DATA PROTECTION AND PRIVACY LAWS IN INDIA (copyright laws)
Consumer information that, in the past, would have been printed on paper and stored in locked file cabinets is now stored in digitized form on hard drives and in databases that can be accessed by intruders. With the increase in the use of the Internet and related services there has been a drastic increase in such data thefts: instead of entering a person's house or office, trespassers can now copy data files, tamper with data, delete data, insert destructive programs and hide evidence of their access, from anywhere in the world.
The loudest call for a law on data protection has come out of the fast-growing Business Process Outsourcing (BPO) industry in India. A significant amount of BPO work involves the handling of personal information about consumers who live in either the United States or the European Union. For instance, data transfers from Europe account for about 20% of the total data received under Business Process Outsourcing operations. However, the lack of a legal regime to regulate privacy and disclosure of data may be a significant barrier to a further increase in work being outsourced to India. This concern arises as Indian BPO companies and their employees become privy to the personal data of the clients and customers of outsourcers. Various jurisdictions like Canada, the European Union and the United States of America have incorporated data privacy and data protection laws into their legal systems. One of the most important needs of such societies is to ensure that the reciprocity principle with respect to data protection is complied with by the country to which the data is transferred.
Need for Data Protection Laws:
One sting operation carried out by a British news channel exposed the vulnerability of data security at Indian BPOs. India lacks adequate data protection laws to meet the requirements of international scenarios. In an economy driven by investor confidence and boosted by levels of FDI, establishing a stringent regime of protection laws that meets international standards is imperative. The many reasons that can be cited for the need to take urgent action in this regard are:
· Impact on Indian Business
BPO companies have faced some form of resistance or other from the US and Europe due to the absence of any data protection measures in the country. This can encourage the US and UK to stop outsourcing critical data-related processes to India. The work of BPO companies may also be hampered in the absence of any data protection measures in the country. Indian businesses usually do not download the data of these companies, but only have access to it. What India needs to put in place is a mechanism that will protect against the misuse of personal data that is in one's possession rather than misuse of data that is in one's ownership. The EU is an important market for Indian ITES as it accounts for around 20 per cent of India's ITES revenues; 70 per cent of the country's ITES revenues accrue from the US. ITES are expected to earn India around $1 billion this fiscal.
· Requirements of EU and US Law
Both EU and US law lay down stringent standards for the transfer of data to third countries, particularly where data protection mechanisms are considered to be insufficient. Article 25 of the European Union Data Protection Directive lays down the reciprocity principle in matters of data transfer and protection. By using such a provision, the Directive seeks to create a framework that protects individuals' personal information from misuse and abuse. Such a framework would be circumvented if no protection were available as soon as data leaves the territorial jurisdiction of the countries subject to the EU Data Protection Directive. As we have seen with the boom of BPO companies, more and more of such work is leaving the territory of the states in which the data originated. This provision in the EU Directive has prompted international concern about the future of global operations involving flows of personal data. In practice, it has created a situation that effectively imposes EU data protection standards in jurisdictions outside Europe.
· Shortcomings of the IT Act
In India, Section 43 (Penalty for damage to computer systems), Section 66 (Hacking with computer systems) and Section 72 (Breach of confidentiality and privacy) of the Information Technology Act, read with Section 408 (Criminal breach of trust), Section 468 (Forgery and cheating) and Section 420 (Cheating and dishonestly inducing delivery of property) of the Indian Penal Code, lay down the law in relation to data protection and privacy in India. But the main question in this context is whether these provisions are sufficient to deal with the offence and the practice thereof. In spite of these provisions, India still has to face criticism from an ignorant international community on the inadequacy of its laws. Additionally, there are other issues, such as employee fraud, which cannot be tackled except with a multifaceted approach to information security in BPOs. Thus there is a pressing need for adequate data protection and privacy laws in India to meet international obligations, to protect the Indian BPO sector, and to check and control the data thefts and frauds occurring on a regular scale in India.
