In this blog post, Abhiraj Thakur, a 1st year student of NALSAR University of Law, Hyderabad, writes about Data protection. He also details the current laws in India that deal with the breach of Data Privacy.

With the advent of the internet and vast flow of information, the world has certainly become small. Millions of computers connected by the internet results in large magnitudes of data flowing from one part of the earth to the other every second. However, as technology develops more and more, so does an increase in the misuse of it, which is by and large inevitable. India over the past years has been witnessing an increase in  cyber crimes in addition to an increase in the usage of the internet for exchange of sensitive, personal and commercial data. Therefore, protection of data is very important.

Many countries of the world provide data protection to its citizens under several International conventions and local laws. Today, it is considered the duty of every civilised nation to grant protection of data to its citizens. Most legal systems of the world today have recognised data protection as a direct offshoot of the Right to Privacy and the privacy for citizens of any country is very important. Some significant examples are:

In Europe

Every citizen of a European union member country has the ‘Right to respect for ones private and family life’ by the virtue of Article 8 of the European Convention on Human rights, 1953. As a result, every citizen has the right to the protection of his/her personal and sensitive data. The European Union Data Protection Directive of 1995 is a comprehensive law that regulates the flow of data for EU states.

In USA

Data protection as a form of right to privacy was realised much earlier in the United States than anywhere else. The cases such as Griswold v Connecticut made courts ponder over the contours of right to privacy. As of today, there are many federal and state laws to regulate data in US. The Electronics Communication Privacy Act of 1986 and Online Privacy Protection Act of 2003 are the most important federal laws that grant protection to of data to citizens. In fact, there is a specific act just to deal with data protection for children called the Children’s Online Privacy Protection Act of 1998.

 

Indian Scenario: Framework of Laws

As of today, there is no specific legislation governing data protection for citizens of India. However, there exists a set of general and specialised statutes, policies and procedures that regulate the flow of sensitive data in and out of the country.

What to Protect?

A pertinent question that arises is “What is sensitive and personal data? and For what is to be protected?” In 2011, the Department of Information Technology of the Government of India released the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Rule 2(i) of the notification defines “what is personal information?” It means any information that relates to a natural person from which either directly or indirectly such person can be identified.

Rule 3 of the notification further lays down what sensitive personal data for a person is. It means or includes:

• Important Passwords, such as of bank accounts or other important financial details.
• Data about Physical, Psychological and Mental health of a person.
• Medical records and history of the person including Biometric Information.
• Data pertaining to Sexual orientation of an individual.

 

Specialised Statues

The Information Technology Act, 2000

The IT Act by virtue of various sections makes mishandling of sensitive data punishable and inter alia lays down guidelines for handling of such data. Section 43 of the Act makes provision for the imposition of fines up to 10 lakh rupees for downloading data without consent. Also, when someone damages a computer by exposing it to a virus, it is punishable under this section. However, some reasonable exceptions under Section 69 have been carved out for the state to collect data in conditions such as for maintaining public order, sovereignty and integrity of India, etc.

Section 43A of the IT act talks about adopting Reasonable Security Practices and Procedures (RSPPs) that need to be adopted by any person who holds personal sensitive data. If the person fails to follow RSPPs he/she is liable to pay compensation if any wrongful loss or gain takes place subsequently. ‘Person’ under the act also includes corporate bodies who possess and handle personal data. Today, there are numerous companies providing internet services in the country, this section is effective in curbing the malpractices that arise, if any.

Also, Section 72A of the Act talks about situations when there is an unwarranted disclosure of information, intentionally or knowingly by the person who provides services under a contract to another person. If the data disclosed is without the consent of the person to whom the data belongs, the party disclosing can be held liable under this section. The punishment prescribed for such an act ranges from incarceration which may be extended to 3 years or fine to the maximum of 5 lakh rupees. Also, both can be simultaneously awarded.

Intellectual Property Laws : Indian Copyright Act, 1957

The IP laws in India also to an extent deal with data protection of citizens. The Indian Copyright Act of 1957 makes piracy of copyrighted matters a punishable offence. Section 63B of the Act is pertinent in this regard. It makes the  use of an infringing copy of a computer program on another computer punishable. The punishment ranges from 6 months to 3 years in prison. Also fines of varying amounts can be imposed.

The scheme is relevant for data protection as the Indian courts have in past recognised copyright for ‘databases’. Almost all service providing companies maintain a database of their customers, these databases are often huge and demand a lot of time, labour, skill along with money. So the courts have granted copyrights for databases considering them to be “literary works”. This is beneficial for the customers as no other entity apart from the service providing company can legally make use of the information provided by them.

 

Procedures and Guidelines

Certain Sectoral laws have been framed in the country to deal with the flow of personal data of citizens. These laws act as guidelines and procedures in different sectors of service providing in the country.

IT Rules of 2011, Notification

These rules are made specifically keeping in mind the corporate sector. The corporate sector of today take a lot of personal data of both their customers and employees. So it becomes essential for them to handle such information with caution and care. These corporates need to provide a privacy policy in advance to show as to how they would handle the data.

Rule 5(2) of the Notification restricts collection of personal data by corporate to only those circumstances when it is necessary for any lawful purpose.

Rule 5(3) lays down that a corporate before collecting personal sensitive data from any person needs to make sure that the person is fully aware of the purpose of which data is being collected and also he/she should have voluntarily consented for the collection.

Further, Rule 5(4) states that a corporate shall hold the personal information collected only for the time period that is necessary and not after that.

Credit Information Companies Regulation Act of 2005 (CICRA)

The Act is popularly known as CICRA. As per this Act, the credit information of individuals of India has to be collected in consonance with certain regulations as laid down by this Act. Also under the Act, the bodies that collect the financial information can be held liable in case of unauthorised leak of the Data. Offshore financial transactions are very common in today’s cyberspace and keeping in regard the large number of people involved in them, such acts are helpful for protection of personal data of the individuals concerned.

General Laws

The Indian Penal Code, 1860

Under the general laws, there is no provision dealing with data privacy, neither in the criminal code or the contract Act.

Reasonably, the IPC is too old a statute to recognize offences such as that of leaking of personal data. But even the latest amendments in the code have not addressed the breaches of data privacy. In this regard, a better approach would be to infer the liability for such breaches from related crimes enumerated in the code. An example can be of Section 403 that talks about dishonest misappropriation or conversion of ‘movable property’. Whether personal data can be considered a movable property within the meaning of this section is a thing to ponder on and for courts to decide.

 

Judicial Recognition

Indian judiciary has recognised the right to privacy inherent in the right to life and personal liberty granted under Article 21 of the constitution. Also,in numerous cases courts have recognised data protection within the ambit of right to privacy, thus considering it to be a constitutional right.

 

The greatest advantage of digital age is that it has made the world an Information superhighway, where a lot of information is held, transferred and received by different entities. Privacy is a very important component of human life and so data protection is increasingly becoming an area of concern for the entire world. India though having certain different laws in place to regulate data lacks a comprehensive legislation on data privacy as is there in countries like USA and UK which is alarming with regard to ever increasing number of internet users in the country. How government reacts to threats of technology is a thing to be looked for.