INTRODUCTION India, being one of the largest telecommunication sector and the outsourcing industry, the demand for the data protection increases every other day. The crimes relating to the computer data is very high as the internet does not create any barrier with regard to the physical boundaries. The computer data is facing a lot more resentment due to absence of proper legislative framework. Data Protection refers to the set of privacy laws, policies and procedures that aim to minimize intrusion into one‟s one‟s privacy caused by the collection, storage and dissemination of personal data. Personal data generally refers to the information or data which relate to a person who can be identified from that information or data whether collected by any Government or any private 1
organization or an agency.
In the current scenario, the data protection can be achieved through privacy rights in Indian Constitution and the Information Technology Act as well as through property rights in Copyright Act, 1957; Indian Contract Act, 1872 and the Indian Penal Code, 1860.
1
http://www.vaishlaw.com/article/information_technology_laws/data_protection_laws_in_india.pdf?articleid=10 0324
1
RIGHT TO PRIVACY UNDER INDIAN CONSTITUTION The Indian Constitution do not expressly grants the right to privacy but this can be inferred under Article 19 (Freedom of Speech and Expression); Article 21 (Right to Life and Personal Liberty) and Article 14 (Equality and Equal Protection of laws). But these rights are subject to reasonable restrictions given under Article 19(2) which can be imposed by the State. Judicial Activism has brought right to privacy within Article 21 which talks about Right to Life and Personal Liberty. Article 21 provides that “no person shall be deprived of his life or personal liberty except according to procedures established by law”. On the basis of this provision, the Supreme Court observed that “those who feel called upon to deprive other persons of their personal liberty in the discharge of what they conceive to be their duty must strictly and scrupulously observe the forms and rules of the law”. 2
The Supreme Court in Kharak Singh v State of UP observed that the right to privacy is an 3
essential ingredient of life and personal liberty. Similary PUCL v Union of India the Court observed that privacy is a part of life and personal liberty as enshrined in Article 21 and the said 4
right cannot be curtailed except by the procedure established by law. In Gobind v State of MP
the Supreme Court observed that “privacy-dignity “privacy-dignity claims deserve to be examined with care and to be denied only when an important countervailing interest is shown to be superior. If the Court does find that a claimed right is entitled to protection as a fundamental privacy right, a law infringing it must satisfy the compelling State interest test”. 5
The court however ruled in Malak singh v State of P & H , that while exercising surveillance over reputed bad characters, habitual offenders, and potential offenders the police should not encroach upon the privacy of a citizen so as to offend his rights under Article 21 and Article 19 (1) (d). Similarly, in Pooran Mal v Director of Inspection (Investigation) of Income Tax, New Delhi held that evidence collected by an illegal search cannot be excluded on ground of invasion of privacy because there is no specific fundamental right to privacy. This decision given by Supreme Court weakens the right to privacy because it allows the public authorities to obtain 2
AIR 1963 SC 1295 (1997) 1 SCC 301 4 (1975) 2 SCC 148 5 AIR 1981 SC760, 3
2
6
evidence illegally. In V.S Kuttan Pillai v Ramakrishnan , the court held that general warrant for searching and seizing listed documents would not entail invasion of privacy even if the search did not yield any result because of o f counter availing state interests. 7
It has been held in State of Punjab v. Baldev Singh that for a search of a person the safeguards provided Sec. 50 of the Code of Criminal Procedure are mandatorily to be followed. The invasion of a person has been given a protection through insistence on a procedural safeguard but the court has not ruled that evidence obtained in breach of Sec. 50 safeguards would be impermissible evidence. In R. Rajagopal v State of Tamil Nadu, the Court held that the petitioners have a right to publish what they allege to be the lifestory/ autobiography of Auto Shankar insofar as it appears from the public records, even without his consent or authorization. But if they go beyond b eyond that and publish his life story, they may be invading his right to privacy, then they will be liable for the consequences in accordance with law. Similarly, the State or its officials cannot prevent or restraint the said publication. It stated that “A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child bearing and education among other matters. None can publish anything concerning the above matters without his consent- whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages”. 8
In case of Peoples Union for Civil Liberties (PUCL) v. Union of India right to privacy of an electoral candidate was held not violated by publications of details of his criminal antecedents and/or his assets and liabilities. The right to be informed of the electorate was held superior to candidate‟s desire for secrecy. It has been held that a doctor‟s disclosure of a person‟s incurable physical ailment (HIV) to the relatives of the one to whom he was to get married was not violative of right to privacy. Doctor patient relationship, though basically commercial, is professionally; a matter of confidence and, therefore, doctors are morally and ethically bound to maintain confidentiality. In such a situation, public disclosure of even true private facts may amount to an invasion of the Right of Privacy 6
AIR 1980 SC 185 AIR 1999 SC 2378 8 AIR 2003 SC 2363 7
3
which may sometimes lead to the clash of one person's "right to be let alone" with another 9
person's right to be informed.
