A crucial component of Indian companies’ global success story has been the phenomenal growth and expansion in the information technology (IT) and the business process outsourcing (BPO) sectors, which provide cost-efficient services to international clients across industries as varied as healthcare, marketing, banking, financial services and even legal services. Given the nature of these sectors and the services being provided, Indian companies in the IT and BPO sectors handle and have access to all kinds of sensitive and personal data of individuals across the world, including their credit card details, financial information and even their medical history.
This creates a risk that such personal data may be misused, for while organizations may have safeguards and security practices in place, the Indian legal regime is still evolving to address the issue of adequate safeguards for the protection of such personal data.
There is no express legislation in India dealing with data protection. Although the Personal Data Protection Bill was introduced in Parliament in 2006, it is yet to see the light of day. While the Information Technology Act, 2000 (IT Act), contains provisions regarding cyber and related IT laws in India and delineates the scope of access that a party may have to data stored on a computer, computer system or computer network, the provisions of the IT Act do not address the need for a stringent data protection law.
Illustration: Jayachandran / Mint
On 5 February, the IT Act was amended by the Information Technology (Amendment) Act, 2008. While the amendment Act is yet to come into force, it has introduced two important provisions that have a strong bearing on the legal regime for data protection. These are sections 43A and 72A, inserted into the IT Act by the amendment Act.
Section 43A states that if a “body corporate” possessing, dealing or handling any “sensitive personal data or information” in a computer resource which it owns, controls or operates is negligent in implementing and maintaining “reasonable security practices and procedures”, and thereby causes wrongful loss or wrongful gain to any person, this body corporate will become liable to pay damages as compensation to the affected person.
The term “body corporate” is wide enough to include a company, a firm, sole proprietorship or other association of individuals engaged in professional or commercial activities. Then there is the question of what constitutes “reasonable security practices and procedures”. Reasonable security practices and procedures have been defined to mean security practices and procedures designed to protect information from unauthorized access, damage, use, modification, disclosure or impairment as may be specified either (i) in an agreement between the parties; or (ii) in any law in force; and in the absence of an agreement or law, as may be prescribed by the Union government. This essentially means that contracting parties could incorporate in their contract the level and extent of the security procedures, practices and protection that the disclosing party desires to put in place in order to protect its sensitive personal information. A breach of such provisions, if falling within the purview of section 43A, could make the receiving party liable to pay damages.
However, the amendment Act has not specified the meaning of the term “sensitive personal data or information” and merely states that it would mean such personal information as may be prescribed by the Union government in consultation with such professional bodies or associations as it may deem fit.
The other amendment, section 72A, states that (except as otherwise provided in the IT Act or any other law in force) if any person, including an intermediary, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person, and with intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, discloses the material to another person without the consent of the person concerned or in breach of a contract, then the person disclosing such information can be punished with imprisonment for up to three years and/or can be fined up to Rs5 lakh. Contrast this with the existing provision, section 72 of the IT Act, which provides for a penalty in the form of a fine and/or imprisonment if information obtained by virtue of a power granted under the IT Act is disclosed to a third party without the consent of the person concerned.
Section 72 is, therefore, limited to information being obtained by virtue of a “power granted under the IT Act”. The purview of section 72A, on the other hand, is wider than the existing section 72 and extends to disclosure of personal information of a person (without consent) while providing services under a lawful contract and not merely disclosure of information obtained by virtue of “powers granted under the IT Act”.
Another addition (under section 72A) is the term “intermediary”. This has been defined under the amendment Act to mean (with respect to any particular electronic record) a person who, on behalf of another person, receives, stores or transmits that record or provides any service with respect to that record, and includes telecom service providers, network service providers, Internet service providers, Web-hosting service providers, search engines, online payment sites, online auction sites, online marketplaces and cyber cafes.
While the provisions of the amendment Act may not be as stringent as the data protection laws in other jurisdictions in protecting the rights of individuals in relation to their personal data, the amendment Act has attempted to make organizations handling sensitive and personal information liable for any misuse of such data and has definitely set the ball rolling in the right direction.
This column is contributed by Ashima Obhan of AZB & Partners, Advocates & Solicitors.