The amendments passed on December 22/23 by the Parliament to the eight-year-old ITA 2000 have been watched keenly by IT and ITES companies. Many are happy, since the resulting ITA 2000 - Version 2008, which we prefer to call ITA 2008, has tried to address the demand for "Data Protection".
The earlier version of ITA 2000 did provide that data vandalism would be treated as an offence under Section 66 of the Act with three years' imprisonment, and that compensation of up to Rs 1 crore could be claimed under Section 43. However, since there was no specific indication that this was a measure to protect data in the hands of BPOs, many in the industry were expressing the opinion that India does not have data protection laws.
Though the Government introduced a separate bill called the "Personal Data Protection Act 2006" to meet this demand, the Bill is still pending in Parliament and is likely to lapse. Now ITA 2008 has tried to address the demand of the IT industry by specifically introducing two sections, namely Section 43A and Section 72A, which specify that they are measures towards "Data Protection". This may make the Personal Data Protection Act 2006 redundant and superfluous, at least to the extent of punishing breaches of the data protection responsibilities of BPOs.
It must be remembered that even now India does not have a separate "Privacy Protection Law", which means that no law has so far guaranteed citizens a right to protect their privacy except for the constitutional rights. There is no definition of what is "Sensitive Personal Information", and there is no authority such as a "Data Commissioner" to whom complaints can be taken by a victim. There is also no obligation on countries other than India, to whom India sends sensitive personal information for processing, to have an acceptable data protection mechanism.
It is not enough if we simply declare compensation and offences related to Data Protection. These were already there in law, and ITA 2008 may make them a little clearer and a little more stringent. But does ITA 2008 have provisions that can be considered cardinal for "Privacy Protection"? Let us explore.
1. Our first stop in exploring the Data Protection related provisions in ITA 2008 will be Section 43A, which is reproduced here:
Section 43A: Compensation for failure to protect data
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.
Explanation: For the purposes of this section
(i) "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities
(ii) "reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
(iii) "sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
The first observation that we need to make here is that the limit for compensation, which was Rs 1 crore under Section 43 of ITA 2000, has been removed. In other words, there is no upper limit for damages that can be claimed.
The Government is expected to define "Sensitive Personal Information", and it is the responsibility of "Body Corporates" to ensure that reasonable security practices are followed.
The definition of Reasonable Security Practice is to be determined in the following order:
1. As defined in a mutual contract between the vendor and the processor of data, or between a data subject and the data processor.
2. As specified in any law for the time being in force.
3. As specified by the Central Government in consultation with such professional bodies or associations as it may deem fit.
The IT and ITES industry should therefore first examine their SLA and, in its absence, examine whether there is any law that directly affects their activities. If neither exists, then the security practices to be specified by the Government as a follow-up to ITA 2000 would be followed. In the event the SLA mentions security practices as defined in the Data Protection Act, HIPAA, GLBA, etc., then that will take precedence over any other security practice.
Industry may be happy with this clarification, but they should now be concerned about the possibility of large liabilities to which they would be exposed, as well as the need to comply with international laws. They also need to implement "Compliance Audits" so that they would steer clear of being termed "negligent". The judgement of what constitutes "negligence" would be left to the wisdom of the "Adjudicator" in respect of claims up to Rs 5 crores and a "Civil Judge" in respect of claims beyond Rs 5 crores.
The unlimited liability under Section 43A is good for a country which is a net exporter of data for processing. But for a country like India, which is predominantly an importer of data for processing, the "unlimited liability" is like a sword hanging over the head of every BPO. Any major calamity may result in a huge international liability which may wipe out the BPO in one single case of security breach.
The wisdom of the IT industry in pressing the Government to impose a liability and responsibility on them through changes to ITA 2000, instead of adopting a voluntary code of ethics, is perhaps questionable.
2. Our next stop in exploring the Data Protection related provisions in ITA 2008 will be Section 72A, which is reproduced here:
Section 72A: Punishment for Disclosure of information in breach of lawful contract
Save as otherwise provided in this Act or any other law for the time being in force,
- any person including an intermediary who,
- while providing services under the terms of lawful contract,
- has secured access to any material containing personal information about another person,
- with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain
- discloses,
- without the consent of the person concerned, or
- in breach of a lawful contract,
- such material to any other person,
- shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.
