide the measures for data protection in India which may assuage the fears of misuse of data / information being dealt with by the outsourcing industry or the IT Sector or during the e-commerce for the time being. However, with the ever changing technology and increase in the volumes of data being processed, the need for a dedicated statute for data protection may be felt again after some time and the Government of the Day would be forced to enact the same to sustain the faith of the world in India.
************
# http://www.nasscom.in/indian-itbpo-industry (13. 10.2011)
# http://164.100.24.219/BillsTexts/RSBillTexts/asintroduced/XCI_2006.pdf (13.10.2011)

The  author can be reached at: kumar.mihir@legalserviceindia.com

Follow the Procedure Below To Submit Your Articles

Submit your Article by using our online form Click here
Note* we only accept Original Articles, we will not accept Articles Already Published in other websites.
For Further Details Contact: editor@legalserviceindia.com

File Your Copyright - Right Now!