View of RESEARCH STUDY ON DATA PROTECTION EFFORTS IN INDIA

(1)

Vol. 04, Issue 01, January 2019 Available Online: www.ajeee.co.in/index.php/AJEEE

1

RESEARCH STUDY ON DATA PROTECTION EFFORTS IN INDIA Sindhuja Shukla

JRF, LLM Allahabad University

Abstract- This paper, after securing those have to successful information insurance clinched alongside India, dives with respect to on depict the simple measures made in the nation over till date in the circle for information security. Same time highlighting the insufficiency of such measures and the uncertainty clinched alongside. Recommended amendments, the writer looks impulse from European union law for proposing an expansive structure to information insurance theory clinched alongside India.

1. WHY PROTECT DATA?

The necessity with protect information What's more information protection Previously, India will be generally new, emerging from those ever stretching off- shoring business operations directed clinched alongside India Eventually Tom's perusing abroad organizations wherein particular information is exported by these abroad organizations should their off-shore operators or counterparts clinched alongside India. 1 though it might have been not for this mushrooming off-shoring business, India might maybe never bring worried substantially regarding information protection, Similarly as there are recently existing procurements in the Indian lawful structure to insurance of data, albeit not toward the scale In which security may be warranted under those current condition.

Keeping for psyche that information will be the vital groundwork for practically off-shoring businesses; it might be informatively on inspect the planned destinations for at whatever information insurance law. To instance, the European information insurance Directive2 need concerning illustration its twin destinations the security of security for people with respect to the transforming from claiming particular information and, the assistance of the allowed development about such information. Thetwo stated objectives would ordinarily contradict each other, and the taskconfronting any authority would be to reconcile these objectives by protectingprivacy rights, while simultaneously ensuring the free movement of data. In other words, the directive aims to achieve processing of data by maintainingdata privacy.

India had been the hot-spot for off- shoring operations for foreign companiesfor a long time, till concerns of

data security were raised, following certainincidents of data theft and breach of data privacy by certain Indian off- shoring companies.4 these incidents made headlines in national and international mediaand brought India‟s legal framework for data protection under worldwidescrutiny. While India continues to be a hotspot for off-shoring, it cannot avoiddata security issues for much longer, as both the industry and the governmenthave been under tremendous pressure to enact a law for data protection inIndia.

2. EXISTING LEGAL FRAMEWORK FOR DATA PROTECTION IN INDIA

A. Contract Law

The existing Indian legitimate structure to information security from an off-shoring point tumbles mostly under those law for agreement. Under the Indian agreement Act, 1872, an organization camwood tie another through an agreement to ensure the information of the previous. This will be could reasonably be expected due to the motivation behind that those demonstration characterizes

„consideration‟ Likewise At whatever go about alternately abstention In the yearning of the promisor, which implies that for certain complementary consideration, person firm camwood tie another with the goal Similarly as to refrain starting with uncovering information without authorization, Furthermore foist upon it the certain commitment on protect information. Such a contract may mention the specific duties andobligations of both the parties involved and should have provisions relating tothe duty of the Indian company to protect privacy of data, as well as the termsand conditions of the use and processing of data. Currently, all off- shoringoperations in India are regulated

(2)

2 by such contracts. In a scenario like this,contractual clauses are crucial in order to determine the extent of data security.Most of the time, negotiations by foreign data exporters with Indian companiesaim at reaching a balance between maximum business benefits and adequateprotection of personal data.

B. The Information Technology Act, 2000

Separated starting with those Indian agreement Act, 1872, exactly procurements pertaining will information insurance need aid also available in the majority of the data engineering organization Act, 2000. Those data engineering organization demonstration (hereinafter, “The it Act”) might have been sanctioned done 2000 for the principle reason for existing of giving legitimate distinguishment will transactions conveyed out by method for electronic commerce, Concerning illustration need been stated in its preamble. The meaning from claiming „data‟ in the go about blankets An representational from claiming information, knowledge, Realities thus on, which need aid being arranged or transformed to a workstation framework clinched alongside At whatever type alternately put away internally in the memory of the workstation. 6. Area 43(b) of the it one gesture stipulates punishments Toward method for harms up to Rs. 10,000,000 against any persnickety who “downloads, duplicates alternately extracts whatever data, workstation database alternately majority of the data starting with such computer, PC framework or workstation system including data alternately information held or put away On any removable stockpiling medium”. Further, area 66 of the one gesture characterizes „hacking‟, Also records the discipline for those same.

