Data Protection Act in India with Compared
To the European Union Countries
Danish Jamil*1, Muhammad Numan Ali Khan*2
*1, *2 Department of Computer Engineering, Sir Syed University of Engineering and Technology, Main University Road, Karachi-75300, Pakistan
Abstract—This paper discusses the cyber law system prevalent in India and suggests that a more robust and efficient legal system should be introduced. It briefly shows that there is little public awareness of, or seriousness about, data protection. Although India is regarded as a major host for outsourcing and data processing, the employees and other people working for these companies and call centres are not aware of cyber law, because cyber law is not as developed and publicised in India as it is in the European countries. The European countries have developed a good and robust data protection act under which the guilty are easily convicted, and hence people there are more aware and more cautious about straying into the dark side of the computer world. The paper also describes the few laws that have actually been implemented in India.
Keywords—Data Protection Act, Cyber Crime, Section 43A, Section 65, Section 66, Section 72A, BPO, Personal Data Protection Bill, Outsourcing Industry, Information Technology Act, 2000, OECD, Safe Harbour Approach, Cyber Law, Guilty, Employees, Outsourcing, Data Processing, Propagated, Convicts, Cautions, Flourished, Implemented.
I. INTRODUCTION
India is a union of states, subdivided into twenty-eight states and six union territories, with Delhi as the national capital. Despite being such a vast country, India faces many challenges and problems with data protection legislation, as there is little awareness about protecting data. Cyber crime is rising continuously because the population is huge while the resources to manage that population, and the cyber crimes that take place, are limited. The market for stolen data is growing as there is not much law on the subject in Indian territories. India is the largest source and host of data outsourcing and data processing, and hence it can become the epicentre of cyber crime, mainly because of the absence of appropriate cyber law. The Data Security Council of India (DSCI) and the Department of Information Technology (DIT) should improve their efforts regarding the data protection act. The answer is simple: it lies in improved and appropriate legislative provisions along with public awareness of cyber crime and data theft. Cyber crime is increasing at high speed, and so there should be awareness of this issue. Cyber crime in India cannot be reduced unless there is an authentic and strong cyber law structure. The IT and BPO sectors of Indian companies handle and access all types of sensitive and personal data of people around the world. This data consists of credit card and financial information as well as the medical information and history of individuals across the world. The companies store this confidential and important data in electronic form, which is easily accessible to the employees of the company, and hence the risk of data theft is high. There have been cases of security breaches and data leaks in high-profile Indian companies, and hence concern for data privacy has arisen in the Indian BPO industry.
II. DISCUSSION
There is not much legislation in India that deals with data protection. There is, however, the Personal Data Protection Bill, which was introduced in Parliament in 2006 and has not yet been passed. The Bill is understood to follow the general framework of the European Union Data Privacy Directive, which was introduced in 1996. The Bill follows a comprehensive model, addressing the collection, processing and distribution of personal and private data. It should be noted that the Bill applies only to personal data as defined in Clause 2 of the Bill. The Bill applies to both government and private enterprises engaged in data processing. Provision is also made for Data Controllers, who have superintendence and adjudicatory jurisdiction over the subjects covered by the Bill. The Bill specifies that penal sanctions can be imposed on offenders, along with a requirement that the offender compensate the victim for the damage done. There is no doubt that the Bill is a step in the right direction; however, the delay in passing it is leading nowhere.
provisions in the IT Act do not accomplish the need of robust Data Protection Law.
Recently the Information Technology Act, 2000 has been amended to meet the challenges arising from cyber crime, but the amended Act has yet to come into force. The amendment introduces two very important provisions that have a strong bearing on the legal regime for data protection: sections 43A and 72A of the IT Act. Even so, the provisions made in the IT Act, 2000 are not enough to address data security and confidentiality.
