Data Protection Laws of India

In the recent years India has emerged as one of the preferred destinations for offshore business outsourcing. Financial services, educational services, legal services, banking services, healthcare services, marketing services and telecommunication services . The factors that have turned India into one of the hotspots for offshore outsourcing are the educated and unemployed masses, enterprising nature of Indians who have excellent spoken English skills and relatively cheap labour.

In June 2005, one BPO was in the eye of the storm when one of its employees sold personal data belonging to a large number of British nationals to an undercover reporter from the British tabloid ‘The Sun’. The incident sparked off a debate among the offshore industry circles, media and the legal world as to how safe foreign data is in Indian hands. The discussions were also veered towards the need for some kind of protection for personal data in India which is absent currently.

Data Protection Issues have time and again raised concern in the authorities about the cyber extortion, privacy, confidentiality, data protection and national security. With the increasing penetration in the online usage of more and more people towards internet, e-banking, e-shopping etc. the concerns of data protection and related issues are growing day by day.

Privacy is closely connected to Data Protection. An individual’s data like his name address, telephone numbers, profession, family, choices, etc. are often available at various places like schools, colleges, banks, directories, surveys and on various web sites.

Passing on such information to interested parties can lead to intrusion in privacy like incessant marketing calls.

It would be a misnomer to say that India does not have ‘data protection’ legislation at all.

This is factually wrong. The fact is that there exists data protection legislation in India.

The subject matter of data protection and privacy has been dealt within the Information

Technology Act, 2000 but not in an exclusive manner.

Data protection is not a subject in any of the three lists in Schedule VII of the

Constitution of India. But Entry 97 of List 1 states: “any other matter not enumerated in

List II and List III …….” Thus only the Indian Parliament is competent to legislate on

data protection since it can be interpreted as any other matter not enumerated in List II

and List III.

Data protection is, thus, a Central subject and only the Central Government is competent

to frame legislations on issues dealing with data protection. In fact, the Information

Technology Act, 2000,and the Indian Copyright Act, 1957 , enacted by the Indian Parliament are the main legislations in this field, which contains provisions on data protection. There is also a proposed Personal Data Protection Bill, 2006, which deals with the protection of personal data.

THE INFORMATION TECHNOLOGY ACT, 2000

The Indian Parliament enacted an Act called the Information Technology Act, 2000. It

received the assent of the President on the 9th June, 2000 and is effective from 17th October, 2000. This Act is based on the Resolution A/RES/51/162 adopted by the General Assembly of the United Nations on 30th January, 1997 regarding the Model Law

on Electronic Commerce earlier adopted by the United Nations Commission on International Trade Law (UNCITRAL) in its twenty-ninth session.

It was a foresight on the part of the Government of India to initiate the entire process of

enacting India’s first ever information technology legislation in the year 1997 itself.

It is significant to note that by enactment of the Information Technology Act, 2000, the

Indian Parliament provided a new legal idiom to data protection and privacy. The main

principles on data protection and privacy enumerated under the Information Technology

Act, 2000 are:

(i) defining ‘data’, ‘computer database’, ‘information’, ‘electronic form’, ‘originator’, ‘addressee’ etc.

(ii) creating civil liability if any person accesses or secures access to computer, computer system or computer network

(iii) creating criminal liability if any person accesses or secures access to computer, computer system or computer network

(iv) declaring any computer, computer system or computer network as a protected system

(v) imposing penalty for breach of confidentiality and privacy

(vi) setting up of hierarchy of regulatory authorities, namely adjudicating officers, the Cyber Regulations Appellate Tribunal etc.

Further, the Information Technology Act, 2000 defines certain key terms with respect to data protection, like access [S.2 (1)(a)], Computer [S.2 (1)(i)], Computer network [S.2 (1)(j), Computer resource [S.2 (1)(k)], Computer system [S.2 (1)(l)], Computer database

[S.43, Explanation (ii)],Data [S.2 (1)(o)], Electronic form [S.2 (1)(r)], Electronic record

[S.2 (1)(t], Information [S.2 (1)(v)], Intermediary [S.2 (1)(w)], Secure system [S.2(1)(ze)] and Security procedure [S.2 (1)(zf)].

