With the spread of technology and e-commerce, the problems that accompany them are also increasing day by day. India itself has seen a tremendous rise in cyber crime, data theft and the like, and its cyber protection cells have recorded numerous instances of data theft in recent years. As the largest destination for data outsourcing, India needs an effective and well-formulated mechanism for dealing with these crimes. Data protection laws may be defined as the laws enacted to safeguard and protect personal data held on computer systems and the internet.

India has witnessed several high-profile data theft cases of late. One of the most prominent was the HSBC case, in which a former employee of HSBC, Europe's largest bank, committed a fraud that affected a large number of its customers. The theft not only caused harm to many of the bank's customers but also left a lasting question mark over the long-standing reputation and reliability of the bank.

Unlike the EU, India does not have a separate law designed exclusively for data protection. However, the courts have on numerous occasions read "data protection" into the right to privacy implicit in Articles 19 and 21 of the Constitution of India. Apart from this, the laws that presently touch on the subject are the Indian Contract Act, 1872 and the Information Technology Act, 2000. Section 43A of the Information Technology Act explicitly provides that "Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected."

Further, Section 72A ("Punishment for disclosure of information in breach of lawful contract") provides that "Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both."

It is apparent that neither section deals with data security directly: Section 43A attaches civil liability to negligence in security practices, and Section 72A punishes wrongful disclosure, but neither says what a body corporate must actually do to protect the data it holds. Prior to 2011, therefore, the law on data protection was vague and ambiguous, as no provision addressed the issue directly and explicitly.

In 2011, following the example of the European Union's stringent data protection regime, the Government of India also felt the need for such rules. Consequently, a new set of rules, the "Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011", was notified under the Act. The Rules contain provisions addressed to three groups: body corporates, information providers (the data subjects) and the Government. Their key features are as follows:

  • Rule 3 lists the categories of information treated as "sensitive personal data or information" under the Rules. It includes passwords, financial information such as bank account and credit or debit card details, medical records and history, and biometric information, among others.
  • Rule 4 casts a duty on the body corporate to publish a privacy policy for its handling of personal information and sensitive personal data, and requires that the policy be available on the body corporate's website. The policy must set out, for example, the types of personal data collected, the body corporate's practices, the purpose of collection, the provisions governing disclosure, and the security practices in place.
  • Rule 5 lays down the provisions governing the collection of information by the body corporate. The main clauses are as follows:
    1. The body corporate shall not collect sensitive personal data without obtaining the provider's consent in writing, by fax or by e-mail, regarding the purpose for which the data is being collected.
    2. Personal information or sensitive personal data shall not be collected unless it is for a lawful purpose connected with the body corporate's activity and the collection is necessary for that purpose.
    3. The provider shall be made aware of the fact that the information is being collected, its purpose, its intended recipients, and the agencies that will collect and retain it.
    4. The information collected shall be used only for the purpose for which it was collected and shall not be retained for longer than that purpose requires.
    5. The body corporate shall not, however, be responsible for the authenticity of the personal data or sensitive personal information supplied to it by the provider.
    6. The provider shall be given the option not to provide such information, as well as the option to withdraw consent already given at any later stage.
    7. The body corporate shall keep the data secure and shall designate a Grievance Officer, whose name and contact details are to be published on its website, to address any grievances within one month of receipt.
  • Rule 6 requires the body corporate to obtain the provider's prior consent before disclosing sensitive personal data to a third party, unless such disclosure was already agreed to in a contract between them. Such information may, however, be shared without prior consent with government agencies mandated under law, or with any other third party by an order under the law, and the recipient is then under a duty not to disclose it further.
  • Rule 8 clarifies that a body corporate is deemed to have complied with reasonable security practices if it has implemented, and documented, security practices and standards appropriate to the information it handles. Rule 8(2) names one such standard, the international standard IS/ISO/IEC 27001 on information security management systems. Any body corporate or agency following a code of best practice other than the one named in Rule 8(2) must have that code duly approved and notified by the Central Government. A body corporate or agency that has implemented either ISO/IEC 27001 or another standard duly approved by the Central Government is considered to have implemented reasonable security practices, provided that its compliance is audited at least once a year by an independent auditor approved by the Central Government.

The new Rules are therefore stricter than what went before, and the legislature has made an attempt to tighten its grip on the unchecked and negligent use of personal data by body corporates. It is time for them to review their privacy policies, security practices and consent procedures and bring them into line with the standards created by the Rules.

CONCLUSION

As discussed above, India is still struggling to enact effective and concrete legislation for data protection. New legislation dealing specifically with the protection of data and information held online is the need of the day. While drafting it, however, the legislature must be careful to maintain a balance between the interests of the general public and the need to tighten its grip on the rising rate of cyber crime.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.