
The Information Technology Amendment Act, 2008 has set the ball rolling in addressing the lacuna
of data protection laws in the country. The provisions are, however, not adequate to meet the needs of
corporate India. This article analyzes the protection accorded to data and information residing in
computer systems in the country.

Data Protection Law in India


Shojan Jacob


Data is defined as unprocessed information. Information, on the other hand, is defined as data that
has been organized and communicated in a coherent and meaningful manner. Data is converted into
information, and information is converted into knowledge.

In the cyber world all such information is stored in computers. The information may include
financial details, health information, business proposals, intellectual property and other sensitive data. Until
recently there was no specific provision to address the issue of data protection. However, the IT
Amendment Act, 2008 has set the ball rolling in addressing this issue.

The IT Act, 2000 and the 2008 Amendment

The Government had, in the year 2006, introduced a separate Bill called the Personal Protection Act to
specifically address the issue of data protection. However, the Act has not seen the light of day.
The issue of data protection has now instead been addressed in the IT Amendment Act, 2008 through
Sections 43A and 72A.

Section 43A reads as follows:

Compensation for failure to protect data

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in
a computer resource which it owns, controls or operates, is negligent in implementing and maintaining
reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to
any person, such body corporate shall be liable to pay damages by way of compensation, to the
person so affected.

Explanation: For the purposes of this section

(i) body corporate means any company and includes a firm, sole proprietorship or other association of
individuals engaged in commercial or professional activities

(ii) reasonable security practices and procedures means security practices and procedures designed
to protect such information from unauthorised access, damage, use, modification, disclosure or
impairment, as may be specified in an agreement between the parties or as may be specified in any
law for the time being in force and in the absence of such agreement or any law, such reasonable
security practices and procedures, as may be prescribed by the Central Government in consultation
with such professional bodies or associations as it may deem fit.

(iii) sensitive personal data or information means such personal information as may be prescribed by
the Central Government in consultation with such professional bodies or associations as it may deem
fit.

Reasonable security practices and procedures

The IT Act now requires corporates to maintain reasonable security practices and procedures for
sensitive personal data or information, but does not define the phrase "reasonable security practices
and procedures". As understood from the section, reasonable security practices and procedures are to
be determined in the following order:

- As defined between the parties by mutual agreement or

- As specified in any law for the time being in force or

- To be specified by the Central Government in consultation with such professional bodies or
associations as it may deem fit.

However, to date there is no law specifying security practices, nor has the Central Government defined
the security practices to be implemented in order to secure vital data.

In the absence of such defined security practices and procedures, it is open to the parties to enter into
agreements and lay down their own methods of protecting their sensitive information. Section 43A not
only provides the freedom to do so but also penalizes any breach of such contractual obligations.
Thus, until a framework of security practices is defined, companies can enter into their own contracts
and lay down minimum standards for protecting data.

For this purpose, depending upon the industry, compliance with business requirements such as ISO
27001, DPA, Basel II, HIPAA etc. may be enforced by means of agreements between the parties, and
failure on the part of any party to maintain such a contractual obligation can lead to legal consequences
by virtue of this section. It is to be noted that there is no upper limit on the compensation that can be
claimed by the affected party in such circumstances.

Breach of confidentiality and privacy

The IT Act, 2000, under Section 72, protects private information that is obtained by agencies by virtue of
powers conferred under the Act and imposes criminal liability with imprisonment for 2 years, a fine
of Rs 1 lakh, or both. This also applies to Certifying Authorities that obtain information from
subscribers.

Section 72A, which has been newly added, addresses the issue of data vandalism occurring in breach
of contractual agreements. Section 72A reads as follows:

Punishment for Disclosure of information in breach of lawful contract

Save as otherwise provided in this Act or any other law for the time being in force,

(i) any person including an intermediary who;

(ii) while providing services under the terms of lawful contract;

(iii) has secured access to any material containing personal information about another person;

(iv) with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain;

(v) discloses;

(vi) without the consent of the person concerned, or in breach of a lawful contract;

(vii) such material to any other person; and

(viii) shall be punished with imprisonment for a term which may extend to three years, or with a fine
which may extend to five lakh rupees, or with both.

Extraterritorial applicability of the Data Protection Laws

The Data Protection Act of the UK as well as HIPAA of the US ensure that their data protection obligations
reach beyond their shores whenever data is sent out for processing to other countries. However, in the
Indian context the above-mentioned provisions do not speak of the extraterritorial applicability of the
law.

Section 75 of the IT Act speaks about the extraterritorial applicability of the Act. According to this
Section, the provisions of the IT Act shall apply to any offence or contravention committed by any
person irrespective of his nationality, provided the act or conduct constituting the offence or
contravention involves a computer, computer system or computer network in India.

Section 75 is framed from the angle of addressing cyber crime. The section does not
address the issue of data protection. Sections 43A and 72A, which have now been introduced to protect
data, also do not address the territorial applicability of these provisions. Therefore it can be safely
concluded that when data is transferred outside the territory of India it gets no legal protection.

Conclusion

In the current scenario the data protection provisions do not extend beyond the territory of India.
Within the territory of India, Sections 43A and 72A provide protection for data, and even data
outsourced to India gets protection under these sections. But when data is sent outside the territory
of India, one cannot seek protection under these sections. India has no jurisdiction in such cases, and
there is no obligation cast on the countries to which India sends sensitive personal information for
processing to have an acceptable data protection mechanism.