Civil liability in case of data, computer database theft, privacy violation etc.

The Act provides a complete Chapter (Chapter IX) on cyber contraventions, i.e., section

43 (a) – (h) which cover a wide range of cyber contraventions related to unauthorised

access to computer, computer system, computer network or resources.

Section 43 of the Act covers instances such as: (a) computer trespass, violation of privacy

etc. (b) unauthorised digital copying, downloading and extraction of data, computer

database or information;. theft of data held or stored in any media, (c) unauthorised

transmission of data or programme residing within a computer, computer system or

computer network (cookies, spyware, GUID or digital profiling are not legally

permissible), (d) data loss, data corruption etc., (e) computer data/database disruption,

spamming etc., (f) denial of service attacks, data theft, fraud, forgery etc., (g)

unauthorised access to computer data/computer databases and (h) instances of data theft

(passwords, login IDs) etc.

Criminal liability in case of data, computer database theft, privacy violation etc.

The Act also provides a complete Chapter (Chapter XI) on cyber offences, i.e., sections

65-74 which cover a wide range of cyber offences, including offences related to unauthorised alteration, deletion, addition, modification, alteration, destruction, duplication or transmission of data, and computer database.

For example, section 65 [Tampering with computer source documents] of the Act is not

limited to protecting computer source code only, but it also safeguards data and computer

databases; and similarly section 66 [Hacking with Computer System] covers cyber offences related to (a) Illegal access, (b) Illegal interception, (c) Data interference, (d)

System interference, (e) Misuse of devices, etc.

Interestingly, section 72 [Penalty for breach of confidentiality and privacy] is aimed at

public (and private) authorities10, which have been granted power under the Act to secure

access to any electronic record, book, register, correspondence, information, document or

other material information. The idea behind the aforesaid section is that the person who has secured access to any such information shall not take unfair advantage of it by disclosing it to the third party without obtaining the consent of the disclosing party.

INDIAN COPYRIGHT ACT, 1957 protects “Databases” as ‘literary works’ under Section 13 (1) (a) of the Act which says that Copyright shall subsists throughout India in original literary, dramatic, musical and artistic works

Copyright Act 1957 - Section 2(6)--Literary work--Compilation of list of clients /customers developed by a person by devoting time, money, labour and skill amounts to a literary work wherein the author has a copyright.

Section 2(o) defines `literary work' to include (among others) computer programmes, tables and compilations including computer databases.. Under section 14, literary work is one of the items wherein exclusive rights can be claimed so as to amount to copyright. Under Section 17(c) if a work is made in the course of other's employment under a contract of service or apprenticeship it is the employer who is the first owner of the copyright therein in the absence of any agreement to the contrary.

THE PERSONAL DATA PROTECTION BILL, 2006 : The purpose of this bill is to provide protection of personal data and information of an individual collected for a particular purpose by one organization, and to prevent its usage by other organization for commercial or other purposes and entitle the individual to claim compensation or damages due to disclosure of personal data or information of any individual without his consent and for matters connected with the Act or incidental to the Act.

Section 2 (c) defines "personal data" as information or data which relate to a living individual who can be identified from that information or data whether collected by any Government or any private organization or agency.

The personal data of any person collected for a particular purpose or obtained in connection with any transaction, whether by appropriate Government or by any private organization, shall not be put to processing without the consent of the person concerned. Provided that personal data of any person may be processed for any of the following

purposes:—

(a) the prevention or detection of crime;

(b) the prosecution of offenders; and

(c) the assessment or collection of any tax or duty.

Provided further that no consent of the individual shall be required if the personal data details of the individual are obtained through sources which have been made public.

