The purpose of this article is to throw light upon various provisions in Indian laws relating to data protection. A comparative analysis with foreign laws has also been made so as to identify the lacunae in Indian laws. A critical analysis of the proposed bill on data protection has also been made.
Maintaining databases is not as difficult a task as maintaining their integrity, so in this era the most pressing debate is how to devise a perfect method of data protection. With the advancement of technology, there has been a transition in the standard of crimes. In the present era most crimes are committed by professionals through the easiest medium, i.e. computers and electronic gadgets. With just a single click, criminals are able to get secured information. The lust for information is acting as a catalyst in the growth of cyber crimes.
It is a very big headache for business houses, financial institutions and governmental bodies to give adequate protection to their huge databases. In the absence of any particular stringent law relating to data protection, the miscreants are gaining expertise in their work day by day.
Though the digital world has simplified our lifestyle, it has left certain anomalies in the pursuit of its object, which result in involuntary disclosure of data. This can be seen from these illustrations:
1. On every login to an e-mail account in a cyber cafe, the electronic trail of the password is left there unsecured.
2. On every use of a credit card for a purchase, a trail of brand preference, place of shopping etc. is left behind.
3. On every login to the internet, an electronic trail is left behind, enabling website owners and advertising companies to get access to the preferences and choices of users by tracking them.
4. Employees are under surveillance, as employers routinely use software to access employees’ e-mail and track their movements.
5. Phone call signals of the police are easily tracked by the Naxalites, enabling them to know about police plans.
6. Source code theft is the most preferred act of the miscreants.
7. Sending unsolicited e-mails is also a usual practice for gathering personal information of users.
8. Movement across the web can be tracked by placing cookies and then retrieving them in a way that allows building a detailed profile of the user’s interests, spending habits and lifestyle.
9. Through hacking, the hackers can whimsically alter anyone’s account.
Thus it can easily be seen how much room we are giving the miscreants to enhance and simplify their acts, and it is fair to ask how safe it is to avail of the services of the digital world.
Data protection under foreign law.
Many countries other than India have their data protection laws as a separate discipline. They have well framed and established laws, exclusively for the data protection.
The U.K. Parliament framed its Data Protection Act (DPA) in the year 1984, which was thereafter repealed by the DPA of 1998. This Act was basically instituted for the purpose of providing protection and privacy for the personal data of individuals in the UK. The Act covers data which can be used to identify a living person. This includes names, birthdays, anniversary dates, addresses, telephone numbers, fax numbers, e-mail addresses etc. It applies only to data which is held, or intended to be held, on computers or other equipment operating automatically in response to instructions given for that purpose, or held in a relevant filing system.
As per the Act, persons and organizations which store personal data must register with the Information Commissioner, who has been appointed as the government official to oversee the Act. The Act puts restrictions on the collection of data. Personal data can be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or purposes. The personal data shall be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are processed.
Though both the U.S. and the European Union focus on enhancing privacy protection for their citizens, the U.S. takes a different approach to privacy from that of the European Union. The U.S. adopted a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. In the U.S., data are grouped into several classes on the basis of their utility and importance. Accordingly, a different degree of protection is awarded to each class of data.
Several Acts were also passed in order to stabilize the data protection laws in the United States. The Privacy Act was passed in the year 1974, which provided for establishing standards for when it is reasonable, ethical and justifiable for government agencies to compare data in different databases. Another Act, the Electronic Communications Privacy Act, was passed to restrict the interception of electronic communications and prohibit access to stored data without the consent of the user or the communication service.
Further, the Children's Online Privacy Protection Act was passed by the US Congress in October 1998, requiring website operators to obtain parental consent before obtaining personal information from children, and a Consumer Internet Privacy Protection Act required an ISP to get the permission of the subscriber before disclosing his personal information to third parties.
However, the existing federal laws do not suffice to cover the broad range of issues and circumstances that make the new digital environment a threat to personal privacy. Furthermore, the US Government has been reluctant to impose a regulatory burden on electronic commerce activities that could hamper its development, and has looked for an answer in self-regulation.
Data protection under Indian Law
Our Constitution has provided the law relating to privacy under the scope of Article 21. Its interpretation has been found insufficient to provide adequate protection to data. In the year 2000, an effort was made by our legislature to embrace privacy issues relating to computer systems under the purview of the IT Act, 2000. This Act contains certain provisions which provide protection for stored data. In the year 2006, our legislature also introduced a bill known as ‘The Personal Data Protection Bill’ so as to provide protection to the personal information of a person.
Under IT Act, 2000
This section provides protection against unauthorized access to a computer system by imposing a heavy penalty of up to one crore. The unauthorized downloading, extraction and copying of data are also covered under the same penalty. Clause ‘c’ of this section imposes a penalty for the unauthorized introduction of computer viruses or contaminants. Clause ‘g’ provides penalties for assisting unauthorized access.
This section deals with computer source code. Anyone who knowingly or intentionally conceals, destroys or alters it, or causes another to do so, shall have to suffer a penalty of imprisonment or a fine of up to 2 lakh rupees. Thus protection has been provided against tampering with computer source documents.
Protection against hacking has been provided under this section. As per this section, hacking is defined as any act done with an intention to cause wrongful loss or damage to any person, or with the knowledge that wrongful loss or damage will be caused to any person, where information residing in a computer resource is destroyed, deleted or altered, or its value and utility are diminished. This section imposes a penalty of imprisonment of three years or a fine of up to two lakh rupees or both on the hacker.
This section provides protection to data stored in a protected system. Protected systems are those computers, computer systems or computer networks which the appropriate government, by publishing information in the Official Gazette, has declared to be protected systems. Any access, or attempt to secure access, to such a system in contravention of the provisions of this section will make the person who accessed it liable to punishment of imprisonment which may extend to ten years, and that person shall also be liable to a fine.
This section provides protection against breach of confidentiality and privacy of data. As per this section, any person upon whom powers have been conferred under the IT Act and allied rules to secure access to any electronic record, book, register, correspondence, information, document or other material, and who discloses it to any other person, shall be punished with imprisonment which may extend to two years, or with a fine which may extend to one lakh rupees, or both.
Law of contract
These days, companies are relying on contract law as a useful means to protect their information. Corporate houses enter into several agreements with other companies, clients, agencies or partners to keep their information secured to the extent they want to secure it. Agreements such as ‘non circumvention and non-disclosure’ agreements, ‘user license’ agreements, ‘referral partner’ agreements etc. are entered into by them; these contain confidentiality and privacy clauses, and also arbitration clauses for the purpose of resolving any dispute that arises. These agreements help them in the smooth running of business. BPO companies have implemented processes like the BS 7799 and ISO 17799 standards of information security management, which restrict the quantity of data that can be made available to employees of BPOs and call centers.
Indian Penal code
It imposes punishment for the wrongs which were expected to occur till the last decade. But it failed to incorporate within itself the punishment for crimes related to data which has become the order of the day.