
Wednesday, June 29, 2005

Data theft, the Indian legal position (a primer)

A good primer article on the state of Indian Laws concerning BPOs, data theft etc. Some glaring flaws are evident, but this story is a decent starting point for anyone interested in examining laws of India on data privacy and sharing.

A suitable law is not ready as yet

Incorporate issues under contractual, IT and criminal legislations

CHETAN NAGENDRA
Posted online: Tuesday, June 28, 2005 at 0006 hours IST

The issue at hand is the state of readiness of the Indian legal framework in coping with the increasing multitude of data security and privacy threats. Though there is no specific data protection statute in India, the existing legal framework can be utilised for data security and privacy.

In India, the Indian Contract Act, 1872, and the Specific Relief Act, 1963, provide the framework for legal agreements. Agreements may be used to contractually enforce data security. Almost all entities outsourcing to third party outfits in India prefer to do so within a contractual framework, employing a combination of strict confidentiality and non-disclosure agreements. Most outsourcing entities (OEs) enter into service-level agreements (SLAs) to ensure prescribed quality levels by the service provider (SP). SLAs often prescribe monetary damages and proffer at-will agreement termination clauses that try to ensure SPs adhere strictly to data security and privacy norms.

The Contract Act recognises a contract as a civil obligation, non-compliance of which may lead to compensatory, not penal, damages. While courts are loath to enforce large sums of liquidated damages or unlimited penalties, reasonable compensation for loss or damage, as laid down by the parties in the contract, is usually enforceable. Consequential damages, if detailed in the contract, are required to be reasonably computed. Penalties in the form of higher interest rate computations in the event of default are usually disregarded or recomputed by the court at reasonable rates.

OEs may also utilise the Specific Relief Act. This is particularly useful to enforce provisions in outsourcing contracts against SPs. For example, in the event the latter is required to destroy all traces of data imported post-processing and neglects to do so, the OE may sue for specific performance to ensure compliance under the contract.

OEs may also resort to other remedies, in the form of temporary/permanent injunctions restraining SPs, in the face of imminent data security or privacy threats by the latter.

OEs also favour shifting jurisdiction and governing law of the outsourcing contract to more favourable locations than India. For example, some plaintiff-friendly US states do not recognise limitation of liability clauses on the part of SPs. Therefore, the tab for non-compliance of contracts containing such clauses can be heavy on Indian SPs. On the other hand, there is a practical difficulty in enforcing such decrees by foreign courts in India. Enforcement of foreign decrees will require a fresh application before Indian courts, if those were awarded by courts in territories not considered reciprocal for this purpose (such as the US).

Utilising a contractual framework for protecting data and ensuring privacy is an effective choice for OEs interested in outsourcing data that requires high-level legal compliance. Examples are medical histories of patients, processing of financial information requiring utilisation of personally identifiable information, like social security numbers, or areas prone to identity theft, like credit card transaction processing. However, approaching the courts here may mean a long battle, due to the backlog of prior litigation. OEs should, instead, opt for other means of dispute resolution, such as arbitration.

The IT Act has several provisions on data security and privacy. Some of the penal provisions include Section 43 (penalty for damage to computer, computer system, etc), Section 65 (tampering with computer source documents) and Section 66 (hacking with computer system). Most prosecutions under the Act commence under these provisions.

It has been reported that an expert committee, constituted for an in-depth review, favours widening the ambit of computer offences in the wake of rapid technological advancements. Although there is no lack of statutory support for prosecuting crimes within the Act’s ambit, there is a distinct lack of sensitisation of the police. For instance, a CEO of a reputed online auction company was arrested for an arguable offence under Section 67 (publishing of obscene information in electronic form). The enforcing authority’s policy seems to be to act first and review at leisure.

The fundamental rights enshrined in Article 19 (the right to freedom of speech and expression of an individual) of the Constitution come closest to protecting an individual’s privacy and his freedom of expression. The two rights are two sides of the same coin. One person’s right to know and be informed may violate another’s right to be left alone.

Though the Constitution and interpreted case laws enumerate upon the rights of privacy, speech and expression to be enjoyed by citizens, these may be invoked only in disputes between a citizen and the state.

As for criminal law, the possibilities of prosecution of offences emanating from actual breach of data security and privacy under the Indian Penal Code, 1860, are bleak. For instance, forgery, cheating or criminal breach of trust have been interpreted as offences against corporeal property. However, ‘data’, being incorporeal, may not fall within the interpretation of ‘property’ under the IPC.

In sum, the current legal system does not provide a strong legal framework for companies willing to outsource work here. A new data security and privacy statute is proposed to be enacted shortly. It will need to incorporate various issues under the contractual, IT and criminal law frameworks. Unless the legal regime is made to suit new types of threats against privacy and confidentiality, and unless such a regime is implemented effectively, India’s position as an important outsourcing destination may be threatened.

The writer is an associate at Amarchand Mangaldas

1 Comment:

Anonymous said...

ANOTHER CHANCE TO RAISE HUE AND CRY

The missing of tapes containing banking details may give another chance to raise another hue and cry regarding “inadequate Data Protection law” in the country losing the tapes.
See http://news.zdnet.co.uk/hardware/storage/0,39020366,39208014,00.htm for details.

The same happened a few days back in India that led to the starting of the “legislative process” in India though it was not needed at all.

The following articles will give a clear picture of the existence of the Data Protection Law in India:

(1) The existence of the Data Protection laws in India- http://perry4law.blogspot.com/2005/05/mandates-of-wto.html

(2) The need to satisfy the requirements of Constitution of India- http://perry4law.blogspot.com/2005/05/data-protection-law-in-india.html

(3) The Privacy and Data rights of netizens- http://perry4law.blogspot.com/2005/06/privacy-and-data-rights-of-netizens.html

(4) The need and manner of Data Protection- http://perry4law.blogspot.com/2005/06/needs-and-modes-of-data-pr_111773529833410003.html

It is surprising that despite the proven fact of "sufficient Data Protection Law" in India, we are facing the tremendous pressure of foreign countries.

The proposed change in the Information Technology Act, 2000 for conferring data protection or its separate enactment is not only unwarranted but is equally based on misinterpretation of the provisions of the Indian Copyright Act, 1957 and the TRIPS Agreement.

The concerns and apprehensions of the MNCs are far-fetched and unwarranted. The TRIPS Agreement and the Copyright Act, 1957 provide sufficient safeguards for preventing violations of databases of MNCs. The data, information and details provided by the MNCs will get the protection of “Data Property” if the same involves intellectual creations within the meaning of Article 10(2) of the TRIPS Agreement. If they fail to satisfy the requirement of Article 10(2), still they will be protected as copyright. The brightest and the positive aspect of this situation is that even non-data items are also protected, both under the TRIPS Agreement and the Copyright Act, 1957. Thus, the MNCs should concentrate on their “business initiatives” rather than wasting their resources and time on unnecessary concerns.
(See http://perry4law.blogspot.com/2005/05/mandates-of-wto.html for more details).

It must be appreciated that it is not the “enactment” of a law but the desire, will and efforts to accept and enforce it in its true letter and spirit, which can confer the strongest, most secure and safest protection for any purpose. The enforcement of these rights requires a “qualitative effort” and not a “quantitative effort”. The “enforcement” problem cannot be “bypassed” and “labeled” as inadequacy of data protection laws in India. For instance, if we do not enforce the provisions of Copyright Act, 1957 or the Trade Marks Act, 1999, properly, then we can again argue that these Acts need to be amended to accommodate the wishes of MNCs. Any objection of lack of data protection laws in India is raised only due to the ignorance of the availability of data protection laws in India.

India has a sound cyber law regime and both paper based and electronic form data can be effectively and legally protected in India. Any objection regarding “insufficient” cyber law or Data protection law is only a misconception and ignorance of law in this regard.

It seems the difference between “Data protection laws” and their “enforcement” is not clear to the persons agitating against insufficient data protection laws in India. India has sufficient data protection laws and these laws only require sound techno-legal enforcement.

Let us hope the same hue and cry will not be raised this time that may ultimately result in the wastage of valuable time, money and resources.

Disagreeing, with due respect and regard, with the abovementioned reasoned and learned opinion and respecting the right to speech and expression of the learned author.

Praveen Dalal
Arbitrator, Consultant and Advocate
Delhi High Court
Tele No: 9899169611
E-mail: pd37@rediffmail.com

11:44 PM  