Under this section, disclosure "without consent" or "in breach of lawful contract" exposes a person, including an "intermediary", to three years' imprisonment. The offence is cognizable but bailable.
The disclosure should be either intentional or made with knowledge that it may result in wrongful gain or loss (to somebody).
The subject material should contain "personal information". We may note that this section does not use the term "sensitive personal information" as used under Section 43A. Hence, "any personal information" can invoke this section if the other conditions are satisfied. This applies only when the information is obtained in pursuance of a service offered.
Further, under Section 85, the liabilities that fall on a company under this section will extend to any officer in charge of the business, director, etc., unless "Due Diligence" is proved.
One concern about this section arises out of the use of the words "save as otherwise provided ... under any other law for the time being in force". This makes Section 72A subordinate to any such laws, if they exist. This could be a source of nuisance litigation in the days to come.
Though there is no mention of a separate "Grievance Redressal Mechanism" for victims of data security breaches in the form of a "Data Commissioner", the adjudication process with the Cyber Appellate Tribunal must be considered an adequate replacement. What is lacking, however, is a method of proactive regulation such as "Compulsory registration of data processors" along with "De-registration as a means of penalizing a contravention".
The need for data exporters from India to enforce security norms has not been specified. However, the extra-territorial jurisdiction of this Act as per Section 75 may be interpreted as extending data protection obligations to any external party who under a contract takes up processing of data from India.
Some Areas of Concern for IT Companies
While the two sections, Sec 43A and 72A, directly impact IT companies dealing with data processing, some of the following sections also have a significant impact on IT companies and could be a source of irritation as well.
For example, under Section 67C, every "Intermediary" has the following obligation:
67C: Preservation and Retention of information by intermediaries
(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.
(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.
An Intermediary is also a member of the IT industry, and the definition in Section 2(w) is wide enough to include many service providers. The definition states:
"Intermediary" with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.
We may note that this definition includes "Telecom Companies" such as
AirTel or Reliance Infocomm or Tata Indicom. It includes Google, Rediff,
Sify, Ebay.in, cyber cafes etc. It includes many BPOs who operate as back
office service providers, Data Centers, HR service providers, etc.
It is clear that a very large number of IT companies come under the scope of Section 67C.
We are awaiting the notification regarding the time for which specified information needs to be preserved under this section. It could be one year at the minimum and six to seven years at the outer end.
What is important to note is that any alleged non-compliance could expose the company and its executives to the penal provisions of this section as well as Section 65. Since this is a "Cognizable" offence, any "Inspector" of Police can now start questioning the CEO of a BPO on whether it is preserving the information intact.
Will a Police Inspector consider it necessary to enter a BPO office and demand such information? Maybe initially this will happen with cyber cafes. Next it will happen at ISPs and small portal owners. But we never know whether the larger companies are immune to such intrusion.
No discussion on ITA 2008 on Privacy issues is complete without a reference to Sections 69,
69A and 69B which enable the Government to exert a huge influence on the
Information Security industry.
While the powers which the Government has gained through these three
sections are justified in the context of the Cyber Security requirements,
in the event appropriate safeguards are not enshrined in the rules and
regulations, these three sections will become the most oppressive clauses
of the new Act.
To understand the reasons for coming to such a conclusion, let us explore these three sections in depth.
For immediate reference of the readers, the three sections are first
reproduced here.
Sec 69: Powers to issue directions for interception or monitoring or decryption of any information through any computer resource.
(1) Where the central Government or a State Government or any of its officer specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information transmitted received or stored through any computer resource
(2) The Procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed
(3) The subscriber or intermediary or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub section (1), extend all facilities and technical assistance to -
(a) provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or
(b) intercept or monitor or decrypt the information, as the case may be; or
(c) provide information stored in computer resource.
(4) The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with an imprisonment for a term which may extend to seven years and shall also be liable to fine.
We may note that this section provides a designated agency of the Central or State Government access to any information stored in any computer resource, whether in a public place or a private place, whether at home or at office, with the excuse that it is required for the prevention or the investigation of any offence. The power is not restricted to information in transit such as e-mails but extends also to other information that may be stored.
This means that any Police officer (or such other agency as may be designated under this section), under the excuse of investigating an offence (whether in the interest of national integrity or otherwise), can walk into any IT company and demand to intercept (access) information. It is to be noted that non-cooperation by the company can result in imprisonment of up to seven years.