Exploring the Options for a Data Protection Law
All this points to one fact: there is an urgent need for data protection and privacy laws in India. Three broad options are available for creating and strengthening the existing legal framework relating to data protection in India. Firstly, like the countries of the European Union, India can enact new legislation to deal with data protection. Secondly, India may opt to amend an existing law, such as the Information Technology Act, which already contains some provisions relating to the revealing of electronic information. The IT Act, 2000 is aimed at providing a comprehensive regulatory environment for electronic commerce. The advantage of such a move is that the existing administrative mechanisms contemplated under the Information Technology Act can be used to administer data protection as well. Thirdly, India may also choose to enter into bilateral or multilateral agreements, like the US 'Safe Harbour' regulations, with countries that are its major business partners in the field of outsourcing. The first method seems to have found favour with the Indian government. In fact, a law on data privacy has been in the offing for quite some time. The National Task Force on IT and Software Development, established by the Prime Minister's Office in May 1998, submitted an "IT Action Plan" to Prime Minister Vajpayee in July 1998, calling for the creation of a "National Policy on Information Security, Privacy and Data Protection Act for handling of computerized data." It examined the UK Data Protection Act as a model and recommended a number of cyber laws, including ones on privacy and encryption. A bill is being drafted jointly by the Department of Information Technology and the National Association of Software and Service Companies (NASSCOM). The aim is to allow India to be officially designated by the European Commission as a country that can be assumed to ensure an adequate level of protection.
This would clear the path for any data processing operations involving personal data originated in the EU to be carried out by India-established companies, as they would have to meet the same requirements as EU-based companies.
Data protection Law in India with special reference to the BPO Sector:
India is the preferred destination for offshore Business Process Outsourcing (BPO). A large number of corporations have started outsourcing their non-core functions, such as human resource management and customer relationship management, to third parties so that they can focus on their core activities and reduce costs. Among the countries providing offshore outsourcing, India has an extremely advantageous position due to its low cost structure and large pool of skilled English-speaking manpower. The issue of data protection arises in respect of confidential data and other private information collected by Information Technology Enabled Services (ITES) providers. While the European Union and the United States have stringent data protection regulations, India sadly has not adapted to the changing needs of the times and does not have a comprehensive data protection regime. All that one may find is a couple of provisions relating to privacy in the Indian Constitution and a few sections in the Information Technology Act, 2000. In the BPO industry, the service provider is likely to have access to the personal and confidential data of its customers' clients, and therefore it is the duty of the service provider to protect the data of its customers. Before analyzing the law on the subject, it would be relevant to examine the kinds of data thefts which have happened in India:
· Pune Citibank Mphasis Call Centre Fraud
The case involved a fraud of US $3,50,000: funds from the accounts of four US customers were dishonestly transferred to bogus accounts. Some employees gained the confidence of the customers and obtained their PINs to commit the fraud. They got these under the guise of helping the customers out of difficult situations. The highest security prevails in call centres in India, as they know that otherwise they will lose their business. This was not so much a breach of security as social engineering. All accounts were opened in Pune, and the customers complained that the money from their accounts had been transferred to Pune accounts; that is how the criminals were traced. The police have been able to prove the honesty of the call centre and have frozen the accounts to which the money was transferred. This will give a lot of ammunition to those lobbying against outsourcing in the US.
India saw its first cybercrime conviction recently. The case involved theft by a call-centre employee, Arif Azim, in Noida. The website www.sony-sambandh.com provided non-resident Indians with an e-shopping facility for the delivery of goods in India. In this case the website's employees received an order for certain commodities; the necessary credit card details were also given, and the product was delivered accordingly. One month after the transaction it was revealed that Arif Azim, who was working in a call centre in Noida, had carried out the unauthorized transaction using the credit card number of an American customer of the call centre.