It was held that in divorce proceedings an order to undergo medical examination on strong grounds of necessity to establish a contention was held not invasive of right to privacy. Public 10
policy requirements was permitted to prevail over private interests. interests. 11
In District Registrar and Collector v. Canara Bank , the court struck down Sec. 73 of the Indian Stamp Act, 1899 as amended by the Andhra Pradesh Act (17 0f 1986) as permitting an overbroad invasion of private premises or the homes of persons in possession of documents in a power of search s earch as seizure s eizure without guidelines as to who and when and for what wh at reasons can be empowered to search and seize, and impound the documents. The court, however held that no right to privacy could be available for any matter which is part of public records including court records. Three inferences can be drawn from the above decision which is as a s follows:
Right to privacy exists and the unlawful invasion is punishable
Constitutional recognition exists for right to privacy
Right to privacy is not an absolute right.
9
X v. Hospital Z AIR 1999 SC 495 Sharda v. Dharmpal, AIR 2003 SC 3450 11 (2005)1 SCC 496 10
4
PROTECTION UNDER INFORMATION TECHNOLOGY ACT, 2000 The Chapter IX and XI of the Information Technology Act, 2000 provides for contraventions to unauthorized access to computer, computer system, computer network or resources, unauthorised alteration, deletion, addition, modification, alteration, destruction, duplication or transmission of 12
data, computer database, etc.
Section 43 of the IT Act, imposes a penalty of INR 10 million inter alia, for downloading data without consent. The same penalty would be imposed upon a person who, inter alia, introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network. Section 65 of the IT Act lays down that whoever knowingly or intentionally conceals, destroys, or alters any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to INR 200,000, or with both. Earlier, the IT Act under Section 66 defined the term hacking and provided penalty for the same. However, the term "hacking" has now been deleted by the introduction of the IT Amendment Act, 2008. The substituted Section 66 now reads as “If any person, dishonestly or fraudulently does any act referred to in Section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both”. Section 72 of the Act penalizes persons who have been given powers under the Act for breach of privacy and confidentiality. The Act reads as under: Any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record book, register, correspondence, information, document or other material to
12
http://ec.europa.eu/justice/policies/privacy/docs/studies/final_report_india_en.pdf http://ec.europa.eu/jus tice/policies/privacy/docs/studies/final_report_india_en.pdf
5
any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both. This is the only Section requiring the consent of the concerned person but, given its limited scope, it would be difficult to consider that it could provide a sufficient level of personal data 13
protection.
The Information Technology (Amendment) Act, 2008 has included provisions relating to the issue of data protection. Section 43-A of the Act deals with compensation for negligence in implementing and maintaining reasonable security practices and procedures in relation to 14
sensitive personal data or information. The provision runs as follows: “Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.” Section 72-A as introduced through the Information Technology (Amendment) Act, 2008 provides for the punishment for disclosure of information in breach of lawful contract. contract. Moreover, section 75 of the Act talks about extra- territorial jurisdiction. According to this Section, the provisions of the IT Act shall apply to any offence or contravention committed by any person irrespective of his nationality, provided the act or conduct constituting the offence or contravention involves a computer, computer system or computer network in India. Section 75 of the Act, addresses the issue of cyber crimes and not data protection. While when having a look at section 43A and 72A, it can be understood that the provisions do not talk about the territorial application. Thus, it can be easily concluded that when the sata is being transmitted outside India no protection as such is available. av ailable.