Incidents of data theft have increased considerably, and awareness in the BPO sector became significant when an employee sold personal data of a large number of British nationals to an undercover reporter working for the British tabloid ‘The Sun’. This incident raised questions about how secure data is in Indian hands and created an embarrassing situation. Hence it is very much required that the Government should impose a good Data Protection Act, and that India should implement amendments so that cyber crimes related to e-commerce transactions, among many others, can be kept under thorough check and control. Many fingers now point at India, asking whether it is appropriate for a major IT power in the global market that the importance of data secrecy and privacy be ignored by the Indian jurisdiction, and whether it is proper not to implement a legal system that imposes rules and regulations on the world of cyber crime.
The amendments and provisions to the IT Act are as follows: Section 43A, Section 65, Section 66 and Section 72A.
SECTION 43A: PENALTY OF DAMAGES TO COMPUTER SYSTEM
“Section 43A states that if a “body corporate” possessing, dealing or handling any “sensitive personal data or information” in a computer resource which it owns, controls or operates is negligent in implementing and maintaining “reasonable security practices and procedures”, and thereby causes wrongful loss or wrongful gain to any person, this body corporate will become liable to pay damages as compensation to the affected person.”[1]
Section 43A uses the term ‘body corporate’, which includes a company, a firm, a sole proprietorship, and associations and organisations engaged in commercial activities. The term ‘reasonable security practices and procedures’ covers the security measures and procedures designed to protect data from unauthorised modification and use, which may lead to tampering with confidential data. These can be specified either in an agreement between the parties, that is, the party holding the data and the party who owns the data, or, in the absence of such an agreement, by the law prescribed by the government, which both parties then have to follow.
This clearly indicates that the contracting parties can specify in their contract the level of security they want from their disclosing parties, and that if any data loss, damage or data breach takes place the disclosing parties are liable to pay for the damages.
The amendment Act does not itself specify the meaning of ‘sensitive personal data’; it states that the term means such personal information as may be defined by the Union Government after consulting the professional and business associations.
“Section 43 states that:
If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network, —
(a) accesses or secures access to such computer, computer system or computer network;
(b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
(c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;”[2]
Hence this section ignores the need to check the liability caused by loss of computer data, database theft, unauthorised digital copying, downloading, extracting and transmitting of data, the use of cookies, etc.
The scope of section 43(a) is not limited to unauthorized access gained remotely through a network. It also applies to unauthorized access made physically. Consider an example. A banker is discussing a loan proposal with a prospective client. The banker leaves the room to take an emergency call on his mobile phone. In the meantime, the client starts up the application programmes on the manager’s system and views the details of other clients. The client has thereby acted against the law and can be charged with the offence of securing unauthorized access under this sub-section.
Another interesting point is that section 43(a) penalizes a person for “hacking”, as it is known in general parlance, i.e., gaining unauthorized access to somebody else’s systems. However, “hacking” as described under section 66 of the Information Technology Act has a much wider implication.
as defined under section 70, then criminal liability is also attracted.
SECTION 65: TAMPERING WITH THE COMPUTER SOURCE DOCUMENTS
“This Section states that:
Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer program, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.”[3]
Computer Source code includes listing of programs, design and layout of the program, commands and analysis of computer resources. Hence this section is used for the protection of the Computer Source Code.
SECTION 66: HACKING THE COMPUTER SYSTEM
“This Section states that:
(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.
(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.”[4]
This section specifies the law relating to hacking and is cited as a data protection provision in India. The section applies if important data stored on a computer has value or utility, is to be treated as confidential, and is accessed by an unauthorised party. For example, if a sensitive email is stored on a computer and an unauthorised person accesses it, the confidentiality of the email is lost, and the party liable for the loss comes under this provision.
SECTION 72: PENALTY FOR BREACHING THE CONFIDENTIALITY AND PRIVACY
“This section states that:
Any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.”[5]
“Section 72 is limited to information being obtained by virtue of a “power granted under the IT Act”. The purview of section 72A, on the other hand, is wider than the existing section 72 and extends to disclosure of personal information of a person (without consent) while providing services under a lawful contract and not merely disclosure of information obtained by virtue of “powers granted under the IT Act”.” [1]
Section 72A uses the term ‘intermediary’, which the amendment Act defines, with respect to any particular electronic record, as a person who on behalf of another person receives, stores or forwards that record or provides any service with respect to that record. This includes telecom service providers, internet service providers, network service providers, web-hosting service providers, online payment sites, search engines, online market places, cyber cafes and online auction sites.