· Infinity eSearch BPO case:
The Gurgaon BPO fraud has created an embarrassing situation for Infinity eSearch. A British newspaper reported that one of its undercover reporters had purchased the personal information of 1,000 British customers from an Indian call-centre employee. However, the employee of Infinity eSearch, a New Delhi-based web designing company, who was reportedly involved in the case, has denied any wrongdoing.
Such instances of data theft and fraud, like the fraud at Msource, the BPO unit of Mphasis, and the HSBC data theft case, have attracted worldwide attention and become a major cause for concern among industry players and associations in India. These are a few instances which have brought out the inefficiency and weakness of the Indian BPO sector.
Information Technology Act, 2000 and its shortcomings
The term "data" has been defined under Section 2(c) of the Act, which in explicit terms includes the data handled by BPOs. Further, Sections 43, 66 and 72 of the Information Technology Act, which lay down provisions in relation to data theft and privacy, can be analyzed.
· Section 43 of the Information Technology Act:
The Section covers aspects of data theft, but only in very general terms; it fails to distinguish sensitive personal data from data in general. The Section does not lay an obligation on the corporate entity possessing sensitive data to protect it. Further, the heading of the Section lays down a penalty for damage to a computer, computer system, etc., and the Section concentrates on access to computers, introduction of viruses, etc.; reading the whole Section together, one cannot conclude that it intends to protect data adequately, and especially the personal data of customers.
· Section 66 of the Information Technology Act:
Section 66 of the Act covers the law on data protection, and such cases can be brought under the Section, but unfortunately it fails to address the concept of data theft. The following illustration will make the point clear: if a sensitive personal e-mail is saved on a computer and any person accesses the said document, the value of the information is completely lost, and this will make the party liable under this provision. The provision only provides a proxy law for data protection and privacy.
· Section 72 of the Information Technology Act:
This Section contains provisions in relation to access to documents, records, etc. and disclosure of the information to others. It is the only Section requiring the consent of the person concerned, but, given its limited scope, it would be difficult to consider that it could provide a sufficient level of personal data protection. Indeed, this Section confines itself to the acts and omissions of those persons who have been conferred powers under the Act, rules or regulations made thereunder. These authorities are:
· The Controller of Certifying Authorities,
· The Deputy and Assistant Controllers of Certifying Authorities,
· Licensed Certifying Authorities,
· The Adjudicating Officer,
· The Presiding Officer of the Cyber Appellate Tribunal,
· The Registrar of the Cyber Appellate Tribunal,
· Network Service Provider, and
· Police Officer (Deputy Superintendent of Police).
Since the Act has only conferred powers to these authorities, the number of ‘data controllers’ having duties is rather limited.
Mechanisms adopted by BPOs in India to ensure data protection and privacy:
The many steps taken by BPOs to provide more data protection are:
2. The companies are entering into ad hoc contracts in order to meet their international obligations. Apart from contracts, companies ensure they meet their international obligations and comply with international standards and mechanisms like:
· BS7799, ISO 17799 - security standards,
· BS15000, ITSM - standards for good corporate governance, and
· Certain upcoming standards like COPC - for call centres and BPOs, and CISP - for holders of credit card related information, etc.
3. Companies have also developed various technological mechanisms, like the security product 'e-Secure', aimed at filling the existing gap of security vulnerabilities in the business process outsourcing (BPO) industry.
4. The National Association of Software and Service Companies (NASSCOM) is in the process of setting up the Data Security Council of India (DSCI) as a Self Regulatory Organization (SRO) to establish, popularize, monitor and enforce privacy and data protection standards for India's ITES-BPO industry.
