1 / 21

Status of Data Protection Legislation in India

This article provides an overview of the existing legal framework for protecting personal data in India and discusses the need for data protection legislation. It also explores the attempts made to pass such legislation and the current status. The article concludes by highlighting the way forward for data protection in India.

jdana
Download Presentation

Status of Data Protection Legislation in India

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. India:an up-date on Data Protection Legislation byTejas Karia(BSL, LLM (LSE), Advocate, SolicitorAssociate, Amarchand & Mangaldas) Amarchand & Mangaldas & Suresh A. Shroff & Co.Solicitors & AdvocatesAmarchand Towers, 216 Okhla Industrial Estate, Phase - III New Delhi-110 020 India Tel: + (91 11) 2692 0500, 5159 0700 Fax: + (91 11) 2692 4900 e-mail: tejas.karia@amarchand.com 9th February 2006

  2. Status of Data Protection Legislation in India • The existing legal framework for protecting sensitive personal data. • Overview of the investment in India by other countries for handling personal data. • Need of Data Protection legislation in India. • Attempts for passing the legislation. • Present status. • Way forward …

  3. Existing Legal Framework • Information Technology Act, 2000 • Section 43: Penalty for download, copy or extract of data without permission of the owner of a computer etc. – not exceeding rupees ten million to the person affected. • Section 65: Punishment for tempering with Computer Source Code – imprisonment up to 3 years, or fine up to rupees 200,000, or both. • Structure of legal services in India is still at primary stage where sophisticated multilocational/multijurisdictional services rendered by very few • Disadvantage of dollar rupee inequality • Phased entry as was done in Singapore, China and the Asean region is required as otherwise cannibalisation of domestic practices is very likely

  4. Existing Legal Framework • Information Technology Act, 2000 • Section 66: Hacking - imprisonment up to three years, fine up to rupees 200,000, or both. • Section 72: Penalty for breach of confidentiality and privacy: unauthorised access to any electronic record, book, register, correspondence, information, document and disclosure of the same – imprisonment up to 2 years, or fine up to rupees 100,000, or both. • Structure of legal services in India is still at primary stage where sophisticated multilocational/multijurisdictional services rendered by very few • Disadvantage of dollar rupee inequality • Phased entry as was done in Singapore, China and the Asean region is required as otherwise cannibalisation of domestic practices is very likely

  5. Existing Legal Framework • Indian Contract Act, 1872: • Breach of Contract: Violation of terms of the contract or non-performance of the obligations. • Remedies: • Damages • Specific Performance • Structure of legal services in India is still at primary stage where sophisticated multilocational/multijurisdictional services rendered by very few • Disadvantage of dollar rupee inequality • Phased entry as was done in Singapore, China and the Asean region is required as otherwise cannibalisation of domestic practices is very likely

  6. Existing Legal Framework • Indian Penal Code, 1860: • Section 406: Criminal Breach of Trust: Imprisonment, which may extend to 3 years, or fine, or with both. • Section 420: Cheating: Imprisonment, which may extend to 7 years and a fine.

  7. Existing Legal Framework • Consumer Protection Act, 1986: • “Deficiency in Service”: complaint before consumer forum / commission. • Specific Relief Act, 1963: • Temporary and permanent injunctions against unauthorised disclosure of confidential information.

  8. Overview of Investment in India • India controls 65% of of the global market in software-code outsourcing and 46% in back-office outsourcing. • Indian software and services export was approximately $ 17.2 billion in 2004-05, as compared to $ 12.8 billion (an increase of 34%) • Outsourcing revenues are expected to reach $ 60 billion by 2010. • As per the Nasscom-Mckinsey survey, the export revenue from IT sector would add 7% to India’s GDP by 2010 along with creation of 8.8 million new jobs.

  9. Overview of Investment in India • IT solutions business in India is expected to grow at 25% to touch $ 35 billion in export revenues. • The BPO business would witness a CAGR of 37% to account $ 25 billion of the projected $ 60 billion. • According to Indian IT body – National Association of Software and Service Companies (“NASSCOM”), India could potentially accelerate the overall IT export by almost $ 15-20 billion by 2010 if it focuses on multi-dimensional innovation.

  10. Need for Data Protection Legislation in India • Absence of data protection and privacy law in India often cited as a strong reason for stopping the movement of call center and BPO work in India • Necessity for creating appropriate confidence among investors and foreign companies about safety and protection of personal data. • Adequate level of protection for allowing Safe Harbor for transfer of data from EU countries. • Unenforceability of contractual provisions regarding protection of data.

  11. Various attempts for passing Data Protection Legislation • Drafting of separate legislation. • Amendments to existing Information Technology Act. • Expert Committee on Cyber Law

  12. Various attempts for passing Data Protection Legislation • Drafting of separate legislation: • A separate and exclusive legislation embodying the Data Protection principles like other Countries. • EU model vs. US model • Stringent legislative protection vs. Self-Regulatory Organizations • Enforcement: statutory rights v. contractual rights • Safe Harbor Principles • Failure to enact separate legislation

  13. Various attempts for passing Data Protection Legislation • Amendments to existing Information Technology Act, 2000: • Insertion of definitions of: • Personal data, Data Controller, Data Processor, Data Subject, Processing etc. • Introduction of Chapter VIIIA for Data Protection • Provisions for reciprocity and exemptions • Guidelines on rights of Data Subjects and Minimum Security and Organisational Standards to be adopted by Data Controllers and Data Processors

  14. Various attempts for passing Data Protection Legislation • Expert Committee on Cyber Laws: • Appointed to suggest the amendments to Information Technology Act, 2000 • Minimal changes suggested to existing law for introducing the protection for handling sensitive personal data. • Introduction of concept of ‘sensitive personal data’ in existing Section 43: • Any body corporate, that owns or handles sensitive personal data or information in a computer resource, if found to be negligent in implementing and maintaining reasonable security practices and procedure – shall be liable to pay damages by way of compensation not exceeding rupees ten million to the person so affected.

  15. Various attempts for passing Data Protection Legislation • Expert Committee on Cyber Laws: • What is “reasonable security practices and procedures” ? • In the absence of a contract between the parties or any special law, such security practices and procedures as appropriate to the nature of the information to protect that information from unauthorised access, damage, use, modification, disclosure or impairment, as may be prescribed by the Central Government in consultation with self-regulatory bodies of the industries, if any. • “Sensitive personal data or information” – which is prescribed as “sensitive” by the Central Government in consultation with self-regulatory bodies of the industry, if any.

  16. Various attempts for passing Data Protection Legislation • Expert Committee on Cyber Laws: • Section 66: Definition of Hacking replaced by Computer related offences • Computer related offences are defined as: • If any person, dishonestly or fraudulently, without permission • accesses or secures access to such computer resource • Downloads, copies or extracts any data, computer data base or information from such computer resource including information or data held or stored in any removable storage medium • Denies or causes the denial of access to any person authorised to access any computer resource shall be punishable with imprisonment up to 1 year or a fine which may extend up to rupees 200,000 or with both.

  17. Various attempts for passing Data Protection Legislation • Expert Committee on Cyber Laws: • Computer related offences are defined as: • If any person, dishonestly or fraudulently, without permission • Introduces or causes to be introduced computer virus into computer resource; • Disrupts or causes disruption or impairment of electronic resources; • Charges the services by tampering with or manipulating any computer resources; • Provides assistance to any person to facilitate access to a computer resource in contravention of the provisions of the IT Act, 2000, rules, regulations made thereunder; • Damages or causes to be damaged any computer resource, date, computer database, or other programmes residing in such computer resource; shall be punishable with imprisonment up to 2 years or a fine which may extend up to rupees 500,000 or with both.

  18. Various attempts for passing Data Protection Legislation • Expert Committee on Cyber Laws: • Section 72: Breach of confidentiality and privacy: • Penalty increased to rupees 500,000 • Additional provisions for intermediaries • Intentional capturing and broadcasting images violating the privacy • Bar on jurisdiction of courts to take congnizance except upon complaint filed by the aggrieved person in writing before a Magistrate • Punishment: damages by way of compensation of rupees 2.5 million to the person so affected • Section 79: Exemption from liability of intermediary in certain cases.

  19. Present Status • No clarity on form of legislation. • Absence of any specific protection causes concern for trans-border flow of personal data. • Stray incidents of misuse of personal data by persons handling personal data. • The recommendations of Expert Committee likely to be placed before Parliament in February 2006 for amending the existing Information Technology Act, 2000. • No certaninity of enforcement mechanism.

  20. Way forward… • Need for comprehensive legislation on data protection in India. • At least the proposed amendments should capture all the aspects of data protection principles.

  21. THANK YOU

More Related