It reads:

(1) Whoever, with the intent to cause or knowing that he is likely tocause wrongful loss or damage to the public or any person destroys ordeletes or alters any information residing in a computer resource ordiminishes its value or utility or affects it injuriously by any means,commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment upto three years, or with a fine which

may extend up to two lakh rupees, orwith both.The expression “or affects it injuriously by any means”

could be interpretedto include a breach of privacy of the data. Hence, although the IT Act primarily provides legal recognition for transactions carried out by means of electronic commerce, there are some provisions dealing with data protection.

3. RECENT EFFORTS IN INDIA TOWARDS DATAPROTECTION

Instances of information robbery have urged both those administration and the industry will cure those circumstances as An light of global pressure, As far as giving exactly sort structure to information insurance. Some from claiming these deliberations need aid talked about underneath.

An. Recommended Amendments of the it one gesture in perspective from claiming developing worries raised by later instances about information theft, the service of majority of the data engineering organization suggested certain amendments of the it Act, 2000.

You quit offering on that one such amendment, appropriate with information protection, may be those recommended insertion of a new area 43A wherein delicate particular majority of the data might be took care of for sensible security hones What's more methods. Those recommended revision peruses as takes after: 43A. The place a particular figure corporate, possessing, managing or taking care of whatever delicate particular information alternately majority of the data done a workstation asset which it owns, controls alternately operates, will be careless On actualizing Furthermore administering sensible security hones Furthermore methods Furthermore thereby makes wrongful reduction or wrongful pick up should any person, such muscle to corporate might a chance to be at risk to pay harms Toward method for recompense not surpassing five Crore rupees, of the persnickety something like that influenced.

Explanation: For the purposes from claiming this section,—

1. „Body corporate‟ implies whatever organization Furthermore incorporates An firm, sole

(3)

3 proprietorship or other affiliation of people locked in Previously, business or expert activities;.

2. „Reasonable security practices and procedures‟ means security practicesand procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may bespecified in an agreement between the parties or as may be specified inany law for the time being in force and in the absence of such agreementor any law, such reasonable security practices and procedures, as maybe prescribed by the Central Government in consultation with suchprofessional bodies or associations as it may deem fit; (iii)

„sensitive personal data or information‟ means such personalinformation as may be prescribed by the Central Government inconsultation with such professional bodies or associations as it may deemfit.

This has taken the form of Clause 20 of the Information Technology (Amendment) Bill, 2006.

However, nothing in the proposed amendments deals with crucial aspectsof data protection such as the processing of personal data, handling of sensitivepersonal data, the conditions under which data may be collected from anindividual, the precautions to be taken while collecting data, confidentialityand security of processing of the data collected and so on.The proposed amendments have not yet materialised into new provision sunder The IT Act and have only recently received the comments of theStanding Committee on Parliamentary Affairs.

B. The Data Security Council of India Those national companionship from claiming product Furthermore benefits organizations (NASSCOM) need set up An self-regulatory activity clinched alongside information security What's more protection insurance called the information security chamber of India (DSCI). The thing that prompted the foundation of the DSCI will be those proceeding exertion by NASSCOM to guarantee that the Indian data innovation organization industry need An sheltered

earth that might be benchmarked for whatever remains of those universe. 7 those DSCI will be a self-regulatory particular figure created under those reason that the industry, as opposed the government, is best positioned on create fitting information protection What's more security measures Concerning illustration it need more amazing information and preferred understanding of the useful business issues included. It is felt that such an approach might permit the DSCI will develop Furthermore successfully react with worldwide developments. The DSCI might receive worldwide norms so as should move towards this end, at first focusing with respect to Building its enrollment and evolving An set of principles Toward pushing An society about protection. Initially, the DSCI might Push and urge voluntary agreeability with those code for conduct, bit by bit making an instrument for implementation of the same Previously, a exert with create its validity.

