Data protection laws refer to the set of policies, procedures and privacy laws that aim to avoid intrusion caused by the collection and dissemination of personal data. Data is broadly classified into two types: public data, which is made accessible to the public at large, such as court records, birth and death records and basic company details; and private data, which cannot be disseminated to the public without prior permission of the subject. Private data includes family details, travel history, location and all other information that is private to an individual. Personal data of an individual is protected under Article 21 of the Indian Constitution, which provides every citizen with the ‘Right to Privacy’ as a fundamental right. In India, the relevant laws dealing with data protection are the Information Technology Act, 2000 and the Indian Contract Act, 1872.
Information Technology Act, 2000
The IT Act aims to provide legal recognition for transactions carried out by means of electronic data interchange and various means of electronic communication, referred to as ‘electronic commerce’.
Section 43 of the Act catalogues a wide range of acts with respect to computers and computer resources that attract sanction under this section. Accessing a computer without the permission of its owner, destroying or altering the data contained in the computer, deleting data saved in the system, introducing a computer virus, or reproducing a piece of information will attract liability under this section. Under Section 43A, a body corporate that is negligent in implementing and maintaining reasonable security, thereby causing wrongful loss or wrongful gain to any person, will be liable to pay damages in the form of compensation to the affected party.
In the case of Poona Auto Ancillaries Pvt. Ltd. v. Punjab National Bank, an amount of Rs 80.12 lakh was transferred from the account of the complainant to a third party without his authorization. None of the ultimate transferees could be located, and the information that was provided by the final transferee was false. The adjudicating officer held that the respondent bank had acted negligently in following security practices, and the bank was directed to pay Rs 45 lakh as compensation to the complainant.
Data controllers and data processors execute service agreements that set out the rights and obligations of the parties with respect to the sharing of data and personal information. A person who, while providing services under a lawful contract, gains access to personal information with the intent of causing wrongful loss or wrongful gain will be punished under Section 72A of the IT Act.
Limitations of Information Technology Act, 2000
The scope and applicability of the Act in providing data protection is very narrow. A few shortcomings of the Act are:
- Spamming: It is defined as receiving unsolicited bulk e-mails, which pose major economic problems. The Act does not discuss the issues relating to spam.
- Phishing: It is a criminally fraudulent act of acquiring sensitive information such as credit card details, usernames and passwords by masquerading as a trustworthy entity in electronic communication. The Act mentions no law against phishing.
- Data protection and Internet banking: The Act does talk about unauthorized access to data, but it fails to provide any grounds for maintaining the integrity of customer transactions. It does not lay down any duty on the bank to protect the details of its customers and clients.
Grounds on which the government can interfere with the data
Under Section 69 of the IT Act, any person authorized by the Government who is satisfied that it is necessary in the interest of the sovereignty, defence, integrity or protection of India, to prevent incitement to the commission of any cognizable offence, or for the investigation of any offence, can direct any agency of the Government to intercept, monitor or decrypt any information that is generated, stored or transferred in any computer system.
The scope of this section includes interception, monitoring and decryption for the purpose of investigating cyber-crimes. Under Section 69A of the IT Act, the Government has also notified the Information Technology (Procedures and Safeguards for Blocking Access of Information) Rules, 2009, which deal with the blocking of websites.
Personal Data Protection Bill, 2019
The Government of India took significant steps in formulating policy and data regulation with respect to financial, health and personal data and data related to e-commerce. The highlights are:
- The looming proposed privacy law: The current draft of the Bill prescribes compliance requirements for all forms of personal data, introduces a central data protection regulator, broadens the rights guaranteed to individuals and institutes data localization requirements for certain sensitive data. The Bill applies extraterritorially to non-Indian organizations and also imposes hefty financial penalties in case of non-compliance.
- Proposed non-personal data framework: The Ministry of Electronics and Information Technology constituted an NPD Committee to explore the governance of non-personal data (“NPD”). The report given by the NPD Committee recommended that the PDP Bill and the NPD Framework should work in tandem, clarifying that only anonymized data will fall under the NPD Framework. Among other things, the report details the types of NPD that may be collected and provides for a detailed data sharing mechanism that exempts sharing between private entities.
- Policy for the management and sharing of health data: The Health Data Management Policy (“HDM Policy”) was approved by the Ministry of Health and Family Welfare (“MOHFW”) in line with the PDP Bill to govern health data in the ecosystem. The HDM Policy will provide for the creation of health IDs for individuals and Health Practitioner IDs for medical practitioners. It will mandate data fiduciaries to abide by the basic data protection laws and establish requirements including security practices and impact assessment. A grievance redressal forum will be established, and data will be shared only after the consent of the individual.
- Geo-location information: The definition of sensitive protection data under the IT rules does not cover location information. Applications like Facebook, Snapchat and Google can easily track location and trade it with a third party. To overcome this, the PDP Bill has proposed a wider definition of personal data that will cover geo-location information.
It is imperative for India to come up with a proper legislative structure to maintain and promote the growth of Business Process Outsourcing. The BPO fulfils both public and legal standards to prevail in the jurisdiction through which data is shipped to India. Even after the amendments to the IT Act, 2000, its confidentiality requirements and data security are highly insufficient. One of the major reasons identified for breaches of data is lack of awareness. It is important for all organizations to draw a roadmap and set higher data privacy standards. With the help of the PDP Bill, we can expect significant regulation of the economic and commercial usage of non-personal data. Even the judiciary is more cognizant of privacy rights than ever before, which is a sign of strong data protection regulation ahead.