13
Ibid http://legalknowledgeportal.com/2013/06/24/data-privacy-and-protection-law-in-india-understanding-theregime/ 14
6
The provisions purportedly for „data protection‟ juts out as an ugly patch work on the Information Technology Act and does not offer any comprehensive protection to personal data in 15
India.
The Information Technology Amendment Act, 2008 has set the ball rolling in addressing the 16
lacuna of data protection laws in the country. But the above provisions do not meet the demand of data protection in present India. The Amendment Act does not confer extra-territorial jurisdiction in relation to data protection as compared to Data Protection Act of UK as well as HIPPA (Health Insurance Portability And Accountability Act Of 1996) in US. Moreover, the Information Technology Act, 2000 is a general legislation with the objective of legal recognition of transactions through electronic means and electronic filing of documents with the Government Agencies and not“DATA PROTECTION” legislation. Thus, it deals with 17
protection of data in a “piecemeal fashion” .
15
http://www.gala-marketlaw.com/77-gala-gazette/gala-gazette/261-india-data-protection-and-the-it-act-india http://cifo.in/uploads/Data-Protection-Law-in-India.pdf 17 http://www.gala-marketlaw.com/77-gala-gazette/gala-gazette/261-india-data-protection-and-the-it-act-india 16
7
DATA PROCESSING LAWS AND PROPERTY RIGHTS Article 300A provides that no person shall be deprived from his right to property except by the authority of law. But the main thing is that it can only be claimed against the state or against the entity of the state, so to avail this section one has to prove that the entity (if that is a person that he cannot be counted as an entity, it is only if the violation is done by some company or bank 18
and that too if government owed) is one of government. The
Copyright
Act,
1957
defines
literary
work
under
section
2(o)
as
follows:
„“literary work” includes computer programmes, tables and compilations including computer databases.” Moreover, Section 63B states that any person who knowingly make use of an infringing copy of a computer programme shall be punishable with imprisonment which shall not be less than seven days but which may extend to three years and fine which shall not be less than fifty thousand rupees but which may extend to two lakh rupees. It is important to note that the Copyright Act, 1957 protects computer databases and not data. However, it is difficult to bring out the difference between the database protection and data protection. The database protection includes computer database stored on tape, disk or other electronic means, would generally be a compilation and capable of protection as a literary work. 19
But data protection is aimed at protecting the informational privacy of individuals.
Similarly, Indian Penal Code, 1860 does not expressly provides a specific provision for data protection but can be used effectively for data theft. The punishment relating to theft and misappropriation are applicable to computer databases as they are moveable property. An alternative solution has also been provided by the Indian Contract Act, 1872. When a party is guilty of breach of contract, the party committing breach of contract is liable to pay compensation for loss or damage caused to the other party and the other party may claim specific performance of the contract against the party in default. Thus, the companies may include clauses relating to data protection and their privac y in their contracts.
18 19
http://www.lawteacher.net/business-law/essays/data-protection-laws-in-india-business-law-essay.php http://www.majmudarindia.com/pdf/Data%20Protection%20in%20India.pdf
8
As per Credit Information and Company Regulation Act, 2005, the credit information of the individuals has to be collected as per the privacy norms. This is the first Act which defines personal data and provides for security. The scope of this Act does not cover whole of data protection. Further even under the common law, the right privacy of individuals was recognised. If the information “has the necessary quality of confidence” or it was imparted in the circumstances that imported an obligation of confidence. Now, the conversion with a lawyer or a doctor will be 20
considered to have this quality of confidence, but a general conversation with a friend will not.
20
http://www.lawteacher.net/business-law/essays/data-protection-laws-in-india-business-law-essay.php
9
INDUSTRY INITIATIVE In India, the efforts at complying with the demands of adhering to privacy laws have originated mainly from the private sector rather than the Government. In the absence of a specific legislation, the Indian software and outsourcing industry has been taking initiatives on its own that would provide comfort to the foreign clients and vendors. The National Association of Service & Software Companies (“NASSCOM”) is India's national information technology trade group and has been the driving force behind many private sector efforts to improve data security. For example, NASSCOM has created a National Skills Registry which is a centralized database of employees of the IT services and BPO companies. This database is for verification (with independent background checks) of the human resources within the industry. Further, a self regulatory organisation has been launched which will establish, monitor and enforce privacy and data protection standards for India‟s business process outsourcing (“BPO”) industry. The organisation organisation has already completed its initial round of funding and the final rollout phase including industry membership is underway. Further, due to absence of any specific legislation on data protection BPOs have included selfregulatory bye-laws for data protection such as ISO 17799 standards to standardize the security of information. In addition, many of the BPOs are having certifications which comply with the Sarbanes Oxley Act, the Safe Harbor Act, the Gramm Leach Bliley Act for financial services, the Fair Debt Collection Practices Act for banking and the Healthcare Insurance Portability and Accountability Act for healthcare.
10
CONCLUSION If we compare the present stage of data processing laws in India with the countries of Europe and USA then we find that these countries are far ahead of India in this respect. Those countries have particular and comprehensive laws relating to data protection and privacy. There is one another thing which is to be noted that different type of data should be divided into different categories as per the utility and importance of data. So, we are required to frame a scheme that should be based on o n the categorical division d ivision of data as like USA, and even ev en in the UK, although there is no such categorical division but still some type t ype of data is defined as sensitive data; for the disclosure of this sensitive data. The provisions of the IT Act are basically or the destruction/extraction of data, there is great lack of comprehensive guidelines in this regard and the companies are required to rely on their private contracts, which process is in itself complex lengthy. There are no special provisions related to the privacy of an individual, only sec 72 deals with the violation of privacy, and that is confined only to those persons on whom the power is conferred by this act. Although there is one proposed Data Protection Bill, 2013 which deals with the collection use and disclosure of the personal data. Some of the provisions are taken from the European Directive on the Data Protection. In the act no category wise division of data was made, in this regard we have to take inspiration in spiration from US laws. So, a comprehensive data protection law is the need of the hour in India, although to follow the foreign law of either UK or USA in totality will not be a good option. We have to divide different type of data into different categories and then different degrees of protection should be provided to different type of data. But that should be contained in one act, not in different scattered pieces of legislation. We also required to prepare practical guidelines that what type of personal data d ata can be provided to others in specific circumstances, and what should not so there may not be complexities as like in the case of UK. If we go for the enactment of a comprehensive data protection laws then it would reduce the instances of data theft and more and more foreign companies and firms would be interested in growing their business in India; it would work like a boom to the sector of Information Technology in India.
11
BIBLIOGRAPHY 1. http://www.vaishlaw.com/article/information_technology_laws/data_protection_laws_in_ india.pdf?articleid=100324 2. http://uk.practicallaw.com/1-505-9607 3. http://www.majmudarindia.com/pdf/Data%20Protection%20in%20India.pdf 4. http://www.gala-marketlaw.com/77-gala-gazette/gala-gazette/261-india-data-protectionand-the-it-act-india 5. http://ptlb.in/clpic/wp-content/uploads/2014/01/Data-Protection-Laws-In-India-AndPrivacy-Rights-In-India.pdf 6. http://ec.europa.eu/justice/policies/privacy/docs/studies/final_report_india_en.pdf 7. http://www.ehcca.com/presentations/privacysymposium1/steinhoff_2b_h1.pdf 8. http://legalknowledgeportal.com/2013/06/24/data-privacy-and-protection-law-in-indiaunderstanding-the-regime/ 9. http://nopr.niscair.res.in/bitstream/123456789/3561/1/JIPR%2011(2)%20125-131.pdf 10. http://www.legalserviceindia.com/article/l368-Data-Protection-Law-In-India.html 11. http://www.lawteacher.net/business-law/essays/data-protection-laws-in-india-businesslaw-essay.php
12