The powers under Section 69 are oppressive enough for the industry to sit up and take notice. Sections 69A and 69B extend the powers further.
These sections state as follows:
Sec 69A: Power to issue directions for blocking for public access of any information through any computer resource
(1) Where the Central Government or any of its officer specially authorized by it in this behalf is satisfied that it is necessary or expedient so to do in the interest of sovereignty and integrity of India, defense of India, security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above, it may subject to the provisions of sub-sections (2) for reasons to be recorded in writing, by order direct any agency of the Government or intermediary to block access by the public or cause to be blocked for access by public any information generated, transmitted, received, stored or hosted in any computer resource.
(2) The procedure and safeguards subject to which such blocking for access by the public may be carried out shall be such as may be prescribed.
(3) The intermediary who fails to comply with the direction issued under sub-section (1) shall be punished with an imprisonment for a term which may extend to seven years and also be liable to fine.
Sec 69B: Power to authorize to monitor and collect traffic data or information through any computer resource for Cyber Security
(1) The Central Government may, to enhance Cyber Security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, by notification in the official Gazette, authorize any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource
(2) The Intermediary or any person in-charge of the Computer resource shall when called upon by the agency which has been authorized under sub-section (1), provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating, transmitting, receiving or storing such traffic data or information
(3) The procedure and safeguards for monitoring and collecting traffic data or information, shall be such as may be prescribed
(4) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (2) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.
Explanation: For the purposes of this section,
(i) "Computer Contaminant" shall have the meaning assigned to it in section 43
(ii) "traffic data" means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, date, size, duration or type of underlying service or any other information.
The two sections extend the powers of interception and decryption in Section 69 to the power to block access and the power to demand "traffic data" from any person who is in possession of the relevant information. Refusal or non-cooperation is a cognizable offence.
These three sections therefore provide what can be described as "brutal" powers to certain agencies.
It is not necessary that the designated agency under these sections should be the "Police". However, it is perhaps inevitable that the Police will either be directly designated as the "Designated agency" under these sections or will be the authority that advises action under them to any other agency otherwise designated (as is presently the case with CERT-In in respect of blocking of websites with obscene content). It is possible that the proposed "Nodal Agency" designated under Section 70B (which is called the Indian Computer Emergency Team, a position that may be occupied by CERT-In after due notification) may be entrusted with the responsibility of implementing the powers under Sections 69, 69A and 69B. However, the nodal agency may act on the basis of recommendations received from the Police, since it may not have direct capability for investigations.
Has any IT industry representative thought about the possible misuse of these sections and what the consequences thereof would be? If not, it is time to do so, so that adequate safeguards can be introduced simultaneously. It is time to think about what such safeguards should be, how they should be implemented and which agency should monitor them.
To repeat my earlier comment, in the current scenario of threats prevailing in India, perhaps it is difficult not to accept such draconian laws as necessary. However, it is the responsibility of all of us to ensure that the safeguards expected to be in place to prevent abuse of the powers under these three sections are adequate, so that the draconian powers are properly reined in and any abuse is adequately punished.
In particular, I consider it absolutely
necessary that any agency which is given powers under these three
sections should be answerable to a monitoring body which should have
the powers to receive complaints from the public, conduct its own
investigation even against Police officers involved and also prosecute
them as necessary. There should be no immunity given to such officials
against being held accountable for breaches of propriety and law.
Such an agency should be like the "Human Rights Commission" and should be an independent body devoted to the welfare of netizens. It can be a new set-up, a "Netizen Rights Commission" with the necessary powers. It should not simply be a judicial body with people who may not understand the technical issues involved. It must have representation of private persons of eminence who understand the technology issues and the human rights violations that may arise therefrom.
If there are legal hurdles to create such
a commission, then it is suggested that a "Netizen's Rights Advisory
Board" is created in every State which should receive complaints,
investigate, and give its recommendations. The recommendations may be
taken up for implementation by the Human Rights Commission or the
Courts to provide justice to the aggrieved.
In case appropriate safeguards and a monitoring mechanism are not immediately set up, there is a grave danger lurking ahead for IT companies and their executives, who may become pawns in the hands of law enforcement officers who know where the law pinches and are able to tickle the sensitive spots in the IT industry.