India:

an up-date on Data Protection Legislation

by
Tejas Karia
(BSL, LLM (LSE), Advocate, Solicitor
Associate, Amarchand & Mangaldas)
Amarchand & Mangaldas & Suresh A. Shroff & Co.
Solicitors & Advocates
Amarchand Towers, 216 Okhla Industrial Estate, Phase - III
New Delhi-110 020 India
Tel: + (91 11) 2692 0500, 5159 0700 Fax: + (91 11) 2692 4900
e-mail: tejas.karia@amarchand.com

Privileged & Confidential

9th February 2006
1
 Status of Data Protection
Legislation in India
• The existing legal framework for protecting
sensitive personal data.
• Overview of the investment in India by other
countries for handling personal data.
• Need of Data Protection legislation in India.
• Attempts for passing the legislation.
• Present status.
• Way forward …
Privileged & Confidential 2
 Existing Legal Framework
• Information Technology Act, 2000

– Section 43: Penalty for download, copy or extract of data without permission of the owner of a computer etc. – not exceeding rupees ten
million to the person affected.

– Section 65: Punishment for tempering with Computer Source Code – imprisonment up to 3 years, or fine up to rupees 200,000, or both.

– Structure of legal services in India is still at primary stage where sophisticated multilocational/multijurisdictional services rendered by
very few
• Disadvantage of dollar rupee inequality
• Phased entry as was done in Singapore, China and the Asean region is required as otherwise cannibalisation of domestic
practices is very likely

Privileged & Confidential 3

 Existing Legal Framework
• Information Technology Act, 2000

– Section 66: Hacking - imprisonment up to three years, fine up to rupees 200,000, or both.

– Section 72: Penalty for breach of confidentiality and privacy: unauthorised access to any electronic record, book, register,
correspondence, information, document and disclosure of the same – imprisonment up to 2 years, or fine up to rupees 100,000, or both.

– Structure of legal services in India is still at primary stage where sophisticated multilocational/multijurisdictional services rendered by
very few
• Disadvantage of dollar rupee inequality
• Phased entry as was done in Singapore, China and the Asean region is required as otherwise cannibalisation of domestic
practices is very likely

Privileged & Confidential 4

 Existing Legal Framework
• Indian Contract Act, 1872:

– Breach of Contract: Violation of terms of the contract or non-performance of the obligations.

– Remedies:
• Damages
• Specific Performance

– Structure of legal services in India is still at primary stage where sophisticated multilocational/multijurisdictional services
rendered by very few
• Disadvantage of dollar rupee inequality
• Phased entry as was done in Singapore, China and the Asean region is required as otherwise cannibalisation
of domestic practices is very likely

Privileged & Confidential 5

 Existing Legal Framework

• Indian Penal Code, 1860:

– Section 406: Criminal Breach of Trust: Imprisonment, which

may extend to 3 years, or fine, or with both.

– Section 420: Cheating: Imprisonment, which may extend to

7 years and a fine.

Privileged & Confidential 6

 Existing Legal Framework

• Consumer Protection Act, 1986:

– “Deficiency in Service”: complaint before consumer
forum / commission.

• Specific Relief Act, 1963:

– Temporary and permanent injunctions against
unauthorised disclosure of confidential information.

Privileged & Confidential 7

 Overview of Investment in India
• India controls 65% of of the global market in software-
code outsourcing and 46% in back-office outsourcing.
• Indian software and services export was approximately
$ 17.2 billion in 2004-05, as compared to $ 12.8 billion
(an increase of 34%)
• Outsourcing revenues are expected to reach $ 60 billion
by 2010.
• As per the Nasscom-Mckinsey survey, the export
revenue from IT sector would add 7% to India’s GDP
by 2010 along with creation of 8.8 million new jobs.
Privileged & Confidential 8
 Overview of Investment in India
• IT solutions business in India is expected to grow at
25% to touch $ 35 billion in export revenues.
• The BPO business would witness a CAGR of 37% to
account $ 25 billion of the projected $ 60 billion.
• According to Indian IT body – National Association of
Software and Service Companies (“NASSCOM”),
India could potentially accelerate the overall IT export
by almost $ 15-20 billion by 2010 if it focuses on
multi-dimensional innovation.
Privileged & Confidential 9
 Need for Data Protection
Legislation in India
• Absence of data protection and privacy law in India
often cited as a strong reason for stopping the movement
of call center and BPO work in India
• Necessity for creating appropriate confidence among
investors and foreign companies about safety and
protection of personal data.
• Adequate level of protection for allowing Safe Harbor
for transfer of data from EU countries.
• Unenforceability of contractual provisions regarding
protection of data.
Privileged & Confidential 10
 Various attempts for passing
Data Protection Legislation
• Drafting of separate legislation.

• Amendments to existing Information

Technology Act.

• Expert Committee on Cyber Law

Privileged & Confidential 11

 Various attempts for passing
Data Protection Legislation
• Drafting of separate legislation:

– A separate and exclusive legislation embodying the Data

Protection principles like other Countries.

– EU model vs. US model

• Stringent legislative protection vs. Self-Regulatory Organizations
• Enforcement: statutory rights v. contractual rights
• Safe Harbor Principles

– Failure to enact separate legislation

Privileged & Confidential 12
 Various attempts for passing
Data Protection Legislation
• Amendments to existing Information Technology Act,
2000:
– Insertion of definitions of:
• Personal data, Data Controller, Data Processor, Data Subject,
Processing etc.
– Introduction of Chapter VIIIA for Data Protection
• Provisions for reciprocity and exemptions
– Guidelines on rights of Data Subjects and Minimum Security
and Organisational Standards to be adopted by Data
Controllers and Data Processors
Privileged & Confidential 13
 Various attempts for passing
Data Protection Legislation
• Expert Committee on Cyber Laws:
– Appointed to suggest the amendments to Information
Technology Act, 2000
– Minimal changes suggested to existing law for introducing
the protection for handling sensitive personal data.
– Introduction of concept of ‘sensitive personal data’ in
existing Section 43:
• Any body corporate, that owns or handles sensitive personal data or
information in a computer resource, if found to be negligent in
implementing and maintaining reasonable security practices and
procedure – shall be liable to pay damages by way of compensation
not exceeding rupees ten million to the person so affected.
Privileged & Confidential 14
 Various attempts for passing
Data Protection Legislation
• Expert Committee on Cyber Laws:
– What is “reasonable security practices and procedures” ?
• In the absence of a contract between the parties or any special law,
such security practices and procedures as appropriate to the nature of
the information to protect that information from unauthorised access,
damage, use, modification, disclosure or impairment, as may be
prescribed by the Central Government in consultation with self-
regulatory bodies of the industries, if any.
– “Sensitive personal data or information” – which is
prescribed as “sensitive” by the Central Government in
consultation with self-regulatory bodies of the industry, if
any.
Privileged & Confidential 15
 Various attempts for passing
Data Protection Legislation
• Expert Committee on Cyber Laws:
– Section 66: Definition of Hacking replaced by Computer
related offences
– Computer related offences are defined as:
• If any person, dishonestly or fraudulently, without permission
 accesses or secures access to such computer resource
 Downloads, copies or extracts any data, computer data base or
information from such computer resource including information or data
held or stored in any removable storage medium
 Denies or causes the denial of access to any person authorised to access
any computer resource
shall be punishable with imprisonment up to 1 year or a fine which may
extend up to rupees 200,000 or with both.
Privileged & Confidential 16
 Various attempts for passing
Data Protection Legislation
• Expert Committee on Cyber Laws:
– Computer related offences are defined as:
• If any person, dishonestly or fraudulently, without permission
 Introduces or causes to be introduced computer virus into computer resource;
 Disrupts or causes disruption or impairment of electronic resources;
 Charges the services by tampering with or manipulating any computer
resources;
 Provides assistance to any person to facilitate access to a computer resource
in contravention of the provisions of the IT Act, 2000, rules, regulations
made thereunder;
 Damages or causes to be damaged any computer resource, date, computer
database, or other programmes residing in such computer resource;
shall be punishable with imprisonment up to 2 years or a fine which may
extend up to rupees 500,000 or with both.

Privileged & Confidential 17

 Various attempts for passing
Data Protection Legislation
• Expert Committee on Cyber Laws:
– Section 72: Breach of confidentiality and privacy:
• Penalty increased to rupees 500,000
• Additional provisions for intermediaries
• Intentional capturing and broadcasting images violating the privacy
• Bar on jurisdiction of courts to take congnizance except upon
complaint filed by the aggrieved person in writing before a Magistrate
• Punishment: damages by way of compensation of rupees 2.5 million
to the person so affected
– Section 79: Exemption from liability of intermediary in
certain cases.

Privileged & Confidential 18

 Present Status
• No clarity on form of legislation.
• Absence of any specific protection causes concern for
trans-border flow of personal data.
• Stray incidents of misuse of personal data by persons
handling personal data.
• The recommendations of Expert Committee likely to be
placed before Parliament in February 2006 for amending
the existing Information Technology Act, 2000.
• No certaninity of enforcement mechanism.

Privileged & Confidential 19

 Way forward…
• Need for comprehensive legislation on data
protection in India.
• At least the proposed amendments should
capture all the aspects of data protection
principles.

Privileged & Confidential 20

 THANK YOU

Privileged & Confidential 21