The DSCI is envisaged as a non- profit organization, with its governingbody having an adequate representation of independent directors and industryspecialists. Organisations associated with data security and privacy protectionsuch as Information Technology (IT) and Information Technology enabled Services (ITeS) companies, academic or research institutions and universitiescan also become members of the DSCI.9The DSCI‟s stated mission seeks to:10

 Enable IT and ITeS companies to provide a high standard of security anddata protection by adopting best practices.

 Develop, monitor and enforce an appropriate security and data protectionstandard for the Indian IT and ITeS industry that would be adequate, costeffective, adaptable and comparable with global standards.

 Build capacity to provide security certification for organizations.

 Create a common platform to promote the sharing of knowledge aboutinformation security and foster a community of security professionals andfirms.

 Create awareness among industry professionals and other stakeholders aboutsecurity and privacy issues.

(4)

4 C. National Do Not Call Register

Similarly as examined In the extremely outset, any information security theory if point at ensuring the protection of information and, at those same time, guaranteeing the nothing development for information. The issue from claiming security about particular data, particularly individual phone numbers, need been the liable from claiming extraordinary dialog Around lawful and industry circles in the late secret word over India. Those multitude from claiming telecommunication administration providers, coupled for simple What's more modest cell telephone connectivity need prompted wild breaches of the individual security for cell telephone clients.

Bringing. Focal point of the gigantic sums from claiming uninhibitedly accessible cell phone client data, huge numbers commercial enterprises in the finance, banking, Wellbeing Furthermore tourism parts need set up telemarketing benefits should tap the possibility business chances that lie in such information.

Consequently, telemarketing calls bring get yet in turn interruption presented Toward the advanced transformation in the exists for Indians, and the thing that at first showed up will make a matter about schedule inquiries in regards loans alternately MasterCard prerequisites turned out should make an enormous and unabashed aggravation of the receivers from claiming such calls.

Eventually, the Telecom Regulatory Authority of India (TRAI) had totake steps to curb these unsolicited commercial calls pursuant to a petition filedby a Delhi-based lawyer before the Delhi State Consumer Dispute Redressal Commission (hereinafter “the Commission”) against a leading private telecom company, Airtel, along with two banks, on various counts including breach ofprivacy, financial loss, mental harassment and agony, and wrongful gain by therespondents. While allowing the petition and passing severe strictures againstthe respondents, the Commission also directed the establishment of a National„Do Not Call‟ Register by TRAI, which would bind all the players in the market,placing special emphasis on the fact that commercial telemarketers could notcall a subscriber if their number was on this Register. On the establishment ofsuch Register, subscribers would be

called upon to register their telephonenumbers free of cost through the Internet by publicising such a Register in the newspapers.

Effective from October, 2007, TRAI put in place the National „Do NotCall‟

Registry (NDNC), with the primary objective of curbing unsolicited commercial communication (UCC). The Telecom Unsolicited Commercial Communications Regulations, 2007, defines UCC as, “any message, through telecommunications service, which is transmitted for the purpose of informingabout or soliciting or promoting any commercial transaction in relation to goods, investments or services which a subscriber opts not to receive.”

Exceptions to UCC are messages received under a contract, communications relating tocharities etc., and communications transmitted under the directions of the government, in the interest of the sovereignty and integrity of India.The NDNC register will, therefore, be a database containing the list of alltelephone numbers of subscribers who do not wish to receive UCC.

4 DO THESE EFFORTS BY INDIA SUFFICE?

It may be obvious from the vast majority later steps taken Toward India to information insurance Concerning illustration recorded over that there is a solid mindfulness Also slant on the and only those legislature and the business on secure information to India. However, are these steps valuable enough should the table far reaching insurance to information and in addition give acceptable the needed solace level will remote organizations will participate on off-shoring business exercises Previously, India? Alternately are they minor child steps made in the heading of information protection? Those taking after segment means In looking at if these would, for fact, give satisfactory insurance of the world‟s biggest again office operations occurring Previously, India.

A. Amending those it go about on protect Data: fitting An square peg done An round Hole?. Tell us to start with take a gander at those recommended amendments of the it go about. A perusing of the preamble of the it act demonstrates that it may be a demonstration on give legitimate

(5)

5 distinguishment will transactions conveyed crazy Toward method for electronic information compatibility Also other method for electronic communication, ordinarily alluded on as

„electronic commerce‟ transactions. The preamble doesn't specify information insurance as a goal In spite of a standout amongst those purported destinations of the recommended amendments of the it enactment will be information insurance.

Since India‟s encounters from those insufficiency about information security over these times of off-shoring need aid phenomenal What's more new, it might a chance to be handy on take a gander at locales for example, such that Europe which need existing e-commerce Furthermore information security laws.

Those part nations of the European union would likewise committed with authorize national laws for Different areas, including that for information security Furthermore e-commerce.

As part of the harmonization of the European Union, there are variousdirectives that member countries are required to adopt as their national laws.Two such directives in the areas of data protection and e-commerce are,European Directive 95/46/EC (hereinafter, the “Data Protection Directive”)and European Directive 2000/31/EC (hereinafter, the “E- commerce Directive”). The Data Protection Directive was enacted for the protection of individualswith regard to the processing of personal data and the free movement of such data. On the other hand, the E- commerce Directive was enacted with a viewto, inter alia, contribute to the proper functioning of the internal market byensuring the free movement of information society services among the member states.

Under Article 2(a) of the Data Protection Directive, „personal data‟

isdefined as, “any information relating to an identified or identifiable natural person.” The Directive is to apply to the processing of personal data, wholly orpartly by automatic means, and to the processing of personal data which formspart of a filing system, otherwise than by automatic means. Certain types ofprocessing, such as the processing of personal data for public security, defence, state security, activities in the areas of criminal law and processing by a personin

the course of personal or household activities, are exempt from the scope of the Directive.

Under the Directive, member states are under various obligations, includingensuring that data is processed fairly and lawfully, that it is collected for specifiedand legitimate purposes and not processed in a manner incompatible with thosepurposes, that the processing of data is adequate, relevant and not excessive inrelation to the purposes for which it is collected and/or further processed andthat the data collected is accurate and kept up to date and kept in a form which permits the identification of data subjects etc. Further, personal data may beprocessed only if the data subject has unambiguously given his consent andsuch processing is necessary not only for the performance of a contract to whichthe data subject is party but also for the protection of the interests of the datasubject.

Besides, the Directive prohibits not only the processing of certain personaldata (such as personal data revealing racial or ethnic origin, political opinions,religious or philosophical beliefs, and health or sex life), but also processing forthe purposes of preventive medicine, medical diagnosis, offences and criminalconvictions, and so on, except under certain conditions. Further, the datasubject must be provided a right to object to the processing of data relating tohim and, where there is a justified objection, it must be provided that theprocessing may no longer involve such data. Apart from being under anobligation to keep the confidentiality of the processing of data, the entity processing the data must also be required to implement appropriate technical and organizational measures to protect personal data against accidental orunlawful destruction, accidental loss, unauthorized disclosure etc.

These are some of the salient features of the Data Protection Directive.

Itis, therefore, evident that the Directive covers a whole range of issues associatedwith processing of personal data in keeping with the twin objectives of theDirective, as discussed earlier.The E- commerce Directive specifically excludes from its purview, issuesrelating to information society services already

covered by the Data

(6)

6 ProtectionDirective.24 Since its objective is to provide for certain legal aspects of informationsociety services, in particular electronic commerce, the E-commerce Directivestipulates various requirements to be imposed on service providers by member states and required to be complied with by service providers. The Directiverequires a member state to ensure that service providers render informationsuch as their names and addresses, along with their electronic mail addressesthat allow contact and communication with them in a direct and effectivemanner, as also details of any public registration or identification number, andso on.25.

Further, it stipulates that commercial communications, which are partof an information society service, comply with certain conditions, such asensuring that the communication as well as the person making thecommunication shall be clearly identifiable. Under the Directive, UCC byelectronic mail by a service provider established in their territory shall beidentifiable, clearly and unambiguously, as such, as soon as it is received by therecipient. Also, service providers undertaking UCC by electronic mail mustregularly consult the opt-out registers in which persons not wishing to receivesuch commercial communications can register themselves. The Directive alsoexempts intermediary service providers of liability in situations when they are mere conduits, as also in cases of caching and hosting, and stipulates that member states are not to impose a general obligation to monitor the service providers.

Hence, the E-commerce Directive covers issues raised in the context ofinformation society services, service providers, and the obligations of memberstates and the providers of these services regarding such services.An overview of both these directives reveals that while the E-commerceDirective deals with all aspects of information society services in detail, theData Protection Directive deals in detail with one aspect of information societyservices, namely data protection. Also, while both these directives deal withaspects of information society services, the object and concept of both are distinctand different.

Similarly as India is treading new ground Likewise distant Concerning illustration information insurance Furthermore e-commerce laws are concerned, it might a chance to be of service will take a leaf beet or two out for Europe‟s experience over securing a legitimate structure to information security. Same time the sum information transfers Also transforming need aid e- commerce transactions, at e-commerce transactions need aid not information transfers alternately transforming. This demonstrates the reason the european E- commerce directive particularly excludes starting with its purview issues identifying with data particular social order administrations which need aid as of now secured Toward those information security directive. In spite of the fact that information security will be and only e- commerce, those meanings of securing information have a wider arrive at Furthermore scope Also will must make managed with clinched alongside point of interest through An separate bit about enactment. By endeavoring with fit procurements for information insurance under those it Act, far reaching information security can't make attained.

To instance, those suggested amendments might not guarantee that information will be transformed equitably and lawfully, that it may be gathered to specified What's more real purposes Furthermore not transformed to An way contrary for the individuals purposes, that those preparing about information may be adequate, pertinent and not unreasonable Previously, connection to the purposes for which it is gathered or further transformed or that the information gathered will be exact Also kept up to date Furthermore held in An manifestation which permits ID number about information subjects, that the information liable need unambiguous provided for as much assent to transforming data, that sufficient measures need aid taken to guarantee information security and so on.

33.

Previously, fact, such issues emerging out for information insurance need aid pertinent not main of the off- shoring industry, as well as to down home IT-savvy commercial enterprises What's more operations Previously, India. To instance, An late move Toward the state for Karnataka, stipulating biometric

(7)

7 distinguishing proof through fingerprints to apportion card holders, originated in for a considerable measure for feedback from specific activists, who contended that such a broad database, in the nonattendance of a information security law, might make meddling Furthermore powerless should abuse. Perhaps, those off-shoring benefits of the business need cleared the lifestyle to a sort new arousing to issues of security done a nation such as India, the place notions for individual security are brushed aside On a social milieu of offering and in this connection, it is Additionally important on notice the report card of the standing board around majority of the data engineering on the recommended amendments of the it Act, and also those proposals produced Eventually Tom's perusing it. The majority of the data innovation (Amendment) Bill, 2006 might have been presented over parliament looking into fifteenth December, 2006, and alluded of the standing board for data innovation on nineteenth December, 2006 for examination. Around 29^th August, 2007, those council acknowledged What's more embraced an draft report card. It shows up from the report card that, same time there were suggestions to separate information insurance enactment from those business and the Branch of majority of the data Technology, there might have been maybe not sufficient consensus, conviction alternately Comprehension on the requirement for those same. 35 b. DSCI Furthermore NDNC same time the endeavors made Eventually Tom's perusing NASSCOM done making the DSCI need aid commendable, best period might let if the self-regulation about an business about this sad for may be a lotus-eater‟s dream or an achievable dream.

The DSCI‟s stated mission is greatly swaying for these times, when information security will be a standout amongst those major worries for remote gurus in India. Those DSCI might need should develop a addition membership, with the readiness will consent with its code about conduct, in front of it might push ahead its expressed destinations.

Though what's more the point when An information insurance law is sanctioned Eventually Tom's perusing India, those DSCI Might assume a critical part done administering such a law. Same time it

will be a really punctual with remark on how compelling the DSCI may be On information protection, it absolutely will be An certain venture in that heading.

Those impact of the stronghold of the national „Do Not Call‟ register with respect to telemarketing calls need been truly dramatic, in that there need been An amazing slide in the number for calls with the individuals who took the exertion to quit Toward registering in the register under those NDNC. Also, as on account of the DSCI, it is as well promptly in the day will remark on the NDNC‟s working alternately its deliberations to ensure information security.

5. A CASE OF THE BLIND LEADING THE BLIND OR OFTURNING A BLIND EYE?

Every last one of over Indian endeavors towards information protection, if for those best from claiming intentions, Might maybe a chance to be depicted as an instance of the Visually impaired heading those blind. Or may be it an instance of the powers-that-be turning an blind eye of the issue? An perusing of the report card of the standing advisory group for data engineering on the recommended amendments of the it go about concerning information insurance makes it reasonable that same time the industry and the legislators would acquainted with terms in „personal data‟, „sensitive particular data‟, „personal privacy‟, „data privacy‟ thus on, there is a considerable measure from claiming vagueness as should how these terms if a chance to be translated to powerful information insurance Previously, India. Without an in-depth Comprehension of the industry‟s necessities and what is included in the security from claiming information Furthermore information protection done India, every last one of over deliberations will remain minor endeavors. Or might endeavors will would patchouly with respect to existing legislation, with the goal concerning illustration should secure data, help the present require to a legitimate skeleton. Emulating those european sample of information security by recognizing it from insurance of e- commerce transactions might undoubtedly spot India on the worldwide guide when it hails will information security. Besides, it might likewise make An safe earth for outside organizations

(8)

8 should put resources into India. Till then, it needs on make seen to what extent the off-shoring business may be setting off with enjoy India‟s baby steps towards information insurance.

REFERENCES:

1. See Jürgen Schaaf and Thomas Meyer, Outsourcing to India: Crouching Tiger Set to Pounce (DeutscheBank Research), Oct. 25,

2005, available at

http://www.dbresearch.com/PROD/DBR_IN TERNET_ENPROD/PROD0000000000192125 .pdf (stating that India is the world‟s most important offshoringlocation).

2. Council Directive 95/46, 1995 O.J. (L281) 31 (EC).

3. See CHRIS REED, COMPUTER LAW 418 (5th ed., 2004) (explaining how the Data Protection Directivemirrors the 1981 Council of Europe Convention on data protection which attempts to reconcileprivacy and the desire to maintain free flow of information between trading nations).

4. See, e.g., Ex-IITian Arrested for Delhi Call Centre Data Theft, THE TIMES OF INDIA, Nov. 12, 2005,available at http://timesofindia.indiatimes.com/articlesh ow/1293310.cms.

5. Section 2 of the Indian Contract Act states that “[w]hen, at the desire of the promisor, the promise or any other person has done or abstained from doing, or does or abstains from doing, or promises todo or to abstain from doing, something, such act or abstinence or promise is called a consideration forthe promise.”

6. Section 2 of the IT Act defines „data‟ as

“representation of information, knowledge, facts, concepts orinstruction which are being prepared or have been prepared in a formalised manner, and is intended tobe processed, is being processed or has been processed in a computer system or computer network, andmay be in any form (including computer printouts magnetic or optical storage media, punched cards,punched tapes) or stored internally in the memory of the computer”.See Data Security Council of India

(DSCI), available at

http://www.nasscom.in/Nasscom/templates /NormalPage.aspx?id=51973.

7. See Data Security Council of India: A Self- Regulatory Initiative in Data Security and Privacy Protection,available at http://www.nasscom.in/upload/5216/Datas ecurity.pdf (setting out the objectives of theCouncil in the guiding principles).

8. Id.

9. Id.

10. See Heavy Fines Imposed on Telemarketing Company,

http://news.indlaw.com/guest/databasesear ch/articles/core_articledisplay.asp?ID=Unsoli cited_focus2.

11. Telecom Unsolicited Communications Regulations 2007, Regulation 2(q).

12. See National Do Not Call Registry, available at http://ndncregistry.gov.in/ndncregistry/inde x.jsp.

13. For instance, the United Kingdom enacted the Data Protection Act in order to conform to

ECDirective 95/46/EC, as is evident in the preamble of the Act.

14. Council Directive 95/46, art.1, 1995 O.J.

(L281) 31 (EC).

15. Council Directive 2000/31, art.1, 2000 O.J.

(L178) 8 (EC).

16. Supra note 15, art. 3.

17. Id. at art. 6.

18. Id. at art. 7.

19. Id. at art. 8.