Provisions contained in this Act are relates to data to be obtained of any person collected by an organization whether government or private, shall not be disclosed to any other organization for the purposes of direct marketing or for any commercial gain and if there is a contravention to this the person shall be entitled to compensation in addition to imprisonment for a term, which may extend to three years or with fine, which may extend upto ten lakh rupees or with both if contravenes or attempts contravene or abets the contravention of any provisions.

If the person committing the contravention is a company, then , every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly:

Data controllers have been proposed to be appointed to look upon the matters relating to violation of the proposed Act

JUDICIAL APPRAISAL

· In the matter of Himalaya Drug Company V/s. Sumit 2006(32) PTC 112 (DEL), the Delhi High Court proceeded ex-parte against the defendant who admitted to pass a Herbal Data Base as that of plaintiff’s and violated the trade dress.
The Delhi High Court not only restrained the defendant by an order of permanent injunction from reproducing, communicating to the public, adopting, using or infringing in any other manner the plaintiff’s Copyright in the Herbal Data Base as well as each Herbal Write-up /Description that comprises the Herbal Data Base, but also awarded punitive damages to the extent of Rs. 8 lacs.

· In the recent case of, Daljit Titus, Advocate & Ors. V/s. Alfred A. Adevare & Ors. 2006(32) PTC 609 (DEL), the Delhi High Court protected the works done by the defendant in the plaintiff’s law firm as an employee of the firm for the benefit of clients of the plaintiff under their contract of service.

It observed that the defendants were free to carry on their profession, utilize the skills and information they had mentally retained, but restrained them from using the copied material of the plaintiff in which the plaintiff alone has a right. The defendants were also restrained to utilize the agreements, due diligence reports, list of clients and all such materials which came to their knowledge or have been developed during their relationship with the plaintiff.
The above case raise the issue of well drafted contracts before entering into any kind of relationship with the parties. It envisaged the need of the proper clauses to be drafted as to the dealing of Data, Computer Data Base while in relationship or at the termination of such agreements. Para 6.28 of P.Narayanan on Copyright and Industrial Design – (Third Edition) says that “Whenever an employee of a Solicitor firm drafts a document, the employer is the first owner of the Copyright document”, which means that to protect the Data, computer Data Bases of an organization, one needs to have good drafted contracts with an employee so that no dispute arises after the termination of service of an employee.

· In Burlington Home Shopping Pvt. Ltd. Vs. Rajnish Chibber, 1995 IVAD (Delhi) the highcourt of delhi observed that"Trade catalogues are generally compilations, and as such are capable of protection as literary works. On similar principles, a computer database, stored on tape, disk or by other electronic means, would also generally be a compilation and capable of protection as a literary work"

· In the recent case of Dr. Harsh Pathak vs Union of India & Ors. , a PIL filed by a lawyer in the supremecourt regarding unsolicited Phone calls, the apex court passed an interim order restricting cellular companies to make promotional calls.

CONCLUSION

The Information Technology Act, 2000 is not data or privacy protection legislation per

se. It does not lay down any specific data protection or privacy principles. The Information Technology Act, 2000 is a generic legislation, which articulates on range of

themes, like digital signatures, public key infrastructure, e-governance, cyber contraventions, cyber offences and confidentiality and privacy. It suffers from a one Act

syndrome. It would be erroneous to compare the Information Technology Act, 2000 provisions with the European Directive on Data Protection (EC/95/46), OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 1980, and the Safe Harbor principles of the US.

In fact the Information Technology Act, 2000 deals with the issue of data protection and

privacy in a piecemeal fashion. There is no an actual legal framework in the form of Data

Protection Authority, data quality and proportionality, data transparency etc. which properly addresses and covers data protection issues in accordance with the principles of the EU Directive, OECD Guidelines or Safe Harbor Principles. Accordingly, even if the new proposed amendments to the Information Technology Act, 2000 were adopted, India

would still lack a real legal framework for data protection and privacy.