Comparison with the UK Data Protection Act:
A comparison between the law of developed countries and Indian law makes clear that the Indian laws need to be analysed and reviewed in order to maintain law and regulation. The UK has its Data Protection Act of 1998, which is designed to provide protection and privacy for the personal data of individuals residing in the UK.
Under the Data Protection Act, people and organizations that store personal data must register with the Information Commissioner, who is appointed by the government as an official to oversee compliance with the rules and regulations laid down by the Act. The Act places certain restrictions on the collection of personal data. Personal data may be obtained only for one or more lawful purposes and cannot be further processed or used for anything other than the task or tasks for which it was needed. The personal data should not be excessive, and should be relevant, correct and adequate for the purpose or purposes for which it is needed and processed.
It is quite evident that the European Union and the US try to protect the personal data of their citizens: the Data Protection Act is much more sophisticated, and they keep trying to enhance their systems. The US, however, follows a different methodology from the European Union for data protection and privacy.
The US follows a sectoral approach that consists of a mix of legislation, regulation and self-regulation. In the US, data is grouped into several classes on the basis of its utility, and a different legal structure is followed for each class of data. The provisions in the Indian IT Act, by contrast, deal with extraction of data, destruction of data and so on, which means that companies do not get protection for their data and are forced into separate private contracts to keep their data secure. The European Union enforces the protection of personal data across all its member countries, and the US also complies with the European Union, since only through the Safe Harbour Agreement can business be facilitated from the European Union countries. Hence it is very necessary for India to comply with the European Union.
The Bill is a complete draft of the UK Data Protection Act, but today’s requirements call for a more comprehensive Act. Thus the US approach to data protection can also be followed in order to be fully equipped for today’s requirements.
The IT Act protects credit data, which is one aspect of personal data. Hence unauthorised use or transfer of data or information should only be used to identify the credit worthiness of the customer and should be processed further. No part of the legislation is sufficient, and hence a comprehensive and complete data protection Act is needed in India. The Information Technology Act, 2000 is not a data protection or privacy act, as it does not embody all the principles of data protection and privacy. The IT Act, 2000 is a generic Act that concentrates on matters such as digital signatures, cyber contraventions and offences, e-governance and confidentiality. It is wrongly compared to the European Directive on Data Protection (EC/95/46), the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, and the Safe Harbour approach of the US. The fact is that the IT Act, 2000 deals with data protection and privacy only partially. The IT Act, 2000 lacks an actual framework in which a Data Protection Authority and the quality and transparency of data are considered. Even if the IT Act, 2000 adopts some new amendments, it would still lack an actual framework for data protection and privacy matching the EU Directive, the OECD Guidelines or the Safe Harbour Principles.
The absence of a data protection law in India is a heavy loss to the outsourcing industry, which is flourishing in India but lacks a proper Data Protection Act. Customers in the US and the European Union are protected by the comprehensive privacy directive, which requires that personal data not be transferred to countries that do not have an adequate protection policy. As a result, the European trade Union finds that data protection is a major issue to be taken into consideration with these international outsourcing companies. This may lead to a block on the outsourcing industry in India. Hence India needs to handle this situation tactfully and should recognise the need for a Data Protection Act.
III. CONCLUSIONS
In comparison with the European countries, the Indian cyber law system is very poor. Introducing cyber laws in India cannot be a fortnight’s job, but it is very necessary to bring in appropriate cyber law and awareness of it. To sustain the outsourcing companies in India that deal with international personal data and information, a legal framework must be introduced before it is too late and the blooming outsourcing industry in India comes to an end. In practice, the lack of a proper and adequate legislative framework for personal data protection and data privacy is a hurdle for India. European Union officials have declared a list of adequate countries, which includes Argentina, Canada, Australia and Switzerland; India still needs to be enrolled in this white list, but it cannot be unless it has a proper and adequate Data Protection Act. Only by meeting the European Union standards can India become eligible to import data from the EU member States without following difficult and cumbersome procedures. Hence, by implementing an accurate and good data protection law, India can flourish as more than just a supplier of services to the world’s international and multinational corporations.
Significant research remains to be done concerning the regulation of transborder data flows. The areas where research is desirable are the economic effects of transborder data flows, the benefits and costs of regulation, and the attitudes of individuals to them. Additionally, policy instruments and practical tools can be drafted, such as rules that allow entities exporting personal data to appraise the risks of such exports (similar to the rules of the Treasury Board of Canada referred.). Such rules can describe more accurately the different risk levels as they relate to particular data processing scenarios.
Additionally, many developing countries would probably benefit from the drafting of a model law dealing with transborder data flows, so that they do not have to start from zero, or they can use a regional or national model while they are doing so. On the other hand, drafting a model law would need an international agreement on the default rule for transborder data flows, which has so far been missing. It would probably be hard to pick a single international organization to manage such work. Data protection and privacy is still seen as peripheral to the work of many international organizations, and there is not a single one that can bring together the wide membership and specialised expertise needed to deal with all the ramifications of the topic. This is partly because data protection and privacy law does not fall into one particular area of law, but is a combination of different areas such as consumer protection, human rights law, and other areas.
All the organizations that deal with the topic bring strengths and weaknesses. In particular, the organizations with the most proficiency in policy issues relating to transborder data flows (such as the OECD) lack membership from developing countries, whereas the UN organizations are likely not to have as much proficiency in data protection and privacy law. Regional institutions may also be too closely tied to one region to deal with issues of a global nature. This argues for improved cooperation among a number of organizations in order to build on the strengths that each of them has.
ACKNOWLEDGMENT
Protection Act along with my study on the Indian Laws and Regulations for the cyber crime and also allowing me to write a paper at the very first instance of my proposal.
REFERENCES
[1] Mohammed Nyamathulla Khan, 2009, Does India have a Data Protection Law. Available from website: [Online] http://www.legalserviceindia.com/article/l406-Does-India-have-a-Data-Protection-law.html [Accessed on 28th June 2011]
[2] CRID – University of Namur, 2005, Section 43. Penalty for damage to computer, computer system, etc., pg 31. Available from website: [Online] http://ec.europa.eu/justice_home/fsj/privacy/docs/studies/final_report_india_en.pdf [Accessed on 11th July 2011]
[3] CRID – University of Namur, 2005, Section 65 Tampering with source document, pg 31-32. Available from website: [Online] http://ec.europa.eu/justice_home/fsj/privacy/docs/studies/final_report_india_en.pdf [Accessed on 15th July 2011]
[4] CRID – University of Namur, 2005, Section 66 Hacking with computer system, pg 33. Available from website: [Online] http://ec.europa.eu/justice_home/fsj/privacy/docs/studies/final_report_india_en.pdf [Accessed on 14th July 2011]
[5] CRID – University of Namur, 2005, Section 72. Penalty for breach of confidentiality and privacy, pg 33. Available from website: [Online] http://ec.europa.eu/justice_home/fsj/privacy/docs/studies/final_report_india_en.pdf [Accessed on 18th June 2011]
[6] See Jon Bing, ‘Data Protection, Jurisdiction and the Choice of Law’ (1999) Privacy Law & Policy Reporter 92, <http://www.austlii.edu.au/au/journals/PLPR/1999/65.html> [Accessed on 01st Dec 2011].
[7] Michael Kirby, ‘The History, Achievement and Future of the 1980 OECD Guidelines on Privacy’ (n,87), at asking what the OECD should do ‘to ensure the consideration of representative opinions from developing countries in the expression of the values that will impact on global technology.