Revised data protection law ready, will ease compliance
Contents News/Article Date : 15th November 2022
Relating to which Act : The Information Technology Act 2020, Indian Contract Act 1872, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
Applicable to which State : All the establishments in the States
Type : Companies misusing user data will face “punitive and financial” consequences once the proposed data protection law comes into effect, Rajeev Chandrashekhar, minister of state for information technology, said in a tweet on Tuesday.
Pertains to employers and employees
Relevance of this news : Karma Management Global Consulting Solutions Pvt. Ltd is in the business of Payroll, Outsourcing and Regulatory Compliances from its inception in 2004 and since then, has brought in a lot of efficiencies and technological upgradations with experts on its roll, to ease the hassles of Payroll Processing, Temp Staffing On-boarding, Regulatory and Payroll compliances by providing customized solutions to all its elite clients.
In this instance, Karma Global takes a review of what data protection laws exist in India in the light of the data protection bill which is said to be ready and likely to be released as soon as possible.
Data Protection Laws in India
Data Protection refers to the set of privacy laws, policies and procedures that aim to minimise intrusion into one’s privacy caused by the collection, storage and dissemination of personal data. Personal data generally refers to the information or data which relate to a person who can be identified from that information or data whether collected by any Government or any private organization or an agency.
India presently does not have any express legislation governing data protection or privacy. However, the relevant laws in India dealing with data protection are the Information Technology Act, 2000 and the (Indian) Contract Act, 1872. A codified law on the subject of data protection is likely to be introduced in India in the near future.
The (Indian) Information Technology Act, 2000 deals with the issues relating to payment of compensation (Civil) and punishment (Criminal) in case of wrongful disclosure and misuse of personal data and violation of contractual terms in respect of personal data.
Under section 43A of the (Indian) Information Technology Act, 2000, where a body corporate possessing, dealing or handling any sensitive personal data or information is negligent in implementing and maintaining reasonable security practices, resulting in wrongful loss or wrongful gain to any person, such body corporate may be held liable to pay damages to the person so affected. It is important to note that there is no upper limit specified for the compensation that can be claimed by the affected party in such circumstances.
The Government has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The Rules deal only with protection of “Sensitive personal data or information of a person”, which includes such personal information which consists of information relating to:
- Financial information such as bank account or credit card or debit card or other payment instrument details;
- Physical, physiological and mental health condition;
- Medical records and history;
The Rules provide the reasonable security practices and procedures which the body corporate, or any person who on behalf of the body corporate collects, receives, possesses, stores, deals with or handles information, is required to follow while dealing with “Personal sensitive data or information”. In case of any breach by the body corporate or any other person acting on behalf of the body corporate, the body corporate may be held liable to pay damages to the person so affected.
Under section 72A of the (Indian) Information Technology Act, 2000, disclosure of information, knowingly and intentionally, without the consent of the person concerned and in breach of the lawful contract has also been made punishable with imprisonment for a term extending to three years and fine extending to Rs 5,00,000 (approx. US$ 8,000).
It is to be noted that section 69 of the Act, which is an exception to the general rule of maintenance of privacy and secrecy of the information, provides that where the Government is satisfied that it is necessary in the interest of:
- the sovereignty or integrity of India,
- defence of India,
- security of the State,
- friendly relations with foreign States or
- public order or
- for preventing incitement to the commission of any cognizable offence relating to above or
- for investigation of any offence,

it may, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource. This section empowers the Government to intercept, monitor or decrypt any information, including information of a personal nature, in any computer resource.
Where the information is such that it ought to be divulged in public interest, the Government may require disclosure of such information. Information relating to anti-national activities which are against national security, breaches of the law or statutory duty or fraud may come under this category.
Information Technology Act, 2000
The Information Technology Act, 2000 (hereinafter referred to as the “IT Act”) is an act to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as “electronic commerce”, which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies.
Grounds on which Government can interfere with Data
Under section 69 of the IT Act, any person authorised by the Government, or any of its officers specially authorised by the Government, if satisfied that it is necessary or expedient so to do in the interest of sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, for reasons to be recorded in writing, by order, can direct any agency of the Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource. The scope of section 69 of the IT Act includes both interception and monitoring along with decryption for the purpose of investigation of cyber-crimes. The Government has also notified the Information Technology (Procedures and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, under the above section.
The Government has also notified the Information Technology (Procedures and Safeguards for Blocking for Access of Information) Rules, 2009, under section 69A of the IT Act, which deals with the blocking of websites. The Government has blocked the access of various websites.
Penalty for Damage to Computer, Computer Systems, etc. under the IT Act
Section 43 of the IT Act imposes a penalty, without prescribing any upper limit, for doing any of the following acts:
- accesses or secures access to such computer, computer system or computer network;
- downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
- introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
- damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;
- disrupts or causes disruption of any computer, computer system or computer network;
- denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;
- provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;
- charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network, he shall be liable to pay damages by way of compensation to the person so affected.
- destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;
- steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage.
Tampering with Computer Source Documents as provided for under the IT Act, 2000
Section 65 of the IT Act lays down that whoever knowingly or intentionally conceals, destroys, or alters any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to Rs 2,00,000 (approx. US$3,000), or with both.
Computer related offences
Section 66 provides that if any person dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to Rs 5,00,000 (approx. US$ 8,000) or with both.
Penalty for Breach of Confidentiality and Privacy
Section 72 of the IT Act provides for penalty for breach of confidentiality and privacy. The Section provides that any person who, in pursuance of any of the powers conferred under the IT Act, Rules or Regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned, and discloses such material to any other person, shall be punishable with imprisonment for a term which may extend to two years, or with fine which may extend to Rs 1,00,000 (approx. US$ 3,000), or with both.
Amendments as introduced by the IT Amendment Act, 2008
Section 10A was inserted in the IT Act which deals with the validity of contracts formed through electronic means which lays down that contracts formed through electronic means “shall not be deemed to be unenforceable solely on the ground that such electronic form or means was used for that purpose”.
The following important sections have been substituted and inserted by the IT Amendment Act, 2008:
- Section 43A – Compensation for failure to protect data.
- Section 66 – Computer Related Offences
- Section 66A – Punishment for sending offensive messages through communication service, etc. (This provision had been struck down by the Hon’ble Supreme Court as unconstitutional on 24th March 2015 in Shreya Singhal vs. Union of India)
- Section 66B – Punishment for dishonestly receiving stolen computer resource or communication device.
- Section 66C – Punishment for identity theft.
- Section 66D – Punishment for cheating by personation by using computer resource.
- Section 66E – Punishment for violation of privacy.
- Section 66F – Punishment for cyber terrorism.
- Section 67 – Punishment for publishing or transmitting obscene material in electronic form.
- Section 67A – Punishment for publishing or transmitting of material containing sexually explicit act, etc, in electronic form.
- Section 67B – Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc, in electronic form.
- Section 67C – Preservation and Retention of information by intermediaries.
- Section 69 – Powers to issue directions for interception or monitoring or decryption of any information through any computer resource.
- Section 69A – Power to issue directions for blocking for public access of any information through any computer resource.
- Section 69B – Power to authorize to monitor and collect traffic data or information through any computer resource for cyber security.
- Section 72A – Punishment for disclosure of information in breach of lawful contract.
- Section 79 – Exemption from liability of intermediary in certain cases.
- Section 84A – Modes or methods for encryption.
- Section 84B – Punishment for abetment of offences.
- Section 84C – Punishment for attempt to commit offences.
Subject : Revised data protection law ready, will ease compliance – Companies misusing user data will face “punitive and financial” consequences once the proposed data protection law comes into effect, Rajeev Chandrashekhar, minister of state for information technology, said in a tweet on Tuesday.
Revised data protection law ready, will ease compliance
Minister of state for information technology Rajeev Chandrashekhar has said misuse of user data will attract punitive and financial consequences under the new law.
- The draft (data protection) bill is said to be ready and is likely to be released as early as today
- The updated version of the bill will deal solely with personal data, as per officials in the know
Companies misusing user data will face “punitive and financial” consequences once the proposed data protection law comes into effect, Rajeev Chandrashekhar, minister of state for information technology, said in a tweet on Tuesday.
Citing a New York Times news report on tech major Google’s $391.5-million privacy settlement in the US for allegedly misleading users into believing that they had turned off location tracking, Chandrashekhar said: “India’s #DigitalDataProtection bill will put a stop to this, & ensure that any platform or intermediary that does this will face punitive & financial consequences.” The draft (data protection) bill is ready to be released, said two industry insiders in the know, requesting anonymity.
Two people, also seeking anonymity, confirmed the development and said the bill should be released in a matter of days, maybe as early as Wednesday. However, there was no official confirmation of the release date.
The government withdrew the Personal Data Protection Bill, 2021 in August. The bill was introduced in Lok Sabha in December 2019. Subsequently, a joint parliamentary committee in a 16 December 2021 report tabled in the parliament, said that the law should bring both personal and non-personal data under its purview. The proposal, however, was vehemently opposed by a section of the industry.
According to the two officials cited above, the updated version of the bill will deal with personal data and leave out non-personal data. Additionally, it will also deal with digital data, that is, data obtained through digital means, such as apps and websites, they added.
A senior government official said the data protection bill is expected within this week and may relax some data localization, data storage and data processing norms. Furthermore, the provisions for compliance will be reduced, which in turn will help India’s booming startup ecosystem.
The bill is not likely to regulate devices or include provisions for testing and certification of hardware, he said, seeking anonymity. Intermediaries currently regulated under the IT intermediary guidelines are also not likely to figure in the draft bill, to make sure there are no regulatory overlaps.
Besides, the proposed bill will make it easier for companies to comply with the new guidelines on data protection, which is good news for India’s startup ecosystem.
In August, Chandrashekhar emphasized during a press briefing that the compliance burden on startups was one of the reasons for withdrawing the bill.
“Big tech firms would have just hired more lawyers to comply if there was a complicated privacy law. The burden of such legislation would hurt startups,” he had reasoned. However, it is not clear how far it will affect data localization rules proposed in the original version of the bill, where the government mandated all companies dealing with sensitive data of Indian users to keep a copy within its borders. Tech firms, including industry leaders, have opposed the localization rules.
“Many compliance issues were highlighted in the 2021 bill. Data localization was a factor, but not as much for small and medium businesses. It was a major concern for larger organizations. For SMEs, the compliance burden was primarily in terms of reporting and data retention — the amount of time mandated to retain a certain amount of customer data or metadata,” said technology and policy analyst Prasanto K. Roy.
The bill would have forced SMEs to “look at compliance in a way they had never done before”, he added. “It would have forced them to scramble for tech solutions to comply with the data protection law. Data processing was also an issue for large organizations. Later, non-personal data was also brought in. The biggest issue was the focus had shifted from data privacy law to data law. Data protection law was supposed to be the privacy law, but it didn’t happen.”
A person said there is speculation that the data protection bill may be a bare-bones version of the original draft and may not be as detailed as it was, as the government seeks to reserve the overall regulation of the digital ecosystem within India’s jurisdiction for the Digital India Act, which is also expected to be released in the coming months. An email query to a ministry of electronics and information technology spokesperson did not elicit a response till press time.