5. The Government is planning to amend the Information Technology Act in line with the recommendations of NASSCOM. The Information Technology Bill, 2006 was introduced in Parliament on December 15, 2006. The following are a few amendments suggested to the Information Technology Act:
· Section 43(2) is proposed to be added to the existing section; it states as follows: "If any body corporate, that owns or handles sensitive personal data or information in a computer resource that it owns or operates, is found to have been negligent in implementing and maintaining reasonable security practices and procedures, it shall be liable to pay damages by way of compensation not exceeding Rs. 1 crore to the person so affected." Further, the Explanation to the provision defines the terms "reasonable security practices and procedures" and "sensitive personal data." Thus the proposed amendment will ensure data protection and, further, privacy of information. Proposed Section 43(2) provides a basis for liability if a body corporate does not implement reasonable security measures to protect sensitive personal information that it owns or handles using its computer resources. This liability accrues on the suit of a person who is affected by the body corporate's inadequate security practices and procedures.
· Section 66 is proposed to be amended to lay down clear provisions in relation to computer related offences, a further improvement on the existing legislation; the use of the words "dishonestly", "fraudulently" or "without permission" definitely lays down greater liability and thereby enlarges the scope of the legislation. The language of Section 66 relating to computer related offences has been revised to be in line with Section 43 relating to penalty for damage to computer resources. But unfortunately the provision fails to cover completely the offences related to data protection and privacy and is targeted more towards computer related offences.
· Section 72(2) Breach of confidentiality and privacy: Section 72(2) is proposed to be added, and it clearly lays down an obligation on intermediaries for violation of an individual's privacy and confidentiality. The provision states as follows: "Save as otherwise provided under this Act, if any intermediary who by virtue of any subscriber availing his services has secured access to any material or other information relating to such subscriber, discloses such information or material to any other person, without the consent of such subscriber and with intent to cause injury to him, such intermediary shall be liable to pay damages by way of compensation not exceeding Rs. 25 lakhs to the subscriber so affected."
At the outset it must be noted that the Indian Constitution does not expressly recognize the right to privacy. However, the Supreme Court has held that there is a right of privacy implicit in Article 21 of the Constitution. It must further be noticed that judicial pronouncements have generally dealt with privacy in the context of police surveillance. However, Internet Service Providers are barred from violating the privacy rights of their subscribers by virtue of the licence to operate granted to them by the Department of Telecommunications. There is no clear law (i.e. a general data protection law) regarding the privacy of personal information and details.
The above-mentioned are a few amendments to the provisions of the Information Technology Act in relation to data protection and privacy. But unfortunately these provisions fail to cover data protection and privacy as contemplated under other jurisdictions, and the government needs to reconsider these amendments. The best course would be to have separate legislation ensuring data protection and privacy in India. The only reason for amending the Information Technology Act is that the amendment procedure is easier than coming out with a new Act on the subject. The proposed amendments, especially Sections 43(2) and 72(2), are an attempt to cover data protection and privacy, but these again act only as a temporary solution to the problem. The government needs to come out with a comprehensive law on the subject.
In furtherance of the protection of an individual's privacy rights, there is the Personal Data Protection Bill. In our country, at present, there is no law on the protection of personal information and data of an individual collected by various organizations. As a result, many a time personal information of an individual collected for a particular purpose is misused for other purposes as well, primarily for direct marketing without the consent of the individual. The personal data of an individual collected by an organization is at times sold to other organizations for a paltry sum in connivance with the employees of the organization. These organizations, in the competition to outdo each other, intrude into the privacy of individuals by making direct marketing calls. There has to be some internal confidentiality standard within the system so that personal information of an individual is not transferred to others, which, at times, causes a lot of distress and embarrassment. Accordingly, there is a need to have a law in our country also for the protection of personal information, to ensure that personal information of an individual collected for a particular purpose is used for that purpose only and is not revealed to others for commercial or other purposes. For the above-said purpose, the Data Protection Bill has been pending before the Rajya Sabha, to provide for the protection of personal data and information of an individual collected for a particular purpose by one organization, to prevent its usage by other organizations for commercial or other purposes, to entitle the individual to claim compensation or damages for the disclosure of personal data or information of any individual without his consent, and for matters connected therewith or incidental thereto.
The Bill contains provisions in relation to the consent of the person before disclosing any personal information, the circumstances in which personal data can be disclosed in the public interest, the appointment of a Controller of Data Collectors, etc. Such a law needs to be properly implemented; it would act in a positive way to protect the privacy and data protection rights of the individual.
Conclusion and Suggestions:
With the growing advent of e-commerce, the absence of data privacy and protection laws is definitely unsuited to the environment. With the growth of the Indian BPO sector, one of the major constraints faced by it is the inadequacy of laws, and with the increase in the number of frauds it is pertinent for the government to give serious thought to the sector and bring adequate legislation on the subject-matter. The Government has proposed amendments to the Information Technology Act, but unfortunately these proposed provisions fail to satisfy the needs of the BPO sector. The provisions try to cover the subject-matter, but unfortunately they can only be regarded as proxy laws. The Government needs to reconsider the amendments and come up with substantial law on the subject.
In the present facts and circumstances, the proposed amendments must address the following issues:
· Law of Confidence:
One of the major issues involved in the BPO sector is the maintenance of the confidential information of customers. The present law on the subject-matter fails to address this issue. The proposed amendment to the Information Technology Act adding Section 72(2) also fails to address the issue, as the applicability of the section is limited only to Internet Service Providers. It fails to cover the organizations and individuals to whom the data is entrusted. Thus the new law must ensure that the issue is properly addressed, ensuring the privacy of customers' data held by BPOs and fixing penal liability for breach of confidence.
· Types of Information which may be protected:
The law on the subject-matter must clearly lay down the type of information which deserves protection in the BPO setup. In the proposed amendment to the Information Technology Act, the Explanation to Section 43 deals with the term "sensitive personal data", but unfortunately the law does not contemplate and address the subject-matter in clear terms. If, for example, an employee working in a BPO shifts his job and possesses the personal information of all the customers of the former company, such information is liable to be protected. But the employee can always claim that the information has become part of his own skill and knowledge. Therefore it is very important that the law be clear on this matter and lay down precisely which information is protected by the legislature.
· Amendments to Criminal Law:
Section 463 of the Indian Penal Code, which contains the definition of the term 'theft', must be defined broadly enough to include theft in relation to data, so that it can support the penal provisions laid down under Section 43 of the Information Technology Act.
The above-mentioned are a few recommendations on points to be considered while drafting a new law or amending the existing Information Technology Act in relation to data privacy and protection.
The BPO sector is one of the major growing sectors in India, and it is necessary that the government enforce adequate mechanisms to ensure the further progress and development of the sector. In the meantime, the BPO industry should on its own develop adequate mechanisms to meet the basic requirements laid down in other jurisdictions. BPO sector employees must be given adequate training to handle the personal data of customers. There should be adequate terms in employment contracts ensuring that there is no misuse of the data by employees.
Ultimately it may be concluded that improved data privacy and data protection regulation is the need of the hour, and it is in the interest of the development of the IT sector that there be adequate laws on the subject-matter, thereby enabling India to meet its international obligations.
Rodney Ryder, Dealing with the EU?, http://www.pcquest.com/content/businesscomputing/2004/104010502.asp
UK to investigate allegations against Indian Call Centers: www.indianraj.com (October 7 2006)
Vivek Kathpalia & Vaibhav Parikh, India under Pressure to Enact a Data Protection Law, http://www.nishithdesai.com/eco-times/India_under_pressure-Apr-11-2004.htm
Conference on legal aspects of Outsourcing, Consilience 2004.
India Has A Robust Data Protection Law, as given on www.navi.org, on June 24 2005, visited on May 23 2008.
 Information Technology Act 2000, No. 21 of 2000. http://www.mit.gov.in/it-bill.htm
 Chapter X of the Act creates an Appellate tribunal to oversee adjudication of cyber crimes such as damage to computer systems (Section 43) and breach of confidentiality (Section 72). See also Orijit Das, “Networking Web Caching: Detouring the Access,” Computers Today, June 15, 2000.
 The principles on the basis of which America exports data are called the Safe Harbour Principles. These principles are in operation between the EU and the United States. The EU-U.S. Safe Harbour agreement seeks to bridge the gap between the top-down European data protection regime and the more decentralized U.S. approach. The Safe Harbour became effective on November 1, 2000
 National Task Force on IT & SD, Basic Background Report, 9th June 1998. <http://it-taskforce.nic.in/it-taskforce/bg.htm>
 Eduardo Ustaran, Destination India, (October 2003) available at www.blp-dataprotection.com. However, the EU’s procedure to determine whether a third country is safe from a data protection perspective is rather cumbersome and bureaucratic, and involves several stages of opinions and approvals.
This is a case of data theft and misuse of confidential information to transfer money illegally from customer accounts at HSBC's captive unit, HSBC Electronic Data Processing India Pvt Ltd (HDPI), in Bangalore. An employee was arrested for accessing personal, security and debit card information of some of its UK customers and passing it on to co-fraudsters for conducting fraudulent transactions through ATM and telephone banking services.
 "data" means a representation of information, knowledge, facts, concepts or instruction which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.
The Section may be summarized as follows:
If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network,
(a) accesses or secures access to such computer, computer system or computer network;
(b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
(c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;
 Section 72 of the Information Technology Act states as follows, Any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made there under, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.
The Data Protection Regime in India - Need for an overhaul - Archana Vaidynath, Corporate Law Reporter, journal, pg. 35.
New Security Tools for BPOs, as reported in the Business Line on Dec 15 2005. The purpose of eSecure is to empower and facilitate call centres and the BPO industry to meet the challenges of data protection and privacy of customer information by providing continuous and proactive security assurance at a cost amounting to about Rs 4,200-8,000 per month depending on the size and number of locations of the call centre.
NASSCOM is the premier trade body and chamber of commerce of the IT-BPO industry in India, whose aim is to maintain India's leadership position in the global offshore IT-BPO industry, to grow the market by enabling industry to tap into emerging opportunity areas and to strengthen the domestic market in India.
Section 66 stands as follows:
Computer related offences:
(a) If any person, dishonestly or fraudulently, without permission of the owner or of any other person who is in charge of a computer resource,
accesses or secures access to such computer resource; downloads, copies or extracts any data, computer data base or information from such computer resource including information or data held or stored in any removable storage medium; denies or causes the denial of access to any person authorized to access any computer resource;
he shall be punishable with imprisonment up to one year or a fine which may extend up to two lakhs or with both;
(b) If any person, dishonestly or fraudulently, without permission of the owner or of any other person who is in charge of a computer resource,
introduces or causes to be introduced any computer contaminant or computer virus into any computer resource; disrupts or causes disruption or impairment of electronic resource; charges the services availed of by a person to the account of another person by tampering with or manipulating any computer resource; provides any assistance to any person to facilitate access to a computer resource in contravention of the provisions of this Act, rules or regulations made thereunder; damages or causes to be damaged any computer resource, data, computer database, or other programmes residing in such computer resource;
he shall be punishable with imprisonment up to two years or a fine which may extend up to five lakhs or with both;
Further, Explanations of the terms 'dishonestly', 'fraudulently' and 'without the permission of the owner' have been provided in the amending Section.
 Art. 21 reads “No person shall be deprived of his life or personal liberty except according to procedure established by law”. Kharak Singh v. State of UP, 1 SCR 332 (1964); Also Mr. R.C. Jain, National Human Rights Commission, India.
 Orijit Das, “Networking Web Caching: Detouring the Access,” Computers Today, June 15, 2000
As reported in www.rajyasabha.nic.in/bills-ls-rs/2006/XCI_2006.pdf
Explanation (vi) to Section 43 of the proposed amendment to the Information Technology Act states: "Sensitive personal data or information" means such personal information as is prescribed as "sensitive" by the Central Government in consultation with the self-regulatory bodies of the industry, if any.