“Chishiki” is Japanese for “knowledge.” e-chishiki.com aims to bring software developers, information security professionals, IT executives and other IT pros a rich body of knowledge in the form of articles, interviews, tutorials and technical discussions. Our contributors are among the biggest names in the Indian IT industry and include noted authors, educators and practitioners.
Indian IT Industry – Legal Environment
Data Protection and Privacy – The Indian Paradigm
N.S. Nappinai
India woke up to many a headline as above mentioned, particularly during and after 2003 - 2005. Data Protection, or the perceived lack of it, hit the headlines with a sudden spurt of reported cases of data theft and its subsequent misuse, in particular by employees of Business Process Outsourcing companies – commonly referred to as ‘BPOs’. Perception / awareness of ‘Information’ or ‘Data’ as a valuable asset or property set in, and with it the data protection paranoia. Companies reviewed / revisited / prepared their policies and procedures for quarantining data and preventing data leaks in any manner and through any media. Either due to such stringent measures or through awareness, reported cases of data leakage or data theft have considerably reduced in India. This may however not be a reflection of the real situation, as software companies and BPOs abhor any form of publicity for such incidents, which affect the very basis of their businesses.
This article is an overview of how much the Laws in India:
- Assist in Data Protection; and / or
- Provide sufficient deterrents for violations; and / or
- Enforce such deterrents against such violators;
Constitutional Mandate
India has one of the lengthiest Constitutions in the World! Article 21 of the Constitution (one of the Fundamental Rights enshrined in the Constitution) protects right to life and personal liberty. Though this Article did not specify protection of privacy, the Supreme Court[1] interpreted “personal liberty” to include “Right to Privacy”[2]. This protection however applies only against Governmental action.
Data
In 2000 India enacted its Information Technology Act, 2000 (“IT Act”). Data under S.2 (o) includes a representation of information, knowledge, facts, concepts or instructions prepared in a formalized manner, and intended to be / being / has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.
Whilst the IT Act did not enumerate elaborate provisions for data protection, it does contain some provisions to prevent and punish breaches of data protection.
Provisions under the IT Act
Penalties for infringement of certain actions are broadly classified into two heads under the IT Act – Civil penalties to be decided by a special Authority (called the “Adjudicating Authority” under the IT Act) & criminal offences punishable after a trial by a Magistrate’s Court (the first rung of the Indian Criminal Judicial hierarchy).
The provisions relating to data protection are set out under S.43 of the IT Act, which provides for award of compensation of up to Rupees One Crore (about USD 250,000/-), by the Adjudicating Authority, for downloading, copying, extracting any data, computer data base or information from such computer, computer system or computer network including information or data stored in any removable storage medium (floppy, CD, etc.,), without permission of the Owner.
There is no corresponding provision under the criminal offences set out under the IT Act. The only provision pertaining to Data Protection and Privacy i.e., S.72 of the IT Act refers to violation of Confidential Information provided to an authority under the Act and not in respect of private parties and / or under contractual provisions.
Applicability of IPC
Apart from the IT Act, India has time-tested general criminal laws, namely the Indian Penal Code (“IPC”).
S.378 of IPC defines theft as taking dishonestly any movable property “out of the possession” of any person without that person’s consent. The offence of “theft” under IPC relates to the “possession” of movable property and not “Ownership” thereof.
Section 22 IPC defines 'movable property' as “corporeal property of every description, except land and things attached to the earth or permanently fastened to anything which is attached to the earth”. Incorporeal property such as information, data etc., therefore does not appear to be covered under the definition of “Theft”.
S.29 A IPC defines “electronic Record” as data, record or data generated image or sound stored, received or sent in an electronic form, micro - film or computer generated micro - fiche. Even if data is therefore removed or “stolen” through the use of such “electronic record”, it may still not amount to an offence of “Theft” as the data is not removed “out of the possession” of the owner as required under S.379 IPC[3]. Actual deprivation is therefore an inherent ingredient to establish the offence of “Theft” of property even if it is for a temporary period of time[4].
Current scenario – Innovation supplementing legislation
Do the limitations in statutory provisions in any manner affect Data Protection in India or has it led to a higher risk / occurrence of Data theft or leakage in India as opposed to jurisdictions where the Data Protection laws are stringent? The apparent response appears to be “No”.
Most companies, particularly in the Outsourcing Sector, appear to have resorted to stringent contractual provisions to supplement the existing Data Protection Laws[5]. The contractual provisions lay down the protective parameters to be followed by the Outsourcing entity in India. Invariably the said parameters are on par with, and in some instances include specific adherence to, the Data Protection Laws of the contracting state (i.e., in case the contracting party is from USA - The Sarbanes-Oxley Act, 2002 or Gramm-Leach-Bliley Act, 1999). The advantages and pitfalls are dealt with separately as mentioned hereunder.
Proposed Amendments to the IT Act
The (Indian) Ministry of Information Technology has passed an IT Amendment Bill in 2006 (“IT Bill”), which is still awaiting passage through due process as an Act of Parliament. The Legislature has proposed to include Data Protection provisions through these amendments instead of through a separate enactment:
- S.43A of the Bill sets out a penalty of Rs.5 Crores against any person causing wrongful loss or wrongful gain to any person due to negligent handling of “sensitive personal data or information”;
- S.66 of the Bill introduces criminal penalties of imprisonment up to two years for commission of the violations set out in S.43 of the Act (as abovementioned);
- S.66A of the Bill also sets out extensive provisions for protection of personal privacy;
Reality Check
Statutes with punitive measures – both in terms of civil damages and criminal provisions for imprisonment – in most instances act as a deterrent, as violations of data / data theft / data leakage / data abuse are the acts of a highly literate offender.
Questions therefore arise about the efficacy of mere supplements through Contractual provisions in the absence of extensive statutory restrictions. India has seen a spurt in outsourcing businesses in newer fields including in Law. India already enjoys the reputation as an IT capital, which further leads to outsourcing of inter alia technology development activities (Software / Hardware / Pharmaceuticals etc.,).
The IT Bill appears to again be an intermediary or knee-jerk legislation driven by market forces, as opposed to a natural progression in this field, i.e., Data Protection. The provisions abovementioned give wide scope for interpretation, which, whilst making a legislation dynamic, could also lead to chaos, particularly whilst attempting its enforcement. A detailed study of Dispute Resolution methodologies and their efficacy is being set out in a separate article as part of this series. Suffice it to say at this juncture that whilst the above amendments may meet the expediency of the current situation, it may be advisable to either tighten the applicability to ensure enforcement or to set out detailed provisions for Data Protection, as a policy-based legislation may not be the right choice for punitive provisions.
[1] The Apex Court of India;
[2] Kharak Singh v State of UP - Supreme Court Decision;
[3] Please refer to State of Maharashtra Vs. Vishwanath – decided by the Supreme Court of India;
[4] K. N. Mehra Vs. State of Rajasthan – Supreme Court Decision;
[5] Please lookout for a separate article on Contract Laws In India;



