India's privacy and data protection laws have come under the scanner once again after LinkedIn, the world's largest professional networking website, reported on May 17 that data stolen from it in 2012 were now being circulated online.
The data theft affects individuals with LinkedIn accounts prior to 2012 and who have not changed passwords for their accounts since.
Indian data protection laws have been the subject of much debate and concern in recent times with the advent of e-commerce platforms and cyber technology in the nation. Several high-profile cases of data theft, such as the HSBC Bank breach, have exposed glaring lacunae in the international data protection framework.
There are no specific data protection laws in India, unlike in the European Union and several other countries. The Indian data protection scheme, in its most basic form, has been interpreted to be enshrined in Articles 19 and 21 of the Constitution of India, under the broad head of the 'Right to Privacy'. In addition, the Indian Contract Act 1872, the Indian Copyright Act 1957 and the Information Technology Act 2000 (the Act) contain further provisions that address the issue of data protection in the country.
Section 43A of the Act provides for compensation to be paid by body corporates that have been negligent in implementation or maintenance of reasonable safety procedures for sensitive personal data, which have led to wrongful losses to the affected person or wrongful gains made by others.
Section 72A of the Act provides for punishment of persons (including intermediaries) for disclosure of information in breach of lawful contracts. According to the provision, any person who has secured access to personal information about another person and, knowing it to be likely to cause wrongful loss or wrongful gain, discloses such material in breach of a lawful contract and without the consent of the individual, shall be punished with imprisonment for up to three years and/or a fine of up to Rs 5 lakh.
Neither of the above provisions addresses data protection directly; both deal with the issue from a largely punitive angle. In 2011, the changing global data protection landscape necessitated further legislative advances, leading to the implementation of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011.
Rule 3 provides a list of 'sensitive data', which includes personal information such as passwords, financial information, sexual orientation, biometric information and medical history, as well as physical, physiological and mental health conditions.
Rule 4 casts a duty upon body corporates to provide for a privacy policy for sensitive data and requires the policy and all other necessary details to be made publicly available on their websites.
Rule 5 governs the scope of data collection by body corporates. It stipulates that body corporates shall not collect sensitive personal data without the consent of the individual concerned.
The rule mandates that the information acquired be used only for the purposes for which it was collected, and requires body corporates to inform data providers of such collection, usage and storage. Additionally, the rule prohibits retention of information beyond the period for which it is required, and directs body corporates to set up grievance redressal bodies to handle potential discrepancies.
Rule 6 requires body corporates to seek the consent of providers before disseminating sensitive data to third parties, but carves out exceptions for information sharing with government agencies and under orders of law.
Rule 8 clarifies that body corporates shall be considered to have complied with reasonable safety practices if they implement and document the prescribed standards. Rule 8(2) prescribes an ISO 27001 security standard, which is to be ordinarily maintained, but also allows for usage of other codes of practice, if approved by the central government.
In the latest attempt to further expand and consolidate data protection laws in the country, the government had drafted the Privacy (Protection) Bill 2013. The Bill envisaged stronger regulations for protection of personal data as well as prohibitive provisions against data theft and unlawful access. The Bill also contemplated procedural safeguards relating to collection, storage, transfer and disclosure of personal data.
Unfortunately, the Privacy Bill 2013 was not taken forward by the government and has yet to be tabled before Parliament for consideration. There exists a dire need for implementation of the features of the Bill as well as to formulate a web-based data protection policy to aid the current Indian situation and ensure personal and corporate stability in this dynamic arena. Any future introductions in the legislative space, though, must balance the access of data in the interests of the common public, while simultaneously tackling the ever-increasing instances of data theft and cyber crime in the nation.