India is the hub of global information technology (IT) outsourcing. The IT and IT-enabled services (ITeS) sector has witnessed phenomenal compounded annual growth of around 30% during the last few years, growing to a revenue of $52 billion (about Rs2.54 trillion) in 2007-08. Even this year, after the global financial meltdown, the industry’s revenue is expected to grow by 18-20% compared with the previous year. It provides direct employment to two million professionals, and indirect employment to four times that number.
Any disruption in the IT and outsourcing industry has the potential to affect employment in the country.
For India to maintain its leadership in this field, and to further expand it, certain enablers are necessary—in fact their need has been felt by the industry for quite some time. Most notable among them is the requirement to strengthen the data protection regime so as to make global data flows to India more trustworthy.
Industry gave its inputs to the government on amendments to the Information Technology (IT) Act, 2000, with the objective of addressing its concerns on data protection, and for creating a more predictive legal environment for the growth of e-commerce and e-governance that includes electronic signatures, data leakage and cyber crime, among others.
The IT Act, 2000, created a basic legal framework for e-commerce through acceptance of electronic documents and digital signatures as evidence in a court of law; promoted e-commerce and e-governance as major applications through legal sanctity accorded to electronic records and digital signatures; acceptance of electronic documents by the government, and provided for dealing with offences in cyberspace in the form of hackers and other criminals trying to gain unauthorized access into databases and other business sites.
While the amendments to the Act were triggered by the arrest of Avnish Bajaj, CEO, Baazi.com (now part of eBay.com) for transmitting obscene images of schoolchildren, as an intermediary, industry’s concerns about data protection issues were given due consideration by the government.
Given the importance of outsourcing to India, data protection has become a pressing issue. Customers in the US, Europe, Australia and other countries require that the privacy of data is maintained in transborder data flows. In order to manage compliance in global space, adequate local laws will increase India’s ability to compete with emerging outsourcing destinations such as Vietnam and eastern Europe.
The impact of globalization on privacy of identity is growing. The fact that more and more personal information is crossing borders in transborder data flows means that data breaches often affect people in multiple countries, and may result in financial frauds—as in the case of TJX Companies Inc., a retailer in the US. Nearly 100 million credit and debit cards belonging to people from various regions were exposed when hackers broke into its computer systems. They kept the information in personal computer servers in the US and eastern Europe, and converted some of it into ready-to-use bank cards. Hackers sold the stolen credit card information to people in the US and Europe via the Internet. A US federal grand jury indicted 11 people. The crime ring included individuals from the US, the Ukraine, China, Estonia and Belarus. Such crimes need to be addressed in national data protection laws.
Critical support: A legal outsourcing firm in Bangalore. Any disruption in the information technology and outsourcing industry has the potential to affect milions of jobs across sectors. Hemant Mishra / Mint
Cyberspace legal issues include everything: e-commerce and e-governance applications, electronic signatures, data protection, encryption, protection of critical information infrastructure, cyber security and national security. A strong data protection regime requires addressing of all of these. The amended Act does precisely that. It has tried to respond in a way that enhances trustworthiness of the entire cyberspace.
The amendments to the IT Act broadly includes:
• New definitions of certain terms such as electronic signature, communication device, cyber café and cyber security, bringing more devices and services within the ambit of the Act.
• Role and responsibilities of intermediaries have been clearly defined; conditions under which they will be liable for third-party information are more explicit.
• Data protection strengthened through a new clause, 43A, that stipulates that service providers must protect personal information of clients while processing under a lawful contract, with scope for consultation with industry bodies for prescribing security standards.
• Penalty for breach of confidentiality under a new section, 72A.
• Cyber crimes, including cyber terrorism and child pornography, under new provisions of sections, 66A to 66F, 67A to 67C, and 69A, 69B.
• Protected systems under section 70 now declared as critical information infrastructure and protected through additional sections 70A and 70B that have created a nodal agency for their protection— the Indian Computer Emergency Response Team.
• Preservation and retention of traffic data and information by service providers and intermediaries under sections 67C, 69B and 70B for cyber forensic evidence and for analysis for new attacks on the information infrastructure in the country.
Kamlesh Bajaj is chief executive officer, Data Security Council of India. This is the third of a four-part series on cyber security.
Respond to this column at firstname.